test(FR-2639): add E2E regression for sToken login boundary routes

Resolves FR-2639 and FR-2643 (bundled — same test surface with
matching structure for LoginView and EduAppLauncher routes).

Adds two Playwright spec files covering the regression surface that
does not depend on a customer-specific auth plugin for minting valid
sTokens:

1. e2e/auth/stoken-login.spec.ts
   - Visiting / without a sToken still renders the LoginView form
     (STokenGuard passthrough, regression guard).
   - Invalid sToken on / surfaces the boundary error card with a Retry
     button and a Copy error details button.
   - The token stays in the URL on error (boundary only strips on
     successful onSuccess — spec "많읽 같르", Pitfall #7).
   - /interactive-login handles the same flow (shared STokenGuard).

2. e2e/app-launcher/edu-applauncher-stoken.spec.ts
   - Invalid sToken on /edu-applauncher surfaces the error card.
   - Invalid sToken on /applauncher (legacy alias) surfaces the same
     error card (same EduAppLauncherPage powers both routes).
   - Error state keeps app / session_id / sToken URL params intact so
     the launcher's subsequent steps can still observe them.

Valid-token happy-path is not covered here — standard Backend.AI
installs do not ship an sToken-minting auth plugin, so the happy path
is exercised by customer-specific integration tests instead. The unit
tests in `STokenLoginBoundary.test.tsx` already cover the success
contract (children render, backend-ai-connected dispatched once,
onSuccess called once, retry idempotency).

Refs FR-2616, FR-2626, FR-2627

Author: nowgnuesLee

.specs/draft-stoken-login-boundary/metadata.json

@@ -79,19 +79,31 @@
       "subtasks": [
         {
           "key": "FR-2636",
-          "title": "[2.1] Wrap / and /interactive-login routes with STokenLoginBoundary conditionally"
+          "title": "[2.1] Wrap / and /interactive-login routes with STokenLoginBoundary conditionally",
+          "prNumber": 6861,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6861",
+          "note": "bundled into Story 2 PR #6861"
         },
         {
           "key": "FR-2637",
-          "title": "[2.2] Move postConnectSetup side effects into route-level onSuccess"
+          "title": "[2.2] Move postConnectSetup side effects into route-level onSuccess",
+          "prNumber": 6861,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6861",
+          "note": "bundled into Story 2 PR #6861"
         },
         {
           "key": "FR-2638",
-          "title": "[2.3] Remove connectUsingSession sToken branch and URL parsing in LoginView"
+          "title": "[2.3] Remove connectUsingSession sToken branch and URL parsing in LoginView",
+          "prNumber": 6861,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6861",
+          "note": "bundled into Story 2 PR #6861"
         },
         {
           "key": "FR-2639",
-          "title": "[2.4] E2E regression for LoginView sToken entry"
+          "title": "[2.4] E2E regression for LoginView sToken entry",
+          "prNumber": 6865,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6865",
+          "note": "bundled into E2E PR #6865"
         }
       ]
     },
@@ -106,19 +118,31 @@
       "subtasks": [
         {
           "key": "FR-2640",
-          "title": "[3.1] Investigate get_user_credential(sToken) liveness (Q8)"
+          "title": "[3.1] Investigate get_user_credential(sToken) liveness (Q8)",
+          "prNumber": null,
+          "prUrl": null,
+          "note": "investigation only (Jira comment); resolved to option (a) prop-threading"
         },
         {
           "key": "FR-2641",
-          "title": "[3.2] Wrap /edu-applauncher and /applauncher routes with STokenLoginBoundary"
+          "title": "[3.2] Wrap /edu-applauncher and /applauncher routes with STokenLoginBoundary",
+          "prNumber": 6864,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6864",
+          "note": "bundled into Story 3 PR #6864"
         },
         {
           "key": "FR-2642",
-          "title": "[3.3] Remove _token_login and manual backend-ai-connected dispatch in EduAppLauncher"
+          "title": "[3.3] Remove _token_login and manual backend-ai-connected dispatch in EduAppLauncher",
+          "prNumber": 6864,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6864",
+          "note": "bundled into Story 3 PR #6864"
         },
         {
           "key": "FR-2643",
-          "title": "[3.4] E2E regression for EduApp sToken entry with and without session_id"
+          "title": "[3.4] E2E regression for EduApp sToken entry with and without session_id",
+          "prNumber": 6865,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6865",
+          "note": "bundled into E2E PR #6865"
         }
       ]
     }
@@ -149,5 +173,5 @@
   },
   "sourceIssues": [],
   "createdAt": "2026-04-21T00:00:00Z",
-  "notes": "Epic FR-2616 filed. Spec Task FR-2618 created. Story 1 implementation: PRs #6850-#6853, #6855-#6857 submitted (FR-2628, FR-2629, FR-2630, FR-2631, FR-2632, FR-2633, refactor). FR-2634 closed as Not Planned (duplicate of FR-2633 test assertion). FR-2635 closed as investigation-only (Jira comment). Directory still uses draft- prefix; rename to FR-2616-stoken-login-boundary as a follow-up."
+  "notes": "Epic FR-2616 filed. Spec Task FR-2618 + Story 1-3 (FR-2625, FR-2626, FR-2627). Story 1: PRs #6850-#6853, #6855-#6857 (7 PRs). Story 2: PR #6861 bundles FR-2636/2637/2638 (LoginView migration). Story 3: PR #6864 bundles FR-2641/2642 (EduAppLauncher migration). Q8 (FR-2640) resolved via prop-threading, no PR. E2E (FR-2639, FR-2643): PR #6865 bundles both. FR-2634 (CI grep rule) closed as redundant with FR-2633 test. FR-2635 (cookie encoding investigation) closed. Directory still uses draft- prefix; rename to FR-2616-stoken-login-boundary as a follow-up after spec PR merges."
 }

e2e/app-launcher/edu-applauncher-stoken.spec.ts

@@ -0,0 +1,69 @@
+/**
+ * E2E regression for FR-2616 Story 3 — `STokenLoginBoundary` applied to
+ * the EduAppLauncher routes (`/edu-applauncher` and `/applauncher`).
+ *
+ * Parity checks with the LoginView sToken flow:
+ *   - the boundary mounts on both route aliases,
+ *   - an invalid token surfaces the error card with a Retry button.
+ *
+ * URL handling differs from the LoginView path:
+ *   - LoginView (`/`, `/interactive-login`) strips `sToken` from the URL
+ *     on successful auth (security, via `clearSToken(null)` in
+ *     `onSuccess`).
+ *   - EduAppLauncher (`/edu-applauncher`, `/applauncher`) intentionally
+ *     does NOT strip: `_createEduSession` re-reads `sToken` for the
+ *     customer-specific `eduApp.get_user_credential(sToken)` call, and
+ *     the `app` / `session_id` / resource-hint params drive downstream
+ *     Relay loaders. The edu token URL is LMS-issued so leaving it in
+ *     browser history is an accepted trade-off.
+ *
+ * Valid-token happy-path is out of scope here for the same reason as
+ * `stoken-login.spec.ts`: a customer-specific auth plugin is required
+ * to mint real sTokens.
+ */
+import { webuiEndpoint } from '../utils/test-util';
+import { expect, test } from '@playwright/test';
+
+test.describe(
+  'EduAppLauncher sToken boundary',
+  { tag: ['@regression', '@app-launcher', '@functional'] },
+  () => {
+    test('invalid sToken on `/edu-applauncher` surfaces the boundary error card', async ({
+      page,
+    }) => {
+      await page.goto(
+        `${webuiEndpoint}/edu-applauncher?sToken=invalid-token-for-e2e&app=jupyter&session_id=test-session`,
+      );
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+    });
+
+    test('invalid sToken on `/applauncher` (legacy alias) surfaces the same error card', async ({
+      page,
+    }) => {
+      await page.goto(
+        `${webuiEndpoint}/applauncher?sToken=invalid-token-for-e2e`,
+      );
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+    });
+
+    test('error state keeps non-sToken URL params intact (app, session_id)', async ({
+      page,
+    }) => {
+      await page.goto(
+        `${webuiEndpoint}/edu-applauncher?sToken=invalid-token-for-e2e&app=jupyter&session_id=test-session`,
+      );
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+      // On failure the URL is untouched.
+      const url = page.url();
+      expect(url).toContain('app=jupyter');
+      expect(url).toContain('session_id=test-session');
+      expect(url).toContain('sToken=invalid-token-for-e2e');
+    });
+  },
+);

e2e/auth/stoken-login.spec.ts

@@ -0,0 +1,76 @@
+/**
+ * E2E regression for FR-2616 Story 2 — `STokenLoginBoundary` applied to
+ * the LoginView route tree (`/` and `/interactive-login`).
+ *
+ * Valid-token happy-path coverage requires a Backend.AI install with a
+ * customer-specific auth plugin (auth-keypair / OpenID) to mint real
+ * sTokens; standard installs do not provide one. These tests therefore
+ * focus on:
+ *   - invalid-token error UI renders and exposes a Retry button;
+ *   - the non-sToken entry points still render the regular login form
+ *     (regression guard — the boundary must not leak into non-sToken
+ *     flows);
+ *   - URL preservation on error: the boundary only strips `sToken`
+ *     after a successful login, so an invalid token remains in the URL
+ *     and the user's Retry can still pick it up.
+ */
+import { webuiEndpoint } from '../utils/test-util';
+import { expect, test } from '@playwright/test';
+
+test.describe(
+  'sToken login boundary (LoginView routes)',
+  { tag: ['@regression', '@auth', '@functional'] },
+  () => {
+    test('visiting `/` without a sToken still renders the login form', async ({
+      page,
+    }) => {
+      await page.goto(webuiEndpoint);
+      // Regression guard: the route-level STokenGuard passes through when
+      // no sToken is present, so the ordinary LoginView panel still mounts.
+      await expect(page.getByLabel('Email or Username')).toBeVisible();
+      await expect(page.getByLabel('Password')).toBeVisible();
+    });
+
+    test('invalid sToken on `/` surfaces the boundary error card with a Retry button', async ({
+      page,
+    }) => {
+      await page.goto(`${webuiEndpoint}/?sToken=invalid-token-for-e2e`);
+
+      // The boundary renders one of the `STokenLoginError.kind`-specific
+      // cards. Depending on reachability the kind will be either
+      // `token-invalid` (server rejected the token) or `server-unreachable`
+      // (no cluster), and in edge cases `endpoint-unresolved`. Match the
+      // Retry button that is present in every kind's default card.
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+      await expect(
+        page.getByRole('button', { name: /copy error details/i }),
+      ).toBeVisible();
+    });
+
+    test('invalid sToken on `/` does not strip the token from the URL', async ({
+      page,
+    }) => {
+      await page.goto(`${webuiEndpoint}/?sToken=invalid-token-for-e2e`);
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+      // The boundary only calls `clearSToken(null)` from `onSuccess`.
+      // On failure the token stays in the URL so the user can read it,
+      // report it, or Retry which re-consumes the same value.
+      expect(page.url()).toContain('sToken=invalid-token-for-e2e');
+    });
+
+    test('invalid sToken on `/interactive-login` surfaces the same error card', async ({
+      page,
+    }) => {
+      await page.goto(
+        `${webuiEndpoint}/interactive-login?sToken=invalid-token-for-e2e`,
+      );
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+    });
+  },
+);