test(e2e): serve the portal + walking-skeleton Playwright e2e (closes #68) #72

Merged
not merged 11 commits from feat/68-e2e into main 2026-07-13 13:20:58 +00:00
2 changed files with 21 additions and 1 deletions
Showing only changes of commit 39923e0e68 - Show all commits

View File

@@ -91,5 +91,13 @@ with the submit form (S-08c, #67); any deviation from NL DS will be recorded her
runtime, so there's no Playwright-image-version pinning to keep in sync. The spec is copied in
(`docker cp`), not mounted, so it leaves nothing root-owned on the host. Wired as `verify-e2e` in
the `verify-stack` CI job.
- **e2e treats the portal origin as secure.** In-network the portal is served over plain HTTP on a
non-localhost origin (`http://self-service`), which is **not a secure context**, so Web Crypto
(`crypto.subtle`) is unavailable. angular-auth-oidc-client needs it for the PKCE code challenge, so
`authorize()` throws and the login redirect never fires. Production runs behind HTTPS where this is
a non-issue; rather than terminate TLS in the throwaway stack, the Playwright config passes
`--unsafely-treat-insecure-origin-as-secure` (honoured only by the full `channel: 'chromium'`
build, not the default headless-shell). This emulates the production HTTPS secure context without
touching the app or its production config.
- `tests/e2e` is a standalone Playwright project (its own `package.json`), not an Nx project — it's a
live-stack check like the other `verify-*` runners, not part of the `frontend` unit lane.

View File

@@ -2,6 +2,8 @@ import { defineConfig, devices } from '@playwright/test';
// The e2e runs inside the compose network (infra/run-e2e-check.sh); baseURL defaults to the
// self-service service. Keep timeouts generous — the first navigation triggers the DigiD flow.
const baseURL = process.env.SELF_SERVICE_URL ?? 'http://self-service';
export default defineConfig({
testDir: '.',
timeout: 90_000,
@@ -9,8 +11,18 @@ export default defineConfig({
retries: 1,
reporter: [['list']],
use: {
baseURL: process.env.SELF_SERVICE_URL ?? 'http://self-service',
baseURL,
trace: 'on-first-retry',
// The portal is served over plain HTTP on a non-localhost origin (http://self-service) inside the
// compose network, so it is NOT a secure context — and Web Crypto (`crypto.subtle`) is undefined
// there. angular-auth-oidc-client needs SubtleCrypto to build the PKCE code challenge, so
// `authorize()` throws and the login redirect never fires (the login form never appears). In
// production the portal runs behind HTTPS, where this works. Rather than terminate TLS in the
// throwaway e2e stack, tell Chromium to treat this origin as secure — which faithfully emulates
// the production HTTPS context. This flag is only honoured by the full Chromium build (new
// headless), not Playwright's default headless-shell, so pin `channel: 'chromium'`.
channel: 'chromium',
launchOptions: { args: [`--unsafely-treat-insecure-origin-as-secure=${baseURL}`] },
},
projects: [{ name: 'chromium', use: { ...devices['Desktop Chrome'] } }],
});