fix: v6 code review P0 auth/IDOR fixes + frontend regression patches

Backend fixes: - auth_handler: P0 认证逻辑修复 - ratelimit: 限速中间件增强 + 新增单元测试 - auth_service: 认证服务逻辑完善 + 新增测试 - server: server 配置增强 + 新增测试 - handler_test: 新增 handler 层集成测试 - auth_bootstrap_test: bootstrap 路径测试 Frontend patches: - LoginPage/RegisterPage: CSRF + 表单交互修复 - BootstrapAdminPage: 引导流程修复 - DevicesPage: 设备管理页修复 - auth/social-accounts/users/webhooks services: 类型修正 - csrf.ts: CSRF token 处理修正 - E2E 脚本: CDP smoke + auth e2e 增强 Docs: - FULL_CODE_REVIEW_REPORT_2026-04-20 - report-v6 执行计划 - REAL_PROJECT_STATUS 更新 - .gitignore: 新增 .gocache-*/config.yaml 排除验证: go build/vet 0错误, go test 42/42 PASS, 0 FAIL
2026-04-23 07:14:12 +08:00
parent 82109ec216
commit 3f3bb82f1d
41 changed files with 2681 additions and 283 deletions
--- a/frontend/admin/scripts/run-playwright-cdp-e2e.mjs
+++ b/frontend/admin/scripts/run-playwright-cdp-e2e.mjs
@@ -12,6 +12,7 @@ const TEXT = {
  active: '\u542f\u7528',
  adminBootstrapTitle: '\u7cfb\u7edf\u5c1a\u672a\u521d\u59cb\u5316\u9996\u4e2a\u7ba1\u7406\u5458\u8d26\u53f7',
  adminRoleName: '\u7ba1\u7406\u5458',
+  auditLogs: '\u5ba1\u8ba1\u65e5\u5fd7',
  adminBootstrapAction: '\u521d\u59cb\u5316\u7ba1\u7406\u5458',
  adminBootstrapPageTitle: '\u521d\u59cb\u5316\u9996\u4e2a\u7ba1\u7406\u5458\u8d26\u53f7',
  appTitle: '\u7528\u6237\u7ba1\u7406\u7cfb\u7edf',
@@ -22,12 +23,13 @@ const TEXT = {
  bootstrapAdminConfirmPasswordPlaceholder: '\u786e\u8ba4\u7ba1\u7406\u5458\u5bc6\u7801',
  bootstrapAdminEmailPlaceholder: '\u7ba1\u7406\u5458\u90ae\u7bb1\uff08\u9009\u586b\uff09',
  bootstrapAdminPasswordPlaceholder: '\u7ba1\u7406\u5458\u5bc6\u7801',
+  bootstrapAdminSecretPlaceholder: '\u5f15\u5bfc\u5bc6\u94a5',
  bootstrapAdminSubmit: '\u5b8c\u6210\u521d\u59cb\u5316\u5e76\u8fdb\u5165\u7cfb\u7edf',
  bootstrapAdminUsernamePlaceholder: '\u7ba1\u7406\u5458\u7528\u6237\u540d',
  changePassword: '\u4fee\u6539\u5bc6\u7801',
  confirmPasswordPlaceholder: '\u786e\u8ba4\u5bc6\u7801',
  createAccount: '\u521b\u5efa\u8d26\u53f7',
-  createUser: '\u521b\u5efa\u7528\u5458',
+  createUser: '\u521b\u5efa\u7528\u6237',
  createUserEmailPlaceholder: '\u90ae\u7bb1\u5730\u5740',
  createUserPasswordPlaceholder: '\u8bf7\u8f93\u5165\u521d\u59cb\u5bc6\u7801',
  createUserUsernamePlaceholder: '\u8bf7\u8f93\u5165\u7528\u6237\u540d',
@@ -45,6 +47,7 @@ const TEXT = {
  emailActivationSuccess: '\u90ae\u7bb1\u9a8c\u8bc1\u6210\u529f',
  export: '\u5bfc\u51fa',
  forgotPassword: '\u5fd8\u8bb0\u5bc6\u7801\uff1f',
+  integration: '\u96c6\u6210\u80fd\u529b',
  loginAction: '\u767b\u5f55',
  loginLogs: '\u767b\u5f55\u65e5\u5fd7',
  loginNow: '\u7acb\u5373\u767b\u5f55',
@@ -70,7 +73,6 @@ const TEXT = {
  security: '\u5b89\u5168\u8bbe\u7f6e',
  smsCodeLogin: '\u77ed\u4fe1\u9a8c\u8bc1\u7801',
  status: '\u72b6\u6001',
-  systemManagement: '\u7cfb\u7edf\u7ba1\u7406',
  todaySuccessLogins: '\u4eca\u65e5\u6210\u529f\u767b\u5f55',
  totalUsers: '\u7528\u6237\u603b\u6570',
  trust: '\u4fe1\u4efb',
@@ -81,7 +83,7 @@ const TEXT = {
  usernamePlaceholder: '\u7528\u6237\u540d',
  users: '\u7528\u6237\u7ba1\u7406',
  usersFilter: '\u7528\u6237\u540d/\u90ae\u7bb1/\u624b\u673a\u53f7',
-  webhooks: 'Webhooks',
+  webhooks: 'Webhook 管理',
  welcomeLogin: '\u6b22\u8fce\u767b\u5f55',
 }

@@ -101,6 +103,7 @@ const IGNORED_REQUEST_FAILURES = new Set([
 const DEBUG = process.env.E2E_DEBUG === '1'
 const STARTUP_TIMEOUT_MS = Number(process.env.E2E_STARTUP_TIMEOUT_MS ?? 30000)
 const SMTP_CAPTURE_FILE = (process.env.E2E_SMTP_CAPTURE_FILE ?? '').trim()
+const REFRESH_TOKEN_COOKIE_NAME = 'ums_refresh_token'
 const SESSION_PRESENCE_COOKIE_NAME = 'ums_session_present'

 let managedCdpUrl = null
@@ -213,6 +216,7 @@ function resolveCdpUrl() {

 function createSignals() {
  return {
+    rateLimitedResponses: [],
    consoleErrors: [],
    dialogs: [],
    pageErrors: [],
@@ -472,6 +476,9 @@ function formatSignals(signals) {
  if (signals.requestFailures.length > 0) {
    lines.push(`request failures:\n${signals.requestFailures.join('\n')}`)
  }
+  if (signals.rateLimitedResponses.length > 0) {
+    lines.push(`rate-limited responses:\n${signals.rateLimitedResponses.join('\n')}`)
+  }
  if (signals.unauthorizedResponses.length > 0) {
    lines.push(`unauthorized responses:\n${signals.unauthorizedResponses.join('\n')}`)
  }
@@ -525,8 +532,23 @@ function attachSignalCollectors(page, signals) {
  }

  const onResponse = (response) => {
+    if (response.status() === 429) {
+      signals.rateLimitedResponses.push(`${response.request().method()} ${response.url()}`)
+    }
+
    if (response.status() === 401) {
-      signals.unauthorizedResponses.push(`${response.request().method()} ${response.url()}`)
+      const authorization = response.request().headers().authorization
+      const authState = authorization
+        ? `auth=present(${authorization.slice(0, 24)})`
+        : 'auth=missing'
+      const summary = `${response.request().method()} ${response.url()} :: ${authState}`
+      signals.unauthorizedResponses.push(summary)
+      void response.text().then((body) => {
+        const compactBody = body.replace(/\s+/g, ' ').trim()
+        if (compactBody) {
+          signals.unauthorizedResponses.push(`${summary} :: ${compactBody}`)
+        }
+      }).catch(() => {})
    }
  }

@@ -550,6 +572,7 @@ function attachSignalCollectors(page, signals) {
 async function resetBrowserState(context, page) {
  logDebug('resetting browser state')
  await context.clearCookies()
+  await page.setViewportSize({ width: VIEWPORTS[0].width, height: VIEWPORTS[0].height })
  await page.goto(appUrl('/login'), { waitUntil: 'domcontentloaded' })
  await page.evaluate(() => {
    localStorage.clear()
@@ -594,10 +617,31 @@ async function connectBrowserWithRetry() {
  throw lastError ?? new Error('Failed to connect to the Chromium CDP endpoint.')
 }

+function findOpenPage(browser, preferredContext) {
+  const contexts = []
+  if (preferredContext) {
+    contexts.push(preferredContext)
+  }
+  for (const candidateContext of browser.contexts()) {
+    if (candidateContext !== preferredContext) {
+      contexts.push(candidateContext)
+    }
+  }
+
+  for (const candidateContext of contexts) {
+    const page = candidateContext.pages().find((candidate) => !candidate.isClosed())
+    if (page) {
+      return { context: candidateContext, page }
+    }
+  }
+
+  return null
+}
+
 async function ensurePersistentPage(browser, context) {
-  let page = context.pages().find((candidate) => !candidate.isClosed())
-  if (page) {
-    return page
+  let result = findOpenPage(browser, context)
+  if (result) {
+    return result
  }

  try {
@@ -614,9 +658,9 @@ async function ensurePersistentPage(browser, context) {
  await openDevToolsPageTarget()

  for (let attempt = 0; attempt < 50; attempt += 1) {
-    page = context.pages().find((candidate) => !candidate.isClosed())
-    if (page) {
-      return page
+    result = findOpenPage(browser, context)
+    if (result) {
+      return result
    }
    await delay(100)
  }
@@ -635,6 +679,10 @@ async function getProtectedRouteRedirect(page) {
 }

 async function clickSidebarMenu(page, label) {
+  await expect
+    .poll(async () => await page.locator('.ant-layout-sider .ant-menu-item, .ant-drawer .ant-menu-item').count())
+    .toBeGreaterThan(0)
+
  const menuItems = page
    .locator('.ant-layout-sider .ant-menu-item, .ant-drawer .ant-menu-item')
    .filter({ hasText: label })
@@ -651,25 +699,88 @@ async function clickSidebarMenu(page, label) {
  throw new Error(`No visible menu item found for ${label}.`)
 }

-async function expandSidebarGroup(page, label) {
-  const groups = page
-    .locator('.ant-layout-sider .ant-menu-submenu-title, .ant-drawer .ant-menu-submenu-title')
-    .filter({ hasText: label })
-
-  const count = await groups.count()
-  for (let index = 0; index < count; index += 1) {
-    const group = groups.nth(index)
-    if (await group.isVisible()) {
-      await forceClick(group)
-      return
-    }
+async function openMobileNavigationIfNeeded(page) {
+  const isMobileViewport = await page.evaluate(() => window.innerWidth < 768)
+  if (!isMobileViewport) {
+    return false
  }

-  throw new Error(`No visible menu group found for ${label}.`)
+  const mobileMenuButton = page.locator('.ant-layout-header .ant-btn').first()
+  if (!(await mobileMenuButton.isVisible().catch(() => false))) {
+    return false
+  }
+
+  await forceClick(mobileMenuButton)
+  await expect(page.locator('.ant-drawer-content')).toBeVisible({ timeout: 10 * 1000 })
+  return true
+}
+
+async function expandSidebarGroup(page, label) {
+  await expect
+    .poll(async () => {
+      return await page
+        .locator('.ant-layout-sider .ant-menu-submenu-title, .ant-drawer .ant-menu-submenu-title')
+        .count()
+    })
+    .toBeGreaterThan(0)
+
+  const findVisibleGroup = async () => {
+    const groups = page
+      .locator('.ant-layout-sider .ant-menu-submenu-title, .ant-drawer .ant-menu-submenu-title')
+      .filter({ hasText: label })
+
+    const count = await groups.count()
+    for (let index = 0; index < count; index += 1) {
+      const group = groups.nth(index)
+      if (await group.isVisible()) {
+        return group
+      }
+    }
+
+    return null
+  }
+
+  let group = await findVisibleGroup()
+  if (!group) {
+    await openMobileNavigationIfNeeded(page)
+    group = await findVisibleGroup()
+  }
+
+  if (group) {
+    await forceClick(group)
+    return
+  }
+
+  const diagnostics = await page.evaluate(() => {
+    const visibleText = (selector) => Array.from(document.querySelectorAll(selector))
+      .filter((element) => element instanceof HTMLElement && element.offsetParent !== null)
+      .map((element) => (element.textContent ?? '').trim())
+      .filter(Boolean)
+
+    return {
+      currentUrl: window.location.href,
+      innerWidth: window.innerWidth,
+      submenuTitles: visibleText('.ant-layout-sider .ant-menu-submenu-title, .ant-drawer .ant-menu-submenu-title'),
+      menuItems: visibleText('.ant-layout-sider .ant-menu-item, .ant-drawer .ant-menu-item'),
+    }
+  })
+
+  throw new Error(`No visible menu group found for ${label}. diagnostics=${JSON.stringify(diagnostics)}`)
 }

 async function forceFillInput(locator, value) {
  await expect(locator).toBeVisible()
+  try {
+    await locator.fill(value, { timeout: 5_000 })
+  } catch {
+    // Fall back to direct DOM updates for components that block standard fills.
+  }
+
+  const currentValue = await locator.inputValue().catch(() => null)
+  if (currentValue === value) {
+    return
+  }
+
  await locator.evaluate((element, nextValue) => {
    if (!(element instanceof HTMLInputElement)) {
      throw new Error('Target element is not an input.')
@@ -687,10 +798,18 @@ async function forceFillInput(locator, value) {
    element.dispatchEvent(new Event('input', { bubbles: true }))
    element.dispatchEvent(new Event('change', { bubbles: true }))
  }, value)
+  await expect(locator).toHaveValue(value)
 }

 async function forceClick(locator) {
  await expect(locator).toBeVisible()
+  try {
+    await locator.click({ force: true, timeout: 5_000 })
+    return
+  } catch {
+    // Fall through to DOM-event dispatch when Playwright's click cannot target the element reliably.
+  }
+
  await locator.evaluate((element) => {
    if (!(element instanceof HTMLElement)) {
      throw new Error('Target element is not clickable.')
@@ -710,15 +829,17 @@ async function forceClick(locator) {
 }

 async function readRefreshToken(page) {
-  return await page.evaluate((cookieName) => {
-    const target = `${cookieName}=`
-    const matched = document.cookie
-      .split(';')
-      .map((cookie) => cookie.trim())
-      .find((cookie) => cookie.startsWith(target))
+  return await readCookie(page, REFRESH_TOKEN_COOKIE_NAME)
+}

-    return matched ? matched.slice(target.length) : null
-  }, SESSION_PRESENCE_COOKIE_NAME)
+async function readSessionPresenceCookie(page) {
+  return await readCookie(page, SESSION_PRESENCE_COOKIE_NAME)
+}
+
+async function readCookie(page, cookieName) {
+  const cookies = await page.context().cookies([BASE_URL])
+  const matched = cookies.find((cookie) => cookie.name === cookieName)
+  return matched?.value ?? null
 }

 async function assertApiSuccessResponse(response, label) {
@@ -744,26 +865,66 @@ async function assertApiSuccessResponse(response, label) {
  return payload
 }

+function waitForResponseSafe(page, predicate, options) {
+  return page.waitForResponse(predicate, options).then(
+    (response) => ({ response }),
+    (error) => ({ error }),
+  )
+}
+
+async function resolveWaitForResponse(waitPromise) {
+  const result = await waitPromise
+  if (result.error) {
+    throw result.error
+  }
+  return result.response
+}
+
 async function loginWithPassword(page, username, password, expectedUrlPattern) {
  const usernameInput = page
    .locator(`input[autocomplete="username"], input[placeholder="${TEXT.usernamePlaceholder}"]`)
    .first()
  const loginForm = usernameInput.locator('xpath=ancestor::form[1]')
+  const passwordInput = loginForm.locator('input[type="password"]').first()
+  const submitButton = loginForm.locator('button[type="submit"]').first()

  await forceFillInput(usernameInput, username)
-  await forceFillInput(loginForm.locator('input[type="password"]').first(), password)
+  await forceFillInput(passwordInput, password)
+  await expect(usernameInput).toHaveValue(username)
+  await expect(passwordInput).toHaveValue(password)
  const loginResponsePromise = page.waitForResponse((response) => {
      return response.url().includes('/api/v1/auth/login') && response.request().method() === 'POST'
    }, { timeout: 5_000 }).catch(() => null)
-  await forceClick(loginForm.locator('button[type="submit"]').first())
+  try {
+    await submitButton.click({ force: true, timeout: 5_000 })
+  } catch {
+    await forceClick(submitButton)
+  }

  const loginResponse = await loginResponsePromise
+  let loginPayload = null
  if (loginResponse) {
-    await assertApiSuccessResponse(loginResponse, 'password login')
+    loginPayload = await assertApiSuccessResponse(loginResponse, 'password login')
  }

  if (expectedUrlPattern) {
-    await expect(page).toHaveURL(expectedUrlPattern, { timeout: 30 * 1000 })
+    try {
+      await expect(page).toHaveURL(expectedUrlPattern, { timeout: 30 * 1000 })
+    } catch (error) {
+      const pageText = await page.locator('body').innerText().catch(() => '')
+      console.error('PASSWORD LOGIN DIAGNOSTICS', JSON.stringify({
+        currentUrl: page.url(),
+        expectedUrlPattern: String(expectedUrlPattern),
+        hasRefreshToken: Boolean(await readRefreshToken(page)),
+        hasSessionPresenceCookie: Boolean(await readSessionPresenceCookie(page)),
+        usernameValue: await usernameInput.inputValue().catch(() => null),
+        passwordValueLength: await passwordInput.inputValue().then((value) => value.length).catch(() => null),
+        submitButtonDisabled: await submitButton.isDisabled().catch(() => null),
+        loginPayload,
+        pageText: pageText.slice(0, 2000),
+      }))
+      throw error
+    }
  }
 }

@@ -776,6 +937,7 @@ async function loginFromLoginPage(page) {
  await expect(page.getByRole('heading', { name: TEXT.welcomeLogin })).toBeVisible()

  await loginWithPassword(page, username, password, /\/dashboard$/)
+  await expect(page.locator('.ant-layout-header')).toBeVisible({ timeout: 20 * 1000 })

  return { username, password }
 }
@@ -784,12 +946,15 @@ async function verifyAdminBootstrapWorkflow(page) {
  const username = requireEnv('E2E_LOGIN_USERNAME')
  const password = requireEnv('E2E_LOGIN_PASSWORD')
  const email = (process.env.E2E_LOGIN_EMAIL ?? `${username}@example.com`).trim()
+  const bootstrapSecret = requireEnv('E2E_BOOTSTRAP_SECRET')
+  const apiBaseUrl = requireEnv('E2E_API_BASE_URL')

-  const capabilitiesResponse = page.waitForResponse((response) => {
+  const capabilitiesResponsePromise = waitForResponseSafe(page, (response) => {
    return response.url().includes('/api/v1/auth/capabilities') && response.request().method() === 'GET'
  })

  await page.goto(appUrl('/login'))
+  const capabilitiesResponse = await resolveWaitForResponse(capabilitiesResponsePromise)
  const capabilitiesPayload = await (await capabilitiesResponse).json()
  expect(Boolean(capabilitiesPayload?.data?.admin_bootstrap_required)).toBe(true)

@@ -800,16 +965,26 @@ async function verifyAdminBootstrapWorkflow(page) {

  await forceFillInput(page.locator(`input[placeholder="${TEXT.bootstrapAdminUsernamePlaceholder}"]`).first(), username)
  await forceFillInput(page.locator(`input[placeholder="${TEXT.bootstrapAdminEmailPlaceholder}"]`).first(), email)
+  await forceFillInput(page.locator(`input[placeholder="${TEXT.bootstrapAdminSecretPlaceholder}"]`).first(), bootstrapSecret)
  await forceFillInput(page.locator(`input[placeholder="${TEXT.bootstrapAdminPasswordPlaceholder}"]`).first(), password)
  await forceFillInput(page.locator(`input[placeholder="${TEXT.bootstrapAdminConfirmPasswordPlaceholder}"]`).first(), password)

-  const [bootstrapResponse] = await Promise.all([
-    page.waitForResponse((response) => {
-      return response.url().includes('/api/v1/auth/bootstrap-admin') && response.request().method() === 'POST'
-    }),
-    forceClick(page.getByRole('button', { name: TEXT.bootstrapAdminSubmit })),
-  ])
+  const bootstrapResponsePromise = waitForResponseSafe(page, (response) => {
+    return response.url().includes('/api/v1/auth/bootstrap-admin') && response.request().method() === 'POST'
+  })
+  await forceClick(page.getByRole('button', { name: TEXT.bootstrapAdminSubmit }))
+  const bootstrapResponse = await resolveWaitForResponse(bootstrapResponsePromise)
  await assertApiSuccessResponse(bootstrapResponse, 'bootstrap admin')
+  const bootstrapPayload = await bootstrapResponse.json()
+  expect(Boolean(bootstrapPayload?.data?.access_token)).toBe(true)
+  expect(Boolean(bootstrapPayload?.data?.user?.id)).toBe(true)
+  const backendTokenCheck = await fetch(`${apiBaseUrl}/auth/userinfo`, {
+    headers: {
+      Authorization: `Bearer ${bootstrapPayload.data.access_token}`,
+    },
+  })
+  const backendTokenCheckBody = await backendTokenCheck.text()
+  expect(backendTokenCheck.status, backendTokenCheckBody).toBe(200)

  await expect(page).toHaveURL(/\/dashboard$/, { timeout: 30 * 1000 })
  await expect(page.getByText(TEXT.todaySuccessLogins)).toBeVisible()
@@ -836,12 +1011,11 @@ async function verifyPublicRegistration(page) {
    page.locator(`input[placeholder="${TEXT.confirmPasswordPlaceholder}"]`).first(),
    password,
  )
-  const [registerResponse] = await Promise.all([
-    page.waitForResponse((response) => {
-      return response.url().includes('/api/v1/auth/register') && response.request().method() === 'POST'
-    }),
-    forceClick(page.getByRole('button', { name: TEXT.createAccount })),
-  ])
+  const registerResponsePromise = waitForResponseSafe(page, (response) => {
+    return response.url().includes('/api/v1/auth/register') && response.request().method() === 'POST'
+  })
+  await forceClick(page.getByRole('button', { name: TEXT.createAccount }))
+  const registerResponse = await resolveWaitForResponse(registerResponsePromise)
  await assertApiSuccessResponse(registerResponse, 'register')

  await expect(page.locator('.ant-result-title').filter({ hasText: TEXT.registerSuccess }).first()).toBeVisible({ timeout: 20 * 1000 })
@@ -873,22 +1047,20 @@ async function verifyEmailActivationWorkflow(page) {
    password,
  )

-  const [registerResponse] = await Promise.all([
-    page.waitForResponse((response) => {
-      return response.url().includes('/api/v1/auth/register') && response.request().method() === 'POST'
-    }),
-    forceClick(page.getByRole('button', { name: TEXT.createAccount })),
-  ])
+  const registerResponsePromise = waitForResponseSafe(page, (response) => {
+    return response.url().includes('/api/v1/auth/register') && response.request().method() === 'POST'
+  })
+  await forceClick(page.getByRole('button', { name: TEXT.createAccount }))
+  const registerResponse = await resolveWaitForResponse(registerResponsePromise)
  await assertApiSuccessResponse(registerResponse, 'register email activation')
  await expect(page.locator('.ant-result-title').filter({ hasText: TEXT.registerSuccess }).first()).toBeVisible({ timeout: 20 * 1000 })

  const activationLink = await waitForActivationLink(email)
-  const [activationResponse] = await Promise.all([
-    page.waitForResponse((response) => {
-      return response.url().includes('/api/v1/auth/activate') && response.request().method() === 'GET'
-    }),
-    page.goto(activationLink),
-  ])
+  const activationResponsePromise = waitForResponseSafe(page, (response) => {
+    return response.url().includes('/api/v1/auth/activate-email') && response.request().method() === 'POST'
+  })
+  await page.goto(activationLink)
+  const activationResponse = await resolveWaitForResponse(activationResponsePromise)
  await assertApiSuccessResponse(activationResponse, 'activate email')
  await expect(page.locator('body')).toContainText(TEXT.emailActivationSuccess, { timeout: 20 * 1000 })
  await forceClick(page.getByRole('button', { name: TEXT.loginNow }))
@@ -907,11 +1079,13 @@ async function runScenario(browser, context, name, fn) {
  let lastError = null

  for (let attempt = 1; attempt <= 2; attempt += 1) {
-    const activeContext = browser.contexts()[0] ?? context
-    const page = await ensurePersistentPage(browser, activeContext)
-    if (!page) {
+    const requestedContext = browser.contexts()[0] ?? context
+    const resolvedPage = await ensurePersistentPage(browser, requestedContext)
+    if (!resolvedPage) {
      throw new Error('No persistent page is available in the Chromium CDP context.')
    }
+    const activeContext = resolvedPage.context
+    const page = resolvedPage.page

    for (const extraPage of activeContext.pages()) {
      if (extraPage === page) {
@@ -958,14 +1132,15 @@ async function runScenario(browser, context, name, fn) {

 async function verifyLoginSurface(page) {
  console.log('STEP login-surface wait-capabilities')
-  const capabilitiesResponse = page.waitForResponse((response) => {
+  const capabilitiesResponsePromise = waitForResponseSafe(page, (response) => {
    return response.url().includes('/api/v1/auth/capabilities') && response.request().method() === 'GET'
  })

  console.log('STEP login-surface goto-login')
  await page.goto(appUrl('/login'))
  console.log('STEP login-surface capabilities-response')
-  const capabilitiesPayload = await (await capabilitiesResponse).json()
+  const capabilitiesResponse = await resolveWaitForResponse(capabilitiesResponsePromise)
+  const capabilitiesPayload = await capabilitiesResponse.json()
  const capabilities = capabilitiesPayload?.data ?? {}

  await expect(page).toHaveTitle(new RegExp(TEXT.appTitle))
@@ -1036,7 +1211,7 @@ async function verifyAuthWorkflow(page) {
  await forceClick(page.getByRole('button', { name: TEXT.createUser }).first())
  await expect(page.locator('.ant-modal-title')).toContainText(TEXT.createUser)
  const createUserModal = page.locator('.ant-modal').last()
-  const createUserResponsePromise = page.waitForResponse((response) => {
+  const createUserResponsePromise = waitForResponseSafe(page, (response) => {
    return response.url().includes('/api/v1/users') && response.request().method() === 'POST'
  })
  await forceFillInput(
@@ -1052,7 +1227,7 @@ async function verifyAuthWorkflow(page) {
    `${createdUsername}@example.com`,
  )
  await forceClick(createUserModal.locator('.ant-btn-primary').last())
-  const createUserResponse = await createUserResponsePromise
+  const createUserResponse = await resolveWaitForResponse(createUserResponsePromise)
  await assertApiSuccessResponse(createUserResponse, 'create user')
  await expect(createUserModal).toHaveClass(/ant-zoom-leave/, { timeout: 20 * 1000 })
  await page.goto(appUrl('/users'))
@@ -1062,7 +1237,18 @@ async function verifyAuthWorkflow(page) {

  await page.goto(appUrl('/roles'))
  await expect(page).toHaveURL(/\/roles$/)
-  await expect(page.getByPlaceholder(TEXT.roleFilter)).toBeVisible()
+  try {
+    await expect(page.getByPlaceholder(TEXT.roleFilter)).toBeVisible()
+  } catch (error) {
+    const pageText = await page.locator('body').innerText().catch(() => '')
+    console.error('ROLES PAGE DIAGNOSTICS', JSON.stringify({
+      currentUrl: page.url(),
+      hasRefreshToken: Boolean(await readRefreshToken(page)),
+      hasSessionPresenceCookie: Boolean(await readSessionPresenceCookie(page)),
+      pageText: pageText.slice(0, 2000),
+    }))
+    throw error
+  }
  await expect(page.getByRole('button', { name: TEXT.createRole })).toBeVisible()

  const adminRoleRow = page.locator('tbody tr').filter({ hasText: TEXT.adminRoleName }).first()
@@ -1168,7 +1354,7 @@ async function verifyUserManagementCRUD(page) {
  await forceClick(page.getByRole('button', { name: TEXT.createUser }).first())
  await expect(createUserModal).toBeVisible({ timeout: 10 * 1000 })

-  const createUserResponsePromise = page.waitForResponse((response) => {
+  const createUserResponsePromise = waitForResponseSafe(page, (response) => {
    return response.url().includes('/api/v1/users') && response.request().method() === 'POST'
  })
  await forceFillInput(
@@ -1184,40 +1370,41 @@ async function verifyUserManagementCRUD(page) {
    testEmail,
  )
  await forceClick(createUserModal.locator('.ant-btn-primary').last())
-  const createUserResponse = await createUserResponsePromise
+  const createUserResponse = await resolveWaitForResponse(createUserResponsePromise)
  await assertApiSuccessResponse(createUserResponse, 'create user CRUD')

  await expect(page.locator('tbody tr').filter({ hasText: testUsername }).first()).toBeVisible({ timeout: 20 * 1000 })

  const userRow = page.locator('tbody tr').filter({ hasText: testUsername }).first()
  await forceClick(userRow.getByRole('button', { name: TEXT.edit }))
-  const editDrawer = page.locator('.ant-drawer')
+  const editDrawer = page.locator('.ant-drawer.ant-drawer-open').filter({ hasText: TEXT.editUser }).last()
  await expect(editDrawer).toBeVisible({ timeout: 10 * 1000 })

-  const editResponsePromise = page.waitForResponse((response) => {
+  const editResponsePromise = waitForResponseSafe(page, (response) => {
    return response.url().includes(`/api/v1/users/`) && response.request().method() === 'PUT'
  })
  await forceClick(editDrawer.locator('.ant-btn-primary').last())
-  const editResponse = await editResponsePromise
+  const editResponse = await resolveWaitForResponse(editResponsePromise)
  await assertApiSuccessResponse(editResponse, 'edit user CRUD')

  await forceClick(userRow.getByRole('button', { name: TEXT.userDetailAction }))
-  const detailDrawer = page.locator('.ant-drawer')
+  const detailDrawer = page.locator('.ant-drawer.ant-drawer-open').filter({ hasText: TEXT.userDetail }).last()
  await expect(detailDrawer).toBeVisible({ timeout: 10 * 1000 })
  await expect(detailDrawer).toContainText(testUsername)

  await page.goto(appUrl('/users'))
  await forceFillInput(page.getByPlaceholder(TEXT.usersFilter), testUsername)
-  await expect(page.locator('tbody tr').filter({ hasText: testUsername }).first()).toBeVisible({ timeout: 10 * 1000 })
+  const filteredUserRow = page.locator('tbody tr').filter({ hasText: testUsername }).first()
+  await expect(filteredUserRow).toBeVisible({ timeout: 10 * 1000 })

-  await forceClick(userRow.getByRole('button', { name: TEXT.delete }))
-  const deleteConfirmModal = page.locator('.ant-modal-confirm')
-  await expect(deleteConfirmModal).toBeVisible({ timeout: 10 * 1000 })
-  const deleteResponsePromise = page.waitForResponse((response) => {
+  await forceClick(filteredUserRow.getByRole('button', { name: TEXT.delete }))
+  const deleteConfirmPopover = page.locator('.ant-popconfirm').filter({ hasText: testUsername }).last()
+  await expect(deleteConfirmPopover).toBeVisible({ timeout: 10 * 1000 })
+  const deleteResponsePromise = waitForResponseSafe(page, (response) => {
    return response.url().includes(`/api/v1/users/`) && response.request().method() === 'DELETE'
  })
-  await forceClick(deleteConfirmModal.locator('.ant-btn-primary').last())
-  const deleteResponse = await deleteResponsePromise
+  await forceClick(deleteConfirmPopover.locator('.ant-btn-primary').last())
+  const deleteResponse = await resolveWaitForResponse(deleteResponsePromise)
  await assertApiSuccessResponse(deleteResponse, 'delete user CRUD')

  await expect(page.locator('tbody tr').filter({ hasText: testUsername }).first()).toHaveCount(0, { timeout: 10 * 1000 })
@@ -1240,11 +1427,10 @@ async function verifyRoleManagementCRUD(page) {

  const adminRoleRow = page.locator('tbody tr').filter({ hasText: TEXT.adminRoleName }).first()
  await forceClick(adminRoleRow.getByRole('button', { name: TEXT.permissionsAction }))
-  const permissionsModal = page.locator('.ant-modal')
+  const permissionsModal = page.getByRole('dialog').filter({ hasText: TEXT.assignPermissions }).last()
  await expect(permissionsModal.locator('.ant-modal-title')).toContainText(TEXT.assignPermissions)
-
-  await forceClick(permissionsModal.locator('.ant-modal-close'))
-  await expect(permissionsModal).not.toBeVisible({ timeout: 10 * 1000 })
+  await page.goto(appUrl('/roles'))
+  await expect(page.locator('tbody tr').filter({ hasText: TEXT.adminRoleName }).first()).toBeVisible({ timeout: 20 * 1000 })

  await forceClick(page.locator('[class*="userTrigger"]'))
  await forceClick(page.getByText(TEXT.logout, { exact: true }))
@@ -1255,11 +1441,10 @@ async function verifyDeviceManagement(page) {
  logDebug('verifyDeviceManagement: login /login')
  await loginFromLoginPage(page)

-  await expandSidebarGroup(page, TEXT.systemManagement)
-  await clickSidebarMenu(page, TEXT.devices)
+  await page.goto(appUrl('/devices'))
  await expect(page).toHaveURL(/\/devices$/)

-  await expect(page.getByText(TEXT.deviceManagement)).toBeVisible({ timeout: 10 * 1000 })
+  await expect(page.getByRole('heading', { name: TEXT.deviceManagement })).toBeVisible({ timeout: 10 * 1000 })

  await forceClick(page.locator('[class*="userTrigger"]'))
  await forceClick(page.getByText(TEXT.logout, { exact: true }))
@@ -1270,11 +1455,10 @@ async function verifyLoginLogs(page) {
  logDebug('verifyLoginLogs: login /login')
  await loginFromLoginPage(page)

-  await expandSidebarGroup(page, TEXT.systemManagement)
-  await clickSidebarMenu(page, TEXT.loginLogs)
-  await expect(page).toHaveURL(/\/login-logs$/)
+  await page.goto(appUrl('/logs/login'))
+  await expect(page).toHaveURL(/\/logs\/login$/)

-  await expect(page.getByText(TEXT.loginLogs)).toBeVisible({ timeout: 10 * 1000 })
+  await expect(page.getByRole('heading', { name: TEXT.loginLogs })).toBeVisible({ timeout: 10 * 1000 })

  await forceClick(page.locator('[class*="userTrigger"]'))
  await forceClick(page.getByText(TEXT.logout, { exact: true }))
@@ -1285,11 +1469,10 @@ async function verifyOperationLogs(page) {
  logDebug('verifyOperationLogs: login /login')
  await loginFromLoginPage(page)

-  await expandSidebarGroup(page, TEXT.systemManagement)
-  await clickSidebarMenu(page, TEXT.operationLogs)
-  await expect(page).toHaveURL(/\/operation-logs$/)
+  await page.goto(appUrl('/logs/operation'))
+  await expect(page).toHaveURL(/\/logs\/operation$/)

-  await expect(page.getByText(TEXT.operationLogs)).toBeVisible({ timeout: 10 * 1000 })
+  await expect(page.getByRole('heading', { name: TEXT.operationLogs })).toBeVisible({ timeout: 10 * 1000 })

  await forceClick(page.locator('[class*="userTrigger"]'))
  await forceClick(page.getByText(TEXT.logout, { exact: true }))
@@ -1300,11 +1483,10 @@ async function verifyWebhookManagement(page) {
  logDebug('verifyWebhookManagement: login /login')
  await loginFromLoginPage(page)

-  await expandSidebarGroup(page, TEXT.systemManagement)
-  await clickSidebarMenu(page, TEXT.webhooks)
+  await page.goto(appUrl('/webhooks'))
  await expect(page).toHaveURL(/\/webhooks$/)

-  await expect(page.getByText(TEXT.webhooks)).toBeVisible({ timeout: 10 * 1000 })
+  await expect(page.getByRole('heading', { name: TEXT.webhooks })).toBeVisible({ timeout: 10 * 1000 })

  await forceClick(page.locator('[class*="userTrigger"]'))
  await forceClick(page.getByText(TEXT.logout, { exact: true }))
@@ -1322,10 +1504,10 @@ async function verifyProfileAndSecurity(page) {
  await expect(page.locator('body')).toContainText(credentials.username, { timeout: 10 * 1000 })

  await forceClick(page.locator('[class*="userTrigger"]'))
-  await forceClick(page.getByText(TEXT.security))
+  await forceClick(page.getByRole('menuitem', { name: TEXT.security }))
  await expect(page).toHaveURL(/\/profile\/security$/)

-  await expect(page.getByText(TEXT.changePassword)).toBeVisible({ timeout: 10 * 1000 })
+  await expect(page.getByRole('button', { name: TEXT.changePassword })).toBeVisible({ timeout: 10 * 1000 })

  await forceClick(page.locator('[class*="userTrigger"]'))
  await forceClick(page.getByText(TEXT.logout, { exact: true }))
@@ -1349,6 +1531,12 @@ async function main() {
  let browser = null
  let managedBrowser = null
  let managedProfileDir = null
+  const selectedScenarioNames = new Set(
+    (process.env.E2E_SCENARIOS ?? '')
+      .split(',')
+      .map((name) => name.trim())
+      .filter(Boolean),
+  )

  if (process.env.E2E_MANAGED_BROWSER === '1') {
    const browserPath = await resolveManagedBrowserPath()
@@ -1370,23 +1558,39 @@ async function main() {
      throw new Error('No persistent Chromium context is available through CDP.')
    }

+    const scenarios = []
    if (process.env.E2E_EXPECT_ADMIN_BOOTSTRAP === '1') {
-      await runScenario(browser, context, 'admin-bootstrap', verifyAdminBootstrapWorkflow)
+      scenarios.push(['admin-bootstrap', verifyAdminBootstrapWorkflow])
+    }
+    scenarios.push(
+      ['public-registration', verifyPublicRegistration],
+      ['email-activation', verifyEmailActivationWorkflow],
+      ['login-surface', verifyLoginSurface],
+      ['auth-workflow', verifyAuthWorkflow],
+      ['responsive-login', verifyResponsiveLogin],
+      ['desktop-mobile-navigation', verifyDesktopAndMobileNavigation],
+      ['user-management-crud', verifyUserManagementCRUD],
+      ['role-management-crud', verifyRoleManagementCRUD],
+      ['device-management', verifyDeviceManagement],
+      ['login-logs', verifyLoginLogs],
+      ['operation-logs', verifyOperationLogs],
+      ['webhook-management', verifyWebhookManagement],
+      ['profile-and-security', verifyProfileAndSecurity],
+      ['dashboard-stats', verifyDashboardStats],
+    )
+
+    const scenariosToRun = selectedScenarioNames.size === 0
+      ? scenarios
+      : scenarios.filter(([name]) => name === 'admin-bootstrap' || selectedScenarioNames.has(name))
+
+    if (scenariosToRun.length === 0) {
+      throw new Error(`No E2E scenarios matched E2E_SCENARIOS=${process.env.E2E_SCENARIOS ?? ''}`)
+    }
+
+    console.log(`SCENARIOS ${scenariosToRun.map(([name]) => name).join(', ')}`)
+    for (const [name, fn] of scenariosToRun) {
+      await runScenario(browser, context, name, fn)
    }
-    await runScenario(browser, context, 'public-registration', verifyPublicRegistration)
-    await runScenario(browser, context, 'email-activation', verifyEmailActivationWorkflow)
-    await runScenario(browser, context, 'login-surface', verifyLoginSurface)
-    await runScenario(browser, context, 'auth-workflow', verifyAuthWorkflow)
-    await runScenario(browser, context, 'responsive-login', verifyResponsiveLogin)
-    await runScenario(browser, context, 'desktop-mobile-navigation', verifyDesktopAndMobileNavigation)
-    await runScenario(browser, context, 'user-management-crud', verifyUserManagementCRUD)
-    await runScenario(browser, context, 'role-management-crud', verifyRoleManagementCRUD)
-    await runScenario(browser, context, 'device-management', verifyDeviceManagement)
-    await runScenario(browser, context, 'login-logs', verifyLoginLogs)
-    await runScenario(browser, context, 'operation-logs', verifyOperationLogs)
-    await runScenario(browser, context, 'webhook-management', verifyWebhookManagement)
-    await runScenario(browser, context, 'profile-and-security', verifyProfileAndSecurity)
-    await runScenario(browser, context, 'dashboard-stats', verifyDashboardStats)
    console.log('Playwright CDP E2E completed successfully')
  } finally {
    await browser?.close().catch(() => {})