fix: accessibility improvements and test infrastructure hardening

Add aria-labels to form controls (selects, checkboxes, switches), set html lang attribute and page title, fix color contrast for --candle-dim and --text-faint tokens, underline inline links, remove opacity hack. Harden dev login endpoints with atomic findOneAndUpdate and tokenVersion in JWT. Update Playwright timeouts and E2E test helpers.
2026-04-05 21:59:02 +01:00 · 2026-04-05 21:59:02 +01:00 · c40f2c7c63
commit c40f2c7c63
parent 61c16d8bac
35 changed files with 787 additions and 173 deletions
--- a/tests/server/api/dev-endpoints.test.js
+++ b/tests/server/api/dev-endpoints.test.js
@ -3,7 +3,7 @@ import { readFileSync } from 'node:fs'
 import { resolve } from 'node:path'

 vi.mock('../../../server/models/member.js', () => ({
-  default: { findOne: vi.fn(), create: vi.fn() }
+  default: { findOne: vi.fn(), create: vi.fn(), findOneAndUpdate: vi.fn() }
 }))

 vi.mock('../../../server/utils/mongoose.js', () => ({
@ -74,34 +74,38 @@ describe('dev endpoints', () => {
    })

    it('creates admin user when none exists', async () => {
-      Member.findOne.mockResolvedValue(null)
-      Member.create.mockResolvedValue(mockMember)
+      Member.findOneAndUpdate.mockResolvedValue(mockMember)

      const event = createMockEvent({ method: 'GET', path: '/api/dev/test-login' })
      await testLoginHandler(event)

-      expect(Member.findOne).toHaveBeenCalledWith({ email: 'test-admin@ghostguild.dev' })
-      expect(Member.create).toHaveBeenCalledWith(
+      expect(Member.findOneAndUpdate).toHaveBeenCalledWith(
+        { email: 'test-admin@ghostguild.dev' },
        expect.objectContaining({
-          email: 'test-admin@ghostguild.dev',
-          role: 'admin',
-          circle: 'founder'
-        })
+          $setOnInsert: expect.objectContaining({
+            role: 'admin',
+            circle: 'founder'
+          })
+        }),
+        { upsert: true, new: true }
      )
    })

    it('uses existing admin when found', async () => {
-      Member.findOne.mockResolvedValue(mockMember)
+      Member.findOneAndUpdate.mockResolvedValue(mockMember)

      const event = createMockEvent({ method: 'GET', path: '/api/dev/test-login' })
      await testLoginHandler(event)

-      expect(Member.findOne).toHaveBeenCalledWith({ email: 'test-admin@ghostguild.dev' })
-      expect(Member.create).not.toHaveBeenCalled()
+      expect(Member.findOneAndUpdate).toHaveBeenCalledWith(
+        { email: 'test-admin@ghostguild.dev' },
+        expect.any(Object),
+        { upsert: true, new: true }
+      )
    })

    it('sets auth cookie', async () => {
-      Member.findOne.mockResolvedValue(mockMember)
+      Member.findOneAndUpdate.mockResolvedValue(mockMember)

      const event = createMockEvent({ method: 'GET', path: '/api/dev/test-login' })
      await testLoginHandler(event)