Skip to content

test: add E2E tests for all four adapters against a local Supabase stack#99

Merged
mandarini merged 5 commits into
mainfrom
test/add-e2e-suite
Jul 9, 2026
Merged

test: add E2E tests for all four adapters against a local Supabase stack#99
mandarini merged 5 commits into
mainfrom
test/add-e2e-suite

Conversation

@mandarini

@mandarini mandarini commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Adds an e2e vitest project covering what the mocked unit tests cannot: real GoTrue-issued JWTs verified against the live JWKS endpoint, real Supabase client operations via supabaseAdmin, resolveEnv() reading process.env, and imports from dist/ so packaging regressions fail here.

One scenario set (auth + data access + isolation) runs over real HTTP against minimal Hono, H3, Elysia, and NestJS apps. Elysia runs behind a node:http server (srvx) so CI needs no Bun. A separate E2E workflow starts the local stack with the Supabase CLI, builds, and runs the suite.

Adds an e2e vitest project (SDK-1143) covering what the mocked unit tests
cannot: real GoTrue-issued JWTs verified against the live JWKS endpoint,
real Supabase client operations via supabaseAdmin, resolveEnv() reading
process.env, and imports from dist/ so packaging regressions fail here.

One scenario set (auth + data access + isolation) runs over real HTTP
against minimal Hono, H3, Elysia, and NestJS apps. Elysia runs behind a
node:http server (srvx) so CI needs no Bun. A separate E2E workflow
starts the local stack with the Supabase CLI, builds, and runs the suite.
@mandarini mandarini requested review from a team as code owners July 8, 2026 08:53
@pkg-pr-new

pkg-pr-new Bot commented Jul 8, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/@supabase/server@99

commit: ed5bb26

mandarini and others added 2 commits July 8, 2026 12:15
Newer Supabase stacks make new tables private by default — the API roles
(anon/authenticated/service_role) no longer receive DML grants on table
creation. CI installs the latest CLI, so all supabaseAdmin queries failed
with "permission denied for table notes" while JWT scenarios passed.
Reproduced locally on CLI 2.109.1; explicit grants fix it on both old and
new stacks.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The NestJS app silently inserted an empty note when the body was missing,
while the other three adapters returned 400 — and no scenario exercised
those 400 branches. NestJS now throws BadRequestException like the rest,
and a shared missing-body scenario keeps all four aligned.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

@grdsdev grdsdev left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

very good! 👏

@mandarini mandarini self-assigned this Jul 8, 2026
@mandarini

Copy link
Copy Markdown
Collaborator Author

Thanks! I also want @kallebysantos, @tomaspozo and @awaseem to take a look!

…ection

Closes the three gaps from PR review: the garbage-token scenario failed at
header decode without ever reaching signature verification, ctx.supabase
(the RLS-scoped client) was never exercised, and nothing pinned that a
present-but-invalid token on an optional route is rejected rather than
downgraded to anonymous.

- Mint a well-formed JWT with the live JWKS kid but a wrong signing key in
  global setup; every adapter must 401 it — proving signature verification
  end-to-end, not just structure checks.
- Add GET /my-notes reading through ctx.supabase with no WHERE clause,
  backed by a user_id = auth.uid() select policy — proving the caller's
  token reaches PostgREST and Postgres RLS scopes the rows.
- Assert GET /me-optional with an invalid token → 401.

10 → 14 scenarios per adapter (56 tests).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Comment thread e2e/apps/notes.ts
Comment thread e2e/setup/token.ts Outdated
Comment thread e2e/README.md Outdated

@kallebysantos kallebysantos left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just a few comments

@awaseem awaseem left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Much needed! Thank you <3

Addresses PR review comments:

- New fifth app on the core withSupabase(config, handler) fetch wrapper —
  the exact programming model Supabase Edge Functions deploy — running the
  full scenario set behind node:http. A real Deno runtime e2e via
  `supabase functions serve` is tracked in SDK-1280.
- New GET /all-notes route (admin client, no filter) + scenario: user2's
  request sees user1's rows through supabaseAdmin, directly proving the
  admin client is not scoped to the caller's identity.
- Replace the `;({ data, error } = ...)` destructuring-reassignment in the
  sign-in helper with a plain result variable.

15 scenarios × 5 apps (75 tests).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@mandarini mandarini merged commit 09a6750 into main Jul 9, 2026
8 checks passed
@mandarini mandarini deleted the test/add-e2e-suite branch July 9, 2026 07:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants