From ea6b727e44224625f3b744de9070360c83d3a010 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Sun, 22 Mar 2026 19:59:27 +0100
Subject: [PATCH] test(e2e): verify login establishes a working API session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guards against regressions where the session cookie is set but
the backend rejects it — a URL redirect alone is not enough.

Refs #48
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/e2e/auth.spec.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/frontend/e2e/auth.spec.ts b/frontend/e2e/auth.spec.ts
index 06c290f4..5e38e15b 100644
--- a/frontend/e2e/auth.spec.ts
+++ b/frontend/e2e/auth.spec.ts
@@ -48,6 +48,15 @@ test.describe('Authentication', () => {
 		await page.screenshot({ path: 'test-results/e2e/login-success.png' });
 	});
 
+	test('login establishes a session that authenticates API calls', async ({ page }) => {
+		// Guards against regressions where the session cookie is set but broken —
+		// a working URL redirect is not enough evidence that auth works end-to-end.
+		await login(page);
+		const response = await page.request.get('/api/users/me');
+		expect(response.ok()).toBe(true);
+		await page.screenshot({ path: 'test-results/e2e/auth-session-valid.png' });
+	});
+
 	test('logout clears the session and redirects to /login', async ({ page }) => {
 		await login(page);
 		// Logout is inside the user avatar dropdown — open it first