marcel/familienarchiv
1
0
Fork 0
Code Issues 118 Pull Requests 2 Actions 4 Packages Projects Releases Wiki Activity

test(e2e): close coverage gaps — mutation flows, profile, admin #48

New Issue
Closed
opened 2026-03-22 19:34:31 +01:00 by marcel · 0 comments
marcel commented 2026-03-22 19:34:31 +01:00
Owner
Copy Link

Background

A login regression (commit 8f5c13f) was not caught by the E2E suite because the tests were never enforced before push. The bug — handleFetch returning 401 when no auth_token cookie was present, blocking the login action's own credential-validation request — would have been caught immediately by auth.spec.ts had the suite been run. The fix: add a pre-push hook (see companion commit).

A full audit of the app against the existing E2E specs also revealed significant gaps in mutation flows, the profile feature, and the new admin routes.

Coverage gaps

Auth

  • Login sets a working session — after login(), make an authenticated API call (e.g. GET /api/users/me) and assert 200 OK. Currently auth.spec.ts only checks the URL changed to /; a broken cookie would still pass that assertion.

Documents

  • Create a document — fill in the new-document form, submit, assert redirect to the detail page and that the title appears
  • Edit document and save — open an existing document's edit page, change the title, save, assert the new title is shown on the detail page
  • Upload a file — attach a PDF/image, submit, assert the file preview or download link appears

Persons

  • Create a new person — fill in first + last name, submit, assert redirect to detail page and name appears

Profile

  • View profile page — navigate to /profile, assert own username/fields are shown
  • Update profile fields — change first name, save, assert the updated name appears (e.g. in the nav avatar)
  • Change password (success) — enter correct current password + new password, save, assert success message, then verify login with new password works
  • Change password (wrong current) — enter wrong current password, assert error message is shown

Admin

  • Admin dashboard accessible — navigate to /admin, assert the three tabs (Benutzer, Gruppen, Schlagworte) are visible
  • Create user via /admin/users/new — fill all fields, submit, assert redirect and new user appears in the list
  • Edit user via /admin/users/[id] — change a profile field, save, assert success message
  • Admin password reset — set a new password for another user without entering the current password, assert the user can log in with the new password
  • Delete user — delete a non-admin user, assert they no longer appear in the list
  • Create / edit / delete group — full CRUD cycle for a group
  • Edit / delete tag — rename a tag, assert the new name appears on a document that used it

Permissions

  • Read-only user cannot see write controls — log in as a read-only user, assert "Neues Dokument", "Neue Person", and edit buttons are absent

Notes

  • Auth tests already cover wrong credentials, redirect, and logout — those stay as-is.
  • For destructive tests (delete user/tag), consider a dedicated test user/data fixture or restore state in afterEach.
  • The auth.setup.ts session trick already shows the right pattern for re-using login state; mutation tests should build on that.
## Background A login regression (commit `8f5c13f`) was not caught by the E2E suite because the tests were never enforced before push. The bug — `handleFetch` returning 401 when no `auth_token` cookie was present, blocking the login action's own credential-validation request — would have been caught immediately by `auth.spec.ts` had the suite been run. The fix: add a pre-push hook (see companion commit). A full audit of the app against the existing E2E specs also revealed significant gaps in mutation flows, the profile feature, and the new admin routes. --- ## Coverage gaps ### Auth - [ ] **Login sets a working session** — after `login()`, make an authenticated API call (e.g. `GET /api/users/me`) and assert `200 OK`. Currently `auth.spec.ts` only checks the URL changed to `/`; a broken cookie would still pass that assertion. ### Documents - [ ] **Create a document** — fill in the new-document form, submit, assert redirect to the detail page and that the title appears - [ ] **Edit document and save** — open an existing document's edit page, change the title, save, assert the new title is shown on the detail page - [ ] **Upload a file** — attach a PDF/image, submit, assert the file preview or download link appears ### Persons - [ ] **Create a new person** — fill in first + last name, submit, assert redirect to detail page and name appears ### Profile - [ ] **View profile page** — navigate to `/profile`, assert own username/fields are shown - [ ] **Update profile fields** — change first name, save, assert the updated name appears (e.g. in the nav avatar) - [ ] **Change password (success)** — enter correct current password + new password, save, assert success message, then verify login with new password works - [ ] **Change password (wrong current)** — enter wrong current password, assert error message is shown ### Admin - [ ] **Admin dashboard accessible** — navigate to `/admin`, assert the three tabs (Benutzer, Gruppen, Schlagworte) are visible - [ ] **Create user via `/admin/users/new`** — fill all fields, submit, assert redirect and new user appears in the list - [ ] **Edit user via `/admin/users/[id]`** — change a profile field, save, assert success message - [ ] **Admin password reset** — set a new password for another user without entering the current password, assert the user can log in with the new password - [ ] **Delete user** — delete a non-admin user, assert they no longer appear in the list - [ ] **Create / edit / delete group** — full CRUD cycle for a group - [ ] **Edit / delete tag** — rename a tag, assert the new name appears on a document that used it ### Permissions - [ ] **Read-only user cannot see write controls** — log in as a read-only user, assert "Neues Dokument", "Neue Person", and edit buttons are absent --- ## Notes - Auth tests already cover wrong credentials, redirect, and logout — those stay as-is. - For destructive tests (delete user/tag), consider a dedicated test user/data fixture or restore state in `afterEach`. - The `auth.setup.ts` session trick already shows the right pattern for re-using login state; mutation tests should build on that.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
P0-critical
Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.
 P1-high
Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.
 P2-medium
Noticeable improvement; doesn't block anything; schedule opportunistically.
 P3-later
Cosmetic or parking-lot work; fine to stay open indefinitely.
 audit
Read-only audit / assessment work; produces a report rather than changing code
 bug
Something isn't working
 cleanup
Removal of dead code, vague comments, naming violations, and scratch artifacts
 collaboration
We want to extend the family archive to have more collaboration tools
 conversation
descoped
We will do that later
 devops
documentation
README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs
 epic
Marker for epic-level issues that group multiple child issues
 feature
file-upload
legibility
Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction
 notification
person
phase-1: security
Security hygiene — must be done first
 phase-2: container-images
Production-ready multi-stage Docker images
 phase-3: prod-compose
Production compose overlay + Caddy reverse proxy
 phase-4: spring-prod-profile
Spring Boot production configuration profile
 phase-5: backups
Database and object storage backup strategy
 phase-6: deployment-docs
.env.example, DEPLOYMENT.md, runbook
 phase-7: monitoring
Prometheus, Loki, Grafana, Alertmanager
 refactor
Code restructuring without behaviour change
 security
test
ui
UI/UX and accessibility issues
 user
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Jens marcel
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: marcel/familienarchiv#48
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?