DHC
/
bmad-template
Obserwuj 4
Gwiazdka 0
Forkuj 0
Kod Problemy 0 Pull Requests 0 Wydania 0 Wiki Aktywność
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commity
2 Gałęzie
Gałąź: master
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z 'master'
${ noResults }
bmad-template/.workbuddy/skills/bmad-testarch-framework/resources/knowledge/email-auth.md

email-auth.md 24KB
Bezpośredni odnośnik Normal View Historia Czysty

增加workbuddy的支持
5 dni temu
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721 
  1. # Email-Based Authentication Testing

  2. 

  3. ## Principle

  4. 

  5. Email-based authentication (magic links, one-time codes, passwordless login) requires specialized testing with email capture services like Mailosaur or Ethereal. Extract magic links via HTML parsing or use built-in link extraction, preserve browser storage (local/session/cookies) when processing links, cache email payloads to avoid exhausting inbox quotas, and cover negative cases (expired links, reused links, multiple rapid requests). Log email IDs and links for troubleshooting, but scrub PII before committing artifacts.

  6. 

  7. ## Rationale

  8. 

  9. Email authentication introduces unique challenges: asynchronous email delivery, quota limits (AWS Cognito: 50/day), cost per email, and complex state management (session preservation across link clicks). Without proper patterns, tests become slow (wait for email each time), expensive (quota exhaustion), and brittle (timing issues, missing state). Using email capture services + session caching + state preservation patterns makes email auth tests fast, reliable, and cost-effective.

  10. 

  11. ## Pattern Examples

  12. 

  13. ### Example 1: Magic Link Extraction with Mailosaur

  14. 

  15. **Context**: Passwordless login flow where user receives magic link via email, clicks it, and is authenticated.

  16. 

  17. **Implementation**:

  18. 

  19. ```typescript

  20. // tests/e2e/magic-link-auth.spec.ts

  21. import { test, expect } from '@playwright/test';

  22. 

  23. /**

  24.  * Magic Link Authentication Flow

  25.  * 1. User enters email

  26.  * 2. Backend sends magic link

  27.  * 3. Test retrieves email via Mailosaur

  28.  * 4. Extract and visit magic link

  29.  * 5. Verify user is authenticated

  30.  */

  31. 

  32. // Mailosaur configuration

  33. const MAILOSAUR_API_KEY = process.env.MAILOSAUR_API_KEY!;

  34. const MAILOSAUR_SERVER_ID = process.env.MAILOSAUR_SERVER_ID!;

  35. 

  36. /**

  37.  * Extract href from HTML email body

  38.  * DOMParser provides XML/HTML parsing in Node.js

  39.  */

  40. function extractMagicLink(htmlString: string): string | null {

  41.   const { JSDOM } = require('jsdom');

  42.   const dom = new JSDOM(htmlString);

  43.   const link = dom.window.document.querySelector('#magic-link-button');

  44.   return link ? (link as HTMLAnchorElement).href : null;

  45. }

  46. 

  47. /**

  48.  * Alternative: Use Mailosaur's built-in link extraction

  49.  * Mailosaur automatically parses links - no regex needed!

  50.  */

  51. async function getMagicLinkFromEmail(email: string): Promise<string> {

  52.   const MailosaurClient = require('mailosaur');

  53.   const mailosaur = new MailosaurClient(MAILOSAUR_API_KEY);

  54. 

  55.   // Wait for email (timeout: 30 seconds)

  56.   const message = await mailosaur.messages.get(

  57.     MAILOSAUR_SERVER_ID,

  58.     {

  59.       sentTo: email,

  60.     },

  61.     {

  62.       timeout: 30000, // 30 seconds

  63.     },

  64.   );

  65. 

  66.   // Mailosaur extracts links automatically - no parsing needed!

  67.   const magicLink = message.html?.links?.[0]?.href;

  68. 

  69.   if (!magicLink) {

  70.     throw new Error(`Magic link not found in email to ${email}`);

  71.   }

  72. 

  73.   console.log(`📧 Email received. Magic link extracted: ${magicLink}`);

  74.   return magicLink;

  75. }

  76. 

  77. test.describe('Magic Link Authentication', () => {

  78.   test('should authenticate user via magic link', async ({ page, context }) => {

  79.     // Arrange: Generate unique test email

  80.     const randomId = Math.floor(Math.random() * 1000000);

  81.     const testEmail = `user-${randomId}@${MAILOSAUR_SERVER_ID}.mailosaur.net`;

  82. 

  83.     // Act: Request magic link

  84.     await page.goto('/login');

  85.     await page.getByTestId('email-input').fill(testEmail);

  86.     await page.getByTestId('send-magic-link').click();

  87. 

  88.     // Assert: Success message

  89.     await expect(page.getByTestId('check-email-message')).toBeVisible();

  90.     await expect(page.getByTestId('check-email-message')).toContainText('Check your email');

  91. 

  92.     // Retrieve magic link from email

  93.     const magicLink = await getMagicLinkFromEmail(testEmail);

  94. 

  95.     // Visit magic link

  96.     await page.goto(magicLink);

  97. 

  98.     // Assert: User is authenticated

  99.     await expect(page.getByTestId('user-menu')).toBeVisible();

  100.     await expect(page.getByTestId('user-email')).toContainText(testEmail);

  101. 

  102.     // Verify session storage preserved

  103.     const localStorage = await page.evaluate(() => JSON.stringify(window.localStorage));

  104.     expect(localStorage).toContain('authToken');

  105.   });

  106. 

  107.   test('should handle expired magic link', async ({ page }) => {

  108.     // Use pre-expired link (older than 15 minutes)

  109.     const expiredLink = 'http://localhost:3000/auth/verify?token=expired-token-123';

  110. 

  111.     await page.goto(expiredLink);

  112. 

  113.     // Assert: Error message displayed

  114.     await expect(page.getByTestId('error-message')).toBeVisible();

  115.     await expect(page.getByTestId('error-message')).toContainText('link has expired');

  116. 

  117.     // Assert: User NOT authenticated

  118.     await expect(page.getByTestId('user-menu')).not.toBeVisible();

  119.   });

  120. 

  121.   test('should prevent reusing magic link', async ({ page }) => {

  122.     const randomId = Math.floor(Math.random() * 1000000);

  123.     const testEmail = `user-${randomId}@${MAILOSAUR_SERVER_ID}.mailosaur.net`;

  124. 

  125.     // Request magic link

  126.     await page.goto('/login');

  127.     await page.getByTestId('email-input').fill(testEmail);

  128.     await page.getByTestId('send-magic-link').click();

  129. 

  130.     const magicLink = await getMagicLinkFromEmail(testEmail);

  131. 

  132.     // Visit link first time (success)

  133.     await page.goto(magicLink);

  134.     await expect(page.getByTestId('user-menu')).toBeVisible();

  135. 

  136.     // Sign out

  137.     await page.getByTestId('sign-out').click();

  138. 

  139.     // Try to reuse same link (should fail)

  140.     await page.goto(magicLink);

  141.     await expect(page.getByTestId('error-message')).toBeVisible();

  142.     await expect(page.getByTestId('error-message')).toContainText('link has already been used');

  143.   });

  144. });

  145. ```

  146. 

  147. **Cypress equivalent with Mailosaur plugin**:

  148. 

  149. ```javascript

  150. // cypress/e2e/magic-link-auth.cy.ts

  151. describe('Magic Link Authentication', () => {

  152.   it('should authenticate user via magic link', () => {

  153.     const serverId = Cypress.env('MAILOSAUR_SERVERID');

  154.     const randomId = Cypress._.random(1e6);

  155.     const testEmail = `user-${randomId}@${serverId}.mailosaur.net`;

  156. 

  157.     // Request magic link

  158.     cy.visit('/login');

  159.     cy.get('[data-cy="email-input"]').type(testEmail);

  160.     cy.get('[data-cy="send-magic-link"]').click();

  161.     cy.get('[data-cy="check-email-message"]').should('be.visible');

  162. 

  163.     // Retrieve and visit magic link

  164.     cy.mailosaurGetMessage(serverId, { sentTo: testEmail })

  165.       .its('html.links.0.href') // Mailosaur extracts links automatically!

  166.       .should('exist')

  167.       .then((magicLink) => {

  168.         cy.log(`Magic link: ${magicLink}`);

  169.         cy.visit(magicLink);

  170.       });

  171. 

  172.     // Verify authenticated

  173.     cy.get('[data-cy="user-menu"]').should('be.visible');

  174.     cy.get('[data-cy="user-email"]').should('contain', testEmail);

  175.   });

  176. });

  177. ```

  178. 

  179. **Key Points**:

  180. 

  181. - **Mailosaur auto-extraction**: `html.links[0].href` or `html.codes[0].value`

  182. - **Unique emails**: Random ID prevents collisions

  183. - **Negative testing**: Expired and reused links tested

  184. - **State verification**: localStorage/session checked

  185. - **Fast email retrieval**: 30 second timeout typical

  186. 

  187. ---

  188. 

  189. ### Example 2: State Preservation Pattern with cy.session / Playwright storageState

  190. 

  191. **Context**: Cache authenticated session to avoid requesting magic link on every test.

  192. 

  193. **Implementation**:

  194. 

  195. ```typescript

  196. // playwright/fixtures/email-auth-fixture.ts

  197. import { test as base } from '@playwright/test';

  198. import { getMagicLinkFromEmail } from '../support/mailosaur-helpers';

  199. 

  200. type EmailAuthFixture = {

  201.   authenticatedUser: { email: string; token: string };

  202. };

  203. 

  204. export const test = base.extend<EmailAuthFixture>({

  205.   authenticatedUser: async ({ page, context }, use) => {

  206.     const randomId = Math.floor(Math.random() * 1000000);

  207.     const testEmail = `user-${randomId}@${process.env.MAILOSAUR_SERVER_ID}.mailosaur.net`;

  208. 

  209.     // Check if we have cached auth state for this email

  210.     const storageStatePath = `./test-results/auth-state-${testEmail}.json`;

  211. 

  212.     try {

  213.       // Try to reuse existing session

  214.       await context.storageState({ path: storageStatePath });

  215.       await page.goto('/dashboard');

  216. 

  217.       // Validate session is still valid

  218.       const isAuthenticated = await page.getByTestId('user-menu').isVisible({ timeout: 2000 });

  219. 

  220.       if (isAuthenticated) {

  221.         console.log(`✅ Reusing cached session for ${testEmail}`);

  222.         await use({ email: testEmail, token: 'cached' });

  223.         return;

  224.       }

  225.     } catch (error) {

  226.       console.log(`📧 No cached session, requesting magic link for ${testEmail}`);

  227.     }

  228. 

  229.     // Request new magic link

  230.     await page.goto('/login');

  231.     await page.getByTestId('email-input').fill(testEmail);

  232.     await page.getByTestId('send-magic-link').click();

  233. 

  234.     // Get magic link from email

  235.     const magicLink = await getMagicLinkFromEmail(testEmail);

  236. 

  237.     // Visit link and authenticate

  238.     await page.goto(magicLink);

  239.     await expect(page.getByTestId('user-menu')).toBeVisible();

  240. 

  241.     // Extract auth token from localStorage

  242.     const authToken = await page.evaluate(() => localStorage.getItem('authToken'));

  243. 

  244.     // Save session state for reuse

  245.     await context.storageState({ path: storageStatePath });

  246. 

  247.     console.log(`💾 Cached session for ${testEmail}`);

  248. 

  249.     await use({ email: testEmail, token: authToken || '' });

  250.   },

  251. });

  252. ```

  253. 

  254. **Cypress equivalent with cy.session + data-session**:

  255. 

  256. ```javascript

  257. // cypress/support/commands/email-auth.js

  258. import { dataSession } from 'cypress-data-session';

  259. 

  260. /**

  261.  * Authenticate via magic link with session caching

  262.  * - First run: Requests email, extracts link, authenticates

  263.  * - Subsequent runs: Reuses cached session (no email)

  264.  */

  265. Cypress.Commands.add('authViaMagicLink', (email) => {

  266.   return dataSession({

  267.     name: `magic-link-${email}`,

  268. 

  269.     // First-time setup: Request and process magic link

  270.     setup: () => {

  271.       cy.visit('/login');

  272.       cy.get('[data-cy="email-input"]').type(email);

  273.       cy.get('[data-cy="send-magic-link"]').click();

  274. 

  275.       // Get magic link from Mailosaur

  276.       cy.mailosaurGetMessage(Cypress.env('MAILOSAUR_SERVERID'), {

  277.         sentTo: email,

  278.       })

  279.         .its('html.links.0.href')

  280.         .should('exist')

  281.         .then((magicLink) => {

  282.           cy.visit(magicLink);

  283.         });

  284. 

  285.       // Wait for authentication

  286.       cy.get('[data-cy="user-menu"]', { timeout: 10000 }).should('be.visible');

  287. 

  288.       // Preserve authentication state

  289.       return cy.getAllLocalStorage().then((storage) => {

  290.         return { storage, email };

  291.       });

  292.     },

  293. 

  294.     // Validate cached session is still valid

  295.     validate: (cached) => {

  296.       return cy.wrap(Boolean(cached?.storage));

  297.     },

  298. 

  299.     // Recreate session from cache (no email needed)

  300.     recreate: (cached) => {

  301.       // Restore localStorage

  302.       cy.setLocalStorage(cached.storage);

  303.       cy.visit('/dashboard');

  304.       cy.get('[data-cy="user-menu"]', { timeout: 5000 }).should('be.visible');

  305.     },

  306. 

  307.     shareAcrossSpecs: true, // Share session across all tests

  308.   });

  309. });

  310. ```

  311. 

  312. **Usage in tests**:

  313. 

  314. ```javascript

  315. // cypress/e2e/dashboard.cy.ts

  316. describe('Dashboard', () => {

  317.   const serverId = Cypress.env('MAILOSAUR_SERVERID');

  318.   const testEmail = `test-user@${serverId}.mailosaur.net`;

  319. 

  320.   beforeEach(() => {

  321.     // First test: Requests magic link

  322.     // Subsequent tests: Reuses cached session (no email!)

  323.     cy.authViaMagicLink(testEmail);

  324.   });

  325. 

  326.   it('should display user dashboard', () => {

  327.     cy.get('[data-cy="dashboard-content"]').should('be.visible');

  328.   });

  329. 

  330.   it('should show user profile', () => {

  331.     cy.get('[data-cy="user-email"]').should('contain', testEmail);

  332.   });

  333. 

  334.   // Both tests share same session - only 1 email consumed!

  335. });

  336. ```

  337. 

  338. **Key Points**:

  339. 

  340. - **Session caching**: First test requests email, rest reuse session

  341. - **State preservation**: localStorage/cookies saved and restored

  342. - **Validation**: Check cached session is still valid

  343. - **Quota optimization**: Massive reduction in email consumption

  344. - **Fast tests**: Cached auth takes seconds vs. minutes

  345. 

  346. ---

  347. 

  348. ### Example 3: Negative Flow Tests (Expired, Invalid, Reused Links)

  349. 

  350. **Context**: Comprehensive negative testing for email authentication edge cases.

  351. 

  352. **Implementation**:

  353. 

  354. ```typescript

  355. // tests/e2e/email-auth-negative.spec.ts

  356. import { test, expect } from '@playwright/test';

  357. import { getMagicLinkFromEmail } from '../support/mailosaur-helpers';

  358. 

  359. const MAILOSAUR_SERVER_ID = process.env.MAILOSAUR_SERVER_ID!;

  360. 

  361. test.describe('Email Auth Negative Flows', () => {

  362.   test('should reject expired magic link', async ({ page }) => {

  363.     // Generate expired link (simulate 24 hours ago)

  364.     const expiredToken = Buffer.from(

  365.       JSON.stringify({

  366.         email: 'test@example.com',

  367.         exp: Date.now() - 24 * 60 * 60 * 1000, // 24 hours ago

  368.       }),

  369.     ).toString('base64');

  370. 

  371.     const expiredLink = `http://localhost:3000/auth/verify?token=${expiredToken}`;

  372. 

  373.     // Visit expired link

  374.     await page.goto(expiredLink);

  375. 

  376.     // Assert: Error displayed

  377.     await expect(page.getByTestId('error-message')).toBeVisible();

  378.     await expect(page.getByTestId('error-message')).toContainText(/link.*expired|expired.*link/i);

  379. 

  380.     // Assert: Link to request new one

  381.     await expect(page.getByTestId('request-new-link')).toBeVisible();

  382. 

  383.     // Assert: User NOT authenticated

  384.     await expect(page.getByTestId('user-menu')).not.toBeVisible();

  385.   });

  386. 

  387.   test('should reject invalid magic link token', async ({ page }) => {

  388.     const invalidLink = 'http://localhost:3000/auth/verify?token=invalid-garbage';

  389. 

  390.     await page.goto(invalidLink);

  391. 

  392.     // Assert: Error displayed

  393.     await expect(page.getByTestId('error-message')).toBeVisible();

  394.     await expect(page.getByTestId('error-message')).toContainText(/invalid.*link|link.*invalid/i);

  395. 

  396.     // Assert: User not authenticated

  397.     await expect(page.getByTestId('user-menu')).not.toBeVisible();

  398.   });

  399. 

  400.   test('should reject already-used magic link', async ({ page, context }) => {

  401.     const randomId = Math.floor(Math.random() * 1000000);

  402.     const testEmail = `user-${randomId}@${MAILOSAUR_SERVER_ID}.mailosaur.net`;

  403. 

  404.     // Request magic link

  405.     await page.goto('/login');

  406.     await page.getByTestId('email-input').fill(testEmail);

  407.     await page.getByTestId('send-magic-link').click();

  408. 

  409.     const magicLink = await getMagicLinkFromEmail(testEmail);

  410. 

  411.     // Visit link FIRST time (success)

  412.     await page.goto(magicLink);

  413.     await expect(page.getByTestId('user-menu')).toBeVisible();

  414. 

  415.     // Sign out

  416.     await page.getByTestId('user-menu').click();

  417.     await page.getByTestId('sign-out').click();

  418.     await expect(page.getByTestId('user-menu')).not.toBeVisible();

  419. 

  420.     // Try to reuse SAME link (should fail)

  421.     await page.goto(magicLink);

  422. 

  423.     // Assert: Link already used error

  424.     await expect(page.getByTestId('error-message')).toBeVisible();

  425.     await expect(page.getByTestId('error-message')).toContainText(/already.*used|link.*used/i);

  426. 

  427.     // Assert: User not authenticated

  428.     await expect(page.getByTestId('user-menu')).not.toBeVisible();

  429.   });

  430. 

  431.   test('should handle rapid successive link requests', async ({ page }) => {

  432.     const randomId = Math.floor(Math.random() * 1000000);

  433.     const testEmail = `user-${randomId}@${MAILOSAUR_SERVER_ID}.mailosaur.net`;

  434. 

  435.     // Request magic link 3 times rapidly

  436.     for (let i = 0; i < 3; i++) {

  437.       await page.goto('/login');

  438.       await page.getByTestId('email-input').fill(testEmail);

  439.       await page.getByTestId('send-magic-link').click();

  440.       await expect(page.getByTestId('check-email-message')).toBeVisible();

  441.     }

  442. 

  443.     // Only the LATEST link should work

  444.     const MailosaurClient = require('mailosaur');

  445.     const mailosaur = new MailosaurClient(process.env.MAILOSAUR_API_KEY);

  446. 

  447.     const messages = await mailosaur.messages.list(MAILOSAUR_SERVER_ID, {

  448.       sentTo: testEmail,

  449.     });

  450. 

  451.     // Should receive 3 emails

  452.     expect(messages.items.length).toBeGreaterThanOrEqual(3);

  453. 

  454.     // Get the LATEST magic link

  455.     const latestMessage = messages.items[0]; // Most recent first

  456.     const latestLink = latestMessage.html.links[0].href;

  457. 

  458.     // Latest link works

  459.     await page.goto(latestLink);

  460.     await expect(page.getByTestId('user-menu')).toBeVisible();

  461. 

  462.     // Older links should NOT work (if backend invalidates previous)

  463.     await page.getByTestId('sign-out').click();

  464.     const olderLink = messages.items[1].html.links[0].href;

  465. 

  466.     await page.goto(olderLink);

  467.     await expect(page.getByTestId('error-message')).toBeVisible();

  468.   });

  469. 

  470.   test('should rate-limit excessive magic link requests', async ({ page }) => {

  471.     const randomId = Math.floor(Math.random() * 1000000);

  472.     const testEmail = `user-${randomId}@${MAILOSAUR_SERVER_ID}.mailosaur.net`;

  473. 

  474.     // Request magic link 10 times rapidly (should hit rate limit)

  475.     for (let i = 0; i < 10; i++) {

  476.       await page.goto('/login');

  477.       await page.getByTestId('email-input').fill(testEmail);

  478.       await page.getByTestId('send-magic-link').click();

  479. 

  480.       // After N requests, should show rate limit error

  481.       const errorVisible = await page

  482.         .getByTestId('rate-limit-error')

  483.         .isVisible({ timeout: 1000 })

  484.         .catch(() => false);

  485. 

  486.       if (errorVisible) {

  487.         console.log(`Rate limit hit after ${i + 1} requests`);

  488.         await expect(page.getByTestId('rate-limit-error')).toContainText(/too many.*requests|rate.*limit/i);

  489.         return;

  490.       }

  491.     }

  492. 

  493.     // If no rate limit after 10 requests, log warning

  494.     console.warn('⚠️  No rate limit detected after 10 requests');

  495.   });

  496. });

  497. ```

  498. 

  499. **Key Points**:

  500. 

  501. - **Expired links**: Test 24+ hour old tokens

  502. - **Invalid tokens**: Malformed or garbage tokens rejected

  503. - **Reuse prevention**: Same link can't be used twice

  504. - **Rapid requests**: Multiple requests handled gracefully

  505. - **Rate limiting**: Excessive requests blocked

  506. 

  507. ---

  508. 

  509. ### Example 4: Caching Strategy with cypress-data-session / Playwright Projects

  510. 

  511. **Context**: Minimize email consumption by sharing authentication state across tests and specs.

  512. 

  513. **Implementation**:

  514. 

  515. ```javascript

  516. // cypress/support/commands/register-and-sign-in.js

  517. import { dataSession } from 'cypress-data-session';

  518. 

  519. /**

  520.  * Email Authentication Caching Strategy

  521.  * - One email per test run (not per spec, not per test)

  522.  * - First spec: Full registration flow (form → email → code → sign in)

  523.  * - Subsequent specs: Only sign in (reuse user)

  524.  * - Subsequent tests in same spec: Session already active (no sign in)

  525.  */

  526. 

  527. // Helper: Fill registration form

  528. function fillRegistrationForm({ fullName, userName, email, password }) {

  529.   cy.intercept('POST', 'https://cognito-idp*').as('cognito');

  530.   cy.contains('Register').click();

  531.   cy.get('#reg-dialog-form').should('be.visible');

  532.   cy.get('#first-name').type(fullName, { delay: 0 });

  533.   cy.get('#last-name').type(lastName, { delay: 0 });

  534.   cy.get('#email').type(email, { delay: 0 });

  535.   cy.get('#username').type(userName, { delay: 0 });

  536.   cy.get('#password').type(password, { delay: 0 });

  537.   cy.contains('button', 'Create an account').click();

  538.   cy.wait('@cognito').its('response.statusCode').should('equal', 200);

  539. }

  540. 

  541. // Helper: Confirm registration with email code

  542. function confirmRegistration(email) {

  543.   return cy

  544.     .mailosaurGetMessage(Cypress.env('MAILOSAUR_SERVERID'), { sentTo: email })

  545.     .its('html.codes.0.value') // Mailosaur auto-extracts codes!

  546.     .then((code) => {

  547.       cy.intercept('POST', 'https://cognito-idp*').as('cognito');

  548.       cy.get('#verification-code').type(code, { delay: 0 });

  549.       cy.contains('button', 'Confirm registration').click();

  550.       cy.wait('@cognito');

  551.       cy.contains('You are now registered!').should('be.visible');

  552.       cy.contains('button', /ok/i).click();

  553.       return cy.wrap(code); // Return code for reference

  554.     });

  555. }

  556. 

  557. // Helper: Full registration (form + email)

  558. function register({ fullName, userName, email, password }) {

  559.   fillRegistrationForm({ fullName, userName, email, password });

  560.   return confirmRegistration(email);

  561. }

  562. 

  563. // Helper: Sign in

  564. function signIn({ userName, password }) {

  565.   cy.intercept('POST', 'https://cognito-idp*').as('cognito');

  566.   cy.contains('Sign in').click();

  567.   cy.get('#sign-in-username').type(userName, { delay: 0 });

  568.   cy.get('#sign-in-password').type(password, { delay: 0 });

  569.   cy.contains('button', 'Sign in').click();

  570.   cy.wait('@cognito');

  571.   cy.contains('Sign out').should('be.visible');

  572. }

  573. 

  574. /**

  575.  * Register and sign in with email caching

  576.  * ONE EMAIL PER MACHINE (cypress run or cypress open)

  577.  */

  578. Cypress.Commands.add('registerAndSignIn', ({ fullName, userName, email, password }) => {

  579.   return dataSession({

  580.     name: email, // Unique session per email

  581. 

  582.     // First time: Full registration (form → email → code)

  583.     init: () => register({ fullName, userName, email, password }),

  584. 

  585.     // Subsequent specs: Just check email exists (code already used)

  586.     setup: () => confirmRegistration(email),

  587. 

  588.     // Always runs after init/setup: Sign in

  589.     recreate: () => signIn({ userName, password }),

  590. 

  591.     // Share across ALL specs (one email for entire test run)

  592.     shareAcrossSpecs: true,

  593.   });

  594. });

  595. ```

  596. 

  597. **Usage across multiple specs**:

  598. 

  599. ```javascript

  600. // cypress/e2e/place-order.cy.ts

  601. describe('Place Order', () => {

  602.   beforeEach(() => {

  603.     cy.visit('/');

  604.     cy.registerAndSignIn({

  605.       fullName: Cypress.env('fullName'), // From cypress.config

  606.       userName: Cypress.env('userName'),

  607.       email: Cypress.env('email'), // SAME email across all specs

  608.       password: Cypress.env('password'),

  609.     });

  610.   });

  611. 

  612.   it('should place order', () => {

  613.     /* ... */

  614.   });

  615.   it('should view order history', () => {

  616.     /* ... */

  617.   });

  618. });

  619. 

  620. // cypress/e2e/profile.cy.ts

  621. describe('User Profile', () => {

  622.   beforeEach(() => {

  623.     cy.visit('/');

  624.     cy.registerAndSignIn({

  625.       fullName: Cypress.env('fullName'),

  626.       userName: Cypress.env('userName'),

  627.       email: Cypress.env('email'), // SAME email - no new email sent!

  628.       password: Cypress.env('password'),

  629.     });

  630.   });

  631. 

  632.   it('should update profile', () => {

  633.     /* ... */

  634.   });

  635. });

  636. ```

  637. 

  638. **Playwright equivalent with storageState**:

  639. 

  640. ```typescript

  641. // playwright.config.ts

  642. import { defineConfig } from '@playwright/test';

  643. 

  644. export default defineConfig({

  645.   projects: [

  646.     {

  647.       name: 'setup',

  648.       testMatch: /global-setup\.ts/,

  649.     },

  650.     {

  651.       name: 'authenticated',

  652.       testMatch: /.*\.spec\.ts/,

  653.       dependencies: ['setup'],

  654.       use: {

  655.         storageState: '.auth/user-session.json', // Reuse auth state

  656.       },

  657.     },

  658.   ],

  659. });

  660. ```

  661. 

  662. ```typescript

  663. // tests/global-setup.ts (runs once)

  664. import { test as setup } from '@playwright/test';

  665. import { getMagicLinkFromEmail } from './support/mailosaur-helpers';

  666. 

  667. const authFile = '.auth/user-session.json';

  668. 

  669. setup('authenticate via magic link', async ({ page }) => {

  670.   const testEmail = process.env.TEST_USER_EMAIL!;

  671. 

  672.   // Request magic link

  673.   await page.goto('/login');

  674.   await page.getByTestId('email-input').fill(testEmail);

  675.   await page.getByTestId('send-magic-link').click();

  676. 

  677.   // Get and visit magic link

  678.   const magicLink = await getMagicLinkFromEmail(testEmail);

  679.   await page.goto(magicLink);

  680. 

  681.   // Verify authenticated

  682.   await expect(page.getByTestId('user-menu')).toBeVisible();

  683. 

  684.   // Save authenticated state (ONE TIME for all tests)

  685.   await page.context().storageState({ path: authFile });

  686. 

  687.   console.log('✅ Authentication state saved to', authFile);

  688. });

  689. ```

  690. 

  691. **Key Points**:

  692. 

  693. - **One email per run**: Global setup authenticates once

  694. - **State reuse**: All tests use cached storageState

  695. - **cypress-data-session**: Intelligently manages cache lifecycle

  696. - **shareAcrossSpecs**: Session shared across all spec files

  697. - **Massive savings**: 500 tests = 1 email (not 500!)

  698. 

  699. ---

  700. 

  701. ## Email Authentication Testing Checklist

  702. 

  703. Before implementing email auth tests, verify:

  704. 

  705. - [ ] **Email service**: Mailosaur/Ethereal/MailHog configured with API keys

  706. - [ ] **Link extraction**: Use built-in parsing (html.links[0].href) over regex

  707. - [ ] **State preservation**: localStorage/session/cookies saved and restored

  708. - [ ] **Session caching**: cypress-data-session or storageState prevents redundant emails

  709. - [ ] **Negative flows**: Expired, invalid, reused, rapid requests tested

  710. - [ ] **Quota awareness**: One email per run (not per test)

  711. - [ ] **PII scrubbing**: Email IDs logged for debug, but scrubbed from artifacts

  712. - [ ] **Timeout handling**: 30 second email retrieval timeout configured

  713. 

  714. ## Integration Points

  715. 

  716. - Used in workflows: `*framework` (email auth setup), `*automate` (email auth test generation)

  717. - Related fragments: `fixture-architecture.md`, `test-quality.md`

  718. - Email services: Mailosaur (recommended), Ethereal (free), MailHog (self-hosted)

  719. - Plugins: cypress-mailosaur, cypress-data-session

  720. 

  721. _Source: Email authentication blog, Murat testing toolkit, Mailosaur documentation_