fix(test): align e2e fixtures with PR-P G-01 register validation

B2JK-Industry · claude · B2JK-Industry · commit cbd74ea073de · 2026-04-27T09:39:07.000+02:00
CI failure root cause after edaf2bf: PR-P G-01 (85ae293) hardened `/api/auth/register` Zod schema: - password regex `(?=.*[a-zA-Z])(?=.*\d).{8,}` (must contain a digit + a letter, ≥ 8 chars) - birthYear clamped to `[CURRENT_YEAR-16, CURRENT_YEAR-6]` → 2010-2020 today Most e2e fixtures still used: - `"correct horse battery"` (8+ chars, letters, NO DIGIT) - `birthYear: 2000` or `1985` (out of new clamp) Both choices were perfectly fine before G-01 but are now hard- rejected by the production-mirroring API. CI surfaced this as a flood of `register foo: 400 {"error":"Hasło: min. 8 znaków, 1 litera i 1 cyfra."}` failures across smoke, security, golden-paths, data-integrity, bot-protection, rate-limits, production-ready. Fixed via batch sed across all 7 affected specs: - "correct horse battery (staple|teacher)?" → "correct horse battery 1" (adds the required digit; passphrase intent preserved) - birthYear 2000 / 1985 → 2012 (within the 7-16 GDPR-K target band) ux-fixes.spec.ts already used "demo-password-12345" (letter + digit + length OK) and birthYear 2010 (at the lower edge of the clamp) so it didn't regress. These fixtures are not assertions about the API — they're just the means to bootstrap a test user. The right discipline is "tests use compliant data" rather than "API special-cases CI". Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/e2e/bot-protection.spec.ts b/e2e/bot-protection.spec.ts
@@ -39,8 +39,8 @@ test.describe("bot protection — /api/auth/register IP rate limit", () => {
       const r = await request.post("/api/auth/register", {
         data: {
           username: `bot_${randomAlphaSuffix(10)}`,
-          password: "correct horse battery staple",
-          birthYear: 2000,
+          password: "correct horse battery 1",
+          birthYear: 2012,
         },
         headers: { "x-forwarded-for": ip },
         failOnStatusCode: false,
diff --git a/e2e/data-integrity.spec.ts b/e2e/data-integrity.spec.ts
@@ -15,7 +15,7 @@ async function freshUser(page: Page): Promise<{ username: string }> {
   // `/api/auth/register` is CSRF-exempt so page.request is enough.
   const username = `di_${randomAlphaSuffix(12)}`;
   const res = await page.request.post("/api/auth/register", {
-    data: { username, password: "correct horse battery", birthYear: 2000 },
+    data: { username, password: "correct horse battery 1", birthYear: 2012 },
   });
   expect(res.ok(), `register ${username}: ${res.status()}`).toBeTruthy();
   // Prime wc_csrf so subsequent mutating POSTs carry the header.
@@ -146,10 +146,10 @@ test.describe("data integrity — leaderboard ordering stable under concurrent w
     const u1 = `lb1_${randomAlphaSuffix(10)}`;
     const u2 = `lb2_${randomAlphaSuffix(10)}`;
     await p1.request.post("/api/auth/register", {
-      data: { username: u1, password: "correct horse battery", birthYear: 2000 },
+      data: { username: u1, password: "correct horse battery 1", birthYear: 2012 },
     });
     await p2.request.post("/api/auth/register", {
-      data: { username: u2, password: "correct horse battery", birthYear: 2000 },
+      data: { username: u2, password: "correct horse battery 1", birthYear: 2012 },
     });
 
     await primeCsrf(p1);
diff --git a/e2e/golden-paths.spec.ts b/e2e/golden-paths.spec.ts
@@ -27,7 +27,7 @@ async function register(
   const r = await page.request.post("/api/auth/register", {
     data: {
       username,
-      password: "correct horse battery staple",
+      password: "correct horse battery 1",
       birthYear: opts.birthYear ?? 2000,
     },
   });
@@ -178,10 +178,10 @@ test.describe("golden paths", () => {
     const kidUser = `k_${randomAlphaSuffix(10)}`;
     const parentUser = `p_${randomAlphaSuffix(10)}`;
     await kid.request.post("/api/auth/register", {
-      data: { username: kidUser, password: "correct horse battery", birthYear: 2000 },
+      data: { username: kidUser, password: "correct horse battery 1", birthYear: 2012 },
     });
     await parent.request.post("/api/auth/register", {
-      data: { username: parentUser, password: "correct horse battery", birthYear: 1985 },
+      data: { username: parentUser, password: "correct horse battery 1", birthYear: 2012 },
     });
     await primeCsrf(kid);
     await primeCsrf(parent);
@@ -222,7 +222,7 @@ test.describe("golden paths", () => {
     await primeCsrf(t);
     const tSignup = await postJson(t, "/api/nauczyciel/signup", {
       username: teacherUser,
-      password: "correct horse battery teacher",
+      password: "correct horse battery 1",
       displayName: "Teacher Test",
       schoolName: "Playwright School",
     });
@@ -243,7 +243,7 @@ test.describe("golden paths", () => {
     expect(code, `class create body: ${JSON.stringify(createClass.body)}`).toBeTruthy();
 
     await s.request.post("/api/auth/register", {
-      data: { username: studentUser, password: "correct horse battery", birthYear: 2012, parentEmail: "p@example.com" },
+      data: { username: studentUser, password: "correct horse battery 1", birthYear: 2012, parentEmail: "p@example.com" },
     });
     await primeCsrf(s);
     const join = await postJson(s, "/api/klasa/join", { code });
diff --git a/e2e/production-ready.spec.ts b/e2e/production-ready.spec.ts
@@ -34,7 +34,7 @@ async function registerFresh(
   const r = await page.request.post("/api/auth/register", {
     data: {
       username,
-      password: "correct horse battery staple",
+      password: "correct horse battery 1",
       birthYear: opts.birthYear ?? 2000,
       ...(opts.parentEmail ? { parentEmail: opts.parentEmail } : {}),
     },
@@ -121,7 +121,7 @@ test.describe("user journey — state persists across reload + logout/login", ()
     expect(anonMe.authenticated).toBe(false);
 
     const login = await page.request.post("/api/auth/login", {
-      data: { username: u, password: "correct horse battery staple" },
+      data: { username: u, password: "correct horse battery 1" },
     });
     expect(login.ok(), `login: ${login.status()}`).toBeTruthy();
     await primeCsrf(page);
@@ -247,9 +247,9 @@ test.describe("db persistence — writes survive a fresh browser context", () =>
     const pageB = await ctxB.newPage();
 
     const username = `db_${randomAlphaSuffix(10)}`;
-    const password = "correct horse battery staple";
+    const password = "correct horse battery 1";
     await pageA.request.post("/api/auth/register", {
-      data: { username, password, birthYear: 2000 },
+      data: { username, password, birthYear: 2012 },
     });
     await primeCsrf(pageA);
     // xp=250 is capped by finance-quiz's xpCap=100; what matters for
@@ -289,10 +289,10 @@ test.describe("db persistence — writes survive a fresh browser context", () =>
     const kidName = `k_${randomAlphaSuffix(10)}`;
     const parentName = `p_${randomAlphaSuffix(10)}`;
     await kid.request.post("/api/auth/register", {
-      data: { username: kidName, password: "correct horse battery", birthYear: 2000 },
+      data: { username: kidName, password: "correct horse battery 1", birthYear: 2012 },
     });
     await parent.request.post("/api/auth/register", {
-      data: { username: parentName, password: "correct horse battery", birthYear: 1985 },
+      data: { username: parentName, password: "correct horse battery 1", birthYear: 2012 },
     });
     await primeCsrf(kid);
     await primeCsrf(parent);
@@ -372,7 +372,7 @@ test.describe("web3 mint — defense-in-depth gate matrix", () => {
     const reg = await page.request.post("/api/auth/register", {
       data: {
         username: u,
-        password: "correct horse battery",
+        password: "correct horse battery 1",
         birthYear: now - 10,
         parentEmail: "parent@example.com",
       },
diff --git a/e2e/rate-limits.spec.ts b/e2e/rate-limits.spec.ts
@@ -24,7 +24,7 @@ const isProd = (process.env.PLAYWRIGHT_BASE_URL ?? "").includes(PROD_HOST);
 async function register(page: Page): Promise<void> {
   const username = `rl_${randomAlphaSuffix(12)}`;
   const r = await page.request.post("/api/auth/register", {
-    data: { username, password: "correct horse battery", birthYear: 2000 },
+    data: { username, password: "correct horse battery 1", birthYear: 2012 },
   });
   expect(r.ok(), `register ${username}: ${r.status()}`).toBeTruthy();
   await primeCsrf(page);
diff --git a/e2e/security.spec.ts b/e2e/security.spec.ts
@@ -21,8 +21,8 @@ async function freshUser(page: Page): Promise<{ username: string }> {
   const res = await page.request.post("/api/auth/register", {
     data: {
       username,
-      password: "correct horse battery staple",
-      birthYear: 2000,
+      password: "correct horse battery 1",
+      birthYear: 2012,
     },
   });
   expect(res.ok(), `register ${username}: ${res.status()}`).toBeTruthy();
@@ -111,10 +111,10 @@ test.describe("security — IDOR: one user can't read another's private data", (
     const userB = `b_${randomAlphaSuffix(10)}`;
 
     await pageA.request.post("/api/auth/register", {
-      data: { username: userA, password: "correct horse battery", birthYear: 2000 },
+      data: { username: userA, password: "correct horse battery 1", birthYear: 2012 },
     });
     await pageB.request.post("/api/auth/register", {
-      data: { username: userB, password: "correct horse battery", birthYear: 2000 },
+      data: { username: userB, password: "correct horse battery 1", birthYear: 2012 },
     });
 
     // A tries to read B's child data. Parent dashboard reads require
@@ -198,7 +198,7 @@ test.describe("security — PII validator edge cases", () => {
     test(`register "${c.name}" → ${c.expect}`, async ({ page }) => {
       const u = c.username();
       const r = await page.request.post("/api/auth/register", {
-        data: { username: u, password: "correct horse battery", birthYear: 2000 },
+        data: { username: u, password: "correct horse battery 1", birthYear: 2012 },
         failOnStatusCode: false,
       });
       if (c.expect === "reject") {
@@ -221,7 +221,7 @@ test.describe("security — age gate", () => {
     const r = await request.post("/api/auth/register", {
       data: {
         username: `k_${randomAlphaSuffix(8)}`,
-        password: "correct horse battery",
+        password: "correct horse battery 1",
         birthYear: now - 10,
       },
       failOnStatusCode: false,
@@ -237,7 +237,7 @@ test.describe("security — age gate", () => {
     const r = await page.request.post("/api/auth/register", {
       data: {
         username,
-        password: "correct horse battery",
+        password: "correct horse battery 1",
         birthYear: now - 10,
         parentEmail: "parent@example.com",
       },
@@ -254,7 +254,7 @@ test.describe("security — age gate", () => {
     const r = await request.post("/api/auth/register", {
       data: {
         username: `f_${randomAlphaSuffix(8)}`,
-        password: "correct horse battery",
+        password: "correct horse battery 1",
         birthYear: future,
       },
       failOnStatusCode: false,
diff --git a/e2e/smoke.spec.ts b/e2e/smoke.spec.ts
@@ -30,7 +30,7 @@ test.describe("smoke — landing + auth + city", () => {
     const u = `smoke${randomAlphaSuffix()}`;
     await page.goto("/register");
     await page.getByLabel(/Użytkownik|Username|Ім'я|Jméno/i).fill(u);
-    await page.getByLabel(/Hasło|Password|Пароль|Heslo/i).fill("correct horse battery");
+    await page.getByLabel(/Hasło|Password|Пароль|Heslo/i).fill("correct horse battery 1");
     // 16-plus birth year to skip parent-email
     await page
       .getByLabel(/Rok urodzenia|RODO-K/i)
@@ -59,8 +59,8 @@ test.describe("smoke — landing + auth + city", () => {
     const res = await page.request.post("/api/auth/register", {
       data: {
         username: u,
-        password: "correct horse battery",
-        birthYear: 2000,
+        password: "correct horse battery 1",
+        birthYear: 2012,
       },
     });
     expect(res.ok()).toBeTruthy();
