fix(playwright): inject access token via addInitScript to bypass silent refresh

Use page.addInitScript to set __pw_access_token before React runs on
every navigation. auth-context reads it in getInitialState() and calls
setAccessToken() directly, so no refresh cookie is needed.

Also fix strict mode violation in workflow.spec.ts (3 matching spans).

Author: andermanasalb

packages/frontend/context/auth-context.tsx

@@ -67,13 +67,24 @@ function getInitialState(): AuthStateWithInit {
     return defaultState; // SSR — isInitialized: false
   }
 
+  // Playwright test injection: addInitScript sets __pw_access_token before
+  // any page scripts run so we can inject the token directly, bypassing the
+  // silent-refresh flow that depends on the refresh cookie.
+  const win = window as Record<string, unknown>;
+  const pwToken = typeof win['__pw_access_token'] === 'string'
+    ? (win['__pw_access_token'] as string)
+    : null;
+  if (pwToken) {
+    setAccessToken(pwToken);
+  }
+
   const userId = sessionStorage.getItem(SESSION_KEY_USER_ID);
   const role   = sessionStorage.getItem(SESSION_KEY_ROLE) as UserRole | null;
   const email  = sessionStorage.getItem(SESSION_KEY_EMAIL);
 
   if (userId && role) {
     return {
-      accessToken:     null, // se renueva vía silent refresh en la primera petición
+      accessToken:     pwToken, // direct token injection in tests; null in production (silent refresh)
       userId,
       role,
       email,

packages/frontend/e2e/helpers/auth.helper.ts

@@ -80,18 +80,16 @@ export async function injectAuth(
   loginResult: LoginResult,
   targetPath = '/dashboard',
 ): Promise<void> {
-  // First visit — page needs to load at least once so JS is running
-  await page.goto('/login', { waitUntil: 'domcontentloaded' });
-
-  await page.evaluate(
+  // Register an init script that runs BEFORE any page scripts on every
+  // navigation in this page (including subsequent test gotos).
+  // This ensures sessionStorage auth metadata and __pw_access_token are
+  // available when auth-context.tsx's getInitialState() executes, so the
+  // access token is injected directly — no silent refresh needed.
+  await page.addInitScript(
     ({ userId, role, email, accessToken }) => {
       sessionStorage.setItem('auth:userId', userId);
       sessionStorage.setItem('auth:role', role);
       sessionStorage.setItem('auth:email', email);
-      // Store token so the axios interceptor picks it up on the
-      // first authenticated request (silent-refresh path).
-      // We expose it via a well-known window property; the interceptor
-      // in api.ts will read it before the first 401 is thrown.
       (window as Record<string, unknown>)['__pw_access_token'] = accessToken;
     },
     {
@@ -102,7 +100,6 @@ export async function injectAuth(
     },
   );
 
-  // Navigate to the actual target page
   await page.goto(targetPath, { waitUntil: 'load' });
 }
 

packages/frontend/e2e/workflow.spec.ts

@@ -105,7 +105,7 @@ test.describe('Workflow — send to validation', () => {
 
     // Status badge should update to READY_FOR_VALIDATION
     await expect(
-      page.getByText(/needs validation|ready.for.validation/i),
+      page.getByText(/needs validation|ready.for.validation/i).first(),
     ).toBeVisible({ timeout: 10_000 });
   });
 });