From 76055b622bb59d38a6220786706e8f3b045278eb Mon Sep 17 00:00:00 2001 From: kolaente Date: Tue, 21 Apr 2026 11:06:44 +0200 Subject: [PATCH] test(e2e): assert session delete breaks refresh --- .../tests/e2e/user/settings/sessions.spec.ts | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/frontend/tests/e2e/user/settings/sessions.spec.ts b/frontend/tests/e2e/user/settings/sessions.spec.ts index 222d06dbb..841b78a4b 100644 --- a/frontend/tests/e2e/user/settings/sessions.spec.ts +++ b/frontend/tests/e2e/user/settings/sessions.spec.ts @@ -1,5 +1,5 @@ import {test, expect} from '../../../support/fixtures' -import {SessionFactory} from '../../../factories/session' +import {SessionFactory, hashSessionToken} from '../../../factories/session' import {gotoUserSettings} from '../../../support/userSettings' test.describe('Sessions', () => { @@ -20,4 +20,29 @@ test.describe('Sessions', () => { await expect(page.locator('.tag.is-primary')).toContainText('Current') await expect(page.locator('tr', {hasText: 'Firefox on Linux'})).toContainText('192.0.2.5') }) + + test('revoking a session breaks its refresh token', async ({ + authenticatedPage: page, currentUser, apiContext, + }) => { + const rawToken = 'fixed-refresh-token-for-test-12345678901234567890' + await SessionFactory.create(1, { + user_id: currentUser.id, + token_hash: hashSessionToken(rawToken), + ip_address: '192.0.2.5', + device_info: 'Firefox on Linux', + }, false) + + await gotoUserSettings(page, 'sessions') + await page.locator('tr', {hasText: /192\.0\.2\.5/}) + .getByRole('button', {name: 'Delete'}).click() + await page.locator('dialog[open] .modal-content .actions .button').filter({hasText: 'Do it!'}).click() + await expect(page.locator('table.table tbody tr')).toHaveCount(1) + + // After revoke, the refresh request must fail. Refresh tokens live in the + // vikunja_refresh_token cookie, not as a Bearer credential. + const after = await apiContext.post('user/token/refresh', { + headers: {Cookie: `vikunja_refresh_token=${rawToken}`}, + }) + expect(after.status()).toBe(401) + }) })