feat(next): add e2e session injection and chat spec infra

[gaboesquivel]

Summary by CodeRabbit

• Documentation

  • Clarified E2E testing docs with details about chat auth being currently skipped and test session endpoints.

• Bug Fixes

  • Increased chat E2E timeout and added extra UI visibility checks for chat input.

• Chores

  • Removed test-only API endpoints from the public spec.
  • Added test-mode environment flag and a helper flow to inject sessions for E2E authentication.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
basilic-docs	Ready	Preview, Comment	Feb 18, 2026 9:29am
basilic-fastify	Error		Feb 18, 2026 9:29am
basilic-next	Ready	Preview, Comment	Feb 18, 2026 9:29am

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Registers test routes only when ALLOW_TEST or an explicit allowTest option is enabled, removes two deprecated test endpoints from the OpenAPI spec, adds a test-set-session API to inject auth cookies for E2E, and provides an E2E helper to perform token-based session injection; minor E2E test adjustments and docs note added.

Changes

Cohort / File(s)	Summary
Docs & Spec apps/docu/content/docs/testing/e2e-testing.mdx, apps/fastify/openapi/openapi.json	Docs updated to explain skipped Chat E2E; two test endpoints (/test/authed/, /test/magic-link/last) removed from OpenAPI JSON.
Server config & env apps/next/lib/env.ts, apps/fastify/scripts/generate-openapi.ts, apps/fastify/src/app.ts	Added optional ALLOW_TEST env var and runtime export; app registration now accepts { allowTest }; Fastify autoload ignoreFilter disables /test/ routes unless allowed.
Auth proxy & test handler apps/next/app/api/auth/[...path]/handlers.ts, apps/next/app/api/auth/[...path]/handlers/test-set-session.ts	Added test-set-session route wiring and new handler that validates ALLOW_TEST, requires token+refreshToken query params, sets auth cookies, and issues a 303 redirect.
E2E helpers & tests apps/next/e2e/auth-helpers.ts, apps/next/e2e/chat-assistant.spec.ts	New loginAsTestUserWithTokenInjection(page) to obtain tokens and hit test-set-session for cookie injection; chat test timeout raised, skip rationale clarified, and an extra placeholder visibility assertion added.

Sequence Diagram

sequenceDiagram
    participant Test as E2E Test
    participant NextAPI as Next API (proxy)
    participant Handler as test-set-session Handler
    participant Cookie as Cookie Setter

    Test->>NextAPI: Request magic-link (POST /magic-link/request)
    NextAPI-->>Test: Success

    Test->>NextAPI: Query test magic token (GET /test/magic-link/last)
    NextAPI-->>Test: Magic token

    Test->>NextAPI: Verify token (POST /verify) -> receive token & refreshToken
    NextAPI-->>Test: { token, refreshToken }

    Test->>NextAPI: GET /api/auth/test-set-session?token=X&refreshToken=Y
    NextAPI->>Handler: proxy to test-set-session
    Handler->>Handler: check ALLOW_TEST enabled
    Handler->>Handler: validate token & refreshToken
    Handler->>Cookie: set auth cookies on response
    Cookie-->>Handler: cookies attached
    Handler-->>Test: 303 Redirect to /

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• feat: chat assistant #83: Adds similar test-set-session handler and E2E token/cookie injection helpers; touches auth cookie plumbing.
• feat(next): add e2e session injection and chat spec infra #103: Also introduces ALLOW_TEST/AppOptions gating and updates the auth proxy to handle test routes.
• feat(chat): json-render unser info card  #100: Modifies the same E2E chat test and related auth/magic-link flows.

Poem

🐰 I hop to the test-set-session door,
Tokens in paw, cookies to pour,
No chasing links, I nibble and plant,
E2E naps while CI does a chant — hooray, we ran! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: adding E2E session injection capability and chat specification infrastructure, which are reflected across the modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chat-tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

apps/next/e2e/auth-helpers.ts (1)

110-141: Consider extracting shared login preamble to reduce duplication.

Lines 110–117 duplicate the logic from loginAsTestUser (lines 95–103): send magic link → assert status → wait for success message → delay → extract token. Extracting a shared helper (e.g., sendAndExtractMagicToken(page)) would keep both methods DRY.

♻️ Sketch

+  /** Shared: send magic link and extract the token */
+  async _sendAndExtractMagicToken(page: Page): Promise<string> {
+    const response = await this.sendMagicLink(page)
+    if (response.status() !== 200) throw new Error('Magic link request failed')
+    const successMessage = page.getByText(/check your email for the magic link/i)
+    await successMessage.waitFor({ state: 'visible', timeout: 10000 })
+    await new Promise(r => setTimeout(r, 200))
+    const token = await this.extractToken(page)
+    if (!token) throw new Error('Failed to extract magic link token')
+    return token
+  },
+
   async loginAsTestUser(page: Page) {
-    const response = await this.sendMagicLink(page)
-    if (response.status() !== 200) throw new Error('Magic link request failed')
-    const successMessage = page.getByText(/check your email for the magic link/i)
-    await successMessage.waitFor({ state: 'visible', timeout: 10000 })
-    await new Promise(r => setTimeout(r, 200))
-    const token = await this.extractToken(page)
-    if (!token) throw new Error('Failed to extract magic link token')
+    const token = await this._sendAndExtractMagicToken(page)
     await this.verifyMagicLink(page, token)
   },

   async loginAsTestUserWithTokenInjection(page: Page) {
-    const response = await this.sendMagicLink(page)
-    if (response.status() !== 200) throw new Error('Magic link request failed')
-    const successMessage = page.getByText(/check your email for the magic link/i)
-    await successMessage.waitFor({ state: 'visible', timeout: 10000 })
-    await new Promise(r => setTimeout(r, 200))
-    const magicToken = await this.extractToken(page)
-    if (!magicToken) throw new Error('Failed to extract magic link token')
+    const magicToken = await this._sendAndExtractMagicToken(page)
     // ... rest of token injection

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/next/e2e/auth-helpers.ts` around lines 110 - 141, The
loginAsTestUserWithTokenInjection function duplicates the preamble from
loginAsTestUser (sendMagicLink → response check → successMessage wait → small
delay → extractToken); refactor by extracting that sequence into a shared helper
(e.g., sendAndExtractMagicToken(page)) that calls sendMagicLink, awaits the
visible success message, performs the short delay, and returns the extracted
magicToken using extractToken, then update both
loginAsTestUserWithTokenInjection and loginAsTestUser to call
sendAndExtractMagicToken(page) and use its returned token for the subsequent
verify and injection logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/fastify/src/app.ts`:
- Line 39: The ignoreFilter currently evaluates !(opts?.allowTest ??
env.ALLOW_TEST) which treats the string 'false' as truthy; change the check to
compare the value to the string 'true' explicitly, e.g. use (opts?.allowTest ??
env.ALLOW_TEST) !== 'true' (or equivalent explicit comparison) when computing
ignoreFilter so that env.ALLOW_TEST='false' properly disables test routes;
update the expression referencing ignoreFilter, opts?.allowTest and
env.ALLOW_TEST accordingly and ensure parentheses are used to preserve
evaluation order.

---

Nitpick comments:
In `@apps/next/e2e/auth-helpers.ts`:
- Around line 110-141: The loginAsTestUserWithTokenInjection function duplicates
the preamble from loginAsTestUser (sendMagicLink → response check →
successMessage wait → small delay → extractToken); refactor by extracting that
sequence into a shared helper (e.g., sendAndExtractMagicToken(page)) that calls
sendMagicLink, awaits the visible success message, performs the short delay, and
returns the extracted magicToken using extractToken, then update both
loginAsTestUserWithTokenInjection and loginAsTestUser to call
sendAndExtractMagicToken(page) and use its returned token for the subsequent
verify and injection logic.