bert.hausmans/flashcards
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(auth): non-blocking follow-ups from final review

Browse Source 
- /api/stats: add verifyCsrf middleware (defense-in-depth; no-op for GETs)
- VerifyEmailPage: useRef guard to prevent React StrictMode double-fire of
  the single-use verify token in dev
- router.tsx: route-level code splitting via React.lazy + Suspense; initial
  bundle drops from 397 KB to 224 KB with per-route chunks (0.3–14 KB each)
- e2e: wait for verify-email completion before login; bump Account-menu
  timeout to handle Vite cold-chunk compile
This commit is contained in:
Bert Hausmans
2026-05-20 23:27:52 +02:00
parent 5739b6d941
commit e27c1ca06c
5 changed files with 80 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
e2e/auth.spec.ts
View File

@@ -26,12 +26,14 @@ test('admin invites user; user accepts and logs in', async ({ page }) => {
await page.getByRole('button', { name: /Account aanmaken/ }).click();
await expect(page.getByText(/bevestigingsmail/i)).toBeVisible();
await page.goto(await fetchLink(adminEmail, 'verify-email'));
await expect(page.getByRole('link', { name: 'Naar inloggen' })).toBeVisible({ timeout: 10_000 });
await page.goto('/login');
await page.getByLabel(/E-mailadres/).fill(adminEmail);
await page.getByLabel(/Wachtwoord/).fill(adminPw);
await page.getByRole('button', { name: 'Inloggen' }).click();
await expect(page.getByRole('button', { name: 'Account menu' })).toBeVisible();
// Cold Vite chunks can take a few seconds to compile on the first run.
await expect(page.getByRole('button', { name: 'Account menu' })).toBeVisible({ timeout: 15_000 });
await page.goto('/admin/users');
const inviteeEmail = `invitee+${Date.now()}@example.com`;

8
e2e/smoke.spec.ts
View File

@@ -27,16 +27,14 @@ test('register → verify → login → create lesson → add card → practice
const link = await fetchVerifyLink(email);
await page.goto(link);
// Verify endpoint is called on mount; React StrictMode in dev triggers it twice
// (second call fails because token is already consumed). The DB is updated by
// the first call, so we can safely proceed regardless of UI state.
await expect(page.getByRole('heading', { name: 'E-mailverificatie' })).toBeVisible();
// Wait for the verify POST to finish before logging in.
await expect(page.getByRole('link', { name: 'Naar inloggen' })).toBeVisible({ timeout: 10_000 });
await page.goto('/login');
await page.getByLabel(/E-mailadres/).fill(email);
await page.getByLabel(/Wachtwoord/).fill(password);
await page.getByRole('button', { name: 'Inloggen' }).click();
await expect(page.getByRole('button', { name: 'Account menu' })).toBeVisible();
await expect(page.getByRole('button', { name: 'Account menu' })).toBeVisible({ timeout: 15_000 });
await page.goto('/admin');
await page.getByPlaceholder(/Nieuwe wortel-les/).fill('E2E les');