playwright: serve the test Vaultwarden over HTTPS

The bundled web vault refuses to submit registration and login requests over plain HTTP, surfacing "Insecure URL not allowed. All URLs must use HTTPS." in the UI. The Continue button is left `bit-aria-disable=true` and click handlers are no-ops, which manifests in tests as `locator.fill: timeout exceeded` deep into createAccount — diagnosed via DOM dump showing the error banner. Make the test Rocket server actually serve HTTPS: - Generate a self-signed cert in the Vaultwarden runtime image (separate RUN layer from the apt install so cert tweaks don't bust the deps layer cache). - Point `ROCKET_TLS` at the cert + key in test.env and the dev .env.template. - Switch DOMAIN to `https://localhost:${ROCKET_PORT}`. - Tell Playwright to ignore HTTPS errors on the self-signed cert (in both `playwright.config.ts` for test contexts and `global-utils.ts` for the manual context startVault uses to poll for vault readiness). Self-signed + `ignoreHTTPSErrors` is the idiomatic Playwright pattern for a local-only test target; importing a custom CA into each browser's profile would be substantially more invasive (Firefox uses NSS, Chromium has its own store) for no real-world fidelity gain.
3 weeks ago · f30847d15e
5 changed files with 18 additions and 3 deletions
--- a/playwright/.env.template
+++ b/playwright/.env.template
@ -39,7 +39,8 @@ DUMMY_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${DUMMY_REALM}
 ######################
 ROCKET_ADDRESS=0.0.0.0
 ROCKET_PORT=8000
-DOMAIN=http://localhost:${ROCKET_PORT}
+ROCKET_TLS={certs="/certs/cert.pem",key="/certs/key.pem"}
+DOMAIN=https://localhost:${ROCKET_PORT}
 LOG_LEVEL=info,oidcwarden::sso=debug
 I_REALLY_WANT_VOLATILE_STORAGE=true

--- a/playwright/compose/warden/Dockerfile
+++ b/playwright/compose/warden/Dockerfile
@ -29,6 +29,18 @@ RUN mkdir /data && \
        openssl && \
    rm -rf /var/lib/apt/lists/*

+# Self-signed TLS cert for the test server. The bundled web vault refuses
+# to submit registration/login over HTTP ("Insecure URL not allowed");
+# Rocket needs a cert+key to serve HTTPS. Self-contained layer so cert
+# tweaks don't bust the apt-install layer above.
+RUN mkdir /certs && \
+    openssl req -x509 -nodes -newkey rsa:2048 \
+        -keyout /certs/key.pem \
+        -out /certs/cert.pem \
+        -days 3650 \
+        -subj "/CN=localhost" \
+        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
 WORKDIR /
--- a/playwright/global-utils.ts
+++ b/playwright/global-utils.ts
@ -38,7 +38,7 @@ export async function waitFor(url: String, browser: Browser) {

    do {
        try {
-            context = await browser.newContext();
+            context = await browser.newContext({ ignoreHTTPSErrors: true });
            const page = await context.newPage();
            await page.waitForTimeout(500);
            const result = await page.goto(url);
--- a/playwright/playwright.config.ts
+++ b/playwright/playwright.config.ts
@ -35,6 +35,7 @@ export default defineConfig({
        /* Base URL to use in actions like `await page.goto('/')`. */
        baseURL: process.env.DOMAIN,
        browserName: 'firefox',
+        ignoreHTTPSErrors: true,
        locale: 'en-GB',
        timezoneId: 'Europe/London',

--- a/playwright/test.env
+++ b/playwright/test.env
@ -52,7 +52,8 @@ DUMMY_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${DUMMY_REALM}
 # Vaultwarden Config #
 ######################
 ROCKET_PORT=8003
-DOMAIN=http://localhost:${ROCKET_PORT}
+ROCKET_TLS={certs="/certs/cert.pem",key="/certs/key.pem"}
+DOMAIN=https://localhost:${ROCKET_PORT}
 LOG_LEVEL=info,oidcwarden::sso=debug
 LOGIN_RATELIMIT_MAX_BURST=100
 ADMIN_TOKEN=admin