From f30847d15e4b86671829ffd3ece180e18414772f Mon Sep 17 00:00:00 2001 From: Zaid Marji Date: Sun, 24 May 2026 10:24:07 +0300 Subject: [PATCH] playwright: serve the test Vaultwarden over HTTPS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The bundled web vault refuses to submit registration and login requests over plain HTTP, surfacing "Insecure URL not allowed. All URLs must use HTTPS." in the UI. The Continue button is left `bit-aria-disable=true` and click handlers are no-ops, which manifests in tests as `locator.fill: timeout exceeded` deep into createAccount — diagnosed via DOM dump showing the error banner. Make the test Rocket server actually serve HTTPS: - Generate a self-signed cert in the Vaultwarden runtime image (separate RUN layer from the apt install so cert tweaks don't bust the deps layer cache). - Point `ROCKET_TLS` at the cert + key in test.env and the dev .env.template. - Switch DOMAIN to `https://localhost:${ROCKET_PORT}`. - Tell Playwright to ignore HTTPS errors on the self-signed cert (in both `playwright.config.ts` for test contexts and `global-utils.ts` for the manual context startVault uses to poll for vault readiness). Self-signed + `ignoreHTTPSErrors` is the idiomatic Playwright pattern for a local-only test target; importing a custom CA into each browser's profile would be substantially more invasive (Firefox uses NSS, Chromium has its own store) for no real-world fidelity gain.
---
playwright/.env.template | 3 ++- playwright/compose/warden/Dockerfile | 12 ++++++++++++ playwright/global-utils.ts | 2 +- playwright/playwright.config.ts | 1 + playwright/test.env | 3 ++- 5 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/playwright/.env.template b/playwright/.env.template
index a6696aab..44ddb739 100644
--- a/playwright/.env.template
+++ b/playwright/.env.template
@@ -39,7 +39,8 @@ DUMMY_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${DUMMY_REALM}
 ######################
 ROCKET_ADDRESS=0.0.0.0
 ROCKET_PORT=8000
-DOMAIN=http://localhost:${ROCKET_PORT}
+ROCKET_TLS={certs="/certs/cert.pem",key="/certs/key.pem"}
+DOMAIN=https://localhost:${ROCKET_PORT}
 LOG_LEVEL=info,oidcwarden::sso=debug
 I_REALLY_WANT_VOLATILE_STORAGE=true
diff --git a/playwright/compose/warden/Dockerfile b/playwright/compose/warden/Dockerfile
index e472d207..77360f0d 100644
--- a/playwright/compose/warden/Dockerfile
+++ b/playwright/compose/warden/Dockerfile
@@ -29,6 +29,18 @@ RUN mkdir /data && \
 openssl && \
 rm -rf /var/lib/apt/lists/*
+# Self-signed TLS cert for the test server. The bundled web vault refuses
+# to submit registration/login over HTTP ("Insecure URL not allowed");
+# Rocket needs a cert+key to serve HTTPS. Self-contained layer so cert
+# tweaks don't bust the apt-install layer above.
+RUN mkdir /certs && \
+ openssl req -x509 -nodes -newkey rsa:2048 \
+ -keyout /certs/key.pem \
+ -out /certs/cert.pem \
+ -days 3650 \
+ -subj "/CN=localhost" \
+ -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
 WORKDIR /
diff --git a/playwright/global-utils.ts b/playwright/global-utils.ts
index 224bb4b8..9aec2301 100644
--- a/playwright/global-utils.ts
+++ b/playwright/global-utils.ts
@@ -38,7 +38,7 @@ export async function waitFor(url: String, browser: Browser) {
 do {
 try {
- context = await browser.newContext();
+ context = await browser.newContext({ ignoreHTTPSErrors: true });
 const page = await context.newPage();
 await page.waitForTimeout(500);
 const result = await page.goto(url);
diff --git a/playwright/playwright.config.ts b/playwright/playwright.config.ts
index de721aa3..1256cd4d 100644
--- a/playwright/playwright.config.ts
+++ b/playwright/playwright.config.ts
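Review bot: The new `ROCKET_TLS` line in `playwright/.env.template` carries no comment saying that `/certs/cert.pem` and `/certs/key.pem` exist only inside the test image, where the `openssl req` layer of `playwright/compose/warden/Dockerfile` creates them. A developer who copies the template and runs the server from another image would presumably hit a missing-file failure with nothing pointing back here. I would add above it `# Self-signed test cert baked in by compose/warden/Dockerfile; keep DOMAIN on https:// while this is set`. The identical line added to `playwright/test.env` would take the same comment.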
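Review bot: The added `RUN mkdir /certs && openssl req ... -nodes -keyout /certs/key.pem` layer in `playwright/compose/warden/Dockerfile` stores an unencrypted private key in the image itself, so every container started from it, and anyone who can obtain the image, shares one key that stays valid for 3650 days. That is acceptable only while the image never leaves the local Playwright stack, and the comment above the layer should say so, for example `# Test-only key stored in the image layer: never push this image or reuse /certs elsewhere`. If the image is ever published, generating the pair at container start instead would keep key material out of the layers. Whether the runtime user can read `/certs/key.pem` depends on parts of the Dockerfile outside this hunk.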
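Review bot: `ignoreHTTPSErrors: true` in `waitFor` (`playwright/global-utils.ts`) is unconditional, so certificate validation is switched off for whatever `url` the caller passes, not only for the self-signed local vault. The same holds for the global `ignoreHTTPSErrors: true` added in `playwright/playwright.config.ts`, where `baseURL` comes from `process.env.DOMAIN`. If `DOMAIN` is ever pointed at a non-local host, an invalid or intercepted certificate would be accepted silently. I would gate the flag on the target host, e.g. `ignoreHTTPSErrors: new URL(url.toString()).hostname === 'localhost'`, or at minimum add the comment `// self-signed test cert (compose/warden/Dockerfile); local targets only` at both sites. The body of `waitFor` continues outside the hunk.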
@@ -35,6 +35,7 @@ export default defineConfig({
 /* Base URL to use in actions like `await page.goto('/')`. */
 baseURL: process.env.DOMAIN,
 browserName: 'firefox',
+ ignoreHTTPSErrors: true,
 locale: 'en-GB',
 timezoneId: 'Europe/London',
diff --git a/playwright/test.env b/playwright/test.env
index df182ebe..a6c8dbd4 100644
--- a/playwright/test.env
+++ b/playwright/test.env
@@ -52,7 +52,8 @@ DUMMY_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${DUMMY_REALM}
 # Vaultwarden Config #
 ######################
 ROCKET_PORT=8003
-DOMAIN=http://localhost:${ROCKET_PORT}
+ROCKET_TLS={certs="/certs/cert.pem",key="/certs/key.pem"}
+DOMAIN=https://localhost:${ROCKET_PORT}
 LOG_LEVEL=info,oidcwarden::sso=debug
 LOGIN_RATELIMIT_MAX_BURST=100
 ADMIN_TOKEN=admin