Add Cypress e2e tests with authenticated user login via magic links (#1379)

Author: BenjaminCharmes

pydatalab/src/pydatalab/routes/v0_1/auth.py

@@ -14,7 +14,7 @@
 
 import jwt
 from bson import ObjectId
-from flask import Blueprint, g, jsonify, redirect, request
+from flask import Blueprint, Response, g, jsonify, redirect, request
 from flask_dance.consumer import OAuth2ConsumerBlueprint, oauth_authorized
 from flask_login import current_user, login_user
 from flask_login.utils import LocalProxy
@@ -420,24 +420,15 @@ def attach_identity_to_user(
         wrapped_login_user(get_by_id(str(user.immutable_id)))
 
 
-@EMAIL_BLUEPRINT.route("/magic-link", methods=["POST"])
-def generate_and_share_magic_link():
-    """Generates a JWT-based magic link with which a user can log in, stores it
-    in the database and sends it to the verified email address.
-
-    """
-    request_json = request.get_json()
-    email = request_json.get("email")
-    referrer = request_json.get("referrer")
-
+def _validate_magic_link_request(email: str, referrer: str) -> tuple[Response | None, int]:
     if not email:
         return jsonify({"status": "error", "detail": "No email provided."}), 400
 
     if not re.match(r"^\S+@\S+.\S+$", email):
         return jsonify({"status": "error", "detail": "Invalid email provided."}), 400
 
     if not referrer:
-        LOGGER.warning("No referrer provided for magic link request: %s", request_json)
+        LOGGER.warning("No referrer provided for magic link request")
         return (
             jsonify(
                 {
@@ -448,25 +439,42 @@ def generate_and_share_magic_link():
             400,
         )
 
-    # Generate a JWT for the user with a short expiration; the session itself
-    # should persist
-    # The key `exp` is a standard part of JWT; pyjwt treats this as an expiration time
-    # and will correctly encode the datetime
+    return None, 200
+
+
+def _generate_and_store_token(email: str, is_test: bool = False) -> str:
+    """Generate a JWT for the user with a short expiration and store it in the session.
+
+    The session itself persists beyond the JWT expiration. The `exp` key is a standard
+    part of JWT that PyJWT treats as an expiration time and will correctly encode the datetime.
+
+    Args:
+        email: The user's email address to include in the token.
+        is_test: If True, generates a token for testing purposes that may have different
+                 expiration or validation rules. Defaults to False.
+
+    Returns:
+        The generated JWT token string.
+    """
+    payload = {
+        "exp": datetime.datetime.now(datetime.timezone.utc) + LINK_EXPIRATION,
+        "email": email,
+    }
+    if is_test:
+        payload["is_test"] = True
+
     token = jwt.encode(
-        {"exp": datetime.datetime.now(datetime.timezone.utc) + LINK_EXPIRATION, "email": email},
+        payload,
         CONFIG.SECRET_KEY,
         algorithm="HS256",
     )
 
-    flask_mongo.db.magic_links.insert_one(
-        {"jwt": token},
-    )
+    flask_mongo.db.magic_links.insert_one({"jwt": token})
 
-    link = f"{referrer}?token={token}"
+    return token
 
-    instance_url = referrer.replace("https://", "")
 
-    # See if the user already exists and adjust the email if so
+def _check_user_registration_allowed(email: str) -> tuple[Response | None, int]:
     user = find_user_with_identity(email, IdentityType.EMAIL, verify=False)
 
     if not user:
@@ -483,6 +491,14 @@ def generate_and_share_magic_link():
                 403,
             )
 
+    return None, 200
+
+
+def _send_magic_link_email(email: str, token: str, referrer: str) -> tuple[Response | None, int]:
+    link = f"{referrer}?token={token}"
+    instance_url = referrer.replace("https://", "")
+    user = find_user_with_identity(email, IdentityType.EMAIL, verify=False)
+
     if user is not None:
         subject = "Datalab Sign-in Magic Link"
         body = f"Click the link below to sign-in to the datalab instance at {instance_url}:\n\n{link}\n\nThis link is single-use and will expire in 1 hour."
@@ -496,6 +512,34 @@ def generate_and_share_magic_link():
         LOGGER.warning("Failed to send email to %s: %s", email, exc)
         return jsonify({"status": "error", "detail": "Email not sent successfully."}), 400
 
+    return None, 200
+
+
+@EMAIL_BLUEPRINT.route("/magic-link", methods=["POST"])
+def generate_and_share_magic_link():
+    """Generates a JWT-based magic link with which a user can log in, stores it
+    in the database and sends it to the verified email address.
+
+    """
+
+    request_json = request.get_json()
+    email = request_json.get("email")
+    referrer = request_json.get("referrer")
+
+    error_response, status_code = _validate_magic_link_request(email, referrer)
+    if error_response:
+        return error_response, status_code
+
+    error_response, status_code = _check_user_registration_allowed(email)
+    if error_response:
+        return error_response, status_code
+
+    token = _generate_and_store_token(email)
+
+    error_response, status_code = _send_magic_link_email(email, token, referrer)
+    if error_response:
+        return error_response, status_code
+
     return jsonify({"status": "success", "detail": "Email sent successfully."}), 200
 
 
@@ -536,17 +580,19 @@ def email_logged_in():
     # If the email domain list is explicitly configured to None, this allows any
     # email address to make an active account, otherwise the email domain must match
     # the list of allowed domains and the admin must verify the user
-    allowed = _check_email_domain(email, CONFIG.EMAIL_DOMAIN_ALLOW_LIST)
-    if not allowed:
-        # If this point is reached, the token is valid but the server settings have
-        # changed since the link was generated, so best to fail safe
-        raise UserRegistrationForbidden
+    is_test = data.get("is_test", False)
+
+    if not is_test:
+        allowed = _check_email_domain(email, CONFIG.EMAIL_DOMAIN_ALLOW_LIST)
+        if not allowed:
+            raise UserRegistrationForbidden
 
     create_account = AccountStatus.UNVERIFIED
     if (
         CONFIG.EMAIL_DOMAIN_ALLOW_LIST is None
         or CONFIG.EMAIL_AUTO_ACTIVATE_ACCOUNTS
         or CONFIG.AUTO_ACTIVATE_ACCOUNTS
+        or is_test
     ):
         create_account = AccountStatus.ACTIVE
 
@@ -686,3 +732,29 @@ def generate_user_api_key():
             ),
             401,
         )
+
+
+@AUTH.route("/testing/create-magic-link", methods=["POST"])
+def create_test_magic_link():
+    """Create a magic link for testing purposes.
+
+    This endpoint is only available when TESTING=True.
+    It creates a user with the specified email and role, generates a magic link,
+    and returns the token.
+    """
+    if not CONFIG.TESTING:
+        return jsonify(
+            {"status": "error", "detail": "This endpoint is only available in testing mode."}
+        ), 403
+
+    request_json = request.get_json()
+    email = request_json.get("email")
+    referrer = request_json.get("referrer", "http://localhost:8080")
+
+    error_response, status_code = _validate_magic_link_request(email, referrer)
+    if error_response:
+        return error_response, status_code
+
+    token = _generate_and_store_token(email, is_test=True)
+
+    return jsonify({"status": "success", "token": token}), 200

pydatalab/src/pydatalab/routes/v0_1/items.py

@@ -503,7 +503,7 @@ def _create_sample(
         # so no creators are assigned
         new_sample["creator_ids"] = []
         new_sample["creators"] = []
-    elif CONFIG.TESTING:
+    elif CONFIG.TESTING and not current_user.is_authenticated:
         # Set fake ID to ObjectId("000000000000000000000000") so a dummy user can be created
         # locally for testing creator UI elements
         new_sample["creator_ids"] = [PUBLIC_USER_ID]

webapp/cypress/e2e/authenticatedSampleTests.cy.js

@@ -0,0 +1,120 @@
+describe("Authenticated sample tests", () => {
+  beforeEach(() => {
+    cy.loginViaTestMagicLink("[email protected]", "user");
+    cy.visit("/");
+  });
+
+  afterEach(() => {
+    cy.logout();
+  });
+
+  it("Creates a sample as authenticated user", () => {
+    cy.createSample("auth-test-1", "Sample created by authenticated user");
+    cy.verifySample("auth-test-1", "Sample created by authenticated user");
+
+    cy.findByText("auth-test-1").click();
+    cy.contains("[email protected]").should("exist");
+
+    cy.visit("/");
+    cy.deleteSample("auth-test-1");
+  });
+
+  it("Shows correct user info when logged in", () => {
+    cy.get(".alert-info").should("not.exist");
+
+    cy.contains("[email protected]").should("exist");
+  });
+});
+
+describe("Admin-specific functionality", () => {
+  beforeEach(() => {
+    cy.loginViaTestMagicLink("[email protected]", "admin");
+    cy.visit("/admin");
+  });
+
+  afterEach(() => {
+    cy.logout();
+  });
+
+  it("Accesses admin dashboard", () => {
+    cy.visit("/admin");
+    cy.url().should("include", "/admin");
+    cy.contains("Admin Menu").should("exist");
+    cy.get('[data-testid="admin-table"]').should("exist");
+  });
+});
+
+describe("Multi-user sample visibility", () => {
+  const user1Email = "[email protected]";
+  const user2Email = "[email protected]";
+  const user1SampleId = "user1-sample";
+  const user2SampleId = "user2-sample";
+
+  it("User 1 creates a sample", () => {
+    cy.loginViaTestMagicLink(user1Email, "user");
+    cy.visit("/");
+
+    cy.createSample(user1SampleId, "User 1's sample");
+    cy.verifySample(user1SampleId, "User 1's sample");
+
+    cy.logout();
+  });
+
+  it("User 2 creates a different sample", () => {
+    cy.loginViaTestMagicLink(user2Email, "user");
+    cy.visit("/");
+
+    cy.createSample(user2SampleId, "User 2's sample");
+    cy.verifySample(user2SampleId, "User 2's sample");
+
+    cy.logout();
+  });
+
+  it("User 1 can see their own sample", () => {
+    cy.loginViaTestMagicLink(user1Email, "user");
+    cy.visit("/");
+
+    cy.verifySample(user1SampleId, "User 1's sample");
+
+    cy.logout();
+  });
+
+  it("User 2 can see their own sample", () => {
+    cy.loginViaTestMagicLink(user2Email, "user");
+    cy.visit("/");
+
+    cy.verifySample(user2SampleId, "User 2's sample");
+
+    cy.logout();
+  });
+
+  it("User 1 cannot see User 2's sample", () => {
+    cy.loginViaTestMagicLink(user1Email, "user");
+    cy.visit("/");
+
+    cy.get("[data-testid=sample-table]").should("not.contain", user2SampleId);
+
+    cy.logout();
+  });
+
+  it("User 2 cannot see User 1's sample", () => {
+    cy.loginViaTestMagicLink(user2Email, "user");
+    cy.visit("/");
+
+    cy.get("[data-testid=sample-table]").should("not.contain", user1SampleId);
+
+    cy.logout();
+  });
+
+  after(() => {
+    cy.loginViaTestMagicLink(user1Email, "user");
+    cy.visit("/");
+    cy.deleteSample(user1SampleId);
+    cy.logout();
+
+    cy.loginViaTestMagicLink(user2Email, "user");
+    cy.visit("/");
+    cy.deleteSample(user2SampleId);
+    cy.logout();
+  });
+});

webapp/cypress/e2e/batchSampleFeature.cy.js

@@ -69,6 +69,14 @@ let sample_ids = [
   "cell_3",
 ];
 
+before(() => {
+  cy.loginViaTestMagicLink("[email protected]", "user");
+});
+
+after(() => {
+  cy.logout();
+});
+
 before(() => {
   cy.visit("/");
   cy.removeAllTestSamples(sample_ids, true);

webapp/cypress/e2e/editPage.cy.js

@@ -8,6 +8,14 @@ Cypress.on("window:before:load", (win) => {
 
 let item_ids = ["editable_sample", "component1", "component2"];
 
+before(() => {
+  cy.loginViaTestMagicLink("[email protected]", "user");
+});
+
+after(() => {
+  cy.logout();
+});
+
 before(() => {
   cy.visit("/");
   cy.removeAllTestSamples(item_ids, true);

webapp/cypress/e2e/equipment.cy.js

@@ -8,6 +8,14 @@ Cypress.on("window:before:load", (win) => {
 
 let item_ids = ["test_e1", "test_e2", "test_e3", "123equipment", "test_e3_copy"];
 
+before(() => {
+  cy.loginViaTestMagicLink("[email protected]", "user");
+});
+
+after(() => {
+  cy.logout();
+});
+
 before(() => {
   cy.visit("/equipment");
   cy.removeAllTestSamples(item_ids);

webapp/cypress/e2e/sampleTablePage.cy.js

@@ -6,6 +6,14 @@ Cypress.on("window:before:load", (win) => {
   consoleSpy = cy.spy(win.console, "error");
 });
 
+before(() => {
+  cy.loginViaTestMagicLink("[email protected]", "user");
+});
+
+after(() => {
+  cy.logout();
+});
+
 let sample_ids = [
   "12345678910",
   "test1",

webapp/cypress/e2e/startingMaterial.cy.js

@@ -1,6 +1,14 @@
 const API_URL = Cypress.config("apiUrl");
 console.log(API_URL);
 
+before(() => {
+  cy.loginViaTestMagicLink("[email protected]", "user");
+});
+
+after(() => {
+  cy.logout();
+});
+
 describe("Starting material table page - editable_inventory FALSE", () => {
   beforeEach(() => {
     cy.visit("/starting-materials");