test(e2e): assert session delete breaks refresh

kolaente 2026-04-21 11:06:44 +02:00 committed by kolaente
parent cf9d0a26ab
commit 76055b622b
1 changed files with 26 additions and 1 deletions


@ -1,5 +1,5 @@
import {test, expect} from '../../../support/fixtures'
import {SessionFactory} from '../../../factories/session'
import {SessionFactory, hashSessionToken} from '../../../factories/session'
import {gotoUserSettings} from '../../../support/userSettings'
test.describe('Sessions', () => {
@ -20,4 +20,29 @@ test.describe('Sessions', () => {
await expect(page.locator('.tag.is-primary')).toContainText('Current')
await expect(page.locator('tr', {hasText: 'Firefox on Linux'})).toContainText('192.0.2.5')
})
test('revoking a session breaks its refresh token', async ({
authenticatedPage: page, currentUser, apiContext,
}) => {
const rawToken = 'fixed-refresh-token-for-test-12345678901234567890'
await SessionFactory.create(1, {
user_id: currentUser.id,
token_hash: hashSessionToken(rawToken),
ip_address: '192.0.2.5',
device_info: 'Firefox on Linux',
}, false)
await gotoUserSettings(page, 'sessions')
await page.locator('tr', {hasText: /192\.0\.2\.5/})
.getByRole('button', {name: 'Delete'}).click()
await page.locator('dialog[open] .modal-content .actions .button').filter({hasText: 'Do it!'}).click()
await expect(page.locator('table.table tbody tr')).toHaveCount(1)
// After revoke, the refresh request must fail. Refresh tokens live in the
// vikunja_refresh_token cookie, not as a Bearer credential.
const after = await apiContext.post('user/token/refresh', {
headers: {Cookie: `vikunja_refresh_token=${rawToken}`},
})
expect(after.status()).toBe(401)
})
})
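Review bot: The closing `expect(after.status()).toBe(401)` has no positive control, so the test passes whenever the seeded token is rejected for any reason, not only because the delete revoked it. Nothing in the visible lines shows `rawToken` ever being accepted; a mismatch between `hashSessionToken` and the server's hashing, a wrong cookie name, or a fixture row the server already treats as invalid would all produce the same 401. I would seed a second session with a different raw token and IP, leave it untouched, send the same `user/token/refresh` request for it after the delete, and assert `expect(control.ok()).toBeTruthy()`. Refreshing `rawToken` itself before the delete is simpler, but it would weaken the test if the endpoint rotates refresh tokens on use, which this page does not show. With a control row present, `toHaveCount(1)` would become 2, and it is worth also asserting that no remaining row contains `192.0.2.5`, so the check pins which session was removed rather than only how many are left.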