Home A - Z
Page Index

An Otter Wiki
Properties 
category: design
tags: [testing, playwright, e2e, infrastructure]
last_updated: 2026-03-20
confidence: high

E2E Testing

End-to-end testing for robot.wtf using Playwright and a mock ATProto PDS.

Status: COMPLETE — 23 tests on main, deployed 2026-03-20.

Current State

23 passing E2E tests on main across 4 files, plus 294 unit tests.

Test files

test_login_flow.py (5 tests):

  1. Login page loads
  2. Client metadata endpoint serves valid ATProto OAuth metadata
  3. Full OAuth login flow (mock PDS → PAR → consent → callback → cookie)
  4. Logout clears cookie
  5. OAuth callback error shows flash (not 500)

test_auth_flows.py (4 tests):

  1. Auto-redirect when authenticated (visit /auth/login with valid cookie → /app/)
  2. Return-to URL preservation across OAuth redirect chain
  3. Login with handle (tests error handling for unresolvable mock handles)
  4. Unauthenticated access redirects to login with return_to

test_wiki_lifecycle.py (8 tests):

  1. Wiki creation form (slug/name → submit → redirect → MCP token visible)
  2. Wiki settings update (change display_name → flash → persists on reload)
  3. Wiki deletion with confirmation (expand danger zone → confirm slug → delete)
  4. MCP token regeneration (click regen → JS confirm → new token in flash)
  5. Dashboard redirects to existing wiki
  6. Wiki deletion wrong slug rejected (confirm mismatch → flash error → wiki survives)
  7. Wiki creation duplicate slug rejected
  8. Wiki creation invalid slug rejected (bypasses browser validation, tests server-side)
  9. Wiki settings steady state (no token flash, regenerate button present)

test_account.py (6 tests):

  1. Account page renders (displays DID, handle)
  2. Account deletion wrong confirmation (wrong handle → error flash)
  3. MCP consent page renders (client info, wiki name, approve/deny buttons)
  4. Account deletion (correct handle → cookie cleared → redirected)
  5. MCP consent deny redirects with error
  6. Wiki settings steady state page elements

Infrastructure

  • tests/e2e/mock_pds.py — In-process mock ATProto PDS with PKCE verification, thread-safe state
  • tests/e2e/conftest.py — Fixtures for single platform server, authenticated pages, wiki creation

Fixtures

  • platform_server (session): Starts consolidated Flask app in daemon thread on a free port
  • authenticated_page (function): Fresh browser context with valid platform_token cookie via direct JWT minting
  • wiki_fixture (function): Creates wiki directly in DB + filesystem, cleans up after test
  • destructive_page (function): Separate browser context for tests that destroy state
  • pds (session): Mock PDS in daemon thread
  • test_account (session): Test account on mock PDS

Production code changes for test mode

Gated by ALLOW_HTTP_PDS=true + FLASK_ENV=testing (RuntimeError at import if either is wrong):

  • app/auth/atproto_security.py_ALLOW_HTTP_PDS flag, loopback SSRF relaxation
  • app/auth/atproto_identity.pyPLC_DIRECTORY_URL read at request time, skip bidirectional handle verification
  • app/auth/atproto_oauth.py — Relax HTTPS/port assertions on auth server metadata
  • app/platform_server.py_SCHEME variable, conditional SESSION_COOKIE_SECURE, conditional cookie secure flag, rate limiter disabled in test mode, limiter GC strong-reference fix
  • app/db.pycheck_same_thread=False scoped to FLASK_ENV=testing

Bug fixes discovered during E2E work

  • resolve_did() SSRF: Upgraded from plain requests.get to hardened_http (pre-existing vulnerability, elevated by injectable PLC_DIRECTORY_URL)
  • Flask-Limiter GC: Limiter object garbage collected after create_app() returned due to weak references. Fixed with strong ref in app.config["_LIMITER"]

Architecture Notes

Mock PDS

The mock PDS (tests/e2e/mock_pds.py) implements the full ATProto OAuth flow:

  • Account creation/session management
  • OAuth AS metadata, protected resource metadata
  • PAR, authorize (HTML form), token exchange with PKCE S256 verification
  • DID document serving (acts as PLC directory)
  • Thread-safe global state with threading.Lock

All on 127.0.0.1 to avoid IPv6 resolution issues.

Test mode env vars

  • ALLOW_HTTP_PDS=true — relaxes SSRF protections for loopback HTTP (guarded by FLASK_ENV=testing)
  • PLC_DIRECTORY_URL — points at mock PDS for DID resolution (read at request time in resolve_did())
  • PLATFORM_DOMAIN=127.0.0.1:{port} — makes CLIENT_ID/REDIRECT_URI use HTTP
  • WIKI_TEMPLATE_DIR — pointed at nonexistent path for predictable fallback behavior

Future Directions (priority order)

1. Resolver permission tests (HIGH)

The TenantResolver is the only thing preventing cross-tenant access. No E2E test hits a wiki subdomain. The is_bearer_token bypass, _apply_wiki_access_restrictions, and the internal API key path are untested end-to-end. Requires routing to a second Host in the test environment (Playwright supports set_extra_http_headers).

2. Multi-user fixtures (HIGH)

Single test account means ownership isolation is untested. Add test_account_b (mock PDS already supports multiple accounts). Test: user B cannot access user A's wiki settings, user B gets appropriate access level on user A's wiki content.

3. Fix CI pipeline (HIGH, low effort)

Current ci.yml doesn't install Playwright browsers. Needs: playwright install chromium, separate unit/E2E jobs, browser caching (~/.cache/ms-playwright), --screenshot=only-on-failure artifacts, --timeout=60.

4. Infrastructure hardening (MEDIUM)

  • Port allocation race: bind-then-close gap before make_server. Pass bound socket directly.
  • Silent teardown: wiki_fixture swallows cleanup exceptions. Log them.
  • Session-scoped page fixture leaks state between tests.

The MCP server (otterwiki-mcp/ repo, separate from mcp_entry.py sidecar) has 12 real tools wrapping the REST API. E2E testing the full flow — consent → token → tool invocation — is feasible now. The consent HMAC signing is security-critical.

6. Rate limit enforcement (LOW)

One test: 6 rapid writes, assert 6th returns 429. Catches wiring bugs where the limiter is instantiated but never called.

7. Otterwiki integration (DEFERRED)

Full path: login → create wiki → visit subdomain → see content. Requires otterwiki installed in CI and subprocess management. Defer until CI infrastructure is more mature.