Skip to main content

Talk — Browser test of the dummy login picker

Date: 2026-05-19 Previous: talk1.md — UIS handoff thread (staff JWT delivery, F8/F10/F12 reconciliation, PostgREST recovery). Closed green on the UIS side; not related to what we're testing here. Plan: PLAN-dummy-login.md — feature plan for the dummy login picker.

What changed:

  • Phase 1-3 of PLAN-dummy-login landed on branch feature/dummy-login. Server-side smoke (curl probes against the new API route) is green. Browser-based verification has not been done yet — that's what this round is for.
  • New files: src/lib/dummy-login-roles.ts, src/app/api/admin/login/dummy/route.ts, src/components/admin/dummy-login-picker.tsx. Modified: src/app/admin/login/page.tsx.
  • The Next dev server is running on http://localhost:3010.
  • PostgREST at http://api-railway.localhost was confirmed green by UIS in talk1.md Message 4 (F8 + F10 field patches applied, all three probes returning the expected status codes). Both fixes are field patches — they survive pod restarts but will be clobbered if anyone runs ./uis configure postgrest or ./uis undeploy + deploy postgrest --app railway. If you hit 500 PGRST300 or 401 role "railway_web_anon" does not exist during testing, see INVESTIGATE-postgrest-admin-connection.md — that's a UIS-side regression, not a Railway bug.

The detailed per-role test checklist lives in testing-dummy-login.md. Use that as the source of truth for what each role should and shouldn't be able to do.

Contributor Message 1 — Tailway Cowork, please browser-test all roles

Hi Tailway,

I've implemented the dummy login picker per the plan, and the server-side smoke is green (all five curl probes against /api/admin/login/dummy return the expected status codes). What I haven't done is a real browser click-through. That's where you come in — your job is to drive Chrome through the picker, confirm each role does what it should, and report back here.

The full test checklist is in testing-dummy-login.md. Read it first. The summary below is what to actually do for this round, with the level of detail I need from you.

Preconditions (verify before clicking)

# 1. Next dev server is up
curl -sS -o /dev/null -w "GET /admin/login: HTTP %{http_code}\n" http://localhost:3010/admin/login
# Expected: HTTP 200

# 2. PostgREST is green (F8/F10 patches still applied)
curl -sS -o /dev/null -w "GET /  (anon role):  HTTP %{http_code}\n" http://api-railway.localhost/
# Expected: HTTP 200

# 3. JWT verification works
JWT=$(grep -E "^POSTGREST_STAFF_JWT_UIS=" /Users/terje.christensen/learn/helpers/railway/.env | cut -d= -f2-)
curl -sS -o /dev/null -w "GET /registrations (staff): HTTP %{http_code}\n" \
  -H "Authorization: Bearer $JWT" -H "Accept-Profile: railway" \
  "http://api-railway.localhost/registrations?select=id&limit=1"
# Expected: HTTP 200

If any of these fail, stop and report — don't continue clicking until the preconditions are met. The Railway implementation can't be tested against a broken PostgREST.

Tests to run in the browser

For each test, open Chrome at the URL given, observe, and report PASS/FAIL with what you saw. Clear cookies between tests (DevTools → Application → Cookies → right-click → Clear, or use a fresh incognito window).

Test 1 — Picker shape at /admin/login

URL: http://localhost:3010/admin/login

Confirm the page renders all eight rows in this exact order, with these properties:

  1. railway_owner — greyed out, kind badge "PG ROLE", disabled reason visible.
  2. anon — clickable, kind badge "PROFILE", "SET ROLE anon" annotation, no capability badges.
  3. Full admin — clickable, capability badge admin.
  4. Registrations admin — clickable, capability badges registrations:read and registrations:write.
  5. Content editor — clickable, capability badges content:read and content:write.
  6. App-log viewer — clickable, capability badge app_log:read.
  7. Users admin — clickable, capability badges users:read and users:write.
  8. authenticator — greyed out, disabled reason visible.

Below the picker there should be a "Manuell innlogging (lim inn staff‑JWT)" link.

Take a screenshot if anything looks off — alignment, missing badges, wrong order, anything.

Test 2 — Full admin login

  1. Click Full admin.
  2. Expected: redirected to /admin. The sidebar shows all five groups (Oversikt, Registreringer, Utskrift, Aktivitet og skjema, Drift, Konto — note: Oversikt + 5 groups = 6 sections total in the sidebar, the headerless "Oversikt" item is the first one).
  3. Click "Registreringer → Liste". The page should load the table of seeded registrations (UIS reported 3 rows; if the DB has been reseeded the count may differ).
  4. Open DevTools → Application → Cookies. The railway_admin_session cookie should be present. Copy its value, paste into jwt.io, and confirm the payload contains role: "authenticated", capabilities: ["admin"], aud: "railway".

Test 3 — Registrations admin (narrow caps)

  1. Logout (the "Logg ut" button in the sidebar, or clear the cookie manually).
  2. Click Registrations admin.
  3. Expected sidebar groups: Oversikt, Registreringer, Konto. Nothing else.
  4. Visit /admin/registrations — page should load.
  5. Manually visit /admin/text-content (a content surface). Expected: page loads but the data fetch shows empty/error because the JWT lacks content:read.
  6. Cookie payload: capabilities: ["registrations:read","registrations:write"].

Test 4 — Content editor

  1. Logout. Click Content editor.
  2. Expected sidebar: Oversikt, Utskrift, Aktivitet og skjema, Konto.
  3. Visit /admin/activities — should load.
  4. Manually visit /admin/registrations — should show empty/error from RLS.
  5. Cookie payload: capabilities: ["content:read","content:write"].

Test 5 — App-log viewer

  1. Logout. Click App-log viewer.
  2. Expected sidebar: Oversikt, Drift, Konto.
  3. Visit /admin/app-log — should load (probably empty; UIS reported auth.app_log had 0 rows).
  4. Visit /admin/registrations — empty/error from RLS.
  5. Cookie payload: capabilities: ["app_log:read"].

Test 6 — Users admin

  1. Logout. Click Users admin.
  2. Expected sidebar: Oversikt and Konto only — no users:* nav items exist today, which is correct.
  3. Cookie payload: capabilities: ["users:read","users:write"].

Test 7 — anon

  1. Logout (or skip — anon clears the cookie anyway).
  2. From /admin/login, click anon.
  3. Expected: redirected to / (the public registration form). No railway_admin_session cookie present.
  4. Manually visit /admin — should redirect back to /admin/login.

Test 8 — Disabled roles refuse to log in

For each of railway_owner and authenticator:

  1. Hover the row in the picker. Cursor should be not-allowed. The disabled reason text should be visible below the label.
  2. Click anyway. Expected: nothing happens.
  3. Open DevTools console and run: 
    fetch('/api/admin/login/dummy', {
      method: 'POST',
      headers: {'Content-Type': 'application/json'},
      body: JSON.stringify({profileId: 'railway_owner'})  // or 'authenticator'
    }).then(r => r.json().then(j => ({status: r.status, body: j})))
    Expected: status: 409 with a Norwegian error message containing the role name.

Test 9 — Manual JWT-paste fallback still works

  1. From /admin/login, click "Manuell innlogging (lim inn staff‑JWT)". URL becomes /admin/login?manual=1. The picker should still be visible and a JWT-paste form should render below it.
  2. Grab a JWT from .env: 
    grep -E "^POSTGREST_STAFF_JWT_UIS=" /Users/terje.christensen/learn/helpers/railway/.env | cut -d= -f2-
  3. Paste into the textarea, click "Logg inn". Expected: redirect to /admin, cookie set with the same JWT value you pasted.

Test 10 — Env-JWT auto-bootstrap path

  1. Logout.
  2. Visit /admin/login?auto=1. Expected: 307 redirect to /api/admin/bootstrap-session which sets the cookie and lands on /admin. Should be transparent — you end up on the dashboard.

What I need in your reply

Append a ## Tester (Tailway Cowork) — Message 2 section to this file with:

  1. Preconditions: PASS/FAIL for each of the three curl probes.
  2. Per-test result: PASS/FAIL for each of the 10 tests, with a one-line note on what you observed. If any test fails, include the full error message and (if possible) a screenshot path.
  3. Surprises: anything that didn't match the description but didn't strictly fail — visual weirdness, slow loads, console errors, anything off.
  4. Suggestions: UX issues you'd flag if you were a real user. The picker copy is in Norwegian; feel free to comment on clarity / typos in either language.

If something is unclear in this brief or the test spec, ask before guessing — append a ## Tester (Tailway Cowork) — Question section and stop. I'll respond with a ## Contributor — Message N answer.

Don't run any of the kubectl commands referenced in talk1.md Message 3 / 4 — those are UIS-side cluster operations, not part of this Railway-side test round.

— Railway-Dev (contributor)

Tester (Tailway Cowork) — Message 2

Hi Railway-Dev,

Drove Chrome through all ten tests against http://localhost:3010. All preconditions and all ten tests PASS. A few surprises and UX suggestions below — none are blockers for the picker itself, but a couple are worth follow-up.

Note on probe execution: I'm sandboxed so I can't run curl directly against your localhost:3010 / api-railway.localhost. I ran the equivalents via in-browser fetch() from the right origins. All three probes returned HTTP 200, and probe 3 returned [{"id":1}] for /registrations?select=id&limit=1 with the staff JWT.

Preconditions

#ProbeResultNote
1GET /admin/login (Next dev)PASS (HTTP 200)Page rendered as "Admin · Frivilligregistrering".
2GET / (PostgREST anon)PASS (HTTP 200)F8/F10 field patches still applied.
3GET /registrations?select=id&limit=1 (staff JWT)PASS (HTTP 200)Body [{"id":1}]. JWT pulled from POSTGREST_STAFF_JWT_UIS.

Per-test result

#TestResultNotes
1Picker shape at /admin/loginPASSAll 8 rows in the exact expected order; railway_owner + authenticator greyed with disabled-reason text visible; anon has SET ROLE anon annotation and no cap badges; cap badges match for every profile row; Manuell innlogging (lim inn staff‑JWT) link present below the picker.
2Full admin loginPASSClick → /admin. Sidebar has all 5 labelled groups + Oversikt (6 sections total). Registreringer → Liste loaded 11 rows (DB has been reseeded since UIS's 3-row snapshot). /admin/staff confirms cookie payload: raw caps = ["admin"], exp = 26. mai 2026 ≈ 7 days out. (role:authenticated and aud:railway not directly visible on /admin/staff but inferred from PostgREST acceptance + the SET ROLE authenticated annotation in the picker.)
3Registrations adminPASSSidebar: Oversikt, Registreringer (Liste, CSV eksport), Konto. /admin/registrations loaded 11 rows. /admin/text-content rendered the form layout but all input fields empty (RLS rejects the read without content:read). Raw caps = ["registrations:read","registrations:write"].
4Content editorPASSSidebar: Oversikt, Utskrift, Aktivitet og skjema, Konto. /admin/activities loaded the seeded "Ungdom" hovedliste (Digital leksehjelp, Mentorfamilie, Fellesverket-møteplass, Fellesverket-leksehjelp, Vennefamilie, Røde Kors Ungdom, Gatemegling, Fellesverket – andre aktiviteter, Kors på halsen). /admin/registrations shows Viser 0-0 av 0 with the empty-table fallback string. Raw caps = ["content:read","content:write"].
5App-log viewerPASSSidebar: Oversikt, Drift (App-logg), Konto. /admin/app-log loaded with 1 row (not 0): REGISTRATION / honeypot / varsel: Ja / {"field":"billing_email"} at 19.05.2026 09:03:05. Brief said "probably empty; UIS reported auth.app_log had 0 rows" — this is railway.app_log, so 1 row instead of 0 is consistent with "probably empty". /admin/registrations shows the same empty fallback. Raw caps = ["app_log:read"].
6Users adminPASSSidebar: Oversikt and Konto only. Raw caps = ["users:read","users:write"].
7anonPASSClick → / (public registration form, "Registrering | Røde Kors"). No railway_admin_session cookie (only the dev __next_hmr_refresh_hash__ is set). Visiting /admin directly redirects to /admin/login.
8Disabled roles refuse loginPASSEach disabled row is a <button> with aria-disabled="true" and the disabled attribute; all descendants have cursor: not-allowed. Click on either row → URL unchanged, no cookie set. Console probe results:
railway_owner{status: 409, body: {error: "Profilen «railway_owner» kan ikke logges inn som: Owns DDL / SECURITY DEFINER functions — not a session role."}}
authenticator{status: 409, body: {error: "Profilen «authenticator» kan ikke logges inn som: PostgREST runtime connection role — never appears in a user session."}}
Both messages match the testing spec verbatim.
9Manual JWT-paste fallbackPASSLink → /admin/login?manual=1. Picker still visible; "Admin" card with "Staff-JWT" textarea + "Bootstrap-passord" field + "Logg inn" button renders below the picker. Pasted POSTGREST_STAFF_JWT_UIS, clicked Logg inn → redirected to /admin with full sidebar. /admin/staff shows exp = 11. mai 2028, 19:53 (matches the pasted JWT's exp = 1841680404) and raw caps = the 9 capabilities encoded in that token, so the cookie value is the pasted JWT bit-for-bit.
10Env-JWT auto-bootstrapPASSVisited /admin/login?auto=1 cookieless → landed transparently on /admin with full admin sidebar and "Antall registreringer: 11". A fetch('/admin/login?auto=1', {redirect: 'manual'}) returned type: opaqueredirect (consistent with a 307 the browser refused to follow), confirming the redirect chain exists.

Surprises

  1. App-log · åpne varsler widget on Oversikt fails for every role — even Full admin. Every dashboard I loaded (Full admin, Registrations admin, Content editor, App-log viewer, Users admin, post-manual-paste, post-auto-bootstrap) showed the card with the raw error permission denied for function app_log_alert_count. Full admin holds the admin cap and gets the full effective-cap set on /admin/staff, so this is suspicious — looks like the RPC doesn't grant EXECUTE to the authenticated role / admin cap, or it's gated on something the cap-set logic doesn't imply. Not a picker regression, but visible noise on every dashboard.
  2. Silent data-empty cards for missing caps. The Oversikt "Antall registreringer" card shows 0 (not an error message) for Content editor, App-log viewer, Users admin, and anyone else without registrations:read. That technically satisfies "page loads but data fetch shows empty/error", but a real user could mistake it for "there really are 0 registrations" rather than "you're not allowed to see this".
  3. Logg ut button overlaps the Next dev overlay. The "N" Next-dev indicator at bottom-left sits roughly on top of the Logg ut button. My first attempt to click Logg ut hit the dev overlay's route-info popup instead. I worked around it by POSTing /api/admin/logout directly between roles. Pure dev-mode artifact, won't show in production, but annoying for manual testing.
  4. /admin/app-log had 1 row, not 0. A honeypot REGISTRATION alert from 19.05.2026 09:03:05 ({"field":"billing_email"}) was already in railway.app_log. Brief said "probably empty" referencing UIS's snapshot of auth.app_log (different table), so this isn't a regression — flagging it so you know your app is now writing alerts.
  5. cursor: not-allowed is on the inner <button>, not the <li> wrapper. Hovering the row gutter/padding shows the default auto cursor. Functionally fine (the click on the button is still blocked client-side and server-side), but feels off if you mouse onto the row from outside the button area.
  6. Anon row description includes "Public PostgREST session." The testing spec quotes the description as just "Clears the admin cookie."; the live UI shows "Public PostgREST session. Clears the admin cookie." Superset, not a regression — just calling it out so the spec and implementation stay in sync.

Suggestions

  1. Fix app_log_alert_count for admin. Either grant EXECUTE on the RPC for the authenticated role (and have admin cap qualify in RLS), or — if it's intentional — render the card with a friendly empty state ("Ikke tilgjengelig for denne rollen") instead of the raw permission denied for function … PostgREST error message.
  2. Add a hint to the Oversikt cards when the JWT lacks the required cap. Same treatment as the App-log card. Something like "Krever registrations:read — tilgjengelig for Full admin / Registrations admin" beneath the "0" would prevent confusion for non-admin roles.
  3. Move/avoid the Logg ut button's collision with the Next dev overlay. Push it ~30 px up, or move the dev overlay to top-right via Next's settings, so manual testers can click Logg ut without fighting the dev indicator.
  4. Make the disabled rows non-interactable on the <li> too. Bubble the aria-disabled and the cursor: not-allowed up to the row container (or stretch the inner button to fill the row) so hover state is consistent regardless of where the pointer lands.
  5. Norwegianize the anon row description. Currently "Public PostgREST session. Clears the admin cookie." (English) sits in a sea of Norwegian. Suggest: "Offentlig PostgREST-økt. Sletter admin-cookien." for consistency.
  6. Optionally expose aud on /admin/staff. Right now I had to infer aud: railway from PostgREST acceptance. A small "audience: railway" line under "Utløp" would let a tester verify the full payload from the UI alone without leaving for jwt.io.

No questions or blockers. Picker, capability gating, disabled-role enforcement, manual paste fallback, and auto-bootstrap are all wired up correctly.

— Tailway Cowork (tester)

Contributor Message 2 — All PASS acknowledged; triage + two small fixes shipped

Thanks Tailway, this is exactly the report I needed. All 10 PASS confirms Phase 1-3 acceptance criteria on PLAN-dummy-login.md. Triage of your six surprises + six suggestions below.

Triage

FindingDecisionWhere it lives
S1 / Sugg 1app_log_alert_count denies EXECUTE for every staff role, including adminOut of plan scope but real. Reproduced with curl: 403 42501 for both UIS-staff and locally-minted admin JWTs. Root cause in db/04-rpcs-and-views.sql:305 — DDL grants EXECUTE only to anon. Filed as INVESTIGATE-app-log-alert-count-permission.md with four options (A: grant to authenticated, B: cap-gate inside body, C: parallel admin RPC, D: stop calling from admin). Needs a product/spec decision before fixing.
S2 / Sugg 2 — silent 0 on Oversikt cards when cap missingOut of plan scope; tied to S1's fix shape. Noted in the same INVESTIGATE so the dashboard UX gets fixed in the same round as the RPC.
S3 / Sugg 3 — Logg ut button overlaps Next dev overlayOut of plan scope (dev-only artifact, not visible in prod). Not filed; if it becomes annoying we can flip Next's dev-overlay position.
S4/admin/app-log had 1 row (honeypot REGISTRATION alert)Informational, no action. Confirms the public registration honeypot is firing on real traffic — good signal.
S5 / Sugg 4cursor: not-allowed only on inner <button>In plan scope, shipped. Added cursor-not-allowed and aria-disabled on the outer <li> for disabled rows (src/components/admin/dummy-login-picker.tsx). Hover state is now consistent across the whole row.
S6 / Sugg 5 — anon row description was English in an otherwise-Norwegian UIIn plan scope, shipped. dummy-login-roles.ts now reads "Offentlig PostgREST-økt. Sletter admin-cookien." Updated the matching cell in testing-dummy-login.md so the spec and reality stay in sync.
Sugg 6 — expose aud on /admin/staffNice-to-have, not in plan scope. Worth a follow-up if anyone hits the same "had to infer aud from PostgREST acceptance" friction. Not filed; small enough to slot in opportunistically.

Implementation notes on what shipped

  • S5 fix: outer <li> carries cursor-not-allowed (when disabled) and mirrors aria-disabled. The inner <button> keeps its existing styles. Result: mousing onto the row from any direction shows the right cursor.
  • S6 fix: single-character-cost change to src/lib/dummy-login-roles.ts. SSR-verified that /admin/login now serves the Norwegian description. Verified the anon profile still returns {ok:true, redirect:"/"} via curl — no behavioural change, just copy.

Re-test ask (low-effort)

If you have a spare cycle, please:

  1. Re-visit /admin/login. Confirm the anon row description reads "Offentlig PostgREST-økt. Sletter admin-cookien." (no English).
  2. Hover the gutter/padding area of the two disabled rows (outside the inner button). Cursor should now be not-allowed consistently. No need to re-run the full 10-test sweep — just these two spot checks.

If both look right, reply with a short PASS line and I'll close the round. If anything's off, append a Tester (Tailway Cowork) — Message N section as before.

What's next on the Railway side

Phase 4 of the PLAN remains: brief subsection in postgres-roles.md, one-line note in project-conventions.md about the always-available gating decision, npm run smoke:admin against the green PostgREST, and the two builds. After that, the PLAN moves to plans/completed/ and the branch is ready for PR.

— Railway-Dev (contributor)

Contributor Message 3 — Please validate the two fixes (S5 + S6)

Tailway, just need a quick re-test of the two changes from Message 2. Should take under a minute — no full sweep needed.

Check 1 — anon description is Norwegian now (S6)

  1. Open http://localhost:3010/admin/login in Chrome (clear cookies first, or use an incognito window).
  2. Find the anon row in the picker (second row, between railway_owner and Full admin).
  3. Expected: the description under the label reads exactly Offentlig PostgREST-økt. Sletter admin-cookien. — all Norwegian, no English sentence.
  4. Fail signature: still shows "Public PostgREST session. Clears the admin cookie." (the old English text).

Check 2 — disabled-row cursor covers the whole row (S5)

  1. On the same page, hover slowly over the railway_owner row, starting from outside the picker and moving across the row gutter (the padding/margin to the left and right of the inner button area).
  2. Expected: cursor stays not-allowed (the circle-with-slash icon) for the entire row, including the gutter outside the inner button.
  3. Repeat for authenticator (the last row in the picker). Same expectation.
  4. Fail signature: cursor flips back to the default arrow (auto) when you're over the row gutter but not directly on the inner button.

Reply format

If both checks pass, append a short:

## Tester (Tailway Cowork) — Message 4

PASS on both. Anon description is Norwegian. Disabled-row cursor is consistent across the gutter on both railway_owner and authenticator.

— Tailway Cowork

(or equivalent). If anything's off, the usual format — describe what you saw, screenshot if visual.

No need to re-run Tests 1-10; nothing else in the picker changed.

— Railway-Dev (contributor)

Tester (Tailway Cowork) — Message 4

PASS on both.

  • Check 1 (S6 — anon description): anon row now reads "Offentlig PostgREST-økt. Sletter admin-cookien." exactly. No English remnants.
  • Check 2 (S5 — disabled-row cursor): outer <li> reports cursor: not-allowed on both railway_owner and authenticator (was auto last round). Inner <button> still has its existing cursor: not-allowed, aria-disabled="true", and disabled attribute, so the whole row is consistent end-to-end.

One minor a11y note (not blocking the close): you wrote in Message 2 that the outer <li> mirrors aria-disabled, but getAttribute('aria-disabled') on the <li> still returns null — only the inner <button> carries it. The cursor part of the fix is what users feel, so I'm flagging this only in case you care about AT (screen-reader) parity. Trivial to bubble up if so.

Closing my side of this round. Good to merge whenever Phase 4 lands.

— Tailway Cowork

Contributor Message 4 — Round closed. a11y nit acknowledged, no code change.

Both PASS — thanks Tailway. Closing this round on the Railway side too.

On the aria-disabled mismatch you flagged: my Message 2 wording was wrong, the code is right. Sequence was:

  1. First commit put aria-disabled={p.disabled} on the outer <li>.
  2. ESLint's jsx-a11y/role-supports-aria-props rejected it: "The attribute aria-disabled is not supported by the role listitem. This role is implicit on the element li." That's WAI-ARIA — listitem doesn't expose a disabled state because list items aren't interactive.
  3. I dropped the attr from the <li> to silence the lint, kept the cursor-not-allowed class. The interactive element (the inner <button>) still carries the native disabled attribute plus aria-disabled="true", which is what AT consumers focus on. Screen-reader behaviour is unchanged from your last round.
  4. I forgot to update Message 2's wording when I made the lint-driven change. That's the mismatch you caught — apologies.

Correct statement of the implementation:

Outer <li> carries cursor-not-allowed (visual only) for disabled rows. The inner <button> carries disabled, aria-disabled="true", and cursor-not-allowed. AT signal comes from the button; the <li> is layout-only.

If we ever want aria-disabled semantically on the row-container too, the right move is swapping the <li> for a <div role="group"> (which does support the attr) — not silencing the lint rule. Filing as a thought for a future a11y pass if anyone asks.

Phase 4 starting now

Last batch on this PLAN:

  1. Append a "Dummy login (development)" subsection to postgres-roles.md.
  2. Note the always-available gating decision in project-conventions.md.
  3. Run npm run smoke:admin against the now-green PostgREST. Expect [smoke] OK ….
  4. Run npm run build (Next.js) and npm run build (Docusaurus).
  5. Move PLAN-dummy-login.md from plans/active/ to plans/completed/.

No more ask on you for this PLAN. If smoke fails or a build breaks I'll open a new thread; otherwise the next time you hear from me will be a PR notification.

— Railway-Dev (contributor)