fix(security): close comment IDOR, unify lockout policy, extend CSRF …#101
Merged
Annotations
10 errors and 1 notice
Run Playwright e2e (api + ui projects):
frontend/e2e/ui/_helpers.ts#L65
4) [ui] › e2e/ui/auth-login.ui.spec.ts:28:7 › auth login (browser) › a verified user can log in and reach the authenticated app
Error: register e2e-ui-login-1781202097515-72s7s2zl@example.test
expect(received).toBeTruthy()
Received: false
at ui/_helpers.ts:65
63 | data: { email, password: UI_PASSWORD, confirmPassword: UI_PASSWORD, firstName, lastName },
64 | });
> 65 | expect(response.ok(), `register ${email}`).toBeTruthy();
| ^
66 | const body = await response.json();
67 | const userId: string = body.userId ?? body.UserId;
68 |
at registerVerifiedUser (/home/runner/work/Planora/Planora/frontend/e2e/ui/_helpers.ts:65:48)
at /home/runner/work/Planora/Planora/frontend/e2e/ui/auth-login.ui.spec.ts:29:18
Run Playwright e2e (api + ui projects):
frontend/e2e/ui/auth-forgot-password.ui.spec.ts#L46
3) [ui] › e2e/ui/auth-forgot-password.ui.spec.ts:37:7 › auth forgot-password (browser) › an unregistered email still resolves to the success state (anti-enumeration)
Retry #2 ───────────────────────────────────────────────────────────────────────────────────────
Error: expect(locator).toBeVisible() failed
Locator: getByText(/password reset link has been sent/i)
Expected: visible
Timeout: 10000ms
Error: element(s) not found
Call log:
- Expect "toBeVisible" with timeout 10000ms
- waiting for getByText(/password reset link has been sent/i)
44 | // The same success banner appears for unknown emails.
45 | await expect(page.getByText(/password reset link has been sent/i))
> 46 | .toBeVisible({ timeout: 10_000 });
| ^
47 | });
48 | });
49 |
at /home/runner/work/Planora/Planora/frontend/e2e/ui/auth-forgot-password.ui.spec.ts:46:8
Run Playwright e2e (api + ui projects):
frontend/e2e/ui/auth-forgot-password.ui.spec.ts#L46
3) [ui] › e2e/ui/auth-forgot-password.ui.spec.ts:37:7 › auth forgot-password (browser) › an unregistered email still resolves to the success state (anti-enumeration)
Retry #1 ───────────────────────────────────────────────────────────────────────────────────────
Error: expect(locator).toBeVisible() failed
Locator: getByText(/password reset link has been sent/i)
Expected: visible
Timeout: 10000ms
Error: element(s) not found
Call log:
- Expect "toBeVisible" with timeout 10000ms
- waiting for getByText(/password reset link has been sent/i)
44 | // The same success banner appears for unknown emails.
45 | await expect(page.getByText(/password reset link has been sent/i))
> 46 | .toBeVisible({ timeout: 10_000 });
| ^
47 | });
48 | });
49 |
at /home/runner/work/Planora/Planora/frontend/e2e/ui/auth-forgot-password.ui.spec.ts:46:8
Run Playwright e2e (api + ui projects):
frontend/e2e/ui/auth-forgot-password.ui.spec.ts#L46
3) [ui] › e2e/ui/auth-forgot-password.ui.spec.ts:37:7 › auth forgot-password (browser) › an unregistered email still resolves to the success state (anti-enumeration)
Error: expect(locator).toBeVisible() failed
Locator: getByText(/password reset link has been sent/i)
Expected: visible
Timeout: 10000ms
Error: element(s) not found
Call log:
- Expect "toBeVisible" with timeout 10000ms
- waiting for getByText(/password reset link has been sent/i)
44 | // The same success banner appears for unknown emails.
45 | await expect(page.getByText(/password reset link has been sent/i))
> 46 | .toBeVisible({ timeout: 10_000 });
| ^
47 | });
48 | });
49 |
at /home/runner/work/Planora/Planora/frontend/e2e/ui/auth-forgot-password.ui.spec.ts:46:8
Run Playwright e2e (api + ui projects):
frontend/e2e/ui/_helpers.ts#L65
2) [ui] › e2e/ui/auth-forgot-password.ui.spec.ts:23:7 › auth forgot-password (browser) › a registered user sees the success state after requesting a reset link
Retry #2 ───────────────────────────────────────────────────────────────────────────────────────
Error: register e2e-ui-forgot-1781202053294-1v1flnkp@example.test
expect(received).toBeTruthy()
Received: false
at ui/_helpers.ts:65
63 | data: { email, password: UI_PASSWORD, confirmPassword: UI_PASSWORD, firstName, lastName },
64 | });
> 65 | expect(response.ok(), `register ${email}`).toBeTruthy();
| ^
66 | const body = await response.json();
67 | const userId: string = body.userId ?? body.UserId;
68 |
at registerVerifiedUser (/home/runner/work/Planora/Planora/frontend/e2e/ui/_helpers.ts:65:48)
at /home/runner/work/Planora/Planora/frontend/e2e/ui/auth-forgot-password.ui.spec.ts:24:18
Run Playwright e2e (api + ui projects):
frontend/e2e/ui/_helpers.ts#L65
2) [ui] › e2e/ui/auth-forgot-password.ui.spec.ts:23:7 › auth forgot-password (browser) › a registered user sees the success state after requesting a reset link
Retry #1 ───────────────────────────────────────────────────────────────────────────────────────
Error: register e2e-ui-forgot-1781202052196-2qvlh3zb@example.test
expect(received).toBeTruthy()
Received: false
at ui/_helpers.ts:65
63 | data: { email, password: UI_PASSWORD, confirmPassword: UI_PASSWORD, firstName, lastName },
64 | });
> 65 | expect(response.ok(), `register ${email}`).toBeTruthy();
| ^
66 | const body = await response.json();
67 | const userId: string = body.userId ?? body.UserId;
68 |
at registerVerifiedUser (/home/runner/work/Planora/Planora/frontend/e2e/ui/_helpers.ts:65:48)
at /home/runner/work/Planora/Planora/frontend/e2e/ui/auth-forgot-password.ui.spec.ts:24:18
Run Playwright e2e (api + ui projects):
frontend/e2e/ui/_helpers.ts#L65
2) [ui] › e2e/ui/auth-forgot-password.ui.spec.ts:23:7 › auth forgot-password (browser) › a registered user sees the success state after requesting a reset link
Error: register e2e-ui-forgot-1781202051124-6tze7xi9@example.test
expect(received).toBeTruthy()
Received: false
at ui/_helpers.ts:65
63 | data: { email, password: UI_PASSWORD, confirmPassword: UI_PASSWORD, firstName, lastName },
64 | });
> 65 | expect(response.ok(), `register ${email}`).toBeTruthy();
| ^
66 | const body = await response.json();
67 | const userId: string = body.userId ?? body.UserId;
68 |
at registerVerifiedUser (/home/runner/work/Planora/Planora/frontend/e2e/ui/_helpers.ts:65:48)
at /home/runner/work/Planora/Planora/frontend/e2e/ui/auth-forgot-password.ui.spec.ts:24:18
Run Playwright e2e (api + ui projects):
frontend/e2e/auth-todos-sharing-hidden.api.spec.ts#L279
1) [api] › e2e/auth-todos-sharing-hidden.api.spec.ts:22:5 › auth, sharing, todos and hidden viewer preferences work through the API gateway
Retry #2 ───────────────────────────────────────────────────────────────────────────────────────
Error: owner registers failed with 403: {"error":"CSRF_VALIDATION_FAILED","message":"CSRF token validation failed"}
277 | async function expectOk(response: APIResponse, action: string) {
278 | if (!response.ok()) {
> 279 | throw new Error(`${action} failed with ${response.status()}: ${await response.text()}`);
| ^
280 | }
281 | }
282 |
at expectOk (/home/runner/work/Planora/Planora/frontend/e2e/auth-todos-sharing-hidden.api.spec.ts:279:11)
at registerUser (/home/runner/work/Planora/Planora/frontend/e2e/auth-todos-sharing-hidden.api.spec.ts:147:3)
at /home/runner/work/Planora/Planora/frontend/e2e/auth-todos-sharing-hidden.api.spec.ts:23:17
Run Playwright e2e (api + ui projects):
frontend/e2e/auth-todos-sharing-hidden.api.spec.ts#L279
1) [api] › e2e/auth-todos-sharing-hidden.api.spec.ts:22:5 › auth, sharing, todos and hidden viewer preferences work through the API gateway
Retry #1 ───────────────────────────────────────────────────────────────────────────────────────
Error: owner registers failed with 403: {"error":"CSRF_VALIDATION_FAILED","message":"CSRF token validation failed"}
277 | async function expectOk(response: APIResponse, action: string) {
278 | if (!response.ok()) {
> 279 | throw new Error(`${action} failed with ${response.status()}: ${await response.text()}`);
| ^
280 | }
281 | }
282 |
at expectOk (/home/runner/work/Planora/Planora/frontend/e2e/auth-todos-sharing-hidden.api.spec.ts:279:11)
at registerUser (/home/runner/work/Planora/Planora/frontend/e2e/auth-todos-sharing-hidden.api.spec.ts:147:3)
at /home/runner/work/Planora/Planora/frontend/e2e/auth-todos-sharing-hidden.api.spec.ts:23:17
Run Playwright e2e (api + ui projects):
frontend/e2e/auth-todos-sharing-hidden.api.spec.ts#L279
1) [api] › e2e/auth-todos-sharing-hidden.api.spec.ts:22:5 › auth, sharing, todos and hidden viewer preferences work through the API gateway
Error: owner registers failed with 403: {"error":"CSRF_VALIDATION_FAILED","message":"CSRF token validation failed"}
277 | async function expectOk(response: APIResponse, action: string) {
278 | if (!response.ok()) {
> 279 | throw new Error(`${action} failed with ${response.status()}: ${await response.text()}`);
| ^
280 | }
281 | }
282 |
at expectOk (/home/runner/work/Planora/Planora/frontend/e2e/auth-todos-sharing-hidden.api.spec.ts:279:11)
at registerUser (/home/runner/work/Planora/Planora/frontend/e2e/auth-todos-sharing-hidden.api.spec.ts:147:3)
at /home/runner/work/Planora/Planora/frontend/e2e/auth-todos-sharing-hidden.api.spec.ts:23:17
Run Playwright e2e (api + ui projects)
10 failed
[api] › e2e/auth-todos-sharing-hidden.api.spec.ts:22:5 › auth, sharing, todos and hidden viewer preferences work through the API gateway
[ui] › e2e/ui/auth-forgot-password.ui.spec.ts:23:7 › auth forgot-password (browser) › a registered user sees the success state after requesting a reset link
[ui] › e2e/ui/auth-forgot-password.ui.spec.ts:37:7 › auth forgot-password (browser) › an unregistered email still resolves to the success state (anti-enumeration)
[ui] › e2e/ui/auth-login.ui.spec.ts:28:7 › auth login (browser) › a verified user can log in and reach the authenticated app
[ui] › e2e/ui/auth-login.ui.spec.ts:45:7 › auth login (browser) › an incorrect password leaves the user on the login page with an error
[ui] › e2e/ui/auth-register.ui.spec.ts:23:7 › auth register (browser) › a new visitor can create an account through the form
[ui] › e2e/ui/auth-reset-password.ui.spec.ts:30:7 › auth reset-password (browser) › a user can complete the forgot → reset → login loop end-to-end
[ui] › e2e/ui/auth-verify-email.ui.spec.ts:29:7 › auth verify-email (browser) › clicking the verification link from the query string auto-verifies and shows the success state
[ui] › e2e/ui/profile-update.ui.spec.ts:24:7 › profile update (browser) › a logged-in user can rename themselves and the change persists
[ui] › e2e/ui/tasks-page.ui.spec.ts:24:7 › tasks page (browser, post-login) › a logged-in user lands on /tasks and can open the create-task panel
2 passed (2.8m)