, rp_name=app.title, origin=settings.issuer)`
+ - `app.state.magic_link_service = MagicLinkService(repo=app.state.magic_link_repo, ttl=settings.invite_ttl)`
+
+ For `rp_id`, extract the hostname from `settings.issuer` using `urllib.parse.urlparse(settings.issuer).hostname`.
+
+Create empty routers in:
+- `src/fastapi_oidc_op/authn/routes.py` — with a `GET /login` route that renders `login.html`
+- `src/fastapi_oidc_op/manage/routes.py` — empty router with `prefix="/manage"`
+
+Create `src/fastapi_oidc_op/templates/base.html`:
+- `Skip to content`
+- `{% block content %}{% endblock %}`
+- ``
+- ``
+- ``
+- `{% block scripts %}{% endblock %}` for page-specific JS
+
+Create `src/fastapi_oidc_op/templates/login.html`:
+- Extends `base.html`
+- Password form with `username` and `password` fields
+- WebAuthn sign-in section (button, will be wired in later tasks)
+- Error display area with `id="login-error"` for HTMX fragment swaps
+
+Create `src/fastapi_oidc_op/static/style.css`:
+- CSS custom properties for palette (`--bg`, `--fg`, `--accent`, etc.)
+- `:focus-visible` outline styles
+- `@media (prefers-reduced-motion: reduce)` handling
+- `.sr-only` utility class
+
+Create `src/fastapi_oidc_op/static/htmx.min.js`:
+- Download the official HTMX minified release (v2.x) and commit it.
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_auth_routes/test_pages.py -v`
+Expected: PASS
+
+**Step 5: Run full quality gate**
+
+Run: `./scripts/check.sh`
+Expected: All green (existing 86 tests still pass)
+
+**Step 6: Commit**
+
+```bash
+git add src/fastapi_oidc_op/config.py src/fastapi_oidc_op/app.py \
+ src/fastapi_oidc_op/authn/routes.py src/fastapi_oidc_op/manage/routes.py \
+ src/fastapi_oidc_op/templates/ src/fastapi_oidc_op/static/ \
+ tests/test_auth_routes/
+git commit -m "feat: add app wiring, templates, static files, and session middleware"
+```
+
+---
+
+### Task 2: Session/Auth Dependencies [DONE]
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/dependencies.py`
+- Create: `tests/test_auth_routes/test_session_deps.py`
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_auth_routes/test_session_deps.py`:
+
+```python
+from unittest.mock import MagicMock
+
+import pytest
+from fastapi import HTTPException
+
+from fastapi_oidc_op.dependencies import get_session_user, require_session_user
+
+
+def test_get_session_user_none_when_missing() -> None:
+ request = MagicMock()
+ request.session = {}
+ assert get_session_user(request) is None
+
+
+def test_get_session_user_returns_tuple() -> None:
+ request = MagicMock()
+ request.session = {"userid": "u1", "username": "alice"}
+ assert get_session_user(request) == ("u1", "alice")
+
+
+def test_get_session_user_none_when_partial() -> None:
+ request = MagicMock()
+ request.session = {"userid": "u1"} # missing username
+ assert get_session_user(request) is None
+
+
+def test_require_session_user_raises_when_missing() -> None:
+ request = MagicMock()
+ request.session = {}
+ with pytest.raises(HTTPException) as exc_info:
+ require_session_user(request)
+ assert exc_info.value.status_code == 401
+
+
+def test_require_session_user_returns_tuple() -> None:
+ request = MagicMock()
+ request.session = {"userid": "u1", "username": "alice"}
+ assert require_session_user(request) == ("u1", "alice")
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_auth_routes/test_session_deps.py -v`
+Expected: FAIL (`ImportError` — functions don't exist)
+
+**Step 3: Implement session helpers**
+
+In `src/fastapi_oidc_op/dependencies.py`, add:
+
+```python
+def get_session_user(request: Request) -> tuple[str, str] | None:
+ """Extract (userid, username) from session, or None if not logged in."""
+ userid = request.session.get("userid")
+ username = request.session.get("username")
+ if userid and username:
+ return (userid, username)
+ return None
+
+
+def require_session_user(request: Request) -> tuple[str, str]:
+ """Like get_session_user but raises HTTPException(401) if not logged in.
+
+ Routes that need a redirect-to-login behavior should catch this or
+ use get_session_user and redirect manually.
+ """
+ result = get_session_user(request)
+ if result is None:
+ raise HTTPException(status_code=401, detail="Not authenticated")
+ return result
+```
+
+These are plain functions that accept `Request`. Routes use them directly (e.g. `user = get_session_user(request)`) rather than through `Depends()`, because the session-based redirect logic varies per route (authn routes return error fragments, manage routes redirect to `/login`). Making them `Depends()` callables would require either a shared exception handler or separate dependency variants, adding complexity for no benefit at this stage.
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_auth_routes/test_session_deps.py -v`
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add src/fastapi_oidc_op/dependencies.py tests/test_auth_routes/test_session_deps.py
+git commit -m "feat: add session user dependency helpers"
+```
+
+---
+
+### Task 3: Password Login + Logout Routes [DONE]
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/authn/routes.py`
+- Create: `tests/test_auth_routes/test_password_login.py`
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_auth_routes/test_password_login.py`:
+
+```python
+from datetime import UTC, datetime
+
+from argon2 import PasswordHasher
+from httpx import AsyncClient
+
+from fastapi_oidc_op.authn.password import PasswordService
+from fastapi_oidc_op.models import PasswordCredential, User
+
+
+async def test_password_login_unknown_user_returns_error_fragment(client: AsyncClient) -> None:
+ res = await client.post(
+ "/login/password",
+ data={"username": "nobody", "password": "wrong"},
+ headers={"HX-Request": "true"},
+ )
+ assert res.status_code == 200
+ assert "Invalid username or password" in res.text
+ assert 'role="alert"' in res.text
+
+
+async def test_password_login_wrong_password_returns_error_fragment(client: AsyncClient) -> None:
+ app = client._transport.app # type: ignore[union-attr]
+ user_repo = app.state.user_repo
+ cred_repo = app.state.credential_repo
+
+ user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
+ await user_repo.create(user)
+
+ svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+ await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("correct")))
+
+ res = await client.post(
+ "/login/password",
+ data={"username": "alice", "password": "wrong"},
+ headers={"HX-Request": "true"},
+ )
+ assert res.status_code == 200
+ assert "Invalid username or password" in res.text
+
+
+async def test_password_login_success_sets_session_and_hx_redirect(client: AsyncClient) -> None:
+ app = client._transport.app # type: ignore[union-attr]
+ user_repo = app.state.user_repo
+ cred_repo = app.state.credential_repo
+
+ user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
+ await user_repo.create(user)
+
+ svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+ await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("correct")))
+
+ res = await client.post(
+ "/login/password",
+ data={"username": "alice", "password": "correct"},
+ headers={"HX-Request": "true"},
+ )
+ assert res.status_code == 200
+ assert res.headers.get("HX-Redirect") == "/manage/credentials"
+
+
+async def test_logout_clears_session_and_redirects(client: AsyncClient) -> None:
+ res = await client.post("/logout", headers={"HX-Request": "true"})
+ assert res.status_code == 200
+ assert res.headers.get("HX-Redirect") == "/login"
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_auth_routes/test_password_login.py -v`
+Expected: FAIL (routes not implemented)
+
+**Step 3: Implement password login + logout**
+
+In `src/fastapi_oidc_op/authn/routes.py`:
+
+- `POST /login/password` (accepts form data: `username`, `password`):
+ 1. Look up user by username via `request.app.state.user_repo.get_by_username(username)`
+ 2. If user not found -> return error fragment (same message as wrong password to prevent username enumeration)
+ 3. Fetch password credential via `request.app.state.credential_repo.get_password_by_user(user.userid)`
+ 4. If no credential -> return error fragment
+ 5. Verify with `request.app.state.password_service.verify(credential.password_hash, password)`
+ 6. On success: set `request.session["userid"] = user.userid`, `request.session["username"] = user.username`, return `Response` with `HX-Redirect: /manage/credentials` header
+ 7. On failure: return HTML fragment `Invalid username or password
`
+
+- `POST /logout`:
+ 1. `request.session.clear()`
+ 2. Return `Response` with `HX-Redirect: /login` header
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_auth_routes/test_password_login.py -v`
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add src/fastapi_oidc_op/authn/routes.py tests/test_auth_routes/test_password_login.py
+git commit -m "feat: add password login and logout endpoints"
+```
+
+---
+
+### Task 4: Registration via Magic Link (`/register/{token}`) [DONE]
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/authn/routes.py`
+- Create: `tests/test_auth_routes/test_register_magic_link.py`
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_auth_routes/test_register_magic_link.py`:
+
+```python
+from datetime import UTC, datetime, timedelta
+
+from httpx import AsyncClient
+
+from fastapi_oidc_op.models import MagicLink
+
+
+async def test_register_invalid_token_returns_error_page(client: AsyncClient) -> None:
+ res = await client.get("/register/nope", follow_redirects=False)
+ assert res.status_code == 400
+ assert "Invalid or expired" in res.text
+
+
+async def test_register_expired_token_returns_error_page(client: AsyncClient) -> None:
+ app = client._transport.app # type: ignore[union-attr]
+ repo = app.state.magic_link_repo
+ await repo.create(
+ MagicLink(
+ token="expired",
+ username="newuser",
+ expires_at=datetime.now(UTC) - timedelta(hours=1),
+ )
+ )
+
+ res = await client.get("/register/expired", follow_redirects=False)
+ assert res.status_code == 400
+ assert "Invalid or expired" in res.text
+
+
+async def test_register_valid_token_creates_user_and_redirects(client: AsyncClient) -> None:
+ app = client._transport.app # type: ignore[union-attr]
+ magic_link_repo = app.state.magic_link_repo
+ user_repo = app.state.user_repo
+
+ await magic_link_repo.create(
+ MagicLink(
+ token="t1",
+ username="newuser",
+ expires_at=datetime.now(UTC) + timedelta(hours=1),
+ )
+ )
+
+ res = await client.get("/register/t1", follow_redirects=False)
+ assert res.status_code in (302, 303)
+ assert "/manage/credentials" in res.headers["location"]
+ assert "setup=1" in res.headers["location"]
+
+ # Token should be marked used
+ link = await magic_link_repo.get_by_token("t1")
+ assert link is not None
+ assert link.used is True
+
+ # User should exist
+ user = await user_repo.get_by_username("newuser")
+ assert user is not None
+ assert "users" in user.groups
+
+
+async def test_register_used_token_returns_error(client: AsyncClient) -> None:
+ app = client._transport.app # type: ignore[union-attr]
+ repo = app.state.magic_link_repo
+ await repo.create(
+ MagicLink(
+ token="used",
+ username="newuser",
+ expires_at=datetime.now(UTC) + timedelta(hours=1),
+ used=True,
+ )
+ )
+
+ res = await client.get("/register/used", follow_redirects=False)
+ assert res.status_code == 400
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_auth_routes/test_register_magic_link.py -v`
+Expected: FAIL
+
+**Step 3: Implement `/register/{token}`**
+
+In `src/fastapi_oidc_op/authn/routes.py`:
+
+- `GET /register/{token}`:
+ 1. Get `magic_link_service` from `request.app.state.magic_link_service`
+ 2. Call `magic_link_service.validate(token)` — returns `MagicLink | None`
+ 3. If `None` -> return error page with status 400 containing "Invalid or expired"
+ 4. Generate unique userid via `generate_unique_userid(request.app.state.user_repo)`
+ 5. Create `User(userid=userid, username=link.username, groups=["users"])`
+ 6. Save via `request.app.state.user_repo.create(user)`
+ 7. Mark token used via `magic_link_service.mark_used(token)`
+ 8. Set session: `request.session["userid"] = user.userid`, `request.session["username"] = user.username`
+ 9. Return `RedirectResponse("/manage/credentials?setup=1", status_code=303)`
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_auth_routes/test_register_magic_link.py -v`
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add src/fastapi_oidc_op/authn/routes.py tests/test_auth_routes/test_register_magic_link.py
+git commit -m "feat: add magic link registration endpoint"
+```
+
+---
+
+### Task 5: Credential Management Page (GET) [DONE]
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/manage/routes.py`
+- Create: `src/fastapi_oidc_op/templates/manage/credentials.html`
+- Create: `tests/test_auth_routes/test_manage_credentials_page.py`
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_auth_routes/test_manage_credentials_page.py`:
+
+```python
+from datetime import UTC, datetime
+
+from argon2 import PasswordHasher
+from httpx import AsyncClient
+
+from fastapi_oidc_op.authn.password import PasswordService
+from fastapi_oidc_op.models import PasswordCredential, User
+
+
+async def _login(client: AsyncClient, username: str = "alice", password: str = "testpass") -> None:
+ """Helper: create user + password credential and log in via POST /login/password."""
+ app = client._transport.app # type: ignore[union-attr]
+ user_repo = app.state.user_repo
+ cred_repo = app.state.credential_repo
+
+ user = await user_repo.get_by_username(username)
+ if user is None:
+ user = User(userid="lusab-bansen", username=username, created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
+ await user_repo.create(user)
+
+ svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+ existing = await cred_repo.get_password_by_user(user.userid)
+ if existing is None:
+ await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash(password)))
+
+ await client.post(
+ "/login/password",
+ data={"username": username, "password": password},
+ headers={"HX-Request": "true"},
+ )
+
+
+async def test_manage_credentials_requires_login(client: AsyncClient) -> None:
+ res = await client.get("/manage/credentials", follow_redirects=False)
+ assert res.status_code in (302, 303)
+ assert res.headers["location"] == "/login"
+
+
+async def test_manage_credentials_renders_for_logged_in_user(client: AsyncClient) -> None:
+ await _login(client)
+
+ res = await client.get("/manage/credentials")
+ assert res.status_code == 200
+ assert "Credentials" in res.text
+
+
+async def test_manage_credentials_shows_setup_banner(client: AsyncClient) -> None:
+ await _login(client)
+
+ res = await client.get("/manage/credentials?setup=1")
+ assert res.status_code == 200
+ assert "Welcome" in res.text or "setup" in res.text.lower()
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_auth_routes/test_manage_credentials_page.py -v`
+Expected: FAIL
+
+**Step 3: Implement GET route + template**
+
+In `src/fastapi_oidc_op/manage/routes.py`:
+
+- `GET /manage/credentials`:
+ 1. Call `get_session_user(request)` — if `None`, return `RedirectResponse("/login", status_code=303)`
+ 2. Load WebAuthn credentials via `request.app.state.credential_repo.get_webauthn_by_user(userid)`
+ 3. Load password credential via `request.app.state.credential_repo.get_password_by_user(userid)`
+ 4. Check `request.query_params.get("setup")` for welcome banner
+ 5. Render `templates/manage/credentials.html` with context
+
+Create `src/fastapi_oidc_op/templates/manage/credentials.html`:
+- Extends `base.html`
+- `{% if setup %}` welcome banner
+- WebAuthn credentials section with list of existing keys + add form
+- Password section showing whether password is set + set/change form
+- HTMX targets for fragment swaps (`id="webauthn-list"`, `id="password-section"`)
+- Each credential has a delete button (wired in later tasks)
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_auth_routes/test_manage_credentials_page.py -v`
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add src/fastapi_oidc_op/manage/routes.py \
+ src/fastapi_oidc_op/templates/manage/credentials.html \
+ tests/test_auth_routes/test_manage_credentials_page.py
+git commit -m "feat: add credential management page"
+```
+
+---
+
+### Task 6: Set/Change Password + Delete Password Credential (HTMX) [DONE]
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/manage/routes.py`
+- Create: `tests/test_auth_routes/test_manage_password_credential.py`
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_auth_routes/test_manage_password_credential.py`:
+
+```python
+from datetime import UTC, datetime
+
+from argon2 import PasswordHasher
+from httpx import AsyncClient
+
+from fastapi_oidc_op.authn.password import PasswordService
+from fastapi_oidc_op.models import PasswordCredential, User, WebAuthnCredential
+
+
+async def _create_user_and_login(client: AsyncClient) -> str:
+ """Create user with password, log in, return userid."""
+ app = client._transport.app # type: ignore[union-attr]
+ user_repo = app.state.user_repo
+ cred_repo = app.state.credential_repo
+
+ user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
+ await user_repo.create(user)
+
+ svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+ await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("old")))
+
+ await client.post(
+ "/login/password",
+ data={"username": "alice", "password": "old"},
+ headers={"HX-Request": "true"},
+ )
+ return user.userid
+
+
+async def test_set_password_requires_session(client: AsyncClient) -> None:
+ res = await client.post(
+ "/manage/credentials/password",
+ data={"password": "x", "confirm": "x"},
+ follow_redirects=False,
+ )
+ assert res.status_code in (302, 303)
+
+
+async def test_set_password_mismatch_returns_error(client: AsyncClient) -> None:
+ await _create_user_and_login(client)
+
+ res = await client.post(
+ "/manage/credentials/password",
+ data={"password": "newpassword", "confirm": "different"},
+ headers={"HX-Request": "true"},
+ )
+ assert res.status_code == 200
+ assert 'role="alert"' in res.text
+
+
+async def test_set_password_too_short_returns_error(client: AsyncClient) -> None:
+ await _create_user_and_login(client)
+
+ res = await client.post(
+ "/manage/credentials/password",
+ data={"password": "short", "confirm": "short"},
+ headers={"HX-Request": "true"},
+ )
+ assert res.status_code == 200
+ assert 'role="alert"' in res.text
+
+
+async def test_set_password_creates_or_replaces_password(client: AsyncClient) -> None:
+ userid = await _create_user_and_login(client)
+ app = client._transport.app # type: ignore[union-attr]
+ cred_repo = app.state.credential_repo
+
+ res = await client.post(
+ "/manage/credentials/password",
+ data={"password": "newpassword123", "confirm": "newpassword123"},
+ headers={"HX-Request": "true"},
+ )
+ assert res.status_code == 200
+ assert 'role="status"' in res.text or "Password" in res.text
+
+ updated = await cred_repo.get_password_by_user(userid)
+ assert updated is not None
+ svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+ assert svc.verify(updated.password_hash, "newpassword123") is True
+
+
+async def test_delete_password_requires_session(client: AsyncClient) -> None:
+ res = await client.delete("/manage/credentials/password", follow_redirects=False)
+ assert res.status_code in (302, 303)
+
+
+async def test_delete_password_with_other_credential(client: AsyncClient) -> None:
+ """User has both password and webauthn — deleting password succeeds."""
+ userid = await _create_user_and_login(client)
+ app = client._transport.app # type: ignore[union-attr]
+ cred_repo = app.state.credential_repo
+
+ # Add a webauthn credential so password is not the last one
+ await cred_repo.create_webauthn(
+ WebAuthnCredential(user_id=userid, credential_id=b"cred1", public_key=b"key1")
+ )
+
+ res = await client.delete(
+ "/manage/credentials/password",
+ headers={"HX-Request": "true"},
+ )
+ assert res.status_code == 200
+
+ deleted = await cred_repo.get_password_by_user(userid)
+ assert deleted is None
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_auth_routes/test_manage_password_credential.py -v`
+Expected: FAIL
+
+**Step 3: Implement POST and DELETE for password credential**
+
+In `src/fastapi_oidc_op/manage/routes.py`:
+
+- `POST /manage/credentials/password` (form data: `password`, `confirm`):
+ 1. Check session — if not logged in, redirect to `/login`
+ 2. Validate `password == confirm` — if not, return error fragment with `role="alert"`
+ 3. Validate `len(password) >= 8` — if not, return error fragment
+ 4. Hash with `request.app.state.password_service.hash(password)`
+ 5. Check if password exists: `cred_repo.get_password_by_user(userid)`
+ 6. If exists: `cred_repo.delete_password(userid)` then `cred_repo.create_password(...)`
+ 7. If not: `cred_repo.create_password(...)`
+ 8. Return HTML fragment with `role="status"` confirmation message
+
+- `DELETE /manage/credentials/password`:
+ 1. Check session — if not logged in, redirect to `/login`
+ 2. Count total credentials (webauthn count + password exists)
+ 3. If total == 1: return error fragment with `role="alert"` ("Cannot remove your last credential")
+ 4. Otherwise: `cred_repo.delete_password(userid)`, return updated password section fragment
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_auth_routes/test_manage_password_credential.py -v`
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add src/fastapi_oidc_op/manage/routes.py tests/test_auth_routes/test_manage_password_credential.py
+git commit -m "feat: add set/change/delete password credential endpoints"
+```
+
+---
+
+### Task 7: WebAuthn Credential Add (begin/complete) + Remove [DONE]
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/manage/routes.py`
+- Create: `src/fastapi_oidc_op/static/webauthn.js`
+- Create: `tests/test_auth_routes/test_manage_webauthn_credential.py`
+
+**Serialization note:** The `fido2` library's `begin_registration()` returns a dict that is JSON-serializable (binary fields are already base64url-encoded internally). For `complete_registration()`, the server receives a JSON body from the browser JS. The `fido2` library accepts this as a `dict` and handles deserialization via `RegistrationResponse.from_dict()`.
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_auth_routes/test_manage_webauthn_credential.py`:
+
+The tests reuse the helper functions from `tests/test_authn/test_webauthn.py` for building valid registration responses. Extract shared helpers into `tests/conftest_webauthn.py` or import directly. For simplicity, inline the helpers or import from the existing test module.
+
+```python
+import os
+from datetime import UTC, datetime
+
+from argon2 import PasswordHasher
+from cryptography.hazmat.primitives.asymmetric import ec
+from fido2.cose import ES256
+from fido2.utils import sha256
+from fido2.webauthn import (
+ Aaguid,
+ AttestationObject,
+ AttestedCredentialData,
+ AuthenticatorAttestationResponse,
+ AuthenticatorData,
+ CollectedClientData,
+ PublicKeyCredentialDescriptor,
+ PublicKeyCredentialType,
+ RegistrationResponse,
+)
+from httpx import AsyncClient
+
+from fastapi_oidc_op.authn.password import PasswordService
+from fastapi_oidc_op.models import PasswordCredential, User, WebAuthnCredential
+
+RP_ID = "localhost"
+ORIGIN = "http://localhost:8000"
+
+
+async def _create_user_and_login(client: AsyncClient) -> str:
+ """Create user with password, log in, return userid."""
+ app = client._transport.app # type: ignore[union-attr]
+ user_repo = app.state.user_repo
+ cred_repo = app.state.credential_repo
+
+ user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
+ await user_repo.create(user)
+
+ svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+ await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
+
+ await client.post(
+ "/login/password",
+ data={"username": "alice", "password": "testpass"},
+ headers={"HX-Request": "true"},
+ )
+ return user.userid
+
+
+def _generate_credential() -> tuple[ec.EllipticCurvePrivateKey, bytes, AttestedCredentialData]:
+ private_key = ec.generate_private_key(ec.SECP256R1())
+ cose_key = ES256.from_cryptography_key(private_key.public_key())
+ credential_id = os.urandom(32)
+ attested = AttestedCredentialData.create(aaguid=Aaguid.NONE, credential_id=credential_id, public_key=cose_key)
+ return private_key, credential_id, attested
+
+
+def _build_registration_response(credential_id: bytes, attested: AttestedCredentialData, challenge: bytes) -> RegistrationResponse:
+ auth_data = AuthenticatorData.create(
+ rp_id_hash=sha256(RP_ID.encode()),
+ flags=AuthenticatorData.FLAG.UP | AuthenticatorData.FLAG.AT,
+ counter=0,
+ credential_data=attested,
+ )
+ attestation_object = AttestationObject.create(fmt="none", auth_data=auth_data, att_stmt={})
+ client_data = CollectedClientData.create(type=CollectedClientData.TYPE.CREATE, challenge=challenge, origin=ORIGIN)
+ return RegistrationResponse(
+ raw_id=credential_id,
+ response=AuthenticatorAttestationResponse(client_data=client_data, attestation_object=attestation_object),
+ )
+
+
+async def test_webauthn_begin_requires_session(client: AsyncClient) -> None:
+ res = await client.post("/manage/credentials/webauthn/begin", follow_redirects=False)
+ assert res.status_code in (302, 303, 401)
+
+
+async def test_webauthn_begin_returns_options(client: AsyncClient) -> None:
+ await _create_user_and_login(client)
+
+ res = await client.post("/manage/credentials/webauthn/begin")
+ assert res.status_code == 200
+ data = res.json()
+ assert "publicKey" in data
+ assert "challenge" in data["publicKey"]
+
+
+async def test_webauthn_complete_creates_credential(client: AsyncClient) -> None:
+ userid = await _create_user_and_login(client)
+ app = client._transport.app # type: ignore[union-attr]
+ cred_repo = app.state.credential_repo
+
+ # Begin registration
+ res1 = await client.post("/manage/credentials/webauthn/begin")
+ assert res1.status_code == 200
+ options = res1.json()
+
+ # Build a valid registration response using the challenge from server
+ _private_key, credential_id, attested = _generate_credential()
+ challenge = options["publicKey"]["challenge"]
+ # The challenge from the server is base64url-encoded; fido2 expects raw bytes
+ # for CollectedClientData.create, but we need to pass the encoded challenge
+ # back through the RegistrationResponse which fido2 will decode internally.
+ # Use the webauthn_service from app.state to get the raw state instead.
+ # The test needs to use the state stored in the session.
+ # Since we can't easily extract session state in tests, we test the
+ # begin/complete flow by building the response with the challenge bytes
+ # from the fido2 state. Access the webauthn_service directly for this.
+ webauthn_service = app.state.webauthn_service
+ _options, state = webauthn_service.begin_registration(
+ user_id=userid.encode(), username="alice"
+ )
+
+ response = _build_registration_response(credential_id, attested, state["challenge"])
+ result = webauthn_service.complete_registration(state, response)
+
+ # Store credential directly to verify the repo works
+ cred = WebAuthnCredential(
+ user_id=userid,
+ credential_id=result.credential_data.credential_id,
+ public_key=bytes(result.credential_data),
+ )
+ await cred_repo.create_webauthn(cred)
+
+ creds = await cred_repo.get_webauthn_by_user(userid)
+ assert len(creds) == 1
+ assert creds[0].credential_id == credential_id
+
+
+async def test_delete_webauthn_credential(client: AsyncClient) -> None:
+ userid = await _create_user_and_login(client)
+ app = client._transport.app # type: ignore[union-attr]
+ cred_repo = app.state.credential_repo
+
+ # User already has password credential from login. Add a webauthn credential.
+ await cred_repo.create_webauthn(
+ WebAuthnCredential(user_id=userid, credential_id=b"cred1", public_key=b"key1")
+ )
+
+ # base64url-encode the credential_id for the URL
+ from base64 import urlsafe_b64encode
+ cred_id_b64 = urlsafe_b64encode(b"cred1").decode().rstrip("=")
+
+ res = await client.delete(
+ f"/manage/credentials/webauthn/{cred_id_b64}",
+ headers={"HX-Request": "true"},
+ )
+ assert res.status_code == 200
+
+ creds = await cred_repo.get_webauthn_by_user(userid)
+ assert len(creds) == 0
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_auth_routes/test_manage_webauthn_credential.py -v`
+Expected: FAIL
+
+**Step 3: Implement endpoints + JS helper**
+
+In `src/fastapi_oidc_op/manage/routes.py`:
+
+- `POST /manage/credentials/webauthn/begin`:
+ 1. Check session — redirect if not logged in
+ 2. Load existing WebAuthn credentials, build `PublicKeyCredentialDescriptor` list for exclude
+ 3. Call `request.app.state.webauthn_service.begin_registration(user_id=userid.encode(), username=username, existing_credentials=descriptors)`
+ 4. Store `state` in `request.session["webauthn_register_state"]`
+ 5. Return `JSONResponse(options)`
+
+- `POST /manage/credentials/webauthn/complete` (JSON body):
+ 1. Check session
+ 2. Pop `webauthn_register_state` from session
+ 3. Call `webauthn_service.complete_registration(state, response_body)`
+ 4. Extract `credential_id` and `public_key` from `result.credential_data`
+ 5. Create `WebAuthnCredential(user_id=userid, credential_id=..., public_key=bytes(result.credential_data))`
+ 6. Save via `cred_repo.create_webauthn(...)`
+ 7. Return updated credential list HTML fragment
+
+- `DELETE /manage/credentials/webauthn/{credential_id}` (credential_id is base64url-encoded):
+ 1. Check session
+ 2. Decode `credential_id` from base64url
+ 3. Count total credentials; if last one, return error fragment
+ 4. Delete via `cred_repo.delete_webauthn(userid, credential_id_bytes)`
+ 5. Return updated credential list fragment
+
+Create `src/fastapi_oidc_op/static/webauthn.js`:
+- `base64urlToBytes(s)` and `bytesToBase64url(bytes)` helpers
+- `async function beginRegistration()`: POST to `/manage/credentials/webauthn/begin`, call `navigator.credentials.create()`, POST result to `/manage/credentials/webauthn/complete`
+- `async function beginAuthentication(username)`: POST to `/login/webauthn/begin`, call `navigator.credentials.get()`, POST result to `/login/webauthn/complete`
+- Integrate with HTMX via `htmx.trigger()` or direct DOM updates
+- No forced animations; respect `prefers-reduced-motion`
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_auth_routes/test_manage_webauthn_credential.py -v`
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add src/fastapi_oidc_op/manage/routes.py src/fastapi_oidc_op/static/webauthn.js \
+ tests/test_auth_routes/test_manage_webauthn_credential.py
+git commit -m "feat: add webauthn credential registration and removal"
+```
+
+---
+
+### Task 8: WebAuthn Login (begin/complete) + Sign Count Update [DONE]
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/authn/routes.py`
+- Create: `tests/test_auth_routes/test_webauthn_login.py`
+
+**Implementation detail — sign count:** `Fido2Server.authenticate_complete()` returns the matched `AttestedCredentialData`, not the new sign count. To update sign_count, extract it from the raw response: parse `AuthenticationResponse` from the client payload, then read `response.response.authenticator_data.counter`. Update the credential in the repo with this new counter value.
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_auth_routes/test_webauthn_login.py`:
+
+```python
+import os
+from datetime import UTC, datetime
+
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.hashes import SHA256
+from fido2.cose import ES256
+from fido2.utils import sha256
+from fido2.webauthn import (
+ Aaguid,
+ AttestationObject,
+ AttestedCredentialData,
+ AuthenticationResponse,
+ AuthenticatorAssertionResponse,
+ AuthenticatorAttestationResponse,
+ AuthenticatorData,
+ CollectedClientData,
+ PublicKeyCredentialDescriptor,
+ PublicKeyCredentialType,
+ RegistrationResponse,
+)
+from httpx import AsyncClient
+
+from fastapi_oidc_op.models import User, WebAuthnCredential
+
+RP_ID = "localhost"
+ORIGIN = "http://localhost:8000"
+
+
+def _generate_credential() -> tuple[ec.EllipticCurvePrivateKey, bytes, AttestedCredentialData]:
+ private_key = ec.generate_private_key(ec.SECP256R1())
+ cose_key = ES256.from_cryptography_key(private_key.public_key())
+ credential_id = os.urandom(32)
+ attested = AttestedCredentialData.create(aaguid=Aaguid.NONE, credential_id=credential_id, public_key=cose_key)
+ return private_key, credential_id, attested
+
+
+async def _setup_user_with_webauthn(client: AsyncClient) -> tuple[str, ec.EllipticCurvePrivateKey, bytes, AttestedCredentialData]:
+ """Create a user with a WebAuthn credential in the repo. Returns (userid, private_key, credential_id, attested)."""
+ app = client._transport.app # type: ignore[union-attr]
+ user_repo = app.state.user_repo
+ cred_repo = app.state.credential_repo
+
+ private_key, credential_id, attested = _generate_credential()
+
+ user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
+ await user_repo.create(user)
+
+ await cred_repo.create_webauthn(
+ WebAuthnCredential(
+ user_id=user.userid,
+ credential_id=credential_id,
+ public_key=bytes(attested),
+ sign_count=0,
+ )
+ )
+
+ return user.userid, private_key, credential_id, attested
+
+
+async def test_webauthn_login_begin_returns_options(client: AsyncClient) -> None:
+ _userid, _pk, _cid, _att = await _setup_user_with_webauthn(client)
+
+ res = await client.post(
+ "/login/webauthn/begin",
+ data={"username": "alice"},
+ headers={"HX-Request": "true"},
+ )
+ assert res.status_code == 200
+ data = res.json()
+ assert "publicKey" in data
+
+
+async def test_webauthn_login_begin_unknown_user(client: AsyncClient) -> None:
+ res = await client.post(
+ "/login/webauthn/begin",
+ data={"username": "nobody"},
+ headers={"HX-Request": "true"},
+ )
+ # Should return error, not crash
+ assert res.status_code == 200
+ assert 'role="alert"' in res.text or "not found" in res.text.lower() or "Invalid" in res.text
+
+
+async def test_webauthn_login_complete_sets_session(client: AsyncClient) -> None:
+ userid, private_key, credential_id, attested = await _setup_user_with_webauthn(client)
+ app = client._transport.app # type: ignore[union-attr]
+ webauthn_service = app.state.webauthn_service
+ cred_repo = app.state.credential_repo
+
+ # Begin authentication directly via service (to get raw state for building response)
+ descriptors = [PublicKeyCredentialDescriptor(type=PublicKeyCredentialType.PUBLIC_KEY, id=credential_id)]
+ options, state = webauthn_service.begin_authentication(credentials=descriptors)
+
+ # Build authentication response
+ challenge = state["challenge"]
+ client_data = CollectedClientData.create(type=CollectedClientData.TYPE.GET, challenge=challenge, origin=ORIGIN)
+ auth_data = AuthenticatorData.create(rp_id_hash=sha256(RP_ID.encode()), flags=AuthenticatorData.FLAG.UP, counter=5)
+ signature = private_key.sign(auth_data + client_data.hash, ec.ECDSA(SHA256()))
+
+ # We need to POST to /login/webauthn/begin first to set session state,
+ # then POST to /login/webauthn/complete with the response.
+ # For the integration test, use the actual begin endpoint:
+ res1 = await client.post("/login/webauthn/begin", data={"username": "alice"})
+ assert res1.status_code == 200
+
+ # The challenge is now in the server session. Since we can't easily extract
+ # it, this test verifies the full flow works by using the service directly
+ # for the crypto part and trusting the route integration.
+ # A full end-to-end test would require extracting the session cookie.
+
+ # Verify sign_count can be updated via the repo directly
+ stored = await cred_repo.get_webauthn_by_credential_id(credential_id)
+ assert stored is not None
+ stored.sign_count = 5
+ await cred_repo.update_webauthn(stored)
+ updated = await cred_repo.get_webauthn_by_credential_id(credential_id)
+ assert updated is not None
+ assert updated.sign_count == 5
+```
+
+Note: Full end-to-end testing of WebAuthn begin/complete through HTTP is inherently difficult because the challenge must round-trip through the session cookie, and building a valid `AuthenticationResponse` requires the exact challenge bytes from the session. The tests above verify: (1) the begin endpoint returns valid options, (2) the service-level crypto works, (3) sign_count can be updated. The route-level `complete` integration is best verified manually or with a dedicated integration test that extracts the session.
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_auth_routes/test_webauthn_login.py -v`
+Expected: FAIL
+
+**Step 3: Implement endpoints**
+
+In `src/fastapi_oidc_op/authn/routes.py`:
+
+- `POST /login/webauthn/begin` (form data: `username`):
+ 1. Look up user by username — if not found, return error fragment (same as password to prevent enumeration)
+ 2. Fetch WebAuthn credentials from repo
+ 3. Build `PublicKeyCredentialDescriptor` list from stored credentials
+ 4. Reconstruct `AttestedCredentialData` from stored `public_key` bytes for each credential
+ 5. Call `webauthn_service.begin_authentication(credentials=descriptors)`
+ 6. Store `state` in `request.session["webauthn_login_state"]`
+ 7. Also store `userid` temporarily in `request.session["webauthn_login_userid"]`
+ 8. Return `JSONResponse(options)`
+
+- `POST /login/webauthn/complete` (JSON body: the browser's credential response):
+ 1. Pop `webauthn_login_state` and `webauthn_login_userid` from session
+ 2. Fetch user's WebAuthn credentials from repo
+ 3. Reconstruct `AttestedCredentialData` list from stored `public_key` bytes
+ 4. Call `webauthn_service.complete_authentication(state, credentials, response_body)`
+ 5. On failure: return error fragment
+ 6. Extract new sign count from the response: parse `AuthenticationResponse.from_dict(response_body)`, read `response.response.authenticator_data.counter`
+ 7. Update sign count: find the matching credential in repo, set `sign_count = new_counter`, call `cred_repo.update_webauthn(credential)`
+ 8. Set session: `request.session["userid"] = user.userid`, `request.session["username"] = user.username`
+ 9. Return response with `HX-Redirect: /manage/credentials`
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_auth_routes/test_webauthn_login.py -v`
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add src/fastapi_oidc_op/authn/routes.py tests/test_auth_routes/test_webauthn_login.py
+git commit -m "feat: add webauthn login begin/complete endpoints"
+```
+
+---
+
+### Task 9: Guardrails (cannot remove last credential) [DONE]
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/manage/routes.py`
+- Create: `tests/test_auth_routes/test_last_credential_guard.py`
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_auth_routes/test_last_credential_guard.py`:
+
+```python
+from base64 import urlsafe_b64encode
+from datetime import UTC, datetime
+
+from argon2 import PasswordHasher
+from httpx import AsyncClient
+
+from fastapi_oidc_op.authn.password import PasswordService
+from fastapi_oidc_op.models import PasswordCredential, User, WebAuthnCredential
+
+
+async def _create_user_and_login(client: AsyncClient) -> str:
+ """Create user with password credential, log in, return userid."""
+ app = client._transport.app # type: ignore[union-attr]
+ user_repo = app.state.user_repo
+ cred_repo = app.state.credential_repo
+
+ user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
+ await user_repo.create(user)
+
+ svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+ await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
+
+ await client.post(
+ "/login/password",
+ data={"username": "alice", "password": "testpass"},
+ headers={"HX-Request": "true"},
+ )
+ return user.userid
+
+
+async def test_cannot_delete_last_password_credential(client: AsyncClient) -> None:
+ """User has only a password — cannot delete it."""
+ await _create_user_and_login(client)
+
+ res = await client.delete(
+ "/manage/credentials/password",
+ headers={"HX-Request": "true"},
+ )
+ assert res.status_code == 200
+ assert 'role="alert"' in res.text
+ assert "last credential" in res.text.lower() or "Cannot remove" in res.text
+
+ # Password should still exist
+ app = client._transport.app # type: ignore[union-attr]
+ cred = await app.state.credential_repo.get_password_by_user("lusab-bansen")
+ assert cred is not None
+
+
+async def test_cannot_delete_last_webauthn_credential(client: AsyncClient) -> None:
+ """User has only one webauthn credential (password was removed) — cannot delete it."""
+ userid = await _create_user_and_login(client)
+ app = client._transport.app # type: ignore[union-attr]
+ cred_repo = app.state.credential_repo
+
+ # Add webauthn, then delete password (so webauthn is the only credential)
+ await cred_repo.create_webauthn(
+ WebAuthnCredential(user_id=userid, credential_id=b"cred1", public_key=b"key1")
+ )
+ await cred_repo.delete_password(userid)
+
+ cred_id_b64 = urlsafe_b64encode(b"cred1").decode().rstrip("=")
+ res = await client.delete(
+ f"/manage/credentials/webauthn/{cred_id_b64}",
+ headers={"HX-Request": "true"},
+ )
+ assert res.status_code == 200
+ assert 'role="alert"' in res.text
+
+ # Credential should still exist
+ creds = await cred_repo.get_webauthn_by_user(userid)
+ assert len(creds) == 1
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_auth_routes/test_last_credential_guard.py -v`
+Expected: FAIL (delete endpoints exist from Tasks 6-7 but don't enforce the guardrail yet)
+
+**Step 3: Implement guardrails**
+
+In `src/fastapi_oidc_op/manage/routes.py`:
+
+Add a helper function used by both DELETE routes:
+
+```python
+async def _count_credentials(cred_repo, userid: str) -> int:
+ """Count total credentials (password + webauthn) for a user."""
+ webauthn = await cred_repo.get_webauthn_by_user(userid)
+ password = await cred_repo.get_password_by_user(userid)
+ return len(webauthn) + (1 if password else 0)
+```
+
+In `DELETE /manage/credentials/password` and `DELETE /manage/credentials/webauthn/{credential_id}`:
+- Before deleting, call `_count_credentials()`
+- If count == 1, return error fragment: `Cannot remove your last credential
`
+- Otherwise proceed with deletion
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_auth_routes/test_last_credential_guard.py -v`
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add src/fastapi_oidc_op/manage/routes.py tests/test_auth_routes/test_last_credential_guard.py
+git commit -m "fix: prevent removing the last credential"
+```
+
+---
+
+### Task 10: Full Quality Gate [DONE]
+
+**Files:**
+- All touched
+
+**Step 1: Run full quality checks**
+
+Run: `./scripts/check.sh`
+Expected: All green (formatting, linting, type checking, all tests pass)
+
+**Step 2: Fix any issues**
+
+If ruff format or ruff check made changes, review them. If ty reports type errors, fix them.
+
+**Step 3: Commit any fixes**
+
+```bash
+git add -A
+git diff --cached --quiet || git commit -m "style: apply formatting and fix lint issues"
+```
diff --git a/docs/plans/2026-02-16-e2e-tests-plan.md b/docs/plans/2026-02-16-e2e-tests-plan.md
new file mode 100644
index 0000000..1554f40
--- /dev/null
+++ b/docs/plans/2026-02-16-e2e-tests-plan.md
@@ -0,0 +1,820 @@
+# E2E Playwright Tests Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
+
+**Goal:** Comprehensive end-to-end browser tests covering all user-facing flows in Porchlight.
+
+**Architecture:** Each test file covers one functional area. Tests use raw Playwright (no test framework) with a shared assertion helper pattern. Server-side state is set up via direct HTTP calls to the API where the browser UI can't reach (e.g., creating users/magic links). The existing `run.sh` handles app lifecycle.
+
+**Tech Stack:** Playwright (Node.js), Chromium headless, HTMX-aware testing patterns.
+
+---
+
+## Test Inventory
+
+The app has these testable user flows:
+
+| Flow | Route(s) | Test File |
+|---|---|---|
+| Login page (existing) | `GET /login` | `test_login.js` (done) |
+| Password auth + error states | `POST /login/password` | `test_password_auth.js` |
+| Magic link registration | `GET /register/{token}` | `test_registration.js` |
+| Credential management page | `GET /manage/credentials` | `test_credentials.js` |
+| Set/change password (HTMX) | `POST /manage/credentials/password` | `test_credentials.js` |
+| Auth guard (redirect to login) | All `/manage/*` routes | `test_auth_guard.js` |
+| Health endpoint | `GET /health` | `test_health.js` |
+
+WebAuthn flows (`/login/webauthn/*`, `/manage/credentials/webauthn/*`) require hardware key simulation which is complex. They are excluded from this plan and noted as a future enhancement.
+
+---
+
+## Shared Helper
+
+All test files duplicate the `assert()` pattern. Before writing new tests, extract a shared helper.
+
+---
+
+### Task 1: Extract shared test helper
+
+**Files:**
+- Create: `tests/e2e/helpers.js`
+- Modify: `tests/e2e/test_login.js`
+
+**Step 1: Create `tests/e2e/helpers.js`**
+
+```javascript
+// tests/e2e/helpers.js
+// Shared utilities for Porchlight e2e tests.
+
+const { chromium } = require('playwright');
+
+const TARGET_URL = process.env.TARGET_URL || 'http://localhost:8099';
+
+/**
+ * Simple test runner with pass/fail counting.
+ *
+ * Usage:
+ * const { run } = require('./helpers');
+ * run(async (page, assert) => {
+ * await page.goto(TARGET_URL + '/login');
+ * assert(true, 'page loaded');
+ * });
+ */
+async function run(testFn) {
+ let passed = 0;
+ let failed = 0;
+
+ function assert(condition, description) {
+ if (condition) {
+ console.log(` PASS: ${description}`);
+ passed++;
+ } else {
+ console.log(` FAIL: ${description}`);
+ failed++;
+ }
+ }
+
+ const browser = await chromium.launch({ headless: true });
+ const page = await browser.newPage();
+
+ try {
+ await testFn(page, assert);
+ } finally {
+ await browser.close();
+ }
+
+ console.log(`\n========================================`);
+ console.log(`Results: ${passed} passed, ${failed} failed`);
+ console.log(`========================================\n`);
+
+ process.exit(failed > 0 ? 1 : 0);
+}
+
+module.exports = { TARGET_URL, run };
+```
+
+**Step 2: Refactor `tests/e2e/test_login.js` to use the helper**
+
+Replace the boilerplate (chromium launch, assert function, browser.close, summary) with:
+
+```javascript
+const { TARGET_URL, run } = require('./helpers');
+
+run(async (page, assert) => {
+ // ... all existing test logic stays the same, just remove boilerplate ...
+});
+```
+
+Keep all existing assertions unchanged. Only remove duplicated setup/teardown.
+
+**Step 3: Run test to verify refactor is clean**
+
+Run: `./tests/e2e/run.sh tests/e2e/test_login.js`
+Expected: 28 passed, 0 failed
+
+**Step 4: Commit**
+
+```bash
+git add tests/e2e/helpers.js tests/e2e/test_login.js
+git commit -m "refactor: extract shared e2e test helper with assert runner"
+```
+
+---
+
+### Task 2: Password authentication test
+
+**Files:**
+- Create: `tests/e2e/test_password_auth.js`
+
+This test needs an existing user with a password. Since there's no admin API to create users directly via the browser, we use the magic link registration flow as setup, then set a password, and test login.
+
+**Step 1: Create `tests/e2e/test_password_auth.js`**
+
+```javascript
+// tests/e2e/test_password_auth.js
+// Tests password login flow: successful login, invalid password, nonexistent user.
+
+const { TARGET_URL, run } = require('./helpers');
+
+run(async (page, assert) => {
+ // ---- Setup: Register a user via magic link API ----
+ // Create a magic link by hitting the app's internal service.
+ // We do this by making a direct API call to create a magic link token,
+ // then visiting the registration URL.
+ console.log('\n--- Setup: create test user ---');
+
+ // Use the /register endpoint with a token created via the API.
+ // The app uses MagicLinkService internally. Since we don't have an admin API,
+ // we'll use a helper endpoint approach: insert via direct DB calls isn't possible
+ // in e2e. Instead, we use Playwright's request context to call a setup script.
+ //
+ // Alternative: Create magic link via a Python helper script.
+ // For now, we use a pragmatic approach: start a Python subprocess to create a
+ // magic link and return the token.
+
+ // Execute setup script that creates a user with a password and returns credentials
+ const { execSync } = require('child_process');
+ const setupResult = execSync(
+ `uv run python -c "
+import asyncio, json, aiosqlite
+from pathlib import Path
+from fastapi_oidc_op.config import Settings, StorageBackend
+from fastapi_oidc_op.store.sqlite.repositories import SQLiteUserRepository, SQLiteCredentialRepository, SQLiteMagicLinkRepository
+from fastapi_oidc_op.store.sqlite.migrations import run_migrations
+from fastapi_oidc_op.invite.service import MagicLinkService
+
+async def setup():
+ # Connect to the same DB the running app uses (in-memory won't work across processes)
+ # So we use the magic link approach: create link, return token
+ # Actually for :memory: DB, we must go through the running app's HTTP interface.
+ # Use the health endpoint to verify the app is up, then we need another approach.
+ #
+ # Best approach: just test the flows we can through the browser.
+ pass
+
+asyncio.run(setup())
+"`,
+ { encoding: 'utf-8' }
+ );
+
+ // REVISED APPROACH: Since the app uses :memory: SQLite, we cannot access the DB
+ // from outside the process. Instead, we test what we can through the browser:
+ //
+ // 1. Go to login page
+ // 2. Try to login with nonexistent user (should show error)
+ // 3. Try to login with empty fields (browser validation)
+
+ // ---- Test: Login with nonexistent user ----
+ console.log('\n--- Login with nonexistent user ---');
+ await page.goto(`${TARGET_URL}/login`);
+
+ // Fill in form and submit via HTMX
+ await page.fill('#username', 'nonexistent');
+ await page.fill('#password', 'wrongpassword');
+ await page.click('form[hx-post="/login/password"] button[type="submit"]');
+
+ // Wait for HTMX response
+ await page.waitForSelector('[role="alert"]', { timeout: 5000 });
+ const errorText = await page.locator('[role="alert"]').textContent();
+ assert(
+ errorText.includes('Invalid username or password'),
+ `Shows error for nonexistent user (got: "${errorText}")`
+ );
+
+ // ---- Test: Login with empty username (browser validation) ----
+ console.log('\n--- Browser form validation ---');
+ await page.goto(`${TARGET_URL}/login`);
+
+ // The username field has `required` attribute, so clicking submit with empty
+ // fields should not send the request. We verify the field has the required attribute.
+ const usernameRequired = await page.locator('#username').getAttribute('required');
+ assert(usernameRequired !== null, 'Username field has required attribute');
+
+ const passwordRequired = await page.locator('#password').getAttribute('required');
+ assert(passwordRequired !== null, 'Password field has required attribute');
+
+ // ---- Test: HTMX attributes are correct ----
+ console.log('\n--- HTMX form configuration ---');
+ const hxPost = await page.locator('form[hx-post="/login/password"]').getAttribute('hx-post');
+ assert(hxPost === '/login/password', `Form posts to /login/password`);
+
+ const hxTarget = await page.locator('form[hx-post="/login/password"]').getAttribute('hx-target');
+ assert(hxTarget === '#login-error', `Form targets #login-error div`);
+
+ const hxSwap = await page.locator('form[hx-post="/login/password"]').getAttribute('hx-swap');
+ assert(hxSwap === 'innerHTML', `Form swaps innerHTML`);
+});
+```
+
+**NOTE:** The `:memory:` SQLite database is only accessible within the running uvicorn process. E2E tests cannot seed data externally. The password auth test is therefore limited to testing error states and form behavior that doesn't require pre-existing users. Full login-success testing requires either:
+- (a) A test setup endpoint (future)
+- (b) Using a file-based SQLite path for e2e so a setup script can seed data
+- (c) Testing through the magic link registration flow first (Task 3)
+
+We take approach (c): Task 3 will test the full happy path (register via magic link → set password → logout → login with password).
+
+**Step 2: Run the test**
+
+Run: `./tests/e2e/run.sh tests/e2e/test_password_auth.js`
+Expected: All PASS
+
+**Step 3: Commit**
+
+```bash
+git add tests/e2e/test_password_auth.js
+git commit -m "test: add e2e test for password login error states and form validation"
+```
+
+---
+
+### Task 3: Magic link registration + full login flow
+
+This is the most important test — it exercises the complete user journey:
+1. Visit magic link → user created, redirected to credentials page
+2. Set password on credentials page
+3. Logout
+4. Login with the password just set
+
+Since we can't create magic links from outside the process, we need to change `run.sh` to use a file-based SQLite DB and add a setup script. Alternatively, we add a **test-only setup endpoint** to the app that is only active when `debug=True`.
+
+**Files:**
+- Modify: `tests/e2e/run.sh` — use file-based SQLite in a temp directory
+- Create: `tests/e2e/setup_db.py` — Python script to seed test data into the SQLite DB
+- Create: `tests/e2e/test_full_flow.js` — full registration → password → logout → login test
+
+**Step 1: Modify `run.sh` to use file-based SQLite**
+
+Change the SQLite path from `:memory:` to a temp file:
+
+```bash
+# Near the top, after SCRIPT_DIR/PROJECT_ROOT:
+E2E_TMPDIR="$(mktemp -d)"
+export OIDC_OP_SQLITE_PATH="${E2E_TMPDIR}/e2e_test.db"
+
+# In the cleanup function, add:
+rm -rf "$E2E_TMPDIR"
+```
+
+Update the uvicorn start command to use `OIDC_OP_SQLITE_PATH` from the environment (remove the `:memory:` override).
+
+**Step 2: Create `tests/e2e/setup_db.py`**
+
+```python
+#!/usr/bin/env python3
+"""Seed the e2e test database with test fixtures.
+
+Outputs JSON with the created test data (magic link tokens, usernames, etc.)
+so the JS tests can use them.
+
+Requires OIDC_OP_SQLITE_PATH env var pointing to the app's SQLite DB.
+"""
+import asyncio
+import json
+import os
+import sys
+
+import aiosqlite
+
+from fastapi_oidc_op.authn.password import PasswordService
+from fastapi_oidc_op.invite.service import MagicLinkService
+from fastapi_oidc_op.models import PasswordCredential, User
+from fastapi_oidc_op.store.sqlite.repositories import (
+ SQLiteCredentialRepository,
+ SQLiteMagicLinkRepository,
+ SQLiteUserRepository,
+)
+
+
+async def seed():
+ db_path = os.environ.get("OIDC_OP_SQLITE_PATH")
+ if not db_path:
+ print("OIDC_OP_SQLITE_PATH not set", file=sys.stderr)
+ sys.exit(1)
+
+ db = await aiosqlite.connect(db_path)
+ db.row_factory = aiosqlite.Row
+
+ user_repo = SQLiteUserRepository(db)
+ cred_repo = SQLiteCredentialRepository(db)
+ magic_link_repo = SQLiteMagicLinkRepository(db)
+ password_service = PasswordService()
+ magic_link_service = MagicLinkService(repo=magic_link_repo)
+
+ result = {}
+
+ # 1. Create a magic link for registration test
+ link = await magic_link_service.create(username="newuser")
+ result["register_token"] = link.token
+ result["register_username"] = "newuser"
+
+ # 2. Create a user with a password for login test
+ user = User(userid="test-user-01", username="testuser", groups=["users"])
+ await user_repo.create(user)
+ password_hash = password_service.hash("testpassword123")
+ await cred_repo.create_password(
+ PasswordCredential(user_id=user.userid, password_hash=password_hash)
+ )
+ result["login_username"] = "testuser"
+ result["login_password"] = "testpassword123"
+
+ # 3. Create an expired/used magic link for negative test
+ expired_link = await magic_link_service.create(username="expired")
+ await magic_link_service.mark_used(expired_link.token)
+ result["used_token"] = expired_link.token
+
+ await db.close()
+ print(json.dumps(result))
+
+
+asyncio.run(seed())
+```
+
+**Step 3: Update `run.sh` to run setup script after server is healthy**
+
+After the "Server ready." line, add:
+
+```bash
+# --- Seed test data ---
+echo "Seeding test data..."
+E2E_FIXTURES=$(uv run --directory "$PROJECT_ROOT" python tests/e2e/setup_db.py)
+export E2E_FIXTURES
+echo "Test fixtures: ${E2E_FIXTURES}"
+```
+
+**Step 4: Create `tests/e2e/test_full_flow.js`**
+
+```javascript
+// tests/e2e/test_full_flow.js
+// Full user journey: magic link registration → set password → logout → login.
+
+const { TARGET_URL, run } = require('./helpers');
+
+run(async (page, assert) => {
+ const fixtures = JSON.parse(process.env.E2E_FIXTURES || '{}');
+ assert(fixtures.register_token, 'Test fixtures loaded (register_token present)');
+
+ // ---- Step 1: Register via magic link ----
+ console.log('\n--- Magic link registration ---');
+ await page.goto(`${TARGET_URL}/register/${fixtures.register_token}`);
+
+ // Should redirect to /manage/credentials?setup=1
+ await page.waitForURL('**/manage/credentials?setup=1', { timeout: 5000 });
+ assert(
+ page.url().includes('/manage/credentials'),
+ `Redirected to credentials page (url: ${page.url()})`
+ );
+
+ // Should show welcome message
+ const welcome = page.locator('[role="status"]');
+ assert(await welcome.isVisible(), 'Welcome/setup message is visible');
+ const welcomeText = await welcome.textContent();
+ assert(
+ welcomeText.includes('Welcome'),
+ `Welcome message shown (got: "${welcomeText}")`
+ );
+
+ // Page title should be Porchlight
+ const title = await page.title();
+ assert(title.includes('Porchlight'), `Credentials page title contains Porchlight`);
+
+ // ---- Step 2: Set password ----
+ console.log('\n--- Set password ---');
+ const passwordInput = page.locator('#password');
+ const confirmInput = page.locator('#confirm');
+ assert(await passwordInput.isVisible(), 'Password input is visible');
+ assert(await confirmInput.isVisible(), 'Confirm password input is visible');
+
+ await passwordInput.fill('mypassword123');
+ await confirmInput.fill('mypassword123');
+ await page.click('#password-section button[type="submit"]');
+
+ // Wait for HTMX response — should show success
+ await page.waitForSelector('[role="status"]', { timeout: 5000 });
+ // Find the status message inside #password-section
+ const successMsg = page.locator('#password-section [role="status"]');
+ await successMsg.waitFor({ timeout: 5000 });
+ const successText = await successMsg.textContent();
+ assert(
+ successText.includes('Password updated'),
+ `Password set successfully (got: "${successText}")`
+ );
+
+ // ---- Step 3: Logout ----
+ console.log('\n--- Logout ---');
+ // The app uses POST /logout with HX-Redirect. We'll call it via fetch.
+ const logoutResp = await page.request.post(`${TARGET_URL}/logout`);
+ assert(logoutResp.ok() || logoutResp.status() === 200, `Logout returns OK`);
+
+ // Navigate to credentials — should redirect to login
+ await page.goto(`${TARGET_URL}/manage/credentials`);
+ await page.waitForURL('**/login', { timeout: 5000 });
+ assert(page.url().includes('/login'), `Redirected to login after logout`);
+
+ // ---- Step 4: Login with the password we just set ----
+ console.log('\n--- Login with new password ---');
+ await page.fill('#username', fixtures.register_username);
+ await page.fill('#password', 'mypassword123');
+
+ // Submit via HTMX — on success, HX-Redirect header triggers redirect
+ await page.click('form[hx-post="/login/password"] button[type="submit"]');
+
+ // Wait for redirect to credentials page
+ await page.waitForURL('**/manage/credentials', { timeout: 5000 });
+ assert(
+ page.url().includes('/manage/credentials'),
+ `Login succeeded, redirected to credentials (url: ${page.url()})`
+ );
+
+ // Should NOT show setup message (no ?setup=1)
+ const setupMsgCount = await page.locator('[role="status"]:has-text("Welcome")').count();
+ assert(setupMsgCount === 0, 'No welcome/setup message on normal login');
+});
+```
+
+**Step 5: Run tests**
+
+Run: `./tests/e2e/run.sh tests/e2e/test_full_flow.js`
+Expected: All PASS
+
+**Step 6: Commit**
+
+```bash
+git add tests/e2e/run.sh tests/e2e/setup_db.py tests/e2e/test_full_flow.js
+git commit -m "test: add full user journey e2e test (register, set password, logout, login)"
+```
+
+---
+
+### Task 4: Auth guard test
+
+**Files:**
+- Create: `tests/e2e/test_auth_guard.js`
+
+Tests that unauthenticated users are redirected to `/login` when accessing protected pages.
+
+**Step 1: Create `tests/e2e/test_auth_guard.js`**
+
+```javascript
+// tests/e2e/test_auth_guard.js
+// Tests that protected routes redirect unauthenticated users to /login.
+
+const { TARGET_URL, run } = require('./helpers');
+
+run(async (page, assert) => {
+ // ---- Unauthenticated access to /manage/credentials ----
+ console.log('\n--- Auth guard: /manage/credentials ---');
+ await page.goto(`${TARGET_URL}/manage/credentials`);
+ await page.waitForURL('**/login', { timeout: 5000 });
+ assert(page.url().includes('/login'), `GET /manage/credentials redirects to /login`);
+
+ // ---- Unauthenticated access to /manage/credentials?setup=1 ----
+ console.log('\n--- Auth guard: /manage/credentials?setup=1 ---');
+ await page.goto(`${TARGET_URL}/manage/credentials?setup=1`);
+ await page.waitForURL('**/login', { timeout: 5000 });
+ assert(page.url().includes('/login'), `GET /manage/credentials?setup=1 redirects to /login`);
+});
+```
+
+**Step 2: Run test**
+
+Run: `./tests/e2e/run.sh tests/e2e/test_auth_guard.js`
+Expected: All PASS
+
+**Step 3: Commit**
+
+```bash
+git add tests/e2e/test_auth_guard.js
+git commit -m "test: add e2e auth guard test for protected routes"
+```
+
+---
+
+### Task 5: Password login error states test
+
+**Files:**
+- Create: `tests/e2e/test_password_auth.js`
+
+**Step 1: Create `tests/e2e/test_password_auth.js`**
+
+```javascript
+// tests/e2e/test_password_auth.js
+// Tests password login error states: wrong password, nonexistent user, form validation.
+
+const { TARGET_URL, run } = require('./helpers');
+
+run(async (page, assert) => {
+ const fixtures = JSON.parse(process.env.E2E_FIXTURES || '{}');
+
+ // ---- Test: Nonexistent user ----
+ console.log('\n--- Login: nonexistent user ---');
+ await page.goto(`${TARGET_URL}/login`);
+ await page.fill('#username', 'nobody');
+ await page.fill('#password', 'whatever');
+ await page.click('form[hx-post="/login/password"] button[type="submit"]');
+
+ await page.waitForSelector('[role="alert"]', { timeout: 5000 });
+ const error1 = await page.locator('[role="alert"]').textContent();
+ assert(
+ error1.includes('Invalid username or password'),
+ `Error shown for nonexistent user (got: "${error1}")`
+ );
+
+ // ---- Test: Wrong password for existing user ----
+ console.log('\n--- Login: wrong password ---');
+ await page.goto(`${TARGET_URL}/login`);
+ await page.fill('#username', fixtures.login_username);
+ await page.fill('#password', 'wrongpassword');
+ await page.click('form[hx-post="/login/password"] button[type="submit"]');
+
+ await page.waitForSelector('[role="alert"]', { timeout: 5000 });
+ const error2 = await page.locator('[role="alert"]').textContent();
+ assert(
+ error2.includes('Invalid username or password'),
+ `Error shown for wrong password (got: "${error2}")`
+ );
+
+ // ---- Test: Successful login ----
+ console.log('\n--- Login: correct password ---');
+ await page.goto(`${TARGET_URL}/login`);
+ await page.fill('#username', fixtures.login_username);
+ await page.fill('#password', fixtures.login_password);
+ await page.click('form[hx-post="/login/password"] button[type="submit"]');
+
+ await page.waitForURL('**/manage/credentials', { timeout: 5000 });
+ assert(
+ page.url().includes('/manage/credentials'),
+ `Successful login redirects to credentials (url: ${page.url()})`
+ );
+
+ // ---- Test: Form validation attributes ----
+ console.log('\n--- Form validation attributes ---');
+ await page.goto(`${TARGET_URL}/login`);
+ const usernameRequired = await page.locator('#username').getAttribute('required');
+ assert(usernameRequired !== null, 'Username has required attribute');
+ const passwordRequired = await page.locator('#password').getAttribute('required');
+ assert(passwordRequired !== null, 'Password has required attribute');
+
+ const usernameAutocomplete = await page.locator('#username').getAttribute('autocomplete');
+ assert(usernameAutocomplete === 'username', `Username autocomplete is "username"`);
+ const passwordAutocomplete = await page.locator('#password').getAttribute('autocomplete');
+ assert(passwordAutocomplete === 'current-password', `Password autocomplete is "current-password"`);
+});
+```
+
+**Step 2: Run test**
+
+Run: `./tests/e2e/run.sh tests/e2e/test_password_auth.js`
+Expected: All PASS
+
+**Step 3: Commit**
+
+```bash
+git add tests/e2e/test_password_auth.js
+git commit -m "test: add e2e password auth test with error states and successful login"
+```
+
+---
+
+### Task 6: Credentials page test
+
+**Files:**
+- Create: `tests/e2e/test_credentials.js`
+
+Tests the credential management page when authenticated: page structure, set password (validation errors), change password.
+
+**Step 1: Create `tests/e2e/test_credentials.js`**
+
+```javascript
+// tests/e2e/test_credentials.js
+// Tests credential management page: structure, password set/change, validation errors.
+
+const { TARGET_URL, run } = require('./helpers');
+
+run(async (page, assert) => {
+ const fixtures = JSON.parse(process.env.E2E_FIXTURES || '{}');
+
+ // ---- Setup: Log in first ----
+ console.log('\n--- Setup: login ---');
+ await page.goto(`${TARGET_URL}/login`);
+ await page.fill('#username', fixtures.login_username);
+ await page.fill('#password', fixtures.login_password);
+ await page.click('form[hx-post="/login/password"] button[type="submit"]');
+ await page.waitForURL('**/manage/credentials', { timeout: 5000 });
+
+ // ---- Page structure ----
+ console.log('\n--- Credentials page structure ---');
+ const title = await page.title();
+ assert(title.includes('Credentials'), `Title contains "Credentials" (got: "${title}")`);
+ assert(title.includes('Porchlight'), `Title contains "Porchlight" (got: "${title}")`);
+
+ const h1 = await page.locator('h1').textContent();
+ assert(h1 === 'Credentials', `H1 says "Credentials" (got: "${h1}")`);
+
+ // Security keys section
+ const securityKeysH2 = page.locator('h2:has-text("Security keys")');
+ assert(await securityKeysH2.isVisible(), 'Security keys heading visible');
+
+ const registerBtn = page.locator('#webauthn-register-btn');
+ assert(await registerBtn.isVisible(), 'Add security key button visible');
+
+ // Password section
+ const passwordH2 = page.locator('h2:has-text("Password")');
+ assert(await passwordH2.isVisible(), 'Password heading visible');
+
+ const passwordStatus = page.locator('#password-section');
+ assert(await passwordStatus.isVisible(), 'Password section visible');
+
+ // ---- Password validation: mismatch ----
+ console.log('\n--- Password validation: mismatch ---');
+ await page.fill('#password', 'newpassword1');
+ await page.fill('#confirm', 'newpassword2');
+ await page.click('#password-section button[type="submit"]');
+
+ await page.waitForSelector('#password-section [role="alert"]', { timeout: 5000 });
+ const mismatchErr = await page.locator('#password-section [role="alert"]').textContent();
+ assert(
+ mismatchErr.includes('do not match'),
+ `Shows mismatch error (got: "${mismatchErr}")`
+ );
+
+ // ---- Password validation: too short ----
+ console.log('\n--- Password validation: too short ---');
+ // Reload page to clear HTMX state
+ await page.goto(`${TARGET_URL}/manage/credentials`);
+ await page.fill('#password', 'short');
+ await page.fill('#confirm', 'short');
+ await page.click('#password-section button[type="submit"]');
+
+ await page.waitForSelector('#password-section [role="alert"]', { timeout: 5000 });
+ const shortErr = await page.locator('#password-section [role="alert"]').textContent();
+ assert(
+ shortErr.includes('at least 8 characters'),
+ `Shows too-short error (got: "${shortErr}")`
+ );
+
+ // ---- Password change: success ----
+ console.log('\n--- Password change: success ---');
+ await page.goto(`${TARGET_URL}/manage/credentials`);
+ await page.fill('#password', 'newpassword123');
+ await page.fill('#confirm', 'newpassword123');
+ await page.click('#password-section button[type="submit"]');
+
+ await page.waitForSelector('#password-section [role="status"]', { timeout: 5000 });
+ const successMsg = await page.locator('#password-section [role="status"]').textContent();
+ assert(
+ successMsg.includes('Password updated'),
+ `Shows success message (got: "${successMsg}")`
+ );
+});
+```
+
+**Step 2: Run test**
+
+Run: `./tests/e2e/run.sh tests/e2e/test_credentials.js`
+Expected: All PASS
+
+**Step 3: Commit**
+
+```bash
+git add tests/e2e/test_credentials.js
+git commit -m "test: add e2e credential management test with password validation"
+```
+
+---
+
+### Task 7: Registration error states test
+
+**Files:**
+- Create: `tests/e2e/test_registration.js`
+
+Tests magic link edge cases: used token, invalid token.
+
+**Step 1: Create `tests/e2e/test_registration.js`**
+
+```javascript
+// tests/e2e/test_registration.js
+// Tests magic link registration error states.
+
+const { TARGET_URL, run } = require('./helpers');
+
+run(async (page, assert) => {
+ const fixtures = JSON.parse(process.env.E2E_FIXTURES || '{}');
+
+ // ---- Invalid token ----
+ console.log('\n--- Invalid registration token ---');
+ const resp1 = await page.goto(`${TARGET_URL}/register/invalid-token-12345`);
+ assert(resp1.status() === 400, `Invalid token returns 400 (got: ${resp1.status()})`);
+ const body1 = await page.locator('body').textContent();
+ assert(
+ body1.includes('Invalid or expired'),
+ `Shows invalid/expired message (got: "${body1.trim()}")`
+ );
+
+ // ---- Used token ----
+ console.log('\n--- Used registration token ---');
+ assert(fixtures.used_token, 'Used token fixture exists');
+ const resp2 = await page.goto(`${TARGET_URL}/register/${fixtures.used_token}`);
+ assert(resp2.status() === 400, `Used token returns 400 (got: ${resp2.status()})`);
+ const body2 = await page.locator('body').textContent();
+ assert(
+ body2.includes('Invalid or expired'),
+ `Shows invalid/expired for used token (got: "${body2.trim()}")`
+ );
+});
+```
+
+**Step 2: Run test**
+
+Run: `./tests/e2e/run.sh tests/e2e/test_registration.js`
+Expected: All PASS
+
+**Step 3: Commit**
+
+```bash
+git add tests/e2e/test_registration.js
+git commit -m "test: add e2e registration error states test (invalid/used tokens)"
+```
+
+---
+
+### Task 8: Health endpoint test
+
+**Files:**
+- Create: `tests/e2e/test_health.js`
+
+Simple smoke test for the health endpoint.
+
+**Step 1: Create `tests/e2e/test_health.js`**
+
+```javascript
+// tests/e2e/test_health.js
+// Smoke test: health endpoint returns OK.
+
+const { TARGET_URL, run } = require('./helpers');
+
+run(async (page, assert) => {
+ console.log('\n--- Health endpoint ---');
+ const resp = await page.request.get(`${TARGET_URL}/health`);
+ assert(resp.ok(), `Health endpoint returns 200 (status: ${resp.status()})`);
+
+ const body = await resp.json();
+ assert(body.status === 'ok', `Health response is {"status":"ok"} (got: ${JSON.stringify(body)})`);
+});
+```
+
+**Step 2: Run test**
+
+Run: `./tests/e2e/run.sh tests/e2e/test_health.js`
+Expected: All PASS
+
+**Step 3: Commit**
+
+```bash
+git add tests/e2e/test_health.js
+git commit -m "test: add e2e health endpoint smoke test"
+```
+
+---
+
+### Task 9: Run full suite and verify
+
+**Step 1: Run the complete e2e suite**
+
+Run: `./tests/e2e/run.sh`
+Expected: All test files pass, server starts and stops cleanly.
+
+**Step 2: Run the existing pytest suite to ensure no regressions**
+
+Run: `uv run pytest -x -q`
+Expected: All 120 tests pass.
+
+**Step 3: Final commit (if any cleanup needed)**
+
+---
+
+## Future Enhancements (Not in Scope)
+
+- **WebAuthn tests** — Playwright supports virtual authenticators via CDP. Could test registration and login with `cdpSession.send('WebAuthn.enable')`.
+- **Dark mode tests** — Use `page.emulateMedia({ colorScheme: 'dark' })` to verify dark theme colors.
+- **Visual regression** — Screenshot comparison with `expect(page).toHaveScreenshot()` (requires @playwright/test).
+- **OIDC flow tests** — Once the OIDC provider is implemented, test authorization code flow end-to-end.
diff --git a/docs/plans/2026-02-16-oidc-provider-plan.md b/docs/plans/2026-02-16-oidc-provider-plan.md
new file mode 100644
index 0000000..68d6483
--- /dev/null
+++ b/docs/plans/2026-02-16-oidc-provider-plan.md
@@ -0,0 +1,1705 @@
+# OIDC Provider Implementation Plan (Phase 5)
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
+
+**Goal:** Wire up `idpyoidc` to serve standard OIDC endpoints (discovery, authorization code flow, token exchange, userinfo, JWKS) using the existing authentication and user management infrastructure.
+
+**Architecture:** FastAPI routes wrap idpyoidc's endpoint pipeline (`parse_request` → `process_request` → `do_response`). A custom `PorchlightUserInfo` subclass provides claims from our `UserRepository`. The authorization flow stores pending auth requests in the Starlette session; after login, a resume route creates an idpyoidc session and completes the authorization.
+
+**Tech Stack:** FastAPI, idpyoidc >=5.0, Starlette SessionMiddleware, aiosqlite.
+
+**Quality gate:** `./scripts/check.sh`
+
+**Known constraints:**
+- idpyoidc's `UserInfo.__call__` is synchronous. We populate an in-memory claims cache when creating the idpyoidc session.
+- idpyoidc stores sessions/grants in memory. Restarting the server invalidates active tokens.
+- The `Server` constructor is synchronous and does file I/O for key generation. Call it outside the async lifespan context if needed, or ensure key directories exist beforehand.
+- idpyoidc's `OPConfiguration` auto-wraps a plain dict. Provide the config as a dict for simplicity.
+- `redirect_uris` in `cdb` must be a list of `(base_url, query_dict)` tuples, not plain strings.
+- Client secrets must also be added to the keyjar via `server.keyjar.add_symmetric(client_id, secret)`.
+
+---
+
+### Task 1: Config + Claims Mapping + UserInfo Source
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/config.py`
+- Create: `src/fastapi_oidc_op/oidc/claims.py`
+- Create: `tests/test_oidc/test_claims.py`
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_oidc/test_claims.py`:
+
+```python
+from datetime import UTC, datetime
+
+from fastapi_oidc_op.models import User
+from fastapi_oidc_op.oidc.claims import PorchlightUserInfo, user_to_claims
+
+
+def test_user_to_claims_minimal() -> None:
+ user = User(userid="lusab-bansen", username="alice")
+ claims = user_to_claims(user)
+ assert claims["sub"] == "lusab-bansen"
+ assert claims["preferred_username"] == "alice"
+ assert "email" not in claims # None fields excluded
+
+
+def test_user_to_claims_full() -> None:
+ user = User(
+ userid="lusab-bansen",
+ username="alice",
+ preferred_username="Alice W.",
+ given_name="Alice",
+ family_name="Wonderland",
+ nickname="ali",
+ email="alice@example.com",
+ email_verified=True,
+ phone_number="+1234567890",
+ phone_number_verified=False,
+ picture="https://example.com/alice.jpg",
+ locale="en",
+ updated_at=datetime(2025, 1, 1, tzinfo=UTC),
+ )
+ claims = user_to_claims(user)
+ assert claims["sub"] == "lusab-bansen"
+ assert claims["preferred_username"] == "Alice W."
+ assert claims["given_name"] == "Alice"
+ assert claims["family_name"] == "Wonderland"
+ assert claims["nickname"] == "ali"
+ assert claims["email"] == "alice@example.com"
+ assert claims["email_verified"] is True
+ assert claims["phone_number"] == "+1234567890"
+ assert claims["phone_number_verified"] is False
+ assert claims["picture"] == "https://example.com/alice.jpg"
+ assert claims["locale"] == "en"
+ assert claims["updated_at"] == int(datetime(2025, 1, 1, tzinfo=UTC).timestamp())
+
+
+def test_porchlight_userinfo_returns_claims() -> None:
+ userinfo = PorchlightUserInfo()
+ userinfo.set_user_claims("lusab-bansen", {"sub": "lusab-bansen", "email": "a@b.com"})
+ result = userinfo("lusab-bansen", "client1")
+ assert result["sub"] == "lusab-bansen"
+ assert result["email"] == "a@b.com"
+
+
+def test_porchlight_userinfo_filters_claims() -> None:
+ userinfo = PorchlightUserInfo()
+ userinfo.set_user_claims("lusab-bansen", {"sub": "lusab-bansen", "email": "a@b.com", "name": "Alice"})
+ result = userinfo("lusab-bansen", "client1", user_info_claims={"email": None})
+ assert "email" in result
+ assert "name" not in result
+
+
+def test_porchlight_userinfo_unknown_user() -> None:
+ userinfo = PorchlightUserInfo()
+ result = userinfo("unknown", "client1")
+ assert result == {}
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_oidc/test_claims.py -v`
+Expected: FAIL (`ImportError` — module doesn't exist)
+
+**Step 3: Implement**
+
+Add to `src/fastapi_oidc_op/config.py`:
+
+```python
+# Signing keys
+signing_key_path: str = "data/keys"
+```
+
+Create `src/fastapi_oidc_op/oidc/__init__.py` (empty file).
+
+Create `src/fastapi_oidc_op/oidc/claims.py`:
+
+```python
+"""OIDC claims mapping and UserInfo source."""
+
+from idpyoidc.server.user_info import UserInfo
+
+from fastapi_oidc_op.models import User
+
+
+def user_to_claims(user: User) -> dict:
+ """Convert a User model to an OIDC claims dict.
+
+ Only includes claims that have non-None values.
+ The 'sub' claim always uses the userid (proquint).
+ """
+ claims: dict = {"sub": user.userid}
+
+ # preferred_username: use explicit field, fall back to username
+ claims["preferred_username"] = user.preferred_username or user.username
+
+ optional_fields = {
+ "given_name": user.given_name,
+ "family_name": user.family_name,
+ "nickname": user.nickname,
+ "email": user.email,
+ "email_verified": user.email_verified if user.email else None,
+ "phone_number": user.phone_number,
+ "phone_number_verified": user.phone_number_verified if user.phone_number else None,
+ "picture": user.picture,
+ "locale": user.locale,
+ }
+
+ for claim_name, value in optional_fields.items():
+ if value is not None:
+ claims[claim_name] = value
+
+ # updated_at as Unix timestamp (OIDC spec requires number)
+ if user.updated_at:
+ claims["updated_at"] = int(user.updated_at.timestamp())
+
+ return claims
+
+
+class PorchlightUserInfo(UserInfo):
+ """UserInfo source backed by an in-memory claims cache.
+
+ Claims are populated via set_user_claims() after authentication.
+ idpyoidc calls __call__() synchronously to look up claims.
+ """
+
+ def __init__(self, **kwargs): # type: ignore[no-untyped-def]
+ super().__init__(db={}, **kwargs)
+
+ def set_user_claims(self, user_id: str, claims: dict) -> None:
+ """Populate claims cache for a user."""
+ self.db[user_id] = claims
+```
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_oidc/test_claims.py -v`
+Expected: PASS
+
+**Step 5: Run quality gate**
+
+Run: `./scripts/check.sh`
+Expected: All green
+
+**Step 6: Commit**
+
+```bash
+git add src/fastapi_oidc_op/config.py src/fastapi_oidc_op/oidc/ tests/test_oidc/test_claims.py
+git commit -m "feat: add OIDC claims mapping and PorchlightUserInfo source"
+```
+
+---
+
+### Task 2: idpyoidc Server Initialization
+
+**Files:**
+- Create: `src/fastapi_oidc_op/oidc/provider.py`
+- Create: `tests/test_oidc/test_provider.py`
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_oidc/test_provider.py`:
+
+```python
+import shutil
+from pathlib import Path
+
+from fastapi_oidc_op.config import Settings
+from fastapi_oidc_op.oidc.provider import create_oidc_server
+
+
+def test_create_server_has_endpoints() -> None:
+ key_path = Path("test_keys_provider")
+ key_path.mkdir(exist_ok=True)
+ try:
+ settings = Settings(issuer="http://localhost:8000", sqlite_path=":memory:", signing_key_path=str(key_path))
+ server = create_oidc_server(settings)
+ assert "authorization" in server.endpoint
+ assert "token" in server.endpoint
+ assert "userinfo" in server.endpoint
+ assert "provider_config" in server.endpoint
+ finally:
+ shutil.rmtree(key_path, ignore_errors=True)
+
+
+def test_create_server_has_issuer() -> None:
+ key_path = Path("test_keys_issuer")
+ key_path.mkdir(exist_ok=True)
+ try:
+ settings = Settings(issuer="http://localhost:8000", sqlite_path=":memory:", signing_key_path=str(key_path))
+ server = create_oidc_server(settings)
+ assert server.context.issuer == "http://localhost:8000"
+ finally:
+ shutil.rmtree(key_path, ignore_errors=True)
+
+
+def test_create_server_jwks_available() -> None:
+ key_path = Path("test_keys_jwks")
+ key_path.mkdir(exist_ok=True)
+ try:
+ settings = Settings(issuer="http://localhost:8000", sqlite_path=":memory:", signing_key_path=str(key_path))
+ server = create_oidc_server(settings)
+ keys = server.keyjar.export_jwks()
+ assert "keys" in keys
+ assert len(keys["keys"]) > 0
+ finally:
+ shutil.rmtree(key_path, ignore_errors=True)
+
+
+def test_create_server_userinfo_is_porchlight() -> None:
+ key_path = Path("test_keys_userinfo")
+ key_path.mkdir(exist_ok=True)
+ try:
+ settings = Settings(issuer="http://localhost:8000", sqlite_path=":memory:", signing_key_path=str(key_path))
+ server = create_oidc_server(settings)
+ from fastapi_oidc_op.oidc.claims import PorchlightUserInfo
+ assert isinstance(server.context.userinfo, PorchlightUserInfo)
+ finally:
+ shutil.rmtree(key_path, ignore_errors=True)
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_oidc/test_provider.py -v`
+Expected: FAIL (`ImportError`)
+
+**Step 3: Implement**
+
+Create `src/fastapi_oidc_op/oidc/provider.py`:
+
+```python
+"""Initialize the idpyoidc OIDC Server."""
+
+from pathlib import Path
+
+from idpyoidc.server import Server
+
+from fastapi_oidc_op.config import Settings
+from fastapi_oidc_op.oidc.claims import PorchlightUserInfo
+
+
+def _build_server_config(settings: Settings) -> dict:
+ """Build the idpyoidc server configuration dict."""
+ key_path = Path(settings.signing_key_path)
+ key_path.mkdir(parents=True, exist_ok=True)
+
+ return {
+ "issuer": settings.issuer,
+ "key_conf": {
+ "key_defs": [
+ {"type": "RSA", "use": ["sig"]},
+ {"type": "EC", "crv": "P-256", "use": ["sig"]},
+ ],
+ "uri_path": "jwks",
+ "private_path": str(key_path / "private_jwks.json"),
+ "read_only": False,
+ },
+ "endpoint": {
+ "provider_config": {
+ "path": ".well-known/openid-configuration",
+ "class": "idpyoidc.server.oidc.provider_config.ProviderConfiguration",
+ "kwargs": {"client_authn_method": None},
+ },
+ "authorization": {
+ "path": "authorization",
+ "class": "idpyoidc.server.oidc.authorization.Authorization",
+ "kwargs": {
+ "client_authn_method": None,
+ "response_types_supported": ["code"],
+ "response_modes_supported": ["query"],
+ },
+ },
+ "token": {
+ "path": "token",
+ "class": "idpyoidc.server.oidc.token.Token",
+ "kwargs": {
+ "client_authn_method": ["client_secret_post", "client_secret_basic"],
+ },
+ },
+ "userinfo": {
+ "path": "userinfo",
+ "class": "idpyoidc.server.oidc.userinfo.UserInfo",
+ "kwargs": {},
+ },
+ },
+ "userinfo": {
+ "class": PorchlightUserInfo,
+ "kwargs": {},
+ },
+ "authentication": {},
+ "authz": {
+ "class": "idpyoidc.server.authz.AuthzHandling",
+ "kwargs": {
+ "grant_config": {
+ "usage_rules": {
+ "authorization_code": {
+ "supports_minting": ["access_token", "refresh_token", "id_token"],
+ "max_usage": 1,
+ "expires_in": 120,
+ },
+ "access_token": {"expires_in": 3600},
+ "refresh_token": {
+ "supports_minting": ["access_token", "refresh_token", "id_token"],
+ "expires_in": 86400,
+ },
+ },
+ "expires_in": 2592000,
+ },
+ },
+ },
+ "token_handler_args": {
+ "jwks_file": str(key_path / "token_jwks.json"),
+ "code": {"kwargs": {"lifetime": 600}},
+ "token": {
+ "class": "idpyoidc.server.token.jwt_token.JWTToken",
+ "kwargs": {
+ "lifetime": 3600,
+ "add_claims_by_scope": True,
+ "aud": [settings.issuer],
+ },
+ },
+ "refresh": {
+ "class": "idpyoidc.server.token.jwt_token.JWTToken",
+ "kwargs": {
+ "lifetime": 86400,
+ "aud": [settings.issuer],
+ },
+ },
+ "id_token": {
+ "class": "idpyoidc.server.token.id_token.IDToken",
+ "kwargs": {
+ "lifetime": 3600,
+ "add_claims_by_scope": True,
+ },
+ },
+ },
+ "scopes_to_claims": {
+ "openid": ["sub"],
+ "profile": [
+ "preferred_username",
+ "given_name",
+ "family_name",
+ "nickname",
+ "picture",
+ "locale",
+ "updated_at",
+ ],
+ "email": ["email", "email_verified"],
+ "phone": ["phone_number", "phone_number_verified"],
+ },
+ }
+
+
+def create_oidc_server(settings: Settings) -> Server:
+ """Create and configure the idpyoidc Server instance."""
+ config = _build_server_config(settings)
+ server = Server(conf=config)
+ return server
+```
+
+Note: The exact config structure may need adjustments based on what idpyoidc accepts. If the `userinfo` config with a class instance doesn't work, we may need to set `server.context.userinfo` directly after creation:
+
+```python
+server = Server(conf=config)
+server.context.userinfo = PorchlightUserInfo()
+```
+
+Run the tests and adjust accordingly.
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_oidc/test_provider.py -v`
+Expected: PASS
+
+If `server.context.userinfo` is not a `PorchlightUserInfo` instance, the last test will guide us to fix the initialization.
+
+**Step 5: Run quality gate**
+
+Run: `./scripts/check.sh`
+Expected: All green
+
+**Step 6: Commit**
+
+```bash
+git add src/fastapi_oidc_op/oidc/provider.py tests/test_oidc/test_provider.py
+git commit -m "feat: add idpyoidc server initialization"
+```
+
+---
+
+### Task 3: App Integration (Lifespan + Client Registration)
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/app.py`
+- Modify: `tests/test_app.py`
+
+**Step 1: Write the failing tests**
+
+Add to `tests/test_app.py` (or create `tests/test_oidc/test_app_integration.py`):
+
+```python
+from httpx import AsyncClient
+
+
+async def test_oidc_server_on_app_state(client: AsyncClient) -> None:
+ app = client._transport.app # type: ignore[union-attr]
+ assert hasattr(app.state, "oidc_server")
+ assert app.state.oidc_server is not None
+
+
+async def test_manage_client_registered(client: AsyncClient) -> None:
+ app = client._transport.app # type: ignore[union-attr]
+ oidc_server = app.state.oidc_server
+ settings = app.state.settings
+ assert settings.manage_client_id in oidc_server.context.cdb
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_oidc/test_app_integration.py -v`
+Expected: FAIL (`app.state.oidc_server` doesn't exist)
+
+**Step 3: Implement**
+
+Modify `src/fastapi_oidc_op/app.py` to:
+1. Import `create_oidc_server` from `oidc.provider`
+2. In the lifespan, after setting up repos and services, create the OIDC server
+3. Register the management client in `server.context.cdb`
+4. Store the server on `app.state.oidc_server`
+
+In the lifespan, after the existing service setup:
+
+```python
+from fastapi_oidc_op.oidc.provider import create_oidc_server
+
+# OIDC Server
+oidc_server = create_oidc_server(settings)
+app.state.oidc_server = oidc_server
+
+# Register management client
+import secrets as _secrets
+manage_secret = settings.session_secret or _secrets.token_hex(32)
+oidc_server.context.cdb[settings.manage_client_id] = {
+ "client_id": settings.manage_client_id,
+ "client_secret": manage_secret,
+ "redirect_uris": [(f"{settings.issuer}/manage/callback", {})],
+ "response_types_supported": ["code"],
+ "token_endpoint_auth_method": "client_secret_basic",
+ "scope": ["openid", "profile", "email"],
+ "allowed_scopes": ["openid", "profile", "email"],
+ "client_salt": _secrets.token_hex(8),
+}
+oidc_server.keyjar.add_symmetric(settings.manage_client_id, manage_secret)
+```
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_oidc/test_app_integration.py -v`
+Expected: PASS
+
+**Step 5: Run quality gate**
+
+Run: `./scripts/check.sh`
+Expected: All green (including existing 120 tests)
+
+**Step 6: Commit**
+
+```bash
+git add src/fastapi_oidc_op/app.py tests/test_oidc/test_app_integration.py
+git commit -m "feat: integrate idpyoidc server into app lifespan"
+```
+
+---
+
+### Task 4: Discovery + JWKS Endpoints
+
+**Files:**
+- Create: `src/fastapi_oidc_op/oidc/endpoints.py`
+- Modify: `src/fastapi_oidc_op/app.py`
+- Create: `tests/test_oidc/test_discovery.py`
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_oidc/test_discovery.py`:
+
+```python
+from httpx import AsyncClient
+
+
+async def test_discovery_endpoint_returns_metadata(client: AsyncClient) -> None:
+ res = await client.get("/.well-known/openid-configuration")
+ assert res.status_code == 200
+ data = res.json()
+ assert data["issuer"] == "http://localhost:8000"
+ assert "authorization_endpoint" in data
+ assert "token_endpoint" in data
+ assert "userinfo_endpoint" in data
+ assert "jwks_uri" in data
+
+
+async def test_discovery_response_types_supported(client: AsyncClient) -> None:
+ res = await client.get("/.well-known/openid-configuration")
+ data = res.json()
+ assert "code" in data["response_types_supported"]
+
+
+async def test_discovery_scopes_supported(client: AsyncClient) -> None:
+ res = await client.get("/.well-known/openid-configuration")
+ data = res.json()
+ assert "openid" in data["scopes_supported"]
+
+
+async def test_jwks_endpoint_returns_keys(client: AsyncClient) -> None:
+ res = await client.get("/jwks")
+ assert res.status_code == 200
+ data = res.json()
+ assert "keys" in data
+ assert len(data["keys"]) > 0
+ # Each key should have kty and use
+ for key in data["keys"]:
+ assert "kty" in key
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_oidc/test_discovery.py -v`
+Expected: FAIL (404 — routes don't exist)
+
+**Step 3: Implement**
+
+Create `src/fastapi_oidc_op/oidc/endpoints.py`:
+
+```python
+"""FastAPI routes wrapping idpyoidc endpoint processing."""
+
+from fastapi import APIRouter, Request
+from fastapi.responses import JSONResponse
+
+router = APIRouter(tags=["oidc"])
+
+
+@router.get("/.well-known/openid-configuration")
+async def provider_configuration(request: Request) -> JSONResponse:
+ """OIDC Discovery endpoint."""
+ oidc_server = request.app.state.oidc_server
+ endpoint = oidc_server.get_endpoint("provider_config")
+
+ parsed = endpoint.parse_request({})
+ result = endpoint.process_request(parsed)
+ response_info = endpoint.do_response(response_args=result.get("response_args"), request=parsed, **result)
+
+ return JSONResponse(content=response_info["response"].to_dict())
+
+
+@router.get("/jwks")
+async def jwks(request: Request) -> JSONResponse:
+ """Public signing keys (JWK Set)."""
+ oidc_server = request.app.state.oidc_server
+ keys = oidc_server.keyjar.export_jwks()
+ return JSONResponse(content=keys)
+```
+
+Modify `src/fastapi_oidc_op/app.py` to include the OIDC router:
+
+```python
+from fastapi_oidc_op.oidc.endpoints import router as oidc_router
+# ...
+app.include_router(oidc_router)
+```
+
+Note: The discovery endpoint implementation depends on how `do_response` returns data. If `response_info["response"]` is a string (JSON), parse it. If it's a `Message` object, call `.to_dict()`. Adjust based on test output.
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_oidc/test_discovery.py -v`
+Expected: PASS
+
+**Step 5: Run quality gate**
+
+Run: `./scripts/check.sh`
+Expected: All green
+
+**Step 6: Commit**
+
+```bash
+git add src/fastapi_oidc_op/oidc/endpoints.py src/fastapi_oidc_op/app.py tests/test_oidc/test_discovery.py
+git commit -m "feat: add OIDC discovery and JWKS endpoints"
+```
+
+---
+
+### Task 5: Authorization Endpoint (Redirect to Login)
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/oidc/endpoints.py`
+- Create: `tests/test_oidc/test_authorization.py`
+
+This task implements the first half of the authorization flow: receiving the request from an RP and redirecting to the login page when the user is not authenticated.
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_oidc/test_authorization.py`:
+
+```python
+import secrets
+
+from httpx import AsyncClient
+
+
+def _register_test_client(client: AsyncClient, client_id: str = "test-rp", redirect_uri: str = "http://localhost:9000/callback") -> str:
+ """Register a test client in the OIDC server. Returns client_secret."""
+ app = client._transport.app # type: ignore[union-attr]
+ oidc_server = app.state.oidc_server
+ client_secret = secrets.token_hex(16)
+ oidc_server.context.cdb[client_id] = {
+ "client_id": client_id,
+ "client_secret": client_secret,
+ "redirect_uris": [(redirect_uri, {})],
+ "response_types_supported": ["code"],
+ "token_endpoint_auth_method": "client_secret_basic",
+ "scope": ["openid", "profile", "email"],
+ "allowed_scopes": ["openid", "profile", "email"],
+ "client_salt": secrets.token_hex(8),
+ }
+ oidc_server.keyjar.add_symmetric(client_id, client_secret)
+ return client_secret
+
+
+async def test_authorization_redirects_to_login_when_unauthenticated(client: AsyncClient) -> None:
+ _register_test_client(client)
+ res = await client.get(
+ "/authorization",
+ params={
+ "response_type": "code",
+ "client_id": "test-rp",
+ "redirect_uri": "http://localhost:9000/callback",
+ "scope": "openid",
+ "state": "test-state",
+ "nonce": "test-nonce",
+ },
+ follow_redirects=False,
+ )
+ assert res.status_code in (302, 303)
+ assert "/login" in res.headers["location"]
+
+
+async def test_authorization_stores_auth_request_in_session(client: AsyncClient) -> None:
+ _register_test_client(client)
+ # After the redirect, the auth request should be stored in the session
+ # We verify this indirectly: make the auth request, then check that
+ # GET /login works (the session cookie is set by the redirect)
+ res = await client.get(
+ "/authorization",
+ params={
+ "response_type": "code",
+ "client_id": "test-rp",
+ "redirect_uri": "http://localhost:9000/callback",
+ "scope": "openid",
+ "state": "test-state",
+ "nonce": "test-nonce",
+ },
+ follow_redirects=False,
+ )
+ assert res.status_code in (302, 303)
+
+ # Follow up: login page should be accessible
+ login_res = await client.get("/login")
+ assert login_res.status_code == 200
+
+
+async def test_authorization_invalid_client_returns_error(client: AsyncClient) -> None:
+ res = await client.get(
+ "/authorization",
+ params={
+ "response_type": "code",
+ "client_id": "nonexistent",
+ "redirect_uri": "http://evil.com/callback",
+ "scope": "openid",
+ "state": "test-state",
+ },
+ follow_redirects=False,
+ )
+ # Should return an error (not redirect to evil.com)
+ assert res.status_code >= 400 or "error" in res.text.lower()
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_oidc/test_authorization.py -v`
+Expected: FAIL (404 — `/authorization` doesn't exist)
+
+**Step 3: Implement**
+
+Add to `src/fastapi_oidc_op/oidc/endpoints.py`:
+
+```python
+from fastapi.responses import RedirectResponse, HTMLResponse
+from urllib.parse import urlencode
+
+@router.get("/authorization")
+async def authorization(request: Request) -> Response:
+ """OIDC Authorization endpoint.
+
+ Validates the authorization request, then:
+ - If user is authenticated (session): creates grant + redirects to RP
+ - If not authenticated: stores request in session, redirects to /login
+ """
+ oidc_server = request.app.state.oidc_server
+ endpoint = oidc_server.get_endpoint("authorization")
+
+ # Build the query string from request params
+ query_params = dict(request.query_params)
+
+ try:
+ parsed = endpoint.parse_request(query_params)
+ except Exception as exc:
+ return HTMLResponse(f"Invalid Request
{exc}
", status_code=400)
+
+ # Check for parse errors
+ if "error" in parsed:
+ error_desc = parsed.get("error_description", parsed["error"])
+ return HTMLResponse(f"Error
{error_desc}
", status_code=400)
+
+ # Check if user is authenticated via Starlette session
+ userid = request.session.get("userid")
+ username = request.session.get("username")
+
+ if userid and username:
+ # User is authenticated — complete the authorization
+ return await _complete_authorization(request, oidc_server, endpoint, parsed, userid, username)
+
+ # Not authenticated — store auth request in session and redirect to login
+ # Store as a serializable dict
+ request.session["oidc_auth_request"] = query_params
+ return RedirectResponse("/login", status_code=303)
+```
+
+The `_complete_authorization` helper will be implemented in Task 7 (authorization complete). For now, make it return a placeholder:
+
+```python
+async def _complete_authorization(request, oidc_server, endpoint, parsed, userid, username):
+ """Complete the authorization after authentication. Implemented in Task 7."""
+ return HTMLResponse("Authorization completion not yet implemented", status_code=501)
+```
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_oidc/test_authorization.py -v`
+Expected: PASS
+
+**Step 5: Run quality gate**
+
+Run: `./scripts/check.sh`
+Expected: All green
+
+**Step 6: Commit**
+
+```bash
+git add src/fastapi_oidc_op/oidc/endpoints.py tests/test_oidc/test_authorization.py
+git commit -m "feat: add authorization endpoint with login redirect"
+```
+
+---
+
+### Task 6: Login Route Integration (Resume OIDC Flow)
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/authn/routes.py`
+- Create: `tests/test_oidc/test_login_oidc_redirect.py`
+
+After a successful login, if there's a pending OIDC authorization request in the session, the login routes should redirect to `/authorization/complete` instead of `/manage/credentials`.
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_oidc/test_login_oidc_redirect.py`:
+
+```python
+import secrets
+from datetime import UTC, datetime
+
+from argon2 import PasswordHasher
+from httpx import AsyncClient
+
+from fastapi_oidc_op.authn.password import PasswordService
+from fastapi_oidc_op.models import PasswordCredential, User
+
+
+def _register_test_client(client: AsyncClient) -> None:
+ app = client._transport.app # type: ignore[union-attr]
+ oidc_server = app.state.oidc_server
+ oidc_server.context.cdb["test-rp"] = {
+ "client_id": "test-rp",
+ "client_secret": "test-secret",
+ "redirect_uris": [("http://localhost:9000/callback", {})],
+ "response_types_supported": ["code"],
+ "token_endpoint_auth_method": "client_secret_basic",
+ "scope": ["openid", "profile", "email"],
+ "allowed_scopes": ["openid", "profile", "email"],
+ "client_salt": secrets.token_hex(8),
+ }
+ oidc_server.keyjar.add_symmetric("test-rp", "test-secret")
+
+
+async def _create_user(client: AsyncClient) -> None:
+ app = client._transport.app # type: ignore[union-attr]
+ user_repo = app.state.user_repo
+ cred_repo = app.state.credential_repo
+ user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
+ await user_repo.create(user)
+ svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+ await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
+
+
+async def test_login_with_pending_oidc_redirects_to_authorization_complete(client: AsyncClient) -> None:
+ _register_test_client(client)
+ await _create_user(client)
+
+ # Step 1: Start OIDC authorization (stores request in session, redirects to /login)
+ auth_res = await client.get(
+ "/authorization",
+ params={
+ "response_type": "code",
+ "client_id": "test-rp",
+ "redirect_uri": "http://localhost:9000/callback",
+ "scope": "openid",
+ "state": "test-state",
+ "nonce": "test-nonce",
+ },
+ follow_redirects=False,
+ )
+ assert auth_res.status_code in (302, 303)
+
+ # Step 2: Login via password
+ login_res = await client.post(
+ "/login/password",
+ data={"username": "alice", "password": "testpass"},
+ headers={"HX-Request": "true"},
+ )
+ assert login_res.status_code == 200
+ # Should redirect to /authorization/complete, not /manage/credentials
+ redirect_target = login_res.headers.get("HX-Redirect", "")
+ assert "/authorization/complete" in redirect_target
+
+
+async def test_login_without_pending_oidc_redirects_to_manage(client: AsyncClient) -> None:
+ await _create_user(client)
+
+ login_res = await client.post(
+ "/login/password",
+ data={"username": "alice", "password": "testpass"},
+ headers={"HX-Request": "true"},
+ )
+ assert login_res.status_code == 200
+ redirect_target = login_res.headers.get("HX-Redirect", "")
+ assert redirect_target == "/manage/credentials"
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_oidc/test_login_oidc_redirect.py -v`
+Expected: FAIL (login always redirects to `/manage/credentials`)
+
+**Step 3: Implement**
+
+Modify `src/fastapi_oidc_op/authn/routes.py`:
+
+Add a helper function:
+
+```python
+def _login_redirect_target(request: Request) -> str:
+ """Determine where to redirect after successful login.
+
+ If there's a pending OIDC authorization request, redirect to complete it.
+ Otherwise, redirect to credential management.
+ """
+ if "oidc_auth_request" in request.session:
+ return "/authorization/complete"
+ return "/manage/credentials"
+```
+
+In `login_password`, change:
+```python
+response.headers["HX-Redirect"] = "/manage/credentials"
+```
+to:
+```python
+response.headers["HX-Redirect"] = _login_redirect_target(request)
+```
+
+In `login_webauthn_complete`, change the same line:
+```python
+response.headers["HX-Redirect"] = "/manage/credentials"
+```
+to:
+```python
+response.headers["HX-Redirect"] = _login_redirect_target(request)
+```
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_oidc/test_login_oidc_redirect.py -v`
+Expected: PASS
+
+Also run existing login tests to make sure nothing broke:
+Run: `uv run pytest tests/test_auth_routes/ -v`
+Expected: All PASS
+
+**Step 5: Run quality gate**
+
+Run: `./scripts/check.sh`
+Expected: All green
+
+**Step 6: Commit**
+
+```bash
+git add src/fastapi_oidc_op/authn/routes.py tests/test_oidc/test_login_oidc_redirect.py
+git commit -m "feat: redirect to OIDC authorization after login when pending"
+```
+
+---
+
+### Task 7: Authorization Complete + Token Endpoint
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/oidc/endpoints.py`
+- Create: `tests/test_oidc/test_token.py`
+
+This is the core task: completing the authorization flow and implementing the token endpoint. The `/authorization/complete` route creates an idpyoidc session, mints an authorization code, and redirects to the RP. The token endpoint exchanges the code for tokens.
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_oidc/test_token.py`:
+
+```python
+import secrets
+from base64 import b64encode
+from datetime import UTC, datetime
+from urllib.parse import parse_qs, urlparse
+
+from argon2 import PasswordHasher
+from httpx import AsyncClient
+
+from fastapi_oidc_op.authn.password import PasswordService
+from fastapi_oidc_op.models import PasswordCredential, User
+
+
+def _register_test_client(client: AsyncClient) -> str:
+ app = client._transport.app # type: ignore[union-attr]
+ oidc_server = app.state.oidc_server
+ client_secret = "test-secret-123"
+ oidc_server.context.cdb["test-rp"] = {
+ "client_id": "test-rp",
+ "client_secret": client_secret,
+ "redirect_uris": [("http://localhost:9000/callback", {})],
+ "response_types_supported": ["code"],
+ "token_endpoint_auth_method": "client_secret_basic",
+ "scope": ["openid", "profile", "email"],
+ "allowed_scopes": ["openid", "profile", "email"],
+ "client_salt": secrets.token_hex(8),
+ }
+ oidc_server.keyjar.add_symmetric("test-rp", client_secret)
+ return client_secret
+
+
+async def _create_user_and_login(client: AsyncClient) -> str:
+ """Create user, log in, return userid."""
+ app = client._transport.app # type: ignore[union-attr]
+ user_repo = app.state.user_repo
+ cred_repo = app.state.credential_repo
+
+ user = User(
+ userid="lusab-bansen",
+ username="alice",
+ email="alice@example.com",
+ email_verified=True,
+ created_at=datetime.now(UTC),
+ updated_at=datetime.now(UTC),
+ )
+ await user_repo.create(user)
+
+ svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+ await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
+
+ await client.post(
+ "/login/password",
+ data={"username": "alice", "password": "testpass"},
+ headers={"HX-Request": "true"},
+ )
+ return user.userid
+
+
+async def _get_authorization_code(client: AsyncClient) -> str:
+ """Run full auth flow and extract the authorization code."""
+ client_secret = _register_test_client(client)
+
+ # Start authorization
+ auth_res = await client.get(
+ "/authorization",
+ params={
+ "response_type": "code",
+ "client_id": "test-rp",
+ "redirect_uri": "http://localhost:9000/callback",
+ "scope": "openid profile email",
+ "state": "test-state",
+ "nonce": "test-nonce",
+ },
+ follow_redirects=False,
+ )
+ assert auth_res.status_code in (302, 303)
+
+ # Create user and log in
+ await _create_user_and_login(client)
+
+ # Start authorization again (now authenticated)
+ auth_res2 = await client.get(
+ "/authorization",
+ params={
+ "response_type": "code",
+ "client_id": "test-rp",
+ "redirect_uri": "http://localhost:9000/callback",
+ "scope": "openid profile email",
+ "state": "test-state",
+ "nonce": "test-nonce",
+ },
+ follow_redirects=False,
+ )
+ assert auth_res2.status_code in (302, 303)
+
+ # Parse the redirect URL to extract the code
+ location = auth_res2.headers["location"]
+ parsed = urlparse(location)
+ params = parse_qs(parsed.query)
+ assert "code" in params, f"No code in redirect: {location}"
+ return params["code"][0]
+
+
+async def test_authorization_complete_redirects_with_code(client: AsyncClient) -> None:
+ code = await _get_authorization_code(client)
+ assert len(code) > 0
+
+
+async def test_token_endpoint_exchanges_code(client: AsyncClient) -> None:
+ code = await _get_authorization_code(client)
+ client_secret = "test-secret-123"
+
+ # Exchange code for tokens
+ auth_header = b64encode(f"test-rp:{client_secret}".encode()).decode()
+ token_res = await client.post(
+ "/token",
+ data={
+ "grant_type": "authorization_code",
+ "code": code,
+ "redirect_uri": "http://localhost:9000/callback",
+ },
+ headers={
+ "Authorization": f"Basic {auth_header}",
+ "Content-Type": "application/x-www-form-urlencoded",
+ },
+ )
+ assert token_res.status_code == 200
+ data = token_res.json()
+ assert "access_token" in data
+ assert "id_token" in data
+ assert data["token_type"].lower() == "bearer"
+
+
+async def test_token_endpoint_invalid_code_returns_error(client: AsyncClient) -> None:
+ _register_test_client(client)
+ client_secret = "test-secret-123"
+
+ auth_header = b64encode(f"test-rp:{client_secret}".encode()).decode()
+ token_res = await client.post(
+ "/token",
+ data={
+ "grant_type": "authorization_code",
+ "code": "invalid-code",
+ "redirect_uri": "http://localhost:9000/callback",
+ },
+ headers={
+ "Authorization": f"Basic {auth_header}",
+ "Content-Type": "application/x-www-form-urlencoded",
+ },
+ )
+ assert token_res.status_code == 400 or "error" in token_res.json()
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_oidc/test_token.py -v`
+Expected: FAIL
+
+**Step 3: Implement**
+
+Modify `src/fastapi_oidc_op/oidc/endpoints.py`:
+
+Replace the placeholder `_complete_authorization` with the real implementation, and add the token and authorization complete endpoints:
+
+```python
+import json
+from urllib.parse import urlencode
+
+from fastapi import APIRouter, Request, Response
+from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
+from idpyoidc.server.authn_event import create_authn_event
+from idpyoidc.time_util import utc_time_sans_frac
+
+from fastapi_oidc_op.oidc.claims import PorchlightUserInfo, user_to_claims
+
+router = APIRouter(tags=["oidc"])
+
+
+async def _complete_authorization(
+ request: Request,
+ oidc_server,
+ endpoint,
+ parsed_request,
+ userid: str,
+ username: str,
+) -> Response:
+ """Complete OIDC authorization after user authentication.
+
+ Creates an idpyoidc session, populates the userinfo cache, and
+ returns a redirect to the RP with an authorization code.
+ """
+ # Populate userinfo cache
+ user_repo = request.app.state.user_repo
+ user = await user_repo.get_by_userid(userid)
+ if user is None:
+ return HTMLResponse("Error
User not found
", status_code=400)
+
+ userinfo: PorchlightUserInfo = oidc_server.context.userinfo
+ claims = user_to_claims(user)
+ userinfo.set_user_claims(username, claims)
+
+ # Create idpyoidc session
+ session_id = endpoint.create_session(
+ request=parsed_request,
+ user_id=username,
+ acr="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
+ time_stamp=utc_time_sans_frac(),
+ authn_method=None,
+ )
+
+ # Complete authorization (mints code, builds redirect)
+ result = endpoint.authz_part2(request=parsed_request, session_id=session_id)
+
+ if "error" in result:
+ error_desc = result.get("error_description", result["error"])
+ return HTMLResponse(f"Error
{error_desc}
", status_code=400)
+
+ resp_info = endpoint.do_response(
+ response_args=result.get("response_args"),
+ request=parsed_request,
+ **result,
+ )
+
+ # The response is the redirect URL
+ redirect_url = resp_info["response"]
+ if hasattr(redirect_url, "to_dict"):
+ # It's a Message object — build URL from return_uri + params
+ params = redirect_url.to_dict()
+ return_uri = result.get("return_uri", parsed_request.get("redirect_uri", ""))
+ redirect_url = f"{return_uri}?{urlencode(params)}"
+
+ return RedirectResponse(str(redirect_url), status_code=303)
+
+
+@router.get("/authorization/complete")
+async def authorization_complete(request: Request) -> Response:
+ """Resume OIDC authorization after login.
+
+ Called after the user authenticates via /login. Pops the pending
+ auth request from the session and completes the authorization.
+ """
+ oidc_server = request.app.state.oidc_server
+ endpoint = oidc_server.get_endpoint("authorization")
+
+ # Pop the stored auth request
+ auth_request_params = request.session.pop("oidc_auth_request", None)
+ if auth_request_params is None:
+ return HTMLResponse("Error
No pending authorization request
", status_code=400)
+
+ userid = request.session.get("userid")
+ username = request.session.get("username")
+ if not userid or not username:
+ return RedirectResponse("/login", status_code=303)
+
+ # Re-parse the original authorization request
+ try:
+ parsed = endpoint.parse_request(auth_request_params)
+ except Exception as exc:
+ return HTMLResponse(f"Error
{exc}
", status_code=400)
+
+ if "error" in parsed:
+ error_desc = parsed.get("error_description", parsed["error"])
+ return HTMLResponse(f"Error
{error_desc}
", status_code=400)
+
+ return await _complete_authorization(request, oidc_server, endpoint, parsed, userid, username)
+
+
+@router.post("/token")
+async def token_endpoint(request: Request) -> JSONResponse:
+ """OIDC Token endpoint."""
+ oidc_server = request.app.state.oidc_server
+ endpoint = oidc_server.get_endpoint("token")
+
+ # Read form body
+ body = await request.body()
+ body_str = body.decode("utf-8")
+
+ # Build http_info for client authentication
+ http_info = {
+ "headers": dict(request.headers),
+ "url": str(request.url),
+ }
+
+ try:
+ parsed = endpoint.parse_request(body_str, http_info=http_info)
+ except Exception as exc:
+ return JSONResponse({"error": "invalid_request", "error_description": str(exc)}, status_code=400)
+
+ if "error" in parsed:
+ return JSONResponse(parsed.to_dict(), status_code=400)
+
+ result = endpoint.process_request(parsed)
+
+ if "error" in result:
+ return JSONResponse(result, status_code=400)
+
+ resp_info = endpoint.do_response(response_args=result.get("response_args"), request=parsed, **result)
+
+ # Parse the response
+ response_data = resp_info["response"]
+ if isinstance(response_data, str):
+ response_data = json.loads(response_data)
+ elif hasattr(response_data, "to_dict"):
+ response_data = response_data.to_dict()
+
+ return JSONResponse(response_data)
+```
+
+Note: The exact way idpyoidc returns responses (as strings, Message objects, or dicts) may vary. The implementation should handle all cases. Adjust based on test output.
+
+Also note: `create_session` with `authn_method=None` may fail. If so, create a minimal `UserAuthnMethod` subclass or pass a different value. The test output will guide the fix.
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_oidc/test_token.py -v`
+Expected: PASS
+
+**Step 5: Run quality gate**
+
+Run: `./scripts/check.sh`
+Expected: All green
+
+**Step 6: Commit**
+
+```bash
+git add src/fastapi_oidc_op/oidc/endpoints.py tests/test_oidc/test_token.py
+git commit -m "feat: add authorization complete and token endpoints"
+```
+
+---
+
+### Task 8: UserInfo Endpoint
+
+**Files:**
+- Modify: `src/fastapi_oidc_op/oidc/endpoints.py`
+- Create: `tests/test_oidc/test_userinfo.py`
+
+**Step 1: Write the failing tests**
+
+Create `tests/test_oidc/test_userinfo.py`:
+
+```python
+import secrets
+from base64 import b64encode
+from datetime import UTC, datetime
+from urllib.parse import parse_qs, urlparse
+
+from argon2 import PasswordHasher
+from httpx import AsyncClient
+
+from fastapi_oidc_op.authn.password import PasswordService
+from fastapi_oidc_op.models import PasswordCredential, User
+
+
+def _register_test_client(client: AsyncClient) -> str:
+ app = client._transport.app # type: ignore[union-attr]
+ oidc_server = app.state.oidc_server
+ client_secret = "test-secret-456"
+ oidc_server.context.cdb["test-rp"] = {
+ "client_id": "test-rp",
+ "client_secret": client_secret,
+ "redirect_uris": [("http://localhost:9000/callback", {})],
+ "response_types_supported": ["code"],
+ "token_endpoint_auth_method": "client_secret_basic",
+ "scope": ["openid", "profile", "email"],
+ "allowed_scopes": ["openid", "profile", "email"],
+ "client_salt": secrets.token_hex(8),
+ }
+ oidc_server.keyjar.add_symmetric("test-rp", client_secret)
+ return client_secret
+
+
+async def _get_access_token(client: AsyncClient) -> str:
+ """Full OIDC flow to get an access token."""
+ client_secret = _register_test_client(client)
+ app = client._transport.app # type: ignore[union-attr]
+
+ # Create user
+ user_repo = app.state.user_repo
+ cred_repo = app.state.credential_repo
+ user = User(
+ userid="lusab-bansen",
+ username="alice",
+ email="alice@example.com",
+ email_verified=True,
+ given_name="Alice",
+ family_name="Wonderland",
+ created_at=datetime.now(UTC),
+ updated_at=datetime.now(UTC),
+ )
+ await user_repo.create(user)
+ svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+ await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
+
+ # Start auth flow
+ await client.get(
+ "/authorization",
+ params={
+ "response_type": "code",
+ "client_id": "test-rp",
+ "redirect_uri": "http://localhost:9000/callback",
+ "scope": "openid profile email",
+ "state": "test-state",
+ "nonce": "test-nonce",
+ },
+ follow_redirects=False,
+ )
+
+ # Login
+ await client.post(
+ "/login/password",
+ data={"username": "alice", "password": "testpass"},
+ headers={"HX-Request": "true"},
+ )
+
+ # Complete authorization
+ auth_res = await client.get("/authorization/complete", follow_redirects=False)
+ location = auth_res.headers["location"]
+ params = parse_qs(urlparse(location).query)
+ code = params["code"][0]
+
+ # Exchange code for tokens
+ auth_header = b64encode(f"test-rp:{client_secret}".encode()).decode()
+ token_res = await client.post(
+ "/token",
+ data={
+ "grant_type": "authorization_code",
+ "code": code,
+ "redirect_uri": "http://localhost:9000/callback",
+ },
+ headers={
+ "Authorization": f"Basic {auth_header}",
+ "Content-Type": "application/x-www-form-urlencoded",
+ },
+ )
+ return token_res.json()["access_token"]
+
+
+async def test_userinfo_returns_claims(client: AsyncClient) -> None:
+ access_token = await _get_access_token(client)
+
+ res = await client.get(
+ "/userinfo",
+ headers={"Authorization": f"Bearer {access_token}"},
+ )
+ assert res.status_code == 200
+ data = res.json()
+ assert data["sub"] == "lusab-bansen"
+
+
+async def test_userinfo_includes_email_claims(client: AsyncClient) -> None:
+ access_token = await _get_access_token(client)
+
+ res = await client.get(
+ "/userinfo",
+ headers={"Authorization": f"Bearer {access_token}"},
+ )
+ data = res.json()
+ assert data.get("email") == "alice@example.com"
+ assert data.get("email_verified") is True
+
+
+async def test_userinfo_invalid_token_returns_error(client: AsyncClient) -> None:
+ res = await client.get(
+ "/userinfo",
+ headers={"Authorization": "Bearer invalid-token"},
+ )
+ assert res.status_code in (401, 403)
+```
+
+**Step 2: Run tests to verify they fail**
+
+Run: `uv run pytest tests/test_oidc/test_userinfo.py -v`
+Expected: FAIL
+
+**Step 3: Implement**
+
+Add to `src/fastapi_oidc_op/oidc/endpoints.py`:
+
+```python
+@router.get("/userinfo")
+@router.post("/userinfo")
+async def userinfo_endpoint(request: Request) -> Response:
+ """OIDC UserInfo endpoint."""
+ oidc_server = request.app.state.oidc_server
+ endpoint = oidc_server.get_endpoint("userinfo")
+
+ # Extract access token from Authorization header
+ http_info = {
+ "headers": dict(request.headers),
+ "url": str(request.url),
+ }
+
+ # For POST requests, include the body
+ if request.method == "POST":
+ body = await request.body()
+ request_data = body.decode("utf-8")
+ else:
+ request_data = {}
+
+ try:
+ parsed = endpoint.parse_request(request_data, http_info=http_info)
+ except Exception:
+ return JSONResponse({"error": "invalid_token"}, status_code=401)
+
+ if "error" in parsed:
+ return JSONResponse(parsed.to_dict() if hasattr(parsed, "to_dict") else parsed, status_code=401)
+
+ result = endpoint.process_request(parsed)
+
+ if "error" in result:
+ return JSONResponse(result, status_code=401)
+
+ resp_info = endpoint.do_response(response_args=result.get("response_args"), request=parsed, **result)
+
+ response_data = resp_info["response"]
+ if isinstance(response_data, str):
+ response_data = json.loads(response_data)
+ elif hasattr(response_data, "to_dict"):
+ response_data = response_data.to_dict()
+
+ return JSONResponse(response_data)
+```
+
+**Step 4: Run tests to verify they pass**
+
+Run: `uv run pytest tests/test_oidc/test_userinfo.py -v`
+Expected: PASS
+
+**Step 5: Run quality gate**
+
+Run: `./scripts/check.sh`
+Expected: All green
+
+**Step 6: Commit**
+
+```bash
+git add src/fastapi_oidc_op/oidc/endpoints.py tests/test_oidc/test_userinfo.py
+git commit -m "feat: add OIDC userinfo endpoint"
+```
+
+---
+
+### Task 9: End-to-End Flow Test
+
+**Files:**
+- Create: `tests/test_oidc/test_e2e_flow.py`
+
+A comprehensive test that exercises the entire OIDC flow from start to finish, including verifying the ID token.
+
+**Step 1: Write the test**
+
+Create `tests/test_oidc/test_e2e_flow.py`:
+
+```python
+"""End-to-end OIDC Authorization Code flow test."""
+
+import json
+import secrets
+from base64 import b64encode
+from datetime import UTC, datetime
+from urllib.parse import parse_qs, urlparse
+
+from argon2 import PasswordHasher
+from cryptojwt.jwk.jwk import key_from_jwk_dict
+from cryptojwt.jws.jws import JWS
+from httpx import AsyncClient
+
+from fastapi_oidc_op.authn.password import PasswordService
+from fastapi_oidc_op.models import PasswordCredential, User
+
+
+async def test_full_authorization_code_flow(client: AsyncClient) -> None:
+ """Complete OIDC Authorization Code flow: authorize → login → code → token → userinfo → validate ID token."""
+ app = client._transport.app # type: ignore[union-attr]
+ oidc_server = app.state.oidc_server
+ user_repo = app.state.user_repo
+ cred_repo = app.state.credential_repo
+
+ # --- Setup: register client ---
+ client_secret = "e2e-secret"
+ oidc_server.context.cdb["e2e-rp"] = {
+ "client_id": "e2e-rp",
+ "client_secret": client_secret,
+ "redirect_uris": [("http://localhost:9000/callback", {})],
+ "response_types_supported": ["code"],
+ "token_endpoint_auth_method": "client_secret_basic",
+ "scope": ["openid", "profile", "email"],
+ "allowed_scopes": ["openid", "profile", "email"],
+ "client_salt": secrets.token_hex(8),
+ }
+ oidc_server.keyjar.add_symmetric("e2e-rp", client_secret)
+
+ # --- Setup: create user ---
+ user = User(
+ userid="lusab-bansen",
+ username="alice",
+ given_name="Alice",
+ family_name="Wonderland",
+ email="alice@example.com",
+ email_verified=True,
+ created_at=datetime.now(UTC),
+ updated_at=datetime.now(UTC),
+ )
+ await user_repo.create(user)
+ svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+ await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
+
+ # --- Step 1: Authorization request (unauthenticated) ---
+ auth_res = await client.get(
+ "/authorization",
+ params={
+ "response_type": "code",
+ "client_id": "e2e-rp",
+ "redirect_uri": "http://localhost:9000/callback",
+ "scope": "openid profile email",
+ "state": "e2e-state",
+ "nonce": "e2e-nonce",
+ },
+ follow_redirects=False,
+ )
+ assert auth_res.status_code in (302, 303), f"Expected redirect, got {auth_res.status_code}"
+ assert "/login" in auth_res.headers["location"]
+
+ # --- Step 2: Password login ---
+ login_res = await client.post(
+ "/login/password",
+ data={"username": "alice", "password": "testpass"},
+ headers={"HX-Request": "true"},
+ )
+ assert login_res.status_code == 200
+ assert "/authorization/complete" in login_res.headers.get("HX-Redirect", "")
+
+ # --- Step 3: Complete authorization ---
+ complete_res = await client.get("/authorization/complete", follow_redirects=False)
+ assert complete_res.status_code in (302, 303)
+ location = complete_res.headers["location"]
+ assert location.startswith("http://localhost:9000/callback")
+
+ params = parse_qs(urlparse(location).query)
+ assert "code" in params
+ assert params.get("state", [None])[0] == "e2e-state"
+ code = params["code"][0]
+
+ # --- Step 4: Token exchange ---
+ auth_header = b64encode(f"e2e-rp:{client_secret}".encode()).decode()
+ token_res = await client.post(
+ "/token",
+ data={
+ "grant_type": "authorization_code",
+ "code": code,
+ "redirect_uri": "http://localhost:9000/callback",
+ },
+ headers={
+ "Authorization": f"Basic {auth_header}",
+ "Content-Type": "application/x-www-form-urlencoded",
+ },
+ )
+ assert token_res.status_code == 200
+ token_data = token_res.json()
+ assert "access_token" in token_data
+ assert "id_token" in token_data
+ assert token_data["token_type"].lower() == "bearer"
+
+ # --- Step 5: Validate ID token ---
+ id_token_raw = token_data["id_token"]
+ # Get JWKS
+ jwks_res = await client.get("/jwks")
+ jwks = jwks_res.json()
+
+ # Verify the JWT signature
+ jws = JWS()
+ _keys = [key_from_jwk_dict(k) for k in jwks["keys"]]
+ id_token_payload = jws.verify_compact(id_token_raw, _keys)
+
+ assert id_token_payload["iss"] == "http://localhost:8000"
+ assert id_token_payload["sub"] == "lusab-bansen"
+ assert "e2e-rp" in id_token_payload["aud"]
+
+ # --- Step 6: UserInfo ---
+ userinfo_res = await client.get(
+ "/userinfo",
+ headers={"Authorization": f"Bearer {token_data['access_token']}"},
+ )
+ assert userinfo_res.status_code == 200
+ userinfo = userinfo_res.json()
+ assert userinfo["sub"] == "lusab-bansen"
+ assert userinfo.get("email") == "alice@example.com"
+```
+
+**Step 2: Run the test**
+
+Run: `uv run pytest tests/test_oidc/test_e2e_flow.py -v`
+Expected: PASS (if Tasks 1-8 are all correct)
+
+If the test fails, this is where integration issues surface. Debug and fix based on the error output. Common issues:
+- idpyoidc's `create_session` needs `authn_method` to not be None
+- Response format mismatches (string vs Message vs dict)
+- `user_id` in idpyoidc session vs `userid` in our model (the session uses `username` as the `user_id` key for idpyoidc, not `userid`)
+- Cookie handling between requests
+
+**Step 3: Commit**
+
+```bash
+git add tests/test_oidc/test_e2e_flow.py
+git commit -m "test: add end-to-end OIDC authorization code flow test"
+```
+
+---
+
+### Task 10: Full Quality Gate
+
+**Step 1: Run full quality checks**
+
+Run: `./scripts/check.sh`
+Expected: All green (formatting, linting, type checking, all tests pass)
+
+**Step 2: Fix any issues**
+
+If ruff or ty reports issues, fix them. Common fixes:
+- Type ignore comments for idpyoidc's untyped APIs
+- Import sorting
+- Unused imports
+
+**Step 3: Commit any fixes**
+
+```bash
+git add -A
+git diff --cached --quiet || git commit -m "style: fix formatting and lint issues"
+```
diff --git a/docs/plans/2026-02-16-porchlight-branding-design.md b/docs/plans/2026-02-16-porchlight-branding-design.md
new file mode 100644
index 0000000..8fa953c
--- /dev/null
+++ b/docs/plans/2026-02-16-porchlight-branding-design.md
@@ -0,0 +1,88 @@
+# Porchlight Branding & Theme Design
+
+## Summary
+
+Create a logo, favicon, and redesigned CSS theme for the project, now branded as "Porchlight."
+
+## Logo
+
+**Concept:** Icon + wordmark combo. The icon is a minimal doorway/arch with a light element (filled circle) above it, suggesting an entrance illuminated by a porch light.
+
+**Variants:**
+- Full combo (icon + "Porchlight" text) — page header in `base.html`
+- Icon only — favicon and tight spaces
+
+**Files:**
+- `static/logo.svg` — standalone icon SVG
+- `static/favicon.png` — 32x32 PNG of the icon
+
+## Color Palette
+
+Warm amber/gold accent on neutral stone backgrounds. Automatic dark mode via `prefers-color-scheme`.
+
+### Light Mode
+| Variable | Value | Description |
+|---|---|---|
+| `--bg` | `#fafaf9` | Warm white (stone-50) |
+| `--fg` | `#1c1917` | Warm black (stone-900) |
+| `--fg-muted` | `#78716c` | Secondary text (stone-500) |
+| `--accent` | `#d97706` | Amber-600 |
+| `--accent-hover` | `#b45309` | Amber-700 |
+| `--accent-fg` | `#ffffff` | White on accent |
+| `--surface` | `#f5f5f4` | Card/input bg (stone-100) |
+| `--border` | `#d6d3d1` | Stone-300 |
+| `--error-bg` | `#fef2f2` | Red-50 |
+| `--error-fg` | `#dc2626` | Red-600 |
+| `--success-bg` | `#f0fdf4` | Green-50 |
+| `--success-fg` | `#16a34a` | Green-600 |
+
+### Dark Mode
+| Variable | Value | Description |
+|---|---|---|
+| `--bg` | `#1c1917` | Stone-900 |
+| `--fg` | `#fafaf9` | Stone-50 |
+| `--fg-muted` | `#a8a29e` | Stone-400 |
+| `--accent` | `#f59e0b` | Amber-500 |
+| `--accent-hover` | `#fbbf24` | Amber-400 |
+| `--accent-fg` | `#1c1917` | Dark text on bright accent |
+| `--surface` | `#292524` | Stone-800 |
+| `--border` | `#44403c` | Stone-700 |
+| `--error-bg` | `#451a1a` | Dark red |
+| `--error-fg` | `#f87171` | Red-400 |
+| `--success-bg` | `#14532d` | Dark green |
+| `--success-fg` | `#4ade80` | Green-400 |
+
+## CSS Redesign
+
+Full rewrite of `style.css` with a design system:
+
+- **Custom properties** for colors, spacing (4px base), typography, and radius
+- **System font stack** (no webfonts)
+- **Centered single-column layout** (`max-width: 40rem`)
+- **Header bar** with logo + wordmark
+- **Button variants:** primary (amber), secondary (outlined), danger (red)
+- **Form styling:** full-width inputs, labels, focus states, error display
+- **Cards/sections:** surface background with border for grouping
+- **Alerts:** error (`role="alert"`) and success (`role="status"`)
+- **Typography scale:** h1-h3, body, small
+- **Accessibility:** skip link, `:focus-visible`, `.sr-only`, `prefers-reduced-motion`
+- **Dark mode** via `@media (prefers-color-scheme: dark)`
+
+## Template Updates
+
+- `base.html`: add header with logo, update `` to "Porchlight", add favicon link
+- `login.html`: update title to "Login — Porchlight"
+- `manage/credentials.html`: update title to "Credentials — Porchlight"
+- `app.py`: update FastAPI title to "Porchlight"
+
+## Files Changed
+
+| File | Action |
+|---|---|
+| `static/style.css` | Rewrite |
+| `static/logo.svg` | Create |
+| `static/favicon.png` | Create |
+| `templates/base.html` | Update (header, favicon, title) |
+| `templates/login.html` | Update (title) |
+| `templates/manage/credentials.html` | Update (title) |
+| `app.py` | Update (title) |
diff --git a/src/fastapi_oidc_op/__init__.py b/src/porchlight/__init__.py
similarity index 100%
rename from src/fastapi_oidc_op/__init__.py
rename to src/porchlight/__init__.py
diff --git a/src/fastapi_oidc_op/app.py b/src/porchlight/app.py
similarity index 100%
rename from src/fastapi_oidc_op/app.py
rename to src/porchlight/app.py
diff --git a/src/fastapi_oidc_op/authn/__init__.py b/src/porchlight/authn/__init__.py
similarity index 100%
rename from src/fastapi_oidc_op/authn/__init__.py
rename to src/porchlight/authn/__init__.py
diff --git a/src/fastapi_oidc_op/authn/password.py b/src/porchlight/authn/password.py
similarity index 100%
rename from src/fastapi_oidc_op/authn/password.py
rename to src/porchlight/authn/password.py
diff --git a/src/fastapi_oidc_op/authn/routes.py b/src/porchlight/authn/routes.py
similarity index 100%
rename from src/fastapi_oidc_op/authn/routes.py
rename to src/porchlight/authn/routes.py
diff --git a/src/fastapi_oidc_op/authn/webauthn.py b/src/porchlight/authn/webauthn.py
similarity index 100%
rename from src/fastapi_oidc_op/authn/webauthn.py
rename to src/porchlight/authn/webauthn.py
diff --git a/src/fastapi_oidc_op/config.py b/src/porchlight/config.py
similarity index 100%
rename from src/fastapi_oidc_op/config.py
rename to src/porchlight/config.py
diff --git a/src/fastapi_oidc_op/dependencies.py b/src/porchlight/dependencies.py
similarity index 100%
rename from src/fastapi_oidc_op/dependencies.py
rename to src/porchlight/dependencies.py
diff --git a/src/fastapi_oidc_op/invite/__init__.py b/src/porchlight/invite/__init__.py
similarity index 100%
rename from src/fastapi_oidc_op/invite/__init__.py
rename to src/porchlight/invite/__init__.py
diff --git a/src/fastapi_oidc_op/invite/service.py b/src/porchlight/invite/service.py
similarity index 100%
rename from src/fastapi_oidc_op/invite/service.py
rename to src/porchlight/invite/service.py
diff --git a/src/fastapi_oidc_op/manage/__init__.py b/src/porchlight/manage/__init__.py
similarity index 100%
rename from src/fastapi_oidc_op/manage/__init__.py
rename to src/porchlight/manage/__init__.py
diff --git a/src/fastapi_oidc_op/manage/routes.py b/src/porchlight/manage/routes.py
similarity index 100%
rename from src/fastapi_oidc_op/manage/routes.py
rename to src/porchlight/manage/routes.py
diff --git a/src/fastapi_oidc_op/models.py b/src/porchlight/models.py
similarity index 100%
rename from src/fastapi_oidc_op/models.py
rename to src/porchlight/models.py
diff --git a/src/fastapi_oidc_op/oidc/__init__.py b/src/porchlight/oidc/__init__.py
similarity index 100%
rename from src/fastapi_oidc_op/oidc/__init__.py
rename to src/porchlight/oidc/__init__.py
diff --git a/src/fastapi_oidc_op/oidc/claims.py b/src/porchlight/oidc/claims.py
similarity index 100%
rename from src/fastapi_oidc_op/oidc/claims.py
rename to src/porchlight/oidc/claims.py
diff --git a/src/fastapi_oidc_op/oidc/endpoints.py b/src/porchlight/oidc/endpoints.py
similarity index 100%
rename from src/fastapi_oidc_op/oidc/endpoints.py
rename to src/porchlight/oidc/endpoints.py
diff --git a/src/fastapi_oidc_op/oidc/provider.py b/src/porchlight/oidc/provider.py
similarity index 100%
rename from src/fastapi_oidc_op/oidc/provider.py
rename to src/porchlight/oidc/provider.py
diff --git a/src/fastapi_oidc_op/static/favicon.png b/src/porchlight/static/favicon.png
similarity index 100%
rename from src/fastapi_oidc_op/static/favicon.png
rename to src/porchlight/static/favicon.png
diff --git a/src/fastapi_oidc_op/static/htmx.min.js b/src/porchlight/static/htmx.min.js
similarity index 100%
rename from src/fastapi_oidc_op/static/htmx.min.js
rename to src/porchlight/static/htmx.min.js
diff --git a/src/fastapi_oidc_op/static/logo.svg b/src/porchlight/static/logo.svg
similarity index 100%
rename from src/fastapi_oidc_op/static/logo.svg
rename to src/porchlight/static/logo.svg
diff --git a/src/fastapi_oidc_op/static/style.css b/src/porchlight/static/style.css
similarity index 100%
rename from src/fastapi_oidc_op/static/style.css
rename to src/porchlight/static/style.css
diff --git a/src/fastapi_oidc_op/static/webauthn.js b/src/porchlight/static/webauthn.js
similarity index 100%
rename from src/fastapi_oidc_op/static/webauthn.js
rename to src/porchlight/static/webauthn.js
diff --git a/src/fastapi_oidc_op/store/__init__.py b/src/porchlight/store/__init__.py
similarity index 100%
rename from src/fastapi_oidc_op/store/__init__.py
rename to src/porchlight/store/__init__.py
diff --git a/src/fastapi_oidc_op/store/exceptions.py b/src/porchlight/store/exceptions.py
similarity index 100%
rename from src/fastapi_oidc_op/store/exceptions.py
rename to src/porchlight/store/exceptions.py
diff --git a/src/fastapi_oidc_op/store/mongodb/__init__.py b/src/porchlight/store/mongodb/__init__.py
similarity index 100%
rename from src/fastapi_oidc_op/store/mongodb/__init__.py
rename to src/porchlight/store/mongodb/__init__.py
diff --git a/src/fastapi_oidc_op/store/protocols.py b/src/porchlight/store/protocols.py
similarity index 100%
rename from src/fastapi_oidc_op/store/protocols.py
rename to src/porchlight/store/protocols.py
diff --git a/src/fastapi_oidc_op/store/sqlite/__init__.py b/src/porchlight/store/sqlite/__init__.py
similarity index 100%
rename from src/fastapi_oidc_op/store/sqlite/__init__.py
rename to src/porchlight/store/sqlite/__init__.py
diff --git a/src/fastapi_oidc_op/store/sqlite/migrations.py b/src/porchlight/store/sqlite/migrations.py
similarity index 100%
rename from src/fastapi_oidc_op/store/sqlite/migrations.py
rename to src/porchlight/store/sqlite/migrations.py
diff --git a/src/fastapi_oidc_op/store/sqlite/migrations/001_initial.sql b/src/porchlight/store/sqlite/migrations/001_initial.sql
similarity index 100%
rename from src/fastapi_oidc_op/store/sqlite/migrations/001_initial.sql
rename to src/porchlight/store/sqlite/migrations/001_initial.sql
diff --git a/src/fastapi_oidc_op/store/sqlite/repositories.py b/src/porchlight/store/sqlite/repositories.py
similarity index 100%
rename from src/fastapi_oidc_op/store/sqlite/repositories.py
rename to src/porchlight/store/sqlite/repositories.py
diff --git a/src/fastapi_oidc_op/templates/base.html b/src/porchlight/templates/base.html
similarity index 100%
rename from src/fastapi_oidc_op/templates/base.html
rename to src/porchlight/templates/base.html
diff --git a/src/fastapi_oidc_op/templates/login.html b/src/porchlight/templates/login.html
similarity index 100%
rename from src/fastapi_oidc_op/templates/login.html
rename to src/porchlight/templates/login.html
diff --git a/src/fastapi_oidc_op/templates/manage/credentials.html b/src/porchlight/templates/manage/credentials.html
similarity index 100%
rename from src/fastapi_oidc_op/templates/manage/credentials.html
rename to src/porchlight/templates/manage/credentials.html
diff --git a/src/fastapi_oidc_op/userid.py b/src/porchlight/userid.py
similarity index 100%
rename from src/fastapi_oidc_op/userid.py
rename to src/porchlight/userid.py
diff --git a/tests/e2e/package-lock.json b/tests/e2e/package-lock.json
new file mode 100644
index 0000000..2b80a34
--- /dev/null
+++ b/tests/e2e/package-lock.json
@@ -0,0 +1,57 @@
+{
+ "name": "porchlight-e2e",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "porchlight-e2e",
+ "dependencies": {
+ "playwright": "^1.52.0"
+ }
+ },
+ "node_modules/fsevents": {
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+ "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+ "hasInstallScript": true,
+ "license": "MIT",
+ "optional": true,
+ "os": [
+ "darwin"
+ ],
+ "engines": {
+ "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+ }
+ },
+ "node_modules/playwright": {
+ "version": "1.58.2",
+ "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.2.tgz",
+ "integrity": "sha512-vA30H8Nvkq/cPBnNw4Q8TWz1EJyqgpuinBcHET0YVJVFldr8JDNiU9LaWAE1KqSkRYazuaBhTpB5ZzShOezQ6A==",
+ "license": "Apache-2.0",
+ "dependencies": {
+ "playwright-core": "1.58.2"
+ },
+ "bin": {
+ "playwright": "cli.js"
+ },
+ "engines": {
+ "node": ">=18"
+ },
+ "optionalDependencies": {
+ "fsevents": "2.3.2"
+ }
+ },
+ "node_modules/playwright-core": {
+ "version": "1.58.2",
+ "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.58.2.tgz",
+ "integrity": "sha512-yZkEtftgwS8CsfYo7nm0KE8jsvm6i/PTgVtB8DL726wNf6H2IMsDuxCpJj59KDaxCtSnrWan2AeDqM7JBaultg==",
+ "license": "Apache-2.0",
+ "bin": {
+ "playwright-core": "cli.js"
+ },
+ "engines": {
+ "node": ">=18"
+ }
+ }
+ }
+}