Add E2E tests for untested pages and enforce role-based access control

Allow non-admin users (user/viewer) to access / and /profile while blocking admin-only pages. The dashboard layout now uses requireUser() instead of requireAdmin(), and the sidebar filters nav items by role. Non-admin users see a minimal welcome page without stat cards. New test files (86 tests across 7 files): - dashboard, users, groups, api-docs, portal, link-account specs - role-access spec with full RBAC coverage for all 3 roles Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 00:58:22 +02:00
parent 155268a180
commit 7fe6b10788
10 changed files with 740 additions and 17 deletions
@@ -0,0 +1,38 @@
+/**
+ * E2E tests: API Docs page (OpenAPI / Swagger UI).
+ *
+ * Verifies the page loads and Swagger UI renders the OpenAPI spec.
+ * The page requires admin role.
+ */
+import { test, expect } from '@playwright/test';
+
+test.describe('API Docs page', () => {
+  test('page loads without error', async ({ page }) => {
+    await page.goto('/api-docs');
+    await expect(page).not.toHaveURL(/login/);
+  });
+
+  test('Swagger UI renders with API information', async ({ page }) => {
+    await page.goto('/api-docs');
+
+    // Swagger UI loads the spec and renders info — wait for the info container
+    await expect(page.locator('.swagger-ui')).toBeVisible({ timeout: 30_000 });
+  });
+
+  test('OpenAPI spec endpoint returns valid JSON', async ({ request }) => {
+    const response = await request.get('/api/v1/openapi.json');
+    expect(response.status()).toBe(200);
+    const body = await response.json();
+    expect(body).toHaveProperty('openapi');
+    expect(body).toHaveProperty('paths');
+  });
+});
+
+test.describe('API Docs page — unauthenticated access', () => {
+  test.use({ storageState: { cookies: [], origins: [] } });
+
+  test('unauthenticated access to /api-docs redirects to /login', async ({ page }) => {
+    await page.goto('/api-docs');
+    await expect(page).toHaveURL(/\/login/);
+  });
+});