Use PasswordChange model (requires current password) for users with
existing passwords and PasswordSet for first-time setup. Add zxcvbn
strength validation and current password field to credentials template.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace manual validation error formatting with shared helper in both
admin and manage profile routes. Add UsernameInput validation to invite
route and GroupListInput validation to groups route.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add slowapi-based rate limiting: 5/min on password login, 10/min on
WebAuthn login. Includes shared rate limiter reset fixture for tests.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add active-user checks to password login, WebAuthn login, and magic
link registration to prevent deactivated accounts from authenticating.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add BCP 47 locale validator to ProfileUpdate, UsernameInput model,
GroupListInput model, PasswordSet/PasswordChange with zxcvbn strength
checking, and shared format_validation_errors HTML helper.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add 7 new e2e tests verifying profile form validation in both manage
and admin UIs: invalid phone number, phone normalization, E.164 hint
attributes, and admin-side email/phone/picture URL validation errors.
Fix 3 pre-existing test failures:
- Replace invalid seeded phone number (+1234567890) with valid E.164
(+12025551234) that was causing profile update tests to fail
- Update email validation error assertion to match actual pydantic
message (value_error type uses raw message, not label-prefixed)
The CSRF middleware added to main after the admin-pages branch was
created caused all admin test POSTs/DELETEs to be rejected. Add
get_csrf_token() calls and X-CSRF-Token headers to login helpers and
all mutation requests, matching the pattern used by other tests.
Add /manage/profile page where authenticated users can view and edit
their OIDC profile fields (given_name, family_name, preferred_username,
email, phone_number, picture, locale).
- Create manage/base.html with tab-style nav for Profile/Credentials
- Update credentials.html to extend manage/base.html
- Add GET/POST routes with server-side validation
- Add input styling for tel and url input types
- Add profile test user with pre-filled data in setup_db.py
- Add 19 E2E tests covering structure, navigation, updates, validation
- All 76 E2E tests and 172 Python tests pass
- Use localhost instead of 127.0.0.1 as TARGET_URL so the WebAuthn RP ID
is a valid domain (the spec forbids IP addresses)
- Replace request.post('/logout') with page.context().clearCookies() since
Playwright's request fixture has a separate cookie jar from the page
- Add registerPasskey() helper that waits for 'load' event to reliably
detect the page reload after successful registration
- Track credential count with getCredentialCount() since credentials
accumulate across serial tests sharing the same database
- Fix login.spec.js selector from #webauthn-login-form to #webauthn-login-btn
to match the actual template
All 57 E2E tests now pass (50 migrated + 7 WebAuthn).
Replace direct playwright dependency with @playwright/test and add
playwright.config.js for centralized test configuration. Update run.sh
to invoke 'npx playwright test' instead of running test files with node.
Extract shared test runner (helpers.js), add file-based SQLite with
setup_db.py for fixture seeding, and add tests for auth guard, credentials
management, full registration flow, health endpoint, password auth, and
magic link registration errors. 66 checks across 7 test files.
