Fixed 2FA being skipped on first login attempt

Author: cmraible

compose.yml

@@ -202,6 +202,7 @@ services:
 # ================================================
 # Profile: `test`
 # Runs playwright tests against Ghost
+# Default services duplicated to keep full isolation between dev and test environments
 # ================================================
   mysql-test:
     image: mysql:8.4.5
@@ -214,6 +215,8 @@ services:
     restart: always
     networks:
       - test-network
+    tmpfs:
+      - /var/lib/mysql:rw,noexec,nosuid,size=1g
     healthcheck:
       test: mysql -uroot -proot ghost_test -e 'select 1'
       interval: 1s
@@ -338,4 +341,4 @@ volumes:
 
 networks:
   test-network:
-    driver: bridge
+    driver: bridge

e2e/src/database/index.ts

@@ -1,5 +1,5 @@
 import knex from 'knex';
-import logging from '@tryghost/logging';
+import type {Knex} from 'knex';
 
 interface DatabaseConfig {
     client: string;
@@ -25,11 +25,8 @@ function getDatabaseConfig(): DatabaseConfig {
 
 export async function resetDb(): Promise<void> {
     const config = getDatabaseConfig();
-    console.log('Resetting database', config);
     const db = knex(config);
 
     await db('sessions').truncate();
-
-    const result = await db.raw('SELECT * FROM sessions');
-    console.log('Result', result);
+    await db('brute').truncate();
 }

e2e/src/playwright/global-setup.ts

@@ -1,6 +1,8 @@
 import logging from '@tryghost/logging';
+import {resetDb} from '../database';
 
 async function globalSetup() {
+    logging.debug('globalSetup:begin');
     const baseURL = process.env.BASE_URL || 'http://localhost:2368';
     const adminUsername = process.env.ADMIN_USERNAME || '[email protected]';
     const adminPassword = process.env.ADMIN_PASSWORD || 'testpassword123';
@@ -45,41 +47,38 @@ async function globalSetup() {
             }
 
             logging.info('✅ Admin user created successfully');
-        } else {
-            logging.info('✅ Ghost setup already completed');
 
-            // Try to login to verify the admin user exists and credentials are correct
-            const sessionResponse = await fetch(`${baseURL}/ghost/api/admin/session`, {
+            // Perform initial login to mark user as having logged in
+            // Otherwise 2FA is skipped because it's the first login
+            logging.info('🔐 Performing initial login...');
+            const loginResponse = await fetch(`${baseURL}/ghost/api/admin/session`, {
                 method: 'POST',
                 headers: {
                     'Content-Type': 'application/json',
-                    'Accept-Version': 'v5.0',
-                    Origin: baseURL
+                    'Accept-Version': 'v5.0'
                 },
                 body: JSON.stringify({
                     username: adminUsername,
                     password: adminPassword
                 })
             });
 
-            if (sessionResponse.status === 201) {
-                logging.info('✅ Admin user credentials verified');
-            } else if (sessionResponse.status === 403) {
-                // This might be a 2FA requirement, which is fine
-                const responseBody = await sessionResponse.json();
-                if (responseBody.errors && responseBody.errors[0] && responseBody.errors[0].type === 'Needs2FAError') {
-                    logging.info('✅ Admin user exists (2FA required)');
-                } else {
-                    logging.warn('⚠️  Could not verify admin credentials:', responseBody);
-                }
+            if (!loginResponse.ok) {
+                const error = await loginResponse.text();
+                logging.warn(`Initial login failed: ${loginResponse.status} - ${error}`);
             } else {
-                logging.warn('⚠️  Could not verify admin credentials. Status:', sessionResponse.status);
+                logging.info('✅ Initial login completed');
             }
+        } else {
+            throw new Error('Ghost setup already completed');
         }
     } catch (error) {
         logging.error('❌ Global setup failed:', error);
         throw error;
     }
+
+    await resetDb();
+    logging.debug('globalSetup:end');
 }
 
 export default globalSetup;

e2e/src/playwright/test-fixtures.ts

@@ -6,6 +6,7 @@ import {EmailServiceFactory} from '../services/email/EmailServiceFactory';
 import type {IEmailService} from '../services/email/IEmailService';
 import {resetDb} from '../database';
 import Errors from '@tryghost/errors';
+import logging from '@tryghost/logging';
 
 // Define types for our custom fixtures
 export type TestFixtures = {
@@ -85,8 +86,11 @@ export const test = baseTest.extend<TestFixtures>({
 });
 
 // Global beforeEach hook to reset database sessions before each test
-test.beforeEach(async () => {
+test.beforeEach(async ({page}) => {
+    logging.debug('globalBeforeEach:begin');
+    await page.context().clearCookies();
     await resetDb();
+    logging.debug('globalBeforeEach:end');
 });
 
 export {expect} from '@playwright/test';

package.json

@@ -46,7 +46,7 @@
     "docker:test:unit": "COMPOSE_PROFILES=${COMPOSE_PROFILES:-ghost} NX_DAEMON=false docker compose run --rm --no-deps ghost yarn test:unit",
     "docker:test:browser": "COMPOSE_PROFILES=${COMPOSE_PROFILES:-ghost} docker compose run --rm ghost yarn test:browser",
     "docker:test:all": "COMPOSE_PROFILES=${COMPOSE_PROFILES:-ghost} NX_DAEMON=false docker compose run --rm ghost yarn nx run ghost:test:all",
-    "docker:test:e2e": "COMPOSE_PROFILES=test,e2e docker compose up --exit-code-from tests-e2e --abort-on-container-exit --attach=tests-e2e",
+    "docker:test:e2e": "COMPOSE_PROFILES=test,e2e docker compose up --force-recreate --exit-code-from tests-e2e --abort-on-container-exit --attach=tests-e2e --attach=e2e-server",
     "docker:reset": "docker compose down -v && docker compose up -d --wait",
     "docker:restart": "docker compose down && docker compose up -d --wait",
     "docker:down": "docker compose down",