
Add Playwright OIDC integration tests using local Dex provider#41

Draft
Copilot wants to merge 3 commits into main from copilot/add-oidc-integration-tests-dex


Copilot AI commented Mar 19, 2026

Adds a self-contained Playwright test harness for the OIDC authorization code flow using a real Dex v2 identity provider. Tests are intentionally small and local-first; OIDC is currently broken server-side so the login flow test is expected to fail until that is fixed.

Provider (tests/oidc-integration/providers/dex/)

  • docker-compose.yaml — runs ghcr.io/dexidp/dex:v2.41.1 on port 5556
  • config.yaml — in-memory storage, static password testuser@example.com/password, client shuthost-test/shuthost-test-secret, redirect to https://127.0.0.1:18080/oidc/callback, skipApprovalScreen: true

Harness (tests/oidc-integration/)

  • global-setup.ts — builds coordinator (respects SKIP_BUILD), generates a self-signed cert via openssl into certs/ (idempotent), starts Dex via docker compose up -d --wait, polls /.well-known/openid-configuration, fills configs/coordinator-dex.tmpl.toml with runtime values, and spawns the coordinator on port 18080
  • global-teardown.ts — kills coordinator and runs docker compose down (runs even on test failure)
  • helpers/dex.ts — loginWithDex(page, baseUrl) fills credentials and defensively handles the optional grant screen
  • specs/dex.spec.ts — three tests: Dex discovery sanity check, full login redirect flow, and error/deny callback handling
  • configs/coordinator-dex.tmpl.toml — coordinator config template with {{COORD_PORT}}, {{DEX_PORT}}, {{CERT_PATH}}, {{KEY_PATH}} placeholders

Justfile

[group('tests')]
oidc_integration_tests +flags="":
    cd tests/oidc-integration && npm ci && npx playwright test --reporter=line {{flags}}

CI (.github/workflows/main.yaml)

A new oidc-integration-tests job:

  1. Builds the coordinator in release mode
  2. Installs npm deps and Playwright Chromium (with system dependencies)
  3. Runs the tests with SKIP_BUILD=1 and --reporter=line
  4. Always uploads the Playwright HTML report and target/playwright-oidc-test-results as artifacts (even on failure)

The job is wired into tests-aggregate and release-needs-flattened so it runs alongside the rest of CI and gates releases.

Generated files (certs/, filled config, node_modules, reports) are gitignored.

Original prompt

Plan: OIDC Integration Tests (Dex only)

TL;DR: Implement Playwright-based OIDC integration tests using a local Dex provider and a TLS-enabled coordinator instance. Skip Authelia for now to keep the initial harness small. Note: OIDC in shuthost is currently broken — tests are expected to fail until server-side fixes are applied.

Steps

  1. Create provider compose: tests/oidc-integration/providers/dex/docker-compose.yaml and config.yaml (Dex v2) exposing issuer at http://127.0.0.1:5556 with test user testuser@example.com / password and client id=shuthost-test / secret=shuthost-test-secret (redirect https://127.0.0.1:18080/oidc/callback).
  2. Generate coordinator TLS cert/key via OpenSSL in global-setup.ts and store under tests/oidc-integration/certs/ (gitignored).
  3. Add coordinator config template tests/oidc-integration/configs/coordinator-dex.tmpl.toml with placeholders {{COORD_PORT}}, {{DEX_PORT}}, {{CERT_PATH}}, {{KEY_PATH}}.
  4. Add Playwright harness files under tests/oidc-integration/: package.json, playwright.config.ts, global-setup.ts, global-teardown.ts, specs/dex.spec.ts, and helpers/dex.ts.
    • global-setup.ts builds coordinator (unless SKIP_BUILD), generates cert if missing, brings up Dex compose, waits for /.well-known/openid-configuration, writes coordinator config from template, and spawns coordinator on port 18080.
    • global-teardown.ts stops coordinator and tears down Dex compose.
    • helpers/dex.ts implements loginWithDex(page, baseUrl) to perform the interactive login and handle grant screens.
  5. Implement specs/dex.spec.ts with a full OIDC login flow and an error/deny handling test. Mark expected failures if needed while OIDC is known-broken.
  6. Add just recipe to run tests: tests/oidc-integration/package.json script and Justfile entry oidc_integration_tests.

Relevant files (references)

  • frontend/tests/global-setup.ts — coordinator spawn / wait patterns to reuse
  • frontend/tests/backend-utils.ts — port and kill helpers
  • frontend/tests/configs/auth-oidc.toml — example TOML layout
  • coordinator/src/http/auth/oidc.rs — code under test
  • coordinator/src/config/types.rs — OidcConfig fields

Verification

  1. Run just oidc_integration_tests locally with Docker available.
  2. Expect at least one failing test due to existing OIDC issues; capture failure logs and provider responses for debugging.
  3. Confirm teardown runs even on failure.

Decisions & Notes

  • Authelia omitted for initial iteration — can add later by copying Dex pattern.
  • Use plain HTTP for provider discovery (http://127.0.0.1:5556) and TLS only for coordinator/browser endpoint (https://127.0.0.1:18080).
  • Tests are intentionally small to reduce CI friction; local-first verification recommended.

The user has attached the following file paths as relevant context:

  • agents.md

Created from VS Code.
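
An added example, not code from this PR: two checks that fit the global-setup.ts steps described above, rejecting a rendered coordinator config that still contains an unfilled placeholder and validating the Dex discovery document before the coordinator is spawned. The TOML key names, the sample discovery document and the assumption that Dex serves its endpoints under the issuer URL are constructed for illustration; only the placeholder names, ports and issuer URL come from the PR description.

```typescript
// Added example, not the PR's global-setup.ts. The TOML key names below are
// hypothetical; only the four {{...}} placeholders come from the PR description.
const SAMPLE_TEMPLATE = [
  "[server]",
  "port = {{COORD_PORT}}",
  'tls_cert = "{{CERT_PATH}}"',
  'tls_key = "{{KEY_PATH}}"',
  "[oidc]",
  'issuer = "http://127.0.0.1:{{DEX_PORT}}"',
].join("\n");

// Constructed discovery document in the shape a local Dex is assumed to return.
const SAMPLE_DISCOVERY = {
  issuer: "http://127.0.0.1:5556",
  authorization_endpoint: "http://127.0.0.1:5556/auth",
  token_endpoint: "http://127.0.0.1:5556/token",
  jwks_uri: "http://127.0.0.1:5556/keys",
};

// Substitute {{NAME}} placeholders; refuse to emit a config with any left unfilled.
function renderTemplate(template: string, values: Record<string, string>): string {
  const missing: string[] = [];
  const out = template.replace(/\{\{([A-Z_]+)\}\}/g, (match: string, name: string) => {
    const v = values[name];
    if (v === undefined) { missing.push(name); return match; }
    return v;
  });
  if (missing.length > 0) throw new Error("unfilled placeholders: " + missing.join(", "));
  return out;
}

// Return a list of problems with a discovery document; an empty list means usable.
function checkDiscovery(doc: unknown, expectedIssuer: string): string[] {
  if (typeof doc !== "object" || doc === null) return ["not a JSON object"];
  const d = doc as Record<string, unknown>;
  const problems: string[] = [];
  // OIDC Discovery requires the returned issuer to equal the configured issuer exactly.
  if (d["issuer"] !== expectedIssuer) problems.push("issuer mismatch");
  for (const key of ["authorization_endpoint", "token_endpoint", "jwks_uri"]) {
    const v = d[key];
    // Harness-specific assumption: every endpoint lives under the local issuer URL.
    if (typeof v !== "string" || v.indexOf(expectedIssuer + "/") !== 0) {
      problems.push(key + " missing or outside issuer");
    }
  }
  return problems;
}
```

Polling until `checkDiscovery` returns an empty list, rather than until the endpoint merely answers, catches an issuer that differs from the coordinator's configured value (for example `localhost` versus `127.0.0.1`) before the login test runs.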



Co-authored-by: 9SMTM6 <44668330+9SMTM6@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add Playwright-based OIDC integration tests for Dex" to "Add Playwright OIDC integration tests using local Dex provider" Mar 19, 2026
Copilot AI requested a review from 9SMTM6 March 19, 2026 10:22

9SMTM6 commented Mar 19, 2026

@copilot please add a CI job for these tests, so that you can iterate independently in this PR.

Co-authored-by: 9SMTM6 <44668330+9SMTM6@users.noreply.github.com>

Copilot AI commented Mar 19, 2026

> @copilot please add a CI job for these tests, so that you can iterate independently in this PR.

Added in b442904. The new oidc-integration-tests job in .github/workflows/main.yaml:

  1. Builds the coordinator in release mode (with OIDC_DANGER_ACCEPT_INVALID_CERTS=1)
  2. Installs npm deps and Playwright Chromium (with system deps via --with-deps)
  3. Runs the tests with SKIP_BUILD=1 and --reporter=line
  4. Always uploads the Playwright report and target/playwright-oidc-test-results as artifacts

It's also wired into tests-aggregate and release-needs-flattened so it gates releases.


9SMTM6 commented Mar 19, 2026

goddamnit, it can't iterate on that independently like that. If it doesn't react to CI failures either IDK how this would be better than a local agent in any way, since it needs pretty much the same amount of looking after while progressing.
