# E2E Funktionscheck — Sprint 4 Phases 1-3

**Date:** 2026-06-12
**Server:** localhost:3000 (Next.js dev)
**Backend:** Mock on :8080 returning 401 (real backend not available)
**Test Framework:** Playwright 1.60.0, Chromium

## Results

| #   | Test                 | Status  | Time | Notes                                            |
| --- | -------------------- | ------- | ---- | ------------------------------------------------ |
| 1   | Login page loads     | ✅ PASS | 3.5s | Page renders correctly                           |
| 2   | Auth redirect works  | ✅ PASS | 3.3s | /dashboard → 307 redirect to /login in 115ms     |
| 3   | Login error handling | ✅ PASS | 7.4s | Invalid credentials show error feedback          |
| 4   | 404 page             | ✅ PASS | 3.3s | Unknown routes redirect to login (auth required) |
| 5   | No console errors    | ✅ PASS | 3.2s | Zero critical JS errors on accessible pages      |
| 6   | Visual structure     | ✅ PASS | 3.3s | Login page layout renders correctly              |

**Total: 6/6 passed (25.2s)**

## Fix Applied — Auth Middleware Deadlock

The previous run had all 6 tests failing due to a frontend deadlock. The fix addressed:

### Changes Made

1. **`src/lib/auth.ts`** — Added `fetchWithTimeout()` helper with 5s AbortController timeout

   - `authorize()` now catches fetch errors (timeout/unreachable) and returns `null` gracefully
   - `jwt` callback token refresh also uses the timeout wrapper
   - Added `trustHost: true` to NextAuth config (prevents host header validation issues)

2. **`src/middleware.ts`** — Updated matcher to explicitly exclude auth pages

   - Added `/register`, `/forgot-password` to public routes list
   - Matcher regex now excludes: `login|register|forgot-password|api/auth|_next/static|_next/image|favicon.ico|images`

3. **`.env.local`** — Added `AUTH_URL=http://localhost:3000`
   - Prevents NextAuth self-resolution issues in dev

### Root Cause

The Next-Auth v5 `auth()` middleware wrapped ALL routes. When the backend at `:8080` wasn't
reachable (or returned unexpected responses), the middleware's session resolution would hang
for the full TCP timeout (60s), making even public pages like `/login` unreachable.

### Verification

```bash
# Login page loads fast
$ curl -s -o /dev/null -w "%{http_code} in %{time_total}s" http://localhost:3000/login
200 in 0.129s

# Protected route redirects instantly (no hang)
$ curl -s -o /dev/null -w "%{http_code} in %{time_total}s" http://localhost:3000/dashboard
307 in 0.115s
```

## Console Errors

- **Server-side:** `CredentialsSignin` error logged when test 03 submits invalid credentials — expected behavior
- **Client-side:** Zero critical JavaScript errors detected on accessible pages

## Environment

- **Node.js:** Running (confirmed)
- **Next.js:** 15.2.8 (dev mode)
- **Next-Auth:** v5 (beta)
- **Playwright:** 1.60.0
- **Mock Backend:** Node.js HTTP server on :8080 (401 for all requests)
- **Postgres:** Running in Docker (cannamanage-db-local)

## Conclusion

**Frontend health: ✅ OPERATIONAL — all public routes load without backend dependency**

The auth middleware deadlock has been resolved. The frontend now gracefully degrades when
the backend is unavailable — login page renders, protected routes redirect to login quickly,
and login attempts against the mock backend fail fast with an error message.