test(e2e): serve the portal + walking-skeleton Playwright e2e (closes #68) #72
Reference in New Issue
Block a user
Delete Branch "feat/68-e2e"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
What & why
S-08d — serves the self-service portal in the stack and adds the walking-skeleton Playwright
e2e: mock DigiD login → submit → confirmation, in a real browser. This closes the walking skeleton
end-to-end (portal → BFF → domain → Flowable → ACL → OpenZaak; openbaar reads the projection) and
finishes Iteration 1.
Closes #68
Definition of Done
refs #68).verify-e2estep in theverify-stackjob;frontendlane still green (5 projects).docker compose upserves the portal (self-service, health-checked,:8140).docs/frontend-decisions.md+ walking-skeleton demo note.Notes for reviewers — and a big honesty caveat
I could not validate this slice locally — no browser here, and it needs the live stack + a
container-run browser. The nginx image builds and starts cleanly, the app builds with the runtime
config, and the frontend unit lane is green; but the e2e + serving are CI-first and may well need a
round or two. Key design choices that de-risk it:
/self-service+/openbaartothe BFF. The api-client uses relative URLs → no CORS, no BFF change. nginx resolves the BFF at
request time so it starts before the BFF.
browser reaches Keycloak as
keycloak:8080— the same authority the BFF validates against. This iswhat finally makes the real submit return 202 instead of 401.
config.json: one build; dev →localhost:8180, compose image →keycloak:8080.node:24and installs Chromium at runtime, copiedin via
docker cp(no host pollution), matching the repo'sverify-*pattern.Most likely CI fiddles: Keycloak login selectors, the redirect/CORS dance, or browser-install time.
I'll iterate on the logs.
🤖 Generated with Claude Code
After login the submit silently did nothing: the confirmation ("...is ontvangen...") never rendered because the POST to the BFF went out with no Authorization header, so the BFF rejected it and the no-error-handler subscribe left the page unchanged. Root cause: angular-auth-oidc-client's interceptor attaches the token when `req.url.startsWith(secureRoute)`. The api-client calls the BFF with RELATIVE URLs (same-origin via the nginx proxy), so `req.url` is `/self-service/...` — but secureRoutes was configured as the app ORIGIN (`http://self-service`), which a relative URL never starts with. No match → no token. Configure secureRoutes with the relative `/self-service/` prefix instead. The unit test mocked the api-client, so only the walking-skeleton e2e exercises the real token attachment — now green. Verified against a focused stack (keycloak + self-service + real BFF + stub domain): the submit now carries the bearer token, the BFF forwards to the domain, and the portal shows the confirmation with the returned reference. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>