triggerdotdev · matt-aitken · Apr 24, 2026 · Apr 23, 2026 · Apr 23, 2026 · Apr 23, 2026
diff --git a/apps/webapp/test/api-auth.e2e.test.ts b/apps/webapp/test/api-auth.e2e.test.ts
@@ -0,0 +1,121 @@
+/**
+ * E2E auth baseline tests.
+ *
+ * These tests capture current auth behavior before the apiBuilder migration to RBAC.
+ * Run them before and after the migration to verify behavior is identical.
+ *
+ * Requires a pre-built webapp: pnpm run build --filter webapp
+ */
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import type { TestServer } from "@internal/testcontainers/webapp";
+import { startTestServer } from "@internal/testcontainers/webapp";
+import { generateJWT } from "@trigger.dev/core/v3/jwt";
+import { seedTestEnvironment } from "./helpers/seedTestEnvironment";
+
+vi.setConfig({ testTimeout: 180_000 });
+
+// Shared across all tests in this file — one postgres container + one webapp instance.
+let server: TestServer;
+
+beforeAll(async () => {
+  server = await startTestServer();
+}, 180_000);
+
+afterAll(async () => {
+  await server?.stop();
+}, 120_000);
+
+async function generateTestJWT(
+  environment: { id: string; apiKey: string },
+  options: { scopes?: string[] } = {}
+): Promise<string> {
+  const scopes = options.scopes ?? ["read:runs"];
+  return generateJWT({
+    secretKey: environment.apiKey,
+    payload: { pub: true, sub: environment.id, scopes },
+    expirationTime: "15m",
+  });
+}
+
+describe("API bearer auth — baseline behavior", () => {
+  it("valid API key: auth passes (404 not 401)", async () => {
+    const { apiKey } = await seedTestEnvironment(server.prisma);
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result", {
+      headers: { Authorization: `Bearer ${apiKey}` },
+    });
+    // Auth passed — resource just doesn't exist
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  it("missing Authorization header: 401", async () => {
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result");
+    expect(res.status).toBe(401);
+  });
+
+  it("invalid API key: 401", async () => {
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result", {
+      headers: { Authorization: "Bearer tr_dev_completely_invalid_key_xyz_not_real" },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("401 response has error field", async () => {
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result");
+    const body = await res.json();
+    expect(body).toHaveProperty("error");
+  });
+});
+
+describe("JWT bearer auth — baseline behavior", () => {
+  it("valid JWT on JWT-enabled route: auth passes", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateTestJWT(environment, { scopes: ["read:runs"] });
+
+    // /api/v1/runs has allowJWT: true with superScopes: ["read:runs", ...]
+    const res = await server.webapp.fetch("/api/v1/runs", {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+
+    // Auth passed — 200 (empty list) or 400 (bad search params), not 401
+    expect(res.status).not.toBe(401);
+  });
+
+  it("valid JWT on non-JWT route: 401", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateTestJWT(environment, { scopes: ["read:runs"] });
+
+    // /api/v1/runs/$runParam/result does NOT have allowJWT: true
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result", {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+
+    expect(res.status).toBe(401);
+  });
+
+  it("JWT with empty scopes on JWT-enabled route: 403", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateTestJWT(environment, { scopes: [] });
+
+    const res = await server.webapp.fetch("/api/v1/runs", {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+
+    // Empty scopes → no read:runs permission → 403
+    expect(res.status).toBe(403);
+  });
+
+  it("JWT signed with wrong key: 401", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateJWT({
+      secretKey: "wrong-signing-key-that-does-not-match-environment-key",
+      payload: { pub: true, sub: environment.id, scopes: ["read:runs"] },
+    });
+
+    const res = await server.webapp.fetch("/api/v1/runs", {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+
+    expect(res.status).toBe(401);
+  });
+});
diff --git a/apps/webapp/test/helpers/seedTestEnvironment.ts b/apps/webapp/test/helpers/seedTestEnvironment.ts
@@ -0,0 +1,43 @@
+import type { PrismaClient } from "@trigger.dev/database";
+
+function randomHex(len = 12): string {
+  return Math.random().toString(16).slice(2, 2 + len).padEnd(len, "0");
+}
+
+export async function seedTestEnvironment(prisma: PrismaClient) {
+  const suffix = randomHex(8);
+  const apiKey = `tr_dev_${randomHex(24)}`;
+  const pkApiKey = `pk_dev_${randomHex(24)}`;
+
+  const organization = await prisma.organization.create({
+    data: {
+      title: `e2e-test-org-${suffix}`,
+      slug: `e2e-org-${suffix}`,
+      v3Enabled: true,
+    },
+  });
+
+  const project = await prisma.project.create({
+    data: {
+      name: `e2e-test-project-${suffix}`,
+      slug: `e2e-proj-${suffix}`,
+      externalRef: `proj_${suffix}`,
+      organizationId: organization.id,
+      engine: "V2",
+    },
+  });
+
+  const environment = await prisma.runtimeEnvironment.create({
+    data: {
+      slug: "dev",
+      type: "DEVELOPMENT",
+      apiKey,
+      pkApiKey,
+      shortcode: suffix.slice(0, 4),
+      projectId: project.id,
+      organizationId: organization.id,
+    },
+  });
+
+  return { organization, project, environment, apiKey };
+}
diff --git a/internal-packages/testcontainers/package.json b/internal-packages/testcontainers/package.json
@@ -4,6 +4,10 @@
   "version": "0.0.1",
   "main": "./src/index.ts",
   "types": "./src/index.ts",
+  "exports": {
+    ".": "./src/index.ts",
+    "./webapp": "./src/webapp.ts"
+  },
   "dependencies": {
     "@clickhouse/client": "^1.11.1",
     "@opentelemetry/api": "^1.9.0",

diff --git a/internal-packages/testcontainers/src/index.ts b/internal-packages/testcontainers/src/index.ts
@@ -18,7 +18,7 @@ import { StartedClickHouseContainer } from "./clickhouse";
 import { StartedMinIOContainer, type MinIOConnectionConfig } from "./minio";
 import { ClickHouseClient, createClient } from "@clickhouse/client";
 
-export { assertNonNullable } from "./utils";
+export { assertNonNullable, createPostgresContainer } from "./utils";
 export { logCleanup };
 export type { MinIOConnectionConfig };
 

diff --git a/internal-packages/testcontainers/src/webapp.ts b/internal-packages/testcontainers/src/webapp.ts
@@ -0,0 +1,146 @@
+import { spawn } from "child_process";
+import { createServer } from "net";
+import { resolve } from "path";
+import { Network } from "testcontainers";
+import { PrismaClient } from "@trigger.dev/database";
+import { createPostgresContainer } from "./utils";
+
+const WEBAPP_ROOT = resolve(__dirname, "../../../apps/webapp");
+// pnpm hoists transitive deps to node_modules/.pnpm/node_modules but does NOT symlink them
+// to the root node_modules. We need NODE_PATH so the webapp process can find them at runtime.
+const PNPM_HOISTED_MODULES = resolve(__dirname, "../../../node_modules/.pnpm/node_modules");
+
+async function findFreePort(): Promise<number> {
+  return new Promise((res, rej) => {
+    const srv = createServer();
+    srv.listen(0, () => {
+      const port = (srv.address() as { port: number }).port;
+      srv.close((err) => (err ? rej(err) : res(port)));
+    });
+  });
+}
+
+async function waitForHealthcheck(url: string, timeoutMs = 60000): Promise<void> {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    try {
+      const res = await fetch(url);
+      if (res.ok) return;
+    } catch {}
+    await new Promise((r) => setTimeout(r, 500));
+  }
+  throw new Error(`Webapp did not become healthy at ${url} within ${timeoutMs}ms`);
+}
+
+export interface WebappInstance {
+  baseUrl: string;
+  fetch(path: string, init?: RequestInit): Promise<Response>;
+}
+
+export async function startWebapp(databaseUrl: string): Promise<{
+  instance: WebappInstance;
+  stop: () => Promise<void>;
+}> {
+  const port = await findFreePort();
+
+  // Merge NODE_PATH so transitive pnpm deps (hoisted to .pnpm/node_modules) are resolvable
+  const existingNodePath = process.env.NODE_PATH;
+  const nodePath = existingNodePath
+    ? `${PNPM_HOISTED_MODULES}:${existingNodePath}`
+    : PNPM_HOISTED_MODULES;
+
+  const proc = spawn(process.execPath, ["build/server.js"], {
+    cwd: WEBAPP_ROOT,
+    env: {
+      ...process.env,
+      NODE_ENV: "test",
+      DATABASE_URL: databaseUrl,
+      DIRECT_URL: databaseUrl,
+      PORT: String(port),
+      REMIX_APP_PORT: String(port), // override .env file value (vitest loads .env via Vite)
+      SESSION_SECRET: "test-session-secret-for-e2e-tests",
+      MAGIC_LINK_SECRET: "test-magic-link-secret-32chars!!",
+      ENCRYPTION_KEY: "test-encryption-key-for-e2e!!!!!", // exactly 32 bytes
+      CLICKHOUSE_URL: "http://localhost:19123", // dummy, auth paths never connect
+      DEPLOY_REGISTRY_HOST: "registry.example.com", // dummy, not needed for auth tests
+      ELECTRIC_ORIGIN: "http://localhost:3060",
+      NODE_PATH: nodePath,
+    },
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+
+  const stderr: string[] = [];
+  proc.stderr?.on("data", (d: Buffer) => {
+    const line = d.toString();
+    stderr.push(line);
+    if (process.env.WEBAPP_TEST_VERBOSE) {
+      process.stderr.write(line);
+    }
+  });
+
+  const stdout: string[] = [];
+  proc.stdout?.on("data", (d: Buffer) => {
+    const line = d.toString();
+    stdout.push(line);
+    if (process.env.WEBAPP_TEST_VERBOSE) {
+      process.stdout.write(line);
+    }
+  });
+
+  proc.on("error", (err) => {
+    throw new Error(`Failed to start webapp: ${err.message}`);
+  });
+
+  const baseUrl = `http://localhost:${port}`;
+
+  try {
+    await waitForHealthcheck(`${baseUrl}/healthcheck`);
+  } catch (err) {
+    proc.kill("SIGTERM");
+    const output = [...stdout, ...stderr].join("\n");
+    throw new Error(`Webapp failed to start.\nOutput:\n${output}\n\nOriginal error: ${err}`);
+  }
+
+  return {
+    instance: {
+      baseUrl,
+      fetch: (path: string, init?: RequestInit) => fetch(`${baseUrl}${path}`, init),
+    },
+    stop: () =>
+      new Promise<void>((res) => {
+        const timer = setTimeout(() => {
+          proc.kill("SIGKILL");
+          res();
+        }, 10_000);
+        proc.once("exit", () => {
+          clearTimeout(timer);
+          res();
+        });
+        proc.kill("SIGTERM");
+      }),
+  };
+}
+
+export interface TestServer {
+  webapp: WebappInstance;
+  prisma: PrismaClient;
+  stop: () => Promise<void>;
+}
+
+/** Convenience helper: starts a postgres container + webapp and returns both for testing. */
+export async function startTestServer(): Promise<TestServer> {
+  const network = await new Network().start();
+  const { url: databaseUrl, container } = await createPostgresContainer(network);
+
+  const prisma = new PrismaClient({ datasources: { db: { url: databaseUrl } } });
+  const { instance: webapp, stop: stopWebapp } = await startWebapp(databaseUrl);
+
+  const stop = async () => {
+    await stopWebapp();
+    await prisma.$disconnect();
+    await container.stop();
+    await network.stop();
+  };
+
+  return { webapp, prisma, stop };
+}