arbret/frontend/e2e/admin-invites.spec.ts

import { test, expect, Page } from "@playwright/test";

// Admin credentials from seed data
const ADMIN_EMAIL = "admin@example.com";
const ADMIN_PASSWORD = "admin123";

// Regular user from seed data
const REGULAR_USER_EMAIL = "user@example.com";

async function loginAsAdmin(page: Page) {
  await page.goto("/login");
  await page.fill('input[type="email"]', ADMIN_EMAIL);
  await page.fill('input[type="password"]', ADMIN_PASSWORD);
  await page.click('button[type="submit"]');
  await expect(page).toHaveURL("/admin/trades");
}

test.describe("Admin Invites Page", () => {
  test.beforeEach(async ({ context, page }) => {
    await context.addInitScript(() => {
      window.localStorage.setItem("arbret-locale", "en");
    });
    await page.context().clearCookies();
    await loginAsAdmin(page);
  });

  test("admin can access invites page and UI elements are correct", async ({ page }) => {
    await page.goto("/admin/invites");

    // Check page headings
    await expect(page.getByRole("heading", { name: "Create Invite" })).toBeVisible();
    await expect(page.getByRole("heading", { name: "All Invites" })).toBeVisible();

    // The godfather selector should be a <select> element, not an <input type="number">
    const selectElement = page.locator("select").first();
    await expect(selectElement).toBeVisible();

    // Wait for users to load by checking for a known user in the dropdown
    await expect(selectElement).toContainText(REGULAR_USER_EMAIL);

    // Verify it has user options (at least the seeded users)
    const options = selectElement.locator("option");
    const optionCount = await options.count();

    // Should have at least 2 options: placeholder + at least one user
    expect(optionCount).toBeGreaterThanOrEqual(2);

    // There should NOT be a number input for godfather ID
    const numberInput = page.locator('input[type="number"]');
    await expect(numberInput).toHaveCount(0);
  });

  test("can create invite with proper button state management", async ({ page }) => {
    await page.goto("/admin/invites");

    // Wait for page to load
    await page.waitForSelector("select");

    // The create button should be disabled initially (no user selected)
    const createButton = page.locator('button:has-text("Create Invite")');
    await expect(createButton).toBeDisabled();

    // Select a user
    const godfatherSelect = page.locator("select").first();
    await godfatherSelect.selectOption({ label: REGULAR_USER_EMAIL });

    // Now the button should be enabled
    await expect(createButton).toBeEnabled();

    // Click create invite
    await page.click('button:has-text("Create Invite")');

    // Wait for the invite to appear in the table
    await expect(page.locator("table")).toContainText(REGULAR_USER_EMAIL);

    // Verify an invite code appears (format: word-word-NN)
    const inviteCodeCell = page.locator("td").first();
    await expect(inviteCodeCell).toHaveText(/^[a-z]+-[a-z]+-\d{2}$/);
  });

  test("can revoke invite and filter by status", async ({ page }) => {
    await page.goto("/admin/invites");
    await page.waitForSelector("select");

    // Create an invite first
    const godfatherSelect = page.locator("select").first();
    await godfatherSelect.selectOption({ label: REGULAR_USER_EMAIL });

    // Wait for create invite response
    const createPromise = page.waitForResponse(
      (resp) => resp.url().includes("/api/admin/invites") && resp.request().method() === "POST"
    );
    await page.click('button:has-text("Create Invite")');
    await createPromise;

    // Wait for table to update with new invite
    await expect(page.locator("table")).toContainText("ready");

    // Wait for the new invite to appear and capture its code
    const newInviteRow = page
      .locator("tr")
      .filter({ hasText: REGULAR_USER_EMAIL })
      .filter({ hasText: "ready" })
      .first();
    await expect(newInviteRow).toBeVisible();

    // Get the invite code from this row (first cell)
    const inviteCode = await newInviteRow.locator("td").first().textContent();

    // Click revoke and wait for the response
    // The revoke endpoint is POST /api/admin/invites/{invite_id}/revoke
    const revokePromise = page.waitForResponse(
      (resp) =>
        resp.url().includes("/api/admin/invites") &&
        resp.url().includes("/revoke") &&
        resp.request().method() === "POST"
    );
    await newInviteRow.locator('button:has-text("Revoke")').click();
    await revokePromise;

    // Wait for table to refresh and verify this specific invite now shows "revoked"
    const revokedRow = page.locator("tr").filter({ hasText: inviteCode! });
    await expect(revokedRow).toContainText("revoked", { timeout: 5000 });

    // Test status filter - filter by "revoked" status
    const statusFilter = page.locator("select").nth(1); // Second select is the status filter

    // Wait for filter response, but don't fail if it doesn't come (might be cached)
    const filterPromise = page
      .waitForResponse((resp) => resp.url().includes("status=revoked"), { timeout: 5000 })
      .catch(() => null); // Ignore timeout - filter might be cached

    await statusFilter.selectOption("revoked");
    await filterPromise; // Wait for response if it comes

    // Verify revoked invite is visible
    await expect(revokedRow).toBeVisible({ timeout: 5000 });

    // Filter by "ready" status - should not show our revoked invite
    const readyFilterPromise = page
      .waitForResponse((resp) => resp.url().includes("status=ready"), { timeout: 5000 })
      .catch(() => null); // Ignore timeout - filter might be cached

    await statusFilter.selectOption("ready");
    await readyFilterPromise; // Wait for response if it comes
    await expect(revokedRow).not.toBeVisible({ timeout: 5000 });
  });
});

test.describe("Admin Invites Access Control", () => {
  test("regular user and unauthenticated user cannot access admin invites page", async ({
    page,
  }) => {
    // Test unauthenticated access
    await page.context().clearCookies();
    await page.goto("/admin/invites");
    await expect(page).toHaveURL("/login");

    // Test regular user access
    await page.goto("/login");
    await page.fill('input[type="email"]', REGULAR_USER_EMAIL);
    await page.fill('input[type="password"]', "user123");
    await page.click('button[type="submit"]');
    // Regular users are redirected to /exchange after login
    await expect(page).toHaveURL("/exchange");

    // Try to access admin invites page
    await page.goto("/admin/invites");

    // Should be redirected away (to exchange page based on fallbackRedirect)
    await expect(page).not.toHaveURL("/admin/invites");
  });
});