topaLE/vaultwarden - vaultwarden - Gitea: Git with a cup of tea

Author	SHA1	Message	Date
Zaid Marji	9186ec245b	playwright: fix stale org-nav selectors against bundled web vault The product-switch links in the side nav ("Password Manager", "Admin Console", "Members") are icon-only on the current bundled web vault — the link element carries the accessible name but no visible text content. `locator('a').filter({ hasText: '…' })` therefore matches nothing, and every spec that calls into `setups/orgs.ts` (org create, member invite, policy edit, …) times out before doing anything. Switch to `getByRole('link', { name: '…' })` for the three navs. "Admin Console" appears twice once an org exists (in both `bit-nav-logo` and `navigation-product-switcher`); `.first()` picks the visible one. The "Members" entry inside an org also moved from a `<div>` to a `<link>`, so the `locator('div').filter(...).nth(2)` selector is replaced with the same role-based selector. The org-switcher row has a hover tooltip that intercepts the click on the bundled vault, so the click is forced past the overlay. Verified empirically: with these changes, `organization.spec.ts` (1/1) and `sso_organization.spec.ts` (4/5; the remaining failure is an unrelated server-side master-password-policy enforcement issue) run green where they previously failed before any helper step.	3 weeks ago
Zaid Marji	c02ced432d	playwright: fix TOTP setup flow against bundled web vault The `activateTOTP` helper had three issues against the current bundled web vault (v2026.4.1): 1. The master-password reprompt's Continue button click was racing form validation: the form uses Angular's `updateOn: 'blur'` so clicking immediately after `fill()` saw an "invalid" form and the click was silently no-op. Submitting via `mpInput.press('Enter')` triggers the form's `ngSubmit` directly, which validates and submits in one go. 2. `getByLabel('Key').innerText()` was ambiguous: the same page has a `<bit-svg aria-label="Yubico OTP security key">` providers entry whose accessible name contains "Key" as a substring. Strict-mode violation on Firefox. Anchor with `{ exact: true }` to pick only the `<code aria-label="Key">` element holding the base32 secret. 3. After clicking "Turn on", the original code was effectively a no-op (`await page.getByRole('heading', { name: 'Turned on' })` creates a Locator without awaiting visibility), then clicked the "Close" button which is `bit-aria-disable=true` until the dialog finishes its transition. Chromium happens to tolerate the early click; Firefox doesn't. Wait for `networkidle` after Turn on so the activation request completes; drop the Close click because the dialog auto-closes on success on this web vault. `disableTOTP` got the same reprompt-via-Enter fix for parity. Verified empirically: with these changes, `login.spec.ts`'s `Authenticator 2fa` test passes on Firefox against bundled web-vault v2026.4.1.	3 weeks ago
Zaid Marji	c0589bbd74	playwright: fix stale Master password selectors against bundled web vault The bundled web vault dropped the "(required)" suffix from the master-password input's label text (it likely became a separate visual indicator). Every test that drives a master-password reprompt — account creation, TOTP setup, email-2FA setup, SSO master-password flows, organization-policy management — has been failing on the current bundled vault because `getByLabel('Master password (required)', { exact: true })` no longer matches anything. Two-line change in most files: switch to `getByLabel('Master password')`, matching the pattern that `logUser` (setups/user.ts:46) and `login.spec.ts:40` already use successfully. Substring matching is case-sensitive in Playwright, so the selector is unambiguous against the confirm-field ("Confirm master password" has a lowercase 'm'). `createAccount` step 2 (setups/user.ts) and `logNewUser` step 3 (setups/sso.ts) are special: the registration / "Join organisation" form has three labels matching "Master password" as a case-insensitive substring ("Master password\n(required)", "Confirm master password\n (required)" which matches because Playwright's substring match is case-insensitive in practice, and "Master password hint" which also matches). Anchor those two fields by their stable `formcontrolname` attribute (`newPassword` / `newPasswordConfirm`) instead of label text. Verified empirically: with these changes, both `login.spec.ts` (3/3: Account creation, Master password login, Authenticator 2fa) and `sso_login.spec.ts` (8/8 including SSO Account creation, SSO login, SSO login with TOTP 2fa, Non-SSO login fallback, SSO_ONLY, no SSO) run green against bundled web-vault v2026.4.1.	3 weeks ago
Timshel	0182567a62	Playwright against abitrary web-vault (#6380 ) * Playwright improvements * Playwright fix for the extension setup --------- Co-authored-by: Timshel <timshel@users.noreply.github.com>	7 months ago
Timshel	de808c5ad9	Fix Playwright docker (#6206 )	10 months ago
Timshel	cff6c2b3af	SSO using OpenID Connect (#3899 ) * Add SSO functionality using OpenID Connect Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> * Improvements and error handling * Stop rolling device token * Add playwright tests * Activate PKCE by default * Ensure result order when searching for sso_user * add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION * Toggle SSO button in scss * Base64 encode state before sending it to providers * Prevent disabled User from SSO login * Review fixes * Remove unused UserOrganization.invited_by_email * Split SsoUser::find_by_identifier_or_email * api::Accounts::verify_password add the policy even if it's ignored * Disable signups if SSO_ONLY is activated * Add verifiedDate to organizations::get_org_domain_sso_details * Review fixes * Remove OrganizationId guard from get_master_password_policy * Add wrapper type OIDCCode OIDCState OIDCIdentifier * Membership::confirm_user_invitations fix and tests * Allow set-password only if account is unitialized * Review fixes * Prevent accepting another user invitation * Log password change event on SSO account creation * Unify master password policy resolution * Upgrade openidconnect to 4.0.0 * Revert "Remove unused UserOrganization.invited_by_email" This reverts commit 548e19995e141314af98a10d170ea7371f02fab4. * Process org enrollment in accounts::post_set_password * Improve tests * Pass the claim invited_by_email in case it was not in db * Add Slack configuration hints * Fix playwright tests * Skip broken tests * Add sso identifier in admin user panel * Remove duplicate expiration check, add a log * Augment mobile refresh_token validity * Rauthy configuration hints * Fix playwright tests * Playwright upgrade and conf improvement * Playwright tests improvements * 2FA email and device creation change * Fix and improve Playwright tests * Minor improvements * Fix enforceOnLogin org policies * Run playwright sso tests against correct db * PKCE should now work with Zitadel * Playwright upgrade maildev to use MailBuffer.expect * Upgrades playwright tests deps * Check email_verified in id_token and user_info * Add sso verified endpoint for v2025.6.0 * Fix playwright tests * Create a separate sso_client * Upgrade openidconnect to 4.0.1 * Server settings for login fields toggle * Use only css for login fields * Fix playwright test * Review fix * More review fix * Perform same checks when setting kdf --------- Co-authored-by: Felix Eckhofer <felix@eckhofer.com> Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools> Co-authored-by: Stuart Heap <sheap13@gmail.com> Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud> Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com> Co-authored-by: Jacques B. <timshel@github.com> Co-authored-by: Timshel <timshel@480s>	10 months ago