Restructure solution layout by module

src/Web/StellaOps.Web/tests/e2e/auth.spec.ts

@@ -0,0 +1,79 @@
+import { expect, test } from '@playwright/test';
+
+const mockConfig = {
+  authority: {
+    issuer: 'https://authority.local',
+    clientId: 'stellaops-ui',
+    authorizeEndpoint: 'https://authority.local/connect/authorize',
+    tokenEndpoint: 'https://authority.local/connect/token',
+    logoutEndpoint: 'https://authority.local/connect/logout',
+    redirectUri: 'http://127.0.0.1:4400/auth/callback',
+    postLogoutRedirectUri: 'http://127.0.0.1:4400/',
+    scope:
+      'openid profile email ui.read authority:tenants.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read orch:read vuln:read',
+    audience: 'https://scanner.local',
+    dpopAlgorithms: ['ES256'],
+    refreshLeewaySeconds: 60,
+  },
+  apiBaseUrls: {
+    authority: 'https://authority.local',
+    scanner: 'https://scanner.local',
+    policy: 'https://scanner.local',
+    concelier: 'https://concelier.local',
+    attestor: 'https://attestor.local',
+  },
+};
+
+test.beforeEach(async ({ page }) => {
+  page.on('console', (message) => {
+    // bubble up browser logs for debugging
+    console.log('[browser]', message.type(), message.text());
+  });
+  page.on('pageerror', (error) => {
+    console.log('[pageerror]', error.message);
+  });
+  await page.addInitScript(() => {
+    // Capture attempted redirects so the test can assert against them.
+    (window as any).__stellaopsAssignedUrls = [];
+    const originalAssign = window.location.assign.bind(window.location);
+    window.location.assign = (url: string | URL) => {
+      (window as any).__stellaopsAssignedUrls.push(url.toString());
+    };
+
+    window.sessionStorage.clear();
+  });
+  await page.route('**/config.json', (route) =>
+    route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify(mockConfig),
+    })
+  );
+  await page.route('https://authority.local/**', (route) => route.abort());
+});
+
+test('sign-in flow builds Authority authorization URL', async ({ page }) => {
+  await page.goto('/');
+  const signInButton = page.getByRole('button', { name: /sign in/i });
+  await expect(signInButton).toBeVisible();
+  const [request] = await Promise.all([
+    page.waitForRequest('https://authority.local/connect/authorize*'),
+    signInButton.click(),
+  ]);
+
+  const authorizeUrl = new URL(request.url());
+  expect(authorizeUrl.origin).toBe('https://authority.local');
+  expect(authorizeUrl.pathname).toBe('/connect/authorize');
+  expect(authorizeUrl.searchParams.get('client_id')).toBe('stellaops-ui');
+
+});
+
+test('callback without pending state surfaces error message', async ({ page }) => {
+  await page.route('https://authority.local/**', (route) =>
+    route.fulfill({ status: 400, body: 'blocked' })
+  );
+  await page.goto('/auth/callback?code=test-code&state=missing');
+  await expect(
+    page.getByText('We were unable to complete the sign-in flow. Please try again.')
+  ).toBeVisible({ timeout: 10000 });
+});