AutoGPT/autogpt_platform/frontend/playwright.config.ts
Ubbe 2af9d75dec feat(frontend): enforce auth through httpOnly cookies (#10201)
### Changes 🏗️

Implemented `httpOnly` cookies 🍪 for secure session management 💆🏽

- 🙏🏽 **Moved all API requests to server-side execution** for maximum XSS protection
  - All authentication now happens server-side with `httpOnly` cookies (no JWT tokens exposed to client)
  - Created `proxyApiRequest()` and `proxyFileUpload()` server actions to handle all communication with API
  - Updated `BackendAPI._request()` to always use proxy approach for consistent security

- 🚧 **Exception: WebSocket authentication** requires client-side token exposure
  - Added `getWebSocketToken()` server action to securely provide tokens only for WebSocket connections
  - Maintains secure architecture while we keep the real-time features

- 🧹 **Abstracted implementation details** into reusable helper functions
  - Reduced proxy actions from 157 lines to 48 lines (70% reduction)
  - Added flexible content-type support (_JSON, form-urlencoded, custom_)
  - Enhanced error handling for graceful logout scenarios

- 📙 **Renamed `/reset_password` page to `/reset-password`**
  - couldn't resist, sorry... snake case URLs get me

### Checklist 📋

#### For code changes:
- [x] I have clearly listed my changes in the PR description
- [x] I have made a test plan
- [x] I have tested my changes according to the test plan:
  <!-- Put your test plan here: -->
  - [x] Verify all API requests work through server-side proxy
  - [x] Confirm httpOnly cookies prevent client-side JWT access
  - [x] Test WebSocket connections work with server-provided tokens
  - [x] Verify logout scenarios don't throw authentication errors
  - [x] Check file uploads work securely through proxy
  - [x] Validate zero breaking changes for existing BackendAPI calls

---------

Co-authored-by: Nicholas Tindle <nicholas.tindle@agpt.co>
Co-authored-by: Nicholas Tindle <nicktindle@outlook.com>
Co-authored-by: Swifty <craigswift13@gmail.com>
2025-06-26 13:27:23 +00:00

85 lines
2.4 KiB
TypeScript

```typescript
import { defineConfig, devices } from "@playwright/test";

/**
 * Read environment variables from file.
 * https://github.com/motdotla/dotenv
 */
import dotenv from "dotenv";
import path from "path";
dotenv.config({ path: path.resolve(__dirname, ".env") });
dotenv.config({ path: path.resolve(__dirname, "../backend/.env") });

/**
 * See https://playwright.dev/docs/test-configuration.
 */
export default defineConfig({
  testDir: "./src/tests",
  /* Run tests in files in parallel */
  fullyParallel: true,
  /* Fail the build on CI if you accidentally left test.only in the source code. */
  forbidOnly: !!process.env.CI,
  /* Retry on CI only */
  retries: process.env.CI ? 2 : 0,
  /* Opt out of parallel tests on CI. */
  workers: process.env.CI ? 1 : undefined,
  /* Reporter to use. See https://playwright.dev/docs/test-reporters */
  reporter: [["html"], ["line"]],
  /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
  use: {
    /* Base URL to use in actions like `await page.goto('/')`. */
    baseURL: "http://localhost:3000/",
    /* Collect trace when retrying the failed test. See https://playwright.dev/docs/trace-viewer */
    trace: "on-first-retry",
    screenshot: "only-on-failure",
    /* Stops the test browser from enforcing Content-Security-Policy so test scripts can
       be injected; it only affects this browser context, not the CSP headers the app
       itself sends, and must not be mirrored in any production configuration. */
    bypassCSP: true,
  },
  /* Maximum time one test can run for */
  timeout: 30000,
  /* Configure web server to start automatically */
  webServer: {
    command: "NEXT_PUBLIC_PW_TEST=true pnpm start",
    url: "http://localhost:3000",
    reuseExistingServer: !process.env.CI,
    timeout: 120 * 1000,
  },
  /* Configure projects for major browsers */
  projects: [
    {
      name: "chromium",
      use: { ...devices["Desktop Chrome"] },
    },
    // {
    //   name: "firefox",
    //   use: { ...devices["Desktop Firefox"] },
    // },
    {
      name: "webkit",
      use: { ...devices["Desktop Safari"] },
    },
    // /* Test against mobile viewports. */
    // // {
    // //   name: 'Mobile Chrome',
    // //   use: { ...devices['Pixel 5'] },
    // // },
    // // {
    // //   name: 'Mobile Safari',
    // //   use: { ...devices['iPhone 12'] },
    // // },
    // /* Test against branded browsers. */
    // {
    //   name: "Microsoft Edge",
    //   use: { ...devices["Desktop Edge"], channel: "msedge" },
    // },
    // {
    //   name: 'Google Chrome',
    //   use: { ...devices['Desktop Chrome'], channel: 'chrome' },
    // },
  ],
});
```