From 0aab3f3c7ad8c1b14939de3ded60c9f201eab8fc Mon Sep 17 00:00:00 2001
From: Elias Schneider
Date: Sat, 23 Aug 2025 17:28:27 +0200
Subject: [PATCH] fix: authorization can't be revoked
---
 frontend/src/lib/services/oidc-service.ts | 2 +-
 tests/specs/apps-dashboard.spec.ts | 34 +++++++++++++----------
 tests/utils/auth.util.ts | 1 +
 3 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/frontend/src/lib/services/oidc-service.ts b/frontend/src/lib/services/oidc-service.ts
index 1d0a1572..3a1c101a 100644
--- a/frontend/src/lib/services/oidc-service.ts
+++ b/frontend/src/lib/services/oidc-service.ts
@@ -126,7 +126,7 @@ class OidcService extends APIService {
 }
 async revokeOwnAuthorizedClient(clientId: string) {
- await this.api.delete(`/oidc/users/me/clients/${clientId}`);
+ await this.api.delete(`/oidc/users/me/authorized-clients/${clientId}`);
 }
 }
diff --git a/tests/specs/apps-dashboard.spec.ts b/tests/specs/apps-dashboard.spec.ts
index 734e10e3..56eeeac1 100644
--- a/tests/specs/apps-dashboard.spec.ts
+++ b/tests/specs/apps-dashboard.spec.ts
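Review bot: In the oidc-service.ts hunk, the new `delete` line interpolates `clientId` into the request path unescaped. If client IDs can contain `/`, `?` or `#` (the ID format is not visible here), the request would address a different route than the client the user chose to revoke; writing the segment as `${encodeURIComponent(clientId)}` keeps the ID inside one path segment. The commit title suggests the old path never reached the revoke endpoint, so a short comment on `revokeOwnAuthorizedClient` naming the backend route it must match would help keep the two in sync. The enclosing class starts outside the hunk.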
@@ -23,18 +23,25 @@ test('Dashboard shows all clients in the correct order', async ({ page }) => {
 await expect(card2.getByText(new URL(client2.launchURL).hostname)).toBeVisible();
 });
-test('Dashboard shows only clients where user has access', async ({ page }) => {
- await authUtil.changeUser(page, 'craig');
- const notVisibleClient = oidcClients.immich;
+test.describe('Dashboard shows only clients where user has access', () => {
+ test("User can't see one client", async ({ page }) => {
+ await authUtil.changeUser(page, 'craig');
+ const notVisibleClient = oidcClients.immich;
- await page.goto('/settings/apps');
+ await page.goto('/settings/apps');
- const cards = page.getByTestId('authorized-oidc-client-card');
+ const cards = page.getByTestId('authorized-oidc-client-card');
- await expect(cards).toHaveCount(3);
+ await expect(cards).toHaveCount(3);
- const cardTexts = await cards.allTextContents();
- expect(cardTexts.some((text) => text.includes(notVisibleClient.name))).toBe(false);
+ const cardTexts = await cards.allTextContents();
+ expect(cardTexts.some((text) => text.includes(notVisibleClient.name))).toBe(false);
+ });
+ test('User can see all clients', async ({ page }) => {
+ await page.goto('/settings/apps');
+ const cards = page.getByTestId('authorized-oidc-client-card');
+ await expect(cards).toHaveCount(4);
+ });
 });
 test('Revoke authorized client', async ({ page }) => {
@@ -42,11 +49,9 @@ test('Revoke authorized client', async ({ page }) => {
 await page.goto('/settings/apps');
- page
- .getByTestId('authorized-oidc-client-card')
- .first()
- .getByRole('button', { name: 'Toggle menu' })
- .click();
+ const card = page.getByTestId('authorized-oidc-client-card').filter({ hasText: client.name });
+
+ card.getByRole('button', { name: 'Toggle menu' }).click();
 await page.getByRole('menuitem', { name: 'Revoke' }).click();
 await page.getByRole('button', { name: 'Revoke' }).click();
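Review bot: In the 'Revoke authorized client' hunk (`@@ -42,11 +49,9 @@`), the rewritten `card.getByRole('button', { name: 'Toggle menu' }).click();` is still not awaited, so a failure to open the menu shows up as an unhandled rejection or as a timeout on the following `menuitem` line instead of at this step. Make it `await card.getByRole('button', { name: 'Toggle menu' }).click();`. Separately, `filter({ hasText: client.name })` matches substrings, so if another seeded client's card text contains this name (seed data is not visible here) the locator would resolve to more than one card. The test body starts before this hunk and ends in the next one.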
@@ -55,7 +60,8 @@ test('Revoke authorized client', async ({ page }) => {
 `The access to ${client.name} has been successfully revoked.`
 );
- await expect(page.getByTestId('authorized-oidc-client-card')).toHaveCount(4);
+ // The ... ago text should be gone as there is no last access anymore
+ await expect(card).not.toContainText('ago');
 });
 test('Launch authorized client', async ({ page }) => {
diff --git a/tests/utils/auth.util.ts b/tests/utils/auth.util.ts
index 97e406fa..1844341f 100644
--- a/tests/utils/auth.util.ts
+++ b/tests/utils/auth.util.ts
@@ -15,6 +15,7 @@ async function changeUser(page: Page, username: keyof typeof passkeyUtil.passkey
 await (await passkeyUtil.init(page)).addPasskey(username);
 await page.getByRole('button', { name: 'Authenticate' }).click();
+ await page.waitForURL('/settings/**');
 }
 export default { authenticate, changeUser };
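Review bot: In the apps-dashboard.spec.ts hunk at `@@ -55,7 +60,8 @@`, the new final assertion `await expect(card).not.toContainText('ago');` only checks what the page renders after the click, so it may not distinguish a revocation the server actually recorded from a purely client-side list update; whether the list is refetched is not visible here. As the regression test for a revocation that did not take effect, it would be stronger to add `await page.reload();` before the `expect(card)` line so the asserted state comes from the backend. The literal `'ago'` is also brittle, since the assertion would fail for any client whose name or hostname contains that substring. The test body starts outside the hunk.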