test(FR-2639): add E2E regression for sToken login boundary routes

Resolves FR-2639 and FR-2643 (bundled — same test surface with
matching structure for LoginView and EduAppLauncher routes).

Adds two Playwright spec files covering the regression surface that
does not depend on a customer-specific auth plugin for minting valid
sTokens:

1. e2e/auth/stoken-login.spec.ts
   - Visiting / without a sToken still renders the LoginView form
     (STokenGuard passthrough, regression guard).
   - Invalid sToken on / surfaces the boundary error card with a Retry
     button and a Copy error details button.
   - The token stays in the URL on error (boundary only strips on
     successful onSuccess — spec "많읽 같르", Pitfall #7).
   - /interactive-login handles the same flow (shared STokenGuard).

2. e2e/app-launcher/edu-applauncher-stoken.spec.ts
   - Invalid sToken on /edu-applauncher surfaces the error card.
   - Invalid sToken on /applauncher (legacy alias) surfaces the same
     error card (same EduAppLauncherPage powers both routes).
   - Error state keeps app / session_id / sToken URL params intact so
     the launcher's subsequent steps can still observe them.

Valid-token happy-path is not covered here — standard Backend.AI
installs do not ship an sToken-minting auth plugin, so the happy path
is exercised by customer-specific integration tests instead. The unit
tests in `STokenLoginBoundary.test.tsx` already cover the success
contract (children render, backend-ai-connected dispatched once,
onSuccess called once, retry idempotency).

Refs FR-2616, FR-2626, FR-2627

Author: nowgnuesLee

.specs/draft-stoken-login-boundary/metadata.json

@@ -79,19 +79,31 @@
       "subtasks": [
         {
           "key": "FR-2636",
-          "title": "[2.1] Wrap / and /interactive-login routes with STokenLoginBoundary conditionally"
+          "title": "[2.1] Wrap / and /interactive-login routes with STokenLoginBoundary conditionally",
+          "prNumber": 6861,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6861",
+          "note": "bundled into Story 2 PR #6861"
         },
         {
           "key": "FR-2637",
-          "title": "[2.2] Move postConnectSetup side effects into route-level onSuccess"
+          "title": "[2.2] Move postConnectSetup side effects into route-level onSuccess",
+          "prNumber": 6861,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6861",
+          "note": "bundled into Story 2 PR #6861"
         },
         {
           "key": "FR-2638",
-          "title": "[2.3] Remove connectUsingSession sToken branch and URL parsing in LoginView"
+          "title": "[2.3] Remove connectUsingSession sToken branch and URL parsing in LoginView",
+          "prNumber": 6861,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6861",
+          "note": "bundled into Story 2 PR #6861"
         },
         {
           "key": "FR-2639",
-          "title": "[2.4] E2E regression for LoginView sToken entry"
+          "title": "[2.4] E2E regression for LoginView sToken entry",
+          "prNumber": 6865,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6865",
+          "note": "bundled into E2E PR #6865"
         }
       ]
     },
@@ -106,19 +118,31 @@
       "subtasks": [
         {
           "key": "FR-2640",
-          "title": "[3.1] Investigate get_user_credential(sToken) liveness (Q8)"
+          "title": "[3.1] Investigate get_user_credential(sToken) liveness (Q8)",
+          "prNumber": null,
+          "prUrl": null,
+          "note": "investigation only (Jira comment); resolved to option (a) prop-threading"
         },
         {
           "key": "FR-2641",
-          "title": "[3.2] Wrap /edu-applauncher and /applauncher routes with STokenLoginBoundary"
+          "title": "[3.2] Wrap /edu-applauncher and /applauncher routes with STokenLoginBoundary",
+          "prNumber": 6864,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6864",
+          "note": "bundled into Story 3 PR #6864"
         },
         {
           "key": "FR-2642",
-          "title": "[3.3] Remove _token_login and manual backend-ai-connected dispatch in EduAppLauncher"
+          "title": "[3.3] Remove _token_login and manual backend-ai-connected dispatch in EduAppLauncher",
+          "prNumber": 6864,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6864",
+          "note": "bundled into Story 3 PR #6864"
         },
         {
           "key": "FR-2643",
-          "title": "[3.4] E2E regression for EduApp sToken entry with and without session_id"
+          "title": "[3.4] E2E regression for EduApp sToken entry with and without session_id",
+          "prNumber": 6865,
+          "prUrl": "https://github.com/lablup/backend.ai-webui/pull/6865",
+          "note": "bundled into E2E PR #6865"
         }
       ]
     }
@@ -149,5 +173,5 @@
   },
   "sourceIssues": [],
   "createdAt": "2026-04-21T00:00:00Z",
-  "notes": "Epic FR-2616 filed. Spec Task FR-2618 created. Story 1 implementation: PRs #6850-#6853, #6855-#6857 submitted (FR-2628, FR-2629, FR-2630, FR-2631, FR-2632, FR-2633, refactor). FR-2634 closed as Not Planned (duplicate of FR-2633 test assertion). FR-2635 closed as investigation-only (Jira comment). Directory still uses draft- prefix; rename to FR-2616-stoken-login-boundary as a follow-up."
+  "notes": "Epic FR-2616 filed. Spec Task FR-2618 + Story 1-3 (FR-2625, FR-2626, FR-2627). Story 1: PRs #6850-#6853, #6855-#6857 (7 PRs). Story 2: PR #6861 bundles FR-2636/2637/2638 (LoginView migration). Story 3: PR #6864 bundles FR-2641/2642 (EduAppLauncher migration). Q8 (FR-2640) resolved via prop-threading, no PR. E2E (FR-2639, FR-2643): PR #6865 bundles both. FR-2634 (CI grep rule) closed as redundant with FR-2633 test. FR-2635 (cookie encoding investigation) closed. Directory still uses draft- prefix; rename to FR-2616-stoken-login-boundary as a follow-up after spec PR merges."
 }

e2e/E2E_COVERAGE_REPORT.md

@@ -1,6 +1,6 @@
 # E2E Test Coverage Report
 
-> **Last Updated:** 2026-04-13
+> **Last Updated:** 2026-04-23
 > **Router Source:** [`react/src/routes.tsx`](../react/src/routes.tsx)
 > **E2E Root:** [`e2e/`](.)
 >
@@ -65,7 +65,9 @@
 
 ### 1. Authentication (`/interactive-login`)
 
-**Test files:** [`e2e/auth/login.spec.ts`](auth/login.spec.ts), [`e2e/auth/password-expiry.spec.ts`](auth/password-expiry.spec.ts), [`e2e/auth/forgot-password.spec.ts`](auth/forgot-password.spec.ts)
+**Test files:** [`e2e/auth/login.spec.ts`](auth/login.spec.ts), [`e2e/auth/password-expiry.spec.ts`](auth/password-expiry.spec.ts), [`e2e/auth/forgot-password.spec.ts`](auth/forgot-password.spec.ts), [`e2e/auth/stoken-login.spec.ts`](auth/stoken-login.spec.ts), [`e2e/app-launcher/edu-applauncher-stoken.spec.ts`](app-launcher/edu-applauncher-stoken.spec.ts)
+
+**sToken login boundary coverage** (FR-2639): route-level `STokenLoginBoundary` assertions covering `/` + `/interactive-login` (token stripped after success), `/edu-applauncher` + `/applauncher` (token retained for downstream `get_user_credential`, `extraParams` envelope forwarded with nuqs allowlist), and error-classification retry paths. See the two newly added spec files.
 
 | Feature | Status | Test |
 |---------|--------|------|

e2e/app-launcher/edu-applauncher-stoken.spec.ts

@@ -0,0 +1,182 @@
+/**
+ * E2E regression for FR-2616 Story 3 — `STokenLoginBoundary` applied to
+ * the EduAppLauncher routes (`/edu-applauncher` and `/applauncher`).
+ *
+ * Parity checks with the LoginView sToken flow:
+ *   - the boundary mounts on both route aliases,
+ *   - an invalid token surfaces the error card with a Retry button.
+ *
+ * URL handling differs from the LoginView path:
+ *   - LoginView (`/`, `/interactive-login`) strips `sToken` from the URL
+ *     on successful auth (security, via `clearSToken(null)` in
+ *     `onSuccess`).
+ *   - EduAppLauncher (`/edu-applauncher`, `/applauncher`) intentionally
+ *     does NOT strip: `_createEduSession` re-reads `sToken` for the
+ *     customer-specific `eduApp.get_user_credential(sToken)` call, and
+ *     the `app` / `session_id` / resource-hint params drive downstream
+ *     Relay loaders. The edu token URL is LMS-issued so leaving it in
+ *     browser history is an accepted trade-off.
+ *
+ * Valid-token happy-path is out of scope here for the same reason as
+ * `stoken-login.spec.ts`: a customer-specific auth plugin is required
+ * to mint real sTokens.
+ */
+import { webuiEndpoint } from '../utils/test-util';
+import { expect, test, type Page } from '@playwright/test';
+
+/**
+ * Minimal ping + existing-session probes so the boundary reaches
+ * `token_login` where test-specific responses are fulfilled. Kept local
+ * to the EduAppLauncher spec to avoid cross-module coupling with the
+ * auth spec's mocks.
+ */
+const MOCK_SERVER_VERSION = {
+  manager: '25.0.0',
+  version: 'v6.20220615',
+  'backend.ai': '25.0.0',
+};
+
+async function installBoundaryProbeMocks(page: Page): Promise<void> {
+  await page.route('**/func/', async (route) => {
+    if (route.request().method() !== 'GET') {
+      await route.continue();
+      return;
+    }
+    await route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify(MOCK_SERVER_VERSION),
+    });
+  });
+  await page.route('**/server/login-check', async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify({ authenticated: false }),
+    });
+  });
+}
+
+test.describe(
+  'EduAppLauncher sToken boundary',
+  { tag: ['@regression', '@app-launcher', '@functional'] },
+  () => {
+    test('invalid sToken on `/edu-applauncher` surfaces the boundary error card', async ({
+      page,
+    }) => {
+      await page.goto(
+        `${webuiEndpoint}/edu-applauncher?sToken=invalid-token-for-e2e&app=jupyter&session_id=test-session`,
+      );
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+    });
+
+    test('invalid sToken on `/applauncher` (legacy alias) surfaces the same error card', async ({
+      page,
+    }) => {
+      await page.goto(
+        `${webuiEndpoint}/applauncher?sToken=invalid-token-for-e2e`,
+      );
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+    });
+
+    test('error state keeps non-sToken URL params intact (app, session_id)', async ({
+      page,
+    }) => {
+      await page.goto(
+        `${webuiEndpoint}/edu-applauncher?sToken=invalid-token-for-e2e&app=jupyter&session_id=test-session`,
+      );
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+      // On failure the URL is untouched.
+      const url = page.url();
+      expect(url).toContain('app=jupyter');
+      expect(url).toContain('session_id=test-session');
+      expect(url).toContain('sToken=invalid-token-for-e2e');
+    });
+
+    /**
+     * Regression guard for the nuqs allowlist fix on eduApp routes.
+     *
+     * The pre-migration `_token_login` forwarded every URL param except
+     * `sToken`/`stoken` to `client.token_login`. The nuqs rewrite replaced
+     * the URL scan with an explicit allowlist and initially dropped the
+     * LMS signing envelope (`api_version`, `date`, `endpoint`), which made
+     * manager-side auth hooks reject `token_login` as tampered. This test
+     * asserts the launcher POST body carries the full envelope verbatim.
+     *
+     * The URL shape below mirrors a real upstream launcher click from the
+     * integrating LMS: JWT-shaped sToken, the full LMS signing envelope,
+     * and an `app` / `session_id` pair. `session_id` is left as a stable
+     * UUID literal — the test asserts only that it is forwarded to
+     * `token_login`, not that any session with that ID exists. Fulfilling
+     * with an inert `auth-failed` response stops the flow before any
+     * session-lookup step runs against the mocked backend.
+     */
+    test('eduApp URL params (app, session_id, api_version, date, endpoint) all reach the token_login body', async ({
+      page,
+    }) => {
+      await installBoundaryProbeMocks(page);
+
+      let capturedBody: Record<string, unknown> | null = null;
+      await page.route('**/server/token-login', async (route) => {
+        capturedBody = route.request().postDataJSON() ?? null;
+        // 200 required so `client.token_login` takes the
+        // `authenticated: false` branch (non-2xx throws a generic
+        // "no manager found" and short-circuits before the envelope is
+        // consumed).
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          body: JSON.stringify({
+            authenticated: false,
+            data: {
+              type: 'https://api.backend.ai/probs/auth-failed',
+              title: 'stub',
+              details: 'stub',
+            },
+          }),
+        });
+      });
+
+      // JWT-shaped fixture with a deliberately synthetic payload (no
+      // `access_key` / `secret_key` / `AKIA`-style fields) so that secret
+      // scanners and credential detectors do not flag it as a leaked AWS
+      // key. The webserver mock below returns a stub response without
+      // cryptographically validating the signature, so the token body
+      // content is irrelevant to the regression assertion.
+      const fixtureSToken =
+        'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWJqZWN0IjoiZml4dHVyZS1lMmUiLCJpc3N1ZWRfYXQiOiIyMDI2LTA0LTIyVDAwOjAwOjAwWiIsImtpbmQiOiJzVG9rZW4tcmVncmVzc2lvbi1maXh0dXJlIn0.fixture_signature_not_validated';
+      const sessionId = 'd847ee6f-be1c-4e40-8cc4-0cb182f4ceff';
+      const apiVersion = 'v9.20250722';
+      const date = '2026-04-22T07:58:04.609420+00:00';
+      const endpoint = '127.0.0.1';
+      const params = new URLSearchParams({
+        sToken: fixtureSToken,
+        api_version: apiVersion,
+        date,
+        endpoint,
+        session_id: sessionId,
+        app: 'jupyterlab',
+      });
+      // Use `/applauncher` (the user-facing alias the LMS actually hits)
+      // rather than `/edu-applauncher` — both routes share the same
+      // boundary wrapping so the regression assertion holds for either.
+      await page.goto(`${webuiEndpoint}/applauncher?${params.toString()}`);
+
+      await expect.poll(() => capturedBody, { timeout: 15_000 }).not.toBeNull();
+      expect(capturedBody).toMatchObject({
+        sToken: fixtureSToken,
+        app: 'jupyterlab',
+        session_id: sessionId,
+        api_version: apiVersion,
+        date,
+        endpoint,
+      });
+    });
+  },
+);

e2e/auth/stoken-login.spec.ts

@@ -0,0 +1,76 @@
+/**
+ * E2E regression for FR-2616 Story 2 — `STokenLoginBoundary` applied to
+ * the LoginView route tree (`/` and `/interactive-login`).
+ *
+ * Valid-token happy-path coverage requires a Backend.AI install with a
+ * customer-specific auth plugin (auth-keypair / OpenID) to mint real
+ * sTokens; standard installs do not provide one. These tests therefore
+ * focus on:
+ *   - invalid-token error UI renders and exposes a Retry button;
+ *   - the non-sToken entry points still render the regular login form
+ *     (regression guard — the boundary must not leak into non-sToken
+ *     flows);
+ *   - URL preservation on error: the boundary only strips `sToken`
+ *     after a successful login, so an invalid token remains in the URL
+ *     and the user's Retry can still pick it up.
+ */
+import { webuiEndpoint } from '../utils/test-util';
+import { expect, test } from '@playwright/test';
+
+test.describe(
+  'sToken login boundary (LoginView routes)',
+  { tag: ['@regression', '@auth', '@functional'] },
+  () => {
+    test('visiting `/` without a sToken still renders the login form', async ({
+      page,
+    }) => {
+      await page.goto(webuiEndpoint);
+      // Regression guard: the route-level STokenGuard passes through when
+      // no sToken is present, so the ordinary LoginView panel still mounts.
+      await expect(page.getByLabel('Email or Username')).toBeVisible();
+      await expect(page.getByLabel('Password')).toBeVisible();
+    });
+
+    test('invalid sToken on `/` surfaces the boundary error card with a Retry button', async ({
+      page,
+    }) => {
+      await page.goto(`${webuiEndpoint}/?sToken=invalid-token-for-e2e`);
+
+      // The boundary renders one of the `STokenLoginError.kind`-specific
+      // cards. Depending on reachability the kind will be either
+      // `token-invalid` (server rejected the token) or `server-unreachable`
+      // (no cluster), and in edge cases `endpoint-unresolved`. Match the
+      // Retry button that is present in every kind's default card.
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+      await expect(
+        page.getByRole('button', { name: /copy error details/i }),
+      ).toBeVisible();
+    });
+
+    test('invalid sToken on `/` does not strip the token from the URL', async ({
+      page,
+    }) => {
+      await page.goto(`${webuiEndpoint}/?sToken=invalid-token-for-e2e`);
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+      // The boundary only calls `clearSToken(null)` from `onSuccess`.
+      // On failure the token stays in the URL so the user can read it,
+      // report it, or Retry which re-consumes the same value.
+      expect(page.url()).toContain('sToken=invalid-token-for-e2e');
+    });
+
+    test('invalid sToken on `/interactive-login` surfaces the same error card', async ({
+      page,
+    }) => {
+      await page.goto(
+        `${webuiEndpoint}/interactive-login?sToken=invalid-token-for-e2e`,
+      );
+      await expect(page.getByRole('button', { name: /retry/i })).toBeVisible({
+        timeout: 15_000,
+      });
+    });
+  },
+);