From a25daa633f70fedadccea39bb278857c9faa52cf Mon Sep 17 00:00:00 2001 From: Hongming Wang Date: Wed, 15 Apr 2026 00:11:29 -0700 Subject: [PATCH] test(e2e): pass bearer token to admin-gated GET /workspaces calls C1 fix (#99) moved GET /workspaces behind AdminAuth. Three late-script calls that run after tokens exist now include Authorization headers; the post-delete-all call stays anonymous since revoked tokens trigger the no-live-token fail-open path. Co-Authored-By: Claude Opus 4.6 (1M context)
---
 tests/e2e/test_api.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/tests/e2e/test_api.sh b/tests/e2e/test_api.sh
index 819b8917..22868d87 100644
--- a/tests/e2e/test_api.sh
+++ b/tests/e2e/test_api.sh
@@ -236,15 +236,16 @@ check "Heartbeat clear current_task" '"status":"ok"' "$R"
 R=$(curl -s "$BASE/workspaces/$ECHO_ID")
 check "current_task cleared" '"current_task":""' "$R"
-# Test: current_task in workspace list
-R=$(curl -s "$BASE/workspaces")
+# Test: current_task in workspace list — now admin-auth gated (C1 fix), so a
+# workspace bearer token is required once tokens exist anywhere on the platform.
+R=$(curl -s "$BASE/workspaces" -H "Authorization: Bearer $ECHO_TOKEN")
 check "current_task in list response" '"current_task"' "$R"
 # Test 21: Delete
 R=$(curl -s -X DELETE "$BASE/workspaces/$ECHO_ID" -H "Authorization: Bearer $ECHO_TOKEN")
 check "DELETE /workspaces/:id" '"status":"removed"' "$R"
-R=$(curl -s "$BASE/workspaces")
+R=$(curl -s "$BASE/workspaces" -H "Authorization: Bearer $SUM_TOKEN")
 COUNT=$(echo "$R" | python3 -c "import sys,json; print(len(json.load(sys.stdin)))")
 check "List after delete (count=1)" "1" "$COUNT"
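Review bot: Nothing in this hunk asserts that an anonymous `GET /workspaces` is refused while tokens are live, so the suite would still pass if the AdminAuth gate from the C1 fix regressed to open. A negative check next to the first authenticated call would pin it: `CODE=$(curl -s -o /dev/null -w '%{http_code}' "$BASE/workspaces")` followed by `check "GET /workspaces rejects anonymous" "401" "$CODE"` (the exact status depends on what AdminAuth returns, which is not visible here). Separately, the `count=1` check after the delete takes `len()` of whatever JSON comes back, and a one-key error object also has length 1, so a rejected `$SUM_TOKEN` request could pass unnoticed if errors are returned in that shape. Printing the length only when the payload is a list, e.g. `d=json.load(sys.stdin); print(len(d) if isinstance(d, list) else -1)`, would close that gap.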
@@ -264,6 +265,8 @@ ORIG_TIER=$(echo "$BUNDLE" | python3 -c "import sys,json; print(json.load(sys.st
 R=$(curl -s -X DELETE "$BASE/workspaces/$SUM_ID" -H "Authorization: Bearer $SUM_TOKEN")
 check "Delete before re-import" '"status":"removed"' "$R"
+# Both workspaces deleted — their tokens are revoked, so admin-auth falls
+# back to the no-tokens bootstrap path and no header is required here.
 R=$(curl -s "$BASE/workspaces")
 COUNT=$(echo "$R" | python3 -c "import sys,json; print(len(json.load(sys.stdin)))")
 check "All workspaces deleted (count=0)" "0" "$COUNT"
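Review bot: The anonymous call kept here makes the test depend on AdminAuth failing open once the last token is revoked, yet the added comment calls this a "no-tokens bootstrap path" while the commit message calls it fail-open. As described, deleting every workspace returns the admin-gated listing to unauthenticated access, and this assertion will fail for anyone who later tightens that path. I would mark the dependency in the comment, e.g. `# NOTE: relies on AdminAuth fail-open when no live tokens exist; revisit if that path is closed.` Capturing the HTTP status alongside the body would also help, so that a future 401 shows up as an auth change and not as a confusing count mismatch.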