refactor: move e2e tests to root of repository

2026-02-04 13:21:45 +00:00 · 2025-05-22 22:02:44 +02:00
parent 5fa15f6098
commit 966a566ade
33 changed files with 1476 additions and 1153 deletions
--- a/tests/specs/account-settings.spec.ts
+++ b/tests/specs/account-settings.spec.ts
@@ -0,0 +1,126 @@
+import test, { expect } from "@playwright/test";
+import { users } from "../data";
+import authUtil from "../utils/auth.util";
+import { cleanupBackend } from "../utils/cleanup.util";
+import passkeyUtil from "../utils/passkey.util";
+
+test.beforeEach(cleanupBackend);
+
+test("Update account details", async ({ page }) => {
+  await page.goto("/settings/account");
+
+  await page.getByLabel("First name").fill("Timothy");
+  await page.getByLabel("Last name").fill("Apple");
+  await page.getByLabel("Email").fill("timothy.apple@test.com");
+  await page.getByLabel("Username").fill("timothy");
+  await page.getByRole("button", { name: "Save" }).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "Account details updated successfully"
+  );
+});
+
+test("Update account details fails with already taken email", async ({
+  page,
+}) => {
+  await page.goto("/settings/account");
+
+  await page.getByLabel("Email").fill(users.craig.email);
+
+  await page.getByRole("button", { name: "Save" }).click();
+
+  await expect(page.locator('[data-type="error"]')).toHaveText(
+    "Email is already in use"
+  );
+});
+
+test("Update account details fails with already taken username", async ({
+  page,
+}) => {
+  await page.goto("/settings/account");
+
+  await page.getByLabel("Username").fill(users.craig.username);
+
+  await page.getByRole("button", { name: "Save" }).click();
+
+  await expect(page.locator('[data-type="error"]')).toHaveText(
+    "Username is already in use"
+  );
+});
+
+test("Change Locale", async ({ page }) => {
+  await page.goto("/settings/account");
+
+  await page.getByLabel("Select Locale").click();
+  await page.getByRole("option", { name: "Nederlands" }).click();
+
+  // Check if th language heading now says 'Taal' instead of 'Language'
+  await expect(page.getByRole("heading", { name: "Taal" })).toBeVisible();
+
+  // Clear all cookies and sign in again to check if the language is still set to Dutch
+  await page.context().clearCookies();
+  await authUtil.authenticate(page);
+
+  await expect(page.getByRole("heading", { name: "Taal" })).toBeVisible();
+});
+
+test("Add passkey to an account", async ({ page }) => {
+  await page.goto("/settings/account");
+
+  await (await passkeyUtil.init(page)).addPasskey("timNew");
+
+  await page.click('button:text("Add Passkey")');
+
+  await page.getByLabel("Name", { exact: true }).fill("Test Passkey");
+  await page
+    .getByLabel("Name Passkey")
+    .getByRole("button", { name: "Save" })
+    .click();
+
+  await expect(page.getByText("Test Passkey")).toBeVisible();
+});
+
+test("Rename passkey", async ({ page }) => {
+  await page.goto("/settings/account");
+
+  await page.getByLabel("Rename").first().click();
+
+  await page.getByLabel("Name", { exact: true }).fill("Renamed Passkey");
+  await page
+    .getByLabel("Name Passkey")
+    .getByRole("button", { name: "Save" })
+    .click();
+
+  await expect(page.getByText("Renamed Passkey")).toBeVisible();
+});
+
+test("Delete passkey from account", async ({ page }) => {
+  await page.goto("/settings/account");
+
+  await page.getByLabel("Delete").first().click();
+  await page.getByText("Delete", { exact: true }).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "Passkey deleted successfully"
+  );
+});
+
+test("Generate own one time access token as non admin", async ({
+  page,
+  context,
+}) => {
+  await context.clearCookies();
+  await page.goto("/login");
+  await (await passkeyUtil.init(page)).addPasskey("craig");
+
+  await page.getByRole("button", { name: "Authenticate" }).click();
+  await page.waitForURL("/settings/account");
+
+  await page.getByRole("button", { name: "Create" }).click();
+  const link = await page.getByTestId("login-code-link").textContent();
+
+  await context.clearCookies();
+
+  await page.goto(link!);
+  await page.waitForURL("/settings/account");
+});
--- a/tests/specs/api-key.spec.ts
+++ b/tests/specs/api-key.spec.ts
@@ -0,0 +1,76 @@
+// frontend/tests/api-key.spec.ts
+import { expect, test } from "@playwright/test";
+import { apiKeys } from "../data";
+import { cleanupBackend } from "../utils/cleanup.util";
+
+test.describe("API Key Management", () => {
+  test.beforeEach(async ({ page }) => {
+    await cleanupBackend();
+    await page.goto("/settings/admin/api-keys");
+  });
+
+  test("Create new API key", async ({ page }) => {
+    await page.getByRole("button", { name: "Add API Key" }).click();
+
+    // Fill out the API key form
+    const name = "New Test API Key";
+    await page.getByLabel("Name").fill(name);
+    await page.getByLabel("Description").fill("Created by automated test");
+
+    // Choose the date
+    const currentDate = new Date();
+    await page.getByLabel("Expires At").click();
+    await page.getByLabel("Select year").click();
+    // Select the next year
+    await page.getByText((currentDate.getFullYear() + 1).toString()).click();
+    // Select the first day of the month
+    await page
+      .getByRole("button", { name: /([A-Z][a-z]+), ([A-Z][a-z]+) 1, (\d{4})/ })
+      .first()
+      .click();
+
+    // Submit the form
+    await page.getByRole("button", { name: "Save" }).click();
+
+    // Verify the success dialog appears
+    await expect(
+      page.getByRole("heading", { name: "API Key Created" })
+    ).toBeVisible();
+
+    // Verify the key details are shown
+    await expect(page.getByRole("cell", { name })).toBeVisible();
+
+    // Verify the token is displayed (should be 32 characters)
+    const token = await page.locator(".font-mono").textContent();
+    expect(token?.length).toBe(32);
+
+    // Close the dialog
+    await page.getByRole("button", { name: "Close" }).click();
+
+    await page.reload();
+
+    // Verify the key appears in the list
+    await expect(page.getByRole("cell", { name }).first()).toContainText(name);
+  });
+
+  test("Revoke API key", async ({ page }) => {
+    const apiKey = apiKeys[0];
+
+    await page
+      .getByRole("row", { name: apiKey.name })
+      .getByRole("button", { name: "Revoke" })
+      .click();
+
+    await page.getByText("Revoke", { exact: true }).click();
+
+    // Verify success message
+    await expect(page.locator('[data-type="success"]')).toHaveText(
+      "API key revoked successfully"
+    );
+
+    // Verify key is no longer in the list
+    await expect(
+      page.getByRole("cell", { name: apiKey.name })
+    ).not.toBeVisible();
+  });
+});
--- a/tests/specs/application-configuration.spec.ts
+++ b/tests/specs/application-configuration.spec.ts
@@ -0,0 +1,99 @@
+import test, { expect } from "@playwright/test";
+import { cleanupBackend } from "../utils/cleanup.util";
+
+test.beforeEach(cleanupBackend);
+
+test("Update general configuration", async ({ page }) => {
+  await page.goto("/settings/admin/application-configuration");
+
+  await page
+    .getByLabel("Application Name", { exact: true })
+    .fill("Updated Name");
+  await page.getByLabel("Session Duration").fill("30");
+  await page.getByRole("button", { name: "Save" }).first().click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "Application configuration updated successfully"
+  );
+  await expect(page.getByTestId("application-name")).toHaveText("Updated Name");
+
+  await page.reload();
+
+  await expect(
+    page.getByLabel("Application Name", { exact: true })
+  ).toHaveValue("Updated Name");
+  await expect(page.getByLabel("Session Duration")).toHaveValue("30");
+});
+
+test("Update email configuration", async ({ page }) => {
+  await page.goto("/settings/admin/application-configuration");
+
+  await page.getByRole("button", { name: "Expand card" }).nth(1).click();
+
+  await page.getByLabel("SMTP Host").fill("smtp.gmail.com");
+  await page.getByLabel("SMTP Port").fill("587");
+  await page.getByLabel("SMTP User").fill("test@gmail.com");
+  await page.getByLabel("SMTP Password").fill("password");
+  await page.getByLabel("SMTP From").fill("test@gmail.com");
+  await page.getByLabel("Email Login Notification").click();
+  await page.getByLabel("Email Login Code Requested by User").click();
+  await page.getByLabel("Email Login Code from Admin").click();
+  await page.getByLabel("API Key Expiration").click();
+
+  await page.getByRole("button", { name: "Save" }).nth(1).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "Email configuration updated successfully"
+  );
+
+  await page.reload();
+
+  await expect(page.getByLabel("SMTP Host")).toHaveValue("smtp.gmail.com");
+  await expect(page.getByLabel("SMTP Port")).toHaveValue("587");
+  await expect(page.getByLabel("SMTP User")).toHaveValue("test@gmail.com");
+  await expect(page.getByLabel("SMTP Password")).toHaveValue("password");
+  await expect(page.getByLabel("SMTP From")).toHaveValue("test@gmail.com");
+  await expect(page.getByLabel("Email Login Notification")).toBeChecked();
+  await expect(
+    page.getByLabel("Email Login Code Requested by User")
+  ).toBeChecked();
+  await expect(page.getByLabel("Email Login Code from Admin")).toBeChecked();
+  await expect(page.getByLabel("API Key Expiration")).toBeChecked();
+});
+
+test("Update application images", async ({ page }) => {
+  await page.goto("/settings/admin/application-configuration");
+
+  await page.getByRole("button", { name: "Expand card" }).nth(3).click();
+
+  await page
+    .getByLabel("Favicon")
+    .setInputFiles("assets/w3-schools-favicon.ico");
+  await page
+    .getByLabel("Light Mode Logo")
+    .setInputFiles("assets/pingvin-share-logo.png");
+  await page
+    .getByLabel("Dark Mode Logo")
+    .setInputFiles("assets/nextcloud-logo.png");
+  await page
+    .getByLabel("Background Image")
+    .setInputFiles("assets/clouds.jpg");
+  await page.getByRole("button", { name: "Save" }).nth(1).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "Images updated successfully"
+  );
+
+  await page.request
+    .get("/api/application-configuration/favicon")
+    .then((res) => expect.soft(res.status()).toBe(200));
+  await page.request
+    .get("/api/application-configuration/logo?light=true")
+    .then((res) => expect.soft(res.status()).toBe(200));
+  await page.request
+    .get("/api/application-configuration/logo?light=false")
+    .then((res) => expect.soft(res.status()).toBe(200));
+  await page.request
+    .get("/api/application-configuration/background-image")
+    .then((res) => expect.soft(res.status()).toBe(200));
+});
--- a/tests/specs/ldap.spec.ts
+++ b/tests/specs/ldap.spec.ts
@@ -0,0 +1,94 @@
+import test, { expect } from '@playwright/test';
+import { cleanupBackend } from '../utils/cleanup.util';
+
+test.beforeEach(cleanupBackend);
+
+test.describe('LDAP Integration', () => {
+	test('LDAP configuration is working properly', async ({ page }) => {
+		await page.goto('/settings/admin/application-configuration');
+
+		await page.getByRole('button', { name: 'Expand card' }).nth(2).click();
+
+		await expect(page.getByRole('button', { name: 'Disable' })).toBeVisible();
+		await expect(page.getByLabel('LDAP URL')).toHaveValue(/ldap:\/\/.*/);
+		await expect(page.getByLabel('LDAP Base DN')).not.toBeEmpty();
+
+		await expect(page.getByLabel('User Unique Identifier Attribute')).not.toBeEmpty();
+		await expect(page.getByLabel('Username Attribute')).not.toBeEmpty();
+		await expect(page.getByLabel('User Mail Attribute')).not.toBeEmpty();
+		await expect(page.getByLabel('Group Name Attribute')).not.toBeEmpty();
+
+		const syncButton = page.getByRole('button', { name: 'Sync now' });
+		await syncButton.click();
+		await expect(page.locator('[data-type="success"]')).toHaveText('LDAP sync finished');
+	});
+
+	test('LDAP users are synced into PocketID', async ({ page }) => {
+		// Navigate to user management
+		await page.goto('/settings/admin/users');
+
+		// Verify the LDAP users exist
+		await expect(page.getByText('testuser1@pocket-id.org')).toBeVisible();
+		await expect(page.getByText('testuser2@pocket-id.org')).toBeVisible();
+
+		// Check LDAP user details
+		await page.getByRole('row', { name: 'testuser1' }).getByRole('button').click();
+		await page.getByRole('menuitem', { name: 'Edit' }).click();
+
+		// Verify user source is LDAP
+		await expect(page.getByText('LDAP').first()).toBeVisible();
+
+		// Verify essential fields are filled
+		await expect(page.getByLabel('Username')).not.toBeEmpty();
+		await expect(page.getByLabel('Email')).not.toBeEmpty();
+	});
+
+	test('LDAP groups are synced into PocketID', async ({ page }) => {
+		// Navigate to user groups
+		await page.goto('/settings/admin/user-groups');
+
+		// Verify LDAP groups exist
+		await expect(page.getByRole('cell', { name: 'test_group' }).first()).toBeVisible();
+		await expect(page.getByRole('cell', { name: 'admin_group' }).first()).toBeVisible();
+
+		await page
+			.getByRole('row', { name: 'test_group' })
+			.locator('#bits-10')
+			.getByRole('button', { name: 'Toggle menu' })
+			.click();
+		await page.getByRole('menuitem', { name: 'Edit' }).click();
+
+		// Verify group source is LDAP
+		await expect(page.getByText('LDAP').first()).toBeVisible();
+	});
+
+	test('LDAP users cannot be modified in PocketID', async ({ page }) => {
+		// Navigate to LDAP user details
+		await page.goto('/settings/admin/users');
+		await page.waitForLoadState('networkidle');
+
+		await page.getByRole('row', { name: 'testuser1' }).getByRole('button').click();
+		await page.getByRole('menuitem', { name: 'Edit' }).click();
+
+		// Verify key fields are disabled
+		const usernameInput = page.getByLabel('Username');
+		await expect(usernameInput).toBeDisabled();
+	});
+
+	test('LDAP groups cannot be modified in PocketID', async ({ page }) => {
+		// Navigate to LDAP group details
+		await page.goto('/settings/admin/user-groups');
+		await page.waitForLoadState('networkidle');
+
+		await page
+			.getByRole('row', { name: 'test_group' })
+			.locator('#bits-10')
+			.getByRole('button', { name: 'Toggle menu' })
+			.click();
+		await page.getByRole('menuitem', { name: 'Edit' }).click();
+
+		// Verify key fields are disabled
+		const nameInput = page.getByLabel('Name', { exact: true });
+		await expect(nameInput).toBeDisabled();
+	});
+});
--- a/tests/specs/oidc-client-settings.spec.ts
+++ b/tests/specs/oidc-client-settings.spec.ts
@@ -0,0 +1,103 @@
+import test, { expect } from "@playwright/test";
+import { oidcClients } from "../data";
+import { cleanupBackend } from "../utils/cleanup.util";
+
+test.beforeEach(cleanupBackend);
+
+test("Create OIDC client", async ({ page }) => {
+  await page.goto("/settings/admin/oidc-clients");
+  const oidcClient = oidcClients.pingvinShare;
+
+  await page.getByRole("button", { name: "Add OIDC Client" }).click();
+  await page.getByLabel("Name").fill(oidcClient.name);
+
+  await page.getByTestId("callback-url-1").fill(oidcClient.callbackUrl);
+  await page.getByRole("button", { name: "Add another" }).click();
+  await page.getByTestId("callback-url-2").fill(oidcClient.secondCallbackUrl!);
+
+  await page
+    .getByLabel("logo")
+    .setInputFiles("assets/pingvin-share-logo.png");
+  await page.getByRole("button", { name: "Save" }).click();
+
+  const clientId = await page.getByTestId("client-id").textContent();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "OIDC client created successfully"
+  );
+  expect(clientId?.length).toBe(36);
+  expect((await page.getByTestId("client-secret").textContent())?.length).toBe(
+    32
+  );
+  await expect(page.getByLabel("Name")).toHaveValue(oidcClient.name);
+  await expect(page.getByTestId("callback-url-1")).toHaveValue(
+    oidcClient.callbackUrl
+  );
+  await expect(page.getByTestId("callback-url-2")).toHaveValue(
+    oidcClient.secondCallbackUrl!
+  );
+  await expect(
+    page.getByRole("img", { name: `${oidcClient.name} logo` })
+  ).toBeVisible();
+  await page.request
+    .get(`/api/oidc/clients/${clientId}/logo`)
+    .then((res) => expect.soft(res.status()).toBe(200));
+});
+
+test("Edit OIDC client", async ({ page }) => {
+  const oidcClient = oidcClients.nextcloud;
+  await page.goto(`/settings/admin/oidc-clients/${oidcClient.id}`);
+
+  await page.getByLabel("Name").fill("Nextcloud updated");
+  await page
+    .getByTestId("callback-url-1")
+    .first()
+    .fill("http://nextcloud-updated/auth/callback");
+  await page
+    .getByLabel("logo")
+    .setInputFiles("assets/nextcloud-logo.png");
+  await page.getByRole("button", { name: "Save" }).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "OIDC client updated successfully"
+  );
+  await expect(
+    page.getByRole("img", { name: "Nextcloud updated logo" })
+  ).toBeVisible();
+  await page.request
+    .get(`/api/oidc/clients/${oidcClient.id}/logo`)
+    .then((res) => expect.soft(res.status()).toBe(200));
+});
+
+test("Create new OIDC client secret", async ({ page }) => {
+  const oidcClient = oidcClients.nextcloud;
+  await page.goto(`/settings/admin/oidc-clients/${oidcClient.id}`);
+
+  await page.getByLabel("Create new client secret").click();
+  await page.getByRole("button", { name: "Generate" }).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "New client secret created successfully"
+  );
+  expect((await page.getByTestId("client-secret").textContent())?.length).toBe(
+    32
+  );
+});
+
+test("Delete OIDC client", async ({ page }) => {
+  const oidcClient = oidcClients.nextcloud;
+  await page.goto("/settings/admin/oidc-clients");
+
+  await page
+    .getByRole("row", { name: oidcClient.name })
+    .getByLabel("Delete")
+    .click();
+  await page.getByText("Delete", { exact: true }).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "OIDC client deleted successfully"
+  );
+  await expect(
+    page.getByRole("row", { name: oidcClient.name })
+  ).not.toBeVisible();
+});
--- a/tests/specs/oidc.spec.ts
+++ b/tests/specs/oidc.spec.ts
@@ -0,0 +1,451 @@
+import test, { expect } from "@playwright/test";
+import { oidcClients, refreshTokens, users } from "../data";
+import { cleanupBackend } from "../utils/cleanup.util";
+import { generateIdToken, generateOauthAccessToken } from "../utils/jwt.util";
+import oidcUtil from "../utils/oidc.util";
+import passkeyUtil from "../utils/passkey.util";
+
+test.beforeEach(cleanupBackend);
+
+test("Authorize existing client", async ({ page }) => {
+  const oidcClient = oidcClients.nextcloud;
+  const urlParams = createUrlParams(oidcClient);
+  await page.goto(`/authorize?${urlParams.toString()}`);
+
+  // Ignore DNS resolution error as the callback URL is not reachable
+  await page.waitForURL(oidcClient.callbackUrl).catch((e) => {
+    if (!e.message.includes("net::ERR_NAME_NOT_RESOLVED")) {
+      throw e;
+    }
+  });
+});
+
+test("Authorize existing client while not signed in", async ({ page }) => {
+  const oidcClient = oidcClients.nextcloud;
+  const urlParams = createUrlParams(oidcClient);
+  await page.context().clearCookies();
+  await page.goto(`/authorize?${urlParams.toString()}`);
+
+  await (await passkeyUtil.init(page)).addPasskey();
+  await page.getByRole("button", { name: "Sign in" }).click();
+
+  // Ignore DNS resolution error as the callback URL is not reachable
+  await page.waitForURL(oidcClient.callbackUrl).catch((e) => {
+    if (!e.message.includes("net::ERR_NAME_NOT_RESOLVED")) {
+      throw e;
+    }
+  });
+});
+
+test("Authorize new client", async ({ page }) => {
+  const oidcClient = oidcClients.immich;
+  const urlParams = createUrlParams(oidcClient);
+  await page.goto(`/authorize?${urlParams.toString()}`);
+
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Email" })
+  ).toBeVisible();
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Profile" })
+  ).toBeVisible();
+
+  await page.getByRole("button", { name: "Sign in" }).click();
+
+  // Ignore DNS resolution error as the callback URL is not reachable
+  await page.waitForURL(oidcClient.callbackUrl).catch((e) => {
+    if (!e.message.includes("net::ERR_NAME_NOT_RESOLVED")) {
+      throw e;
+    }
+  });
+});
+
+test("Authorize new client while not signed in", async ({ page }) => {
+  const oidcClient = oidcClients.immich;
+  const urlParams = createUrlParams(oidcClient);
+  await page.context().clearCookies();
+  await page.goto(`/authorize?${urlParams.toString()}`);
+
+  await (await passkeyUtil.init(page)).addPasskey();
+  await page.getByRole("button", { name: "Sign in" }).click();
+
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Email" })
+  ).toBeVisible();
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Profile" })
+  ).toBeVisible();
+
+  await page.getByRole("button", { name: "Sign in" }).click();
+
+  // Ignore DNS resolution error as the callback URL is not reachable
+  await page.waitForURL(oidcClient.callbackUrl).catch((e) => {
+    if (!e.message.includes("net::ERR_NAME_NOT_RESOLVED")) {
+      throw e;
+    }
+  });
+});
+
+test("Authorize new client fails with user group not allowed", async ({
+  page,
+}) => {
+  const oidcClient = oidcClients.immich;
+  const urlParams = createUrlParams(oidcClient);
+  await page.context().clearCookies();
+  await page.goto(`/authorize?${urlParams.toString()}`);
+
+  await (await passkeyUtil.init(page)).addPasskey("craig");
+  await page.getByRole("button", { name: "Sign in" }).click();
+
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Email" })
+  ).toBeVisible();
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Profile" })
+  ).toBeVisible();
+
+  await page.getByRole("button", { name: "Sign in" }).click();
+
+  await expect(page.getByRole("paragraph").first()).toHaveText(
+    "You're not allowed to access this service."
+  );
+});
+
+function createUrlParams(oidcClient: { id: string; callbackUrl: string }) {
+  return new URLSearchParams({
+    client_id: oidcClient.id,
+    response_type: "code",
+    scope: "openid profile email",
+    redirect_uri: oidcClient.callbackUrl,
+    state: "nXx-6Qr-owc1SHBa",
+    nonce: "P1gN3PtpKHJgKUVcLpLjm",
+  });
+}
+
+test("End session without id token hint shows confirmation page", async ({
+  page,
+}) => {
+  await page.goto("/api/oidc/end-session");
+
+  await expect(page).toHaveURL("/logout");
+  await page.getByRole("button", { name: "Sign out" }).click();
+
+  await expect(page).toHaveURL("/login");
+});
+
+test("End session with id token hint redirects to callback URL", async ({
+  page,
+}) => {
+  const client = oidcClients.nextcloud;
+  const idToken = await generateIdToken(users.tim, client.id);
+  let redirectedCorrectly = false;
+  await page
+    .goto(
+      `/api/oidc/end-session?id_token_hint=${idToken}&post_logout_redirect_uri=${client.logoutCallbackUrl}`
+    )
+    .catch((e) => {
+      if (e.message.includes("net::ERR_NAME_NOT_RESOLVED")) {
+        redirectedCorrectly = true;
+      } else {
+        throw e;
+      }
+    });
+
+  expect(redirectedCorrectly).toBeTruthy();
+});
+
+test("Successfully refresh tokens with valid refresh token", async ({
+  request,
+}) => {
+  const { token, clientId } = refreshTokens.filter(
+    (token) => !token.expired
+  )[0];
+  const clientSecret = "w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY";
+
+  const refreshResponse = await request.post("/api/oidc/token", {
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    form: {
+      grant_type: "refresh_token",
+      client_id: clientId,
+      refresh_token: token,
+      client_secret: clientSecret,
+    },
+  });
+
+  // Verify we got new tokens
+  const tokenData = await refreshResponse.json();
+  expect(tokenData.access_token).toBeDefined();
+  expect(tokenData.refresh_token).toBeDefined();
+  expect(tokenData.token_type).toBe("Bearer");
+  expect(tokenData.expires_in).toBe(3600);
+
+  // The new refresh token should be different from the old one
+  expect(tokenData.refresh_token).not.toBe(token);
+});
+
+test("Using refresh token invalidates it for future use", async ({
+  request,
+}) => {
+  const { token, clientId } = refreshTokens.filter(
+    (token) => !token.expired
+  )[0];
+  const clientSecret = "w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY";
+
+  await request.post("/api/oidc/token", {
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    form: {
+      grant_type: "refresh_token",
+      client_id: clientId,
+      refresh_token: token,
+      client_secret: clientSecret,
+    },
+  });
+
+  const refreshResponse = await request.post("/api/oidc/token", {
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    form: {
+      grant_type: "refresh_token",
+      client_id: clientId,
+      refresh_token: token,
+      client_secret: clientSecret,
+    },
+  });
+  expect(refreshResponse.status()).toBe(400);
+});
+
+test.describe("Introspection endpoint", () => {
+  const client = oidcClients.nextcloud;
+  test("without client_id and client_secret fails", async ({ request }) => {
+    const validAccessToken = await generateOauthAccessToken(
+      users.tim,
+      client.id
+    );
+    const introspectionResponse = await request.post("/api/oidc/introspect", {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      form: {
+        token: validAccessToken,
+      },
+    });
+
+    expect(introspectionResponse.status()).toBe(400);
+  });
+
+  test("with client_id and client_secret succeeds", async ({
+    request,
+    baseURL,
+  }) => {
+    const validAccessToken = await generateOauthAccessToken(
+      users.tim,
+      client.id
+    );
+    const introspectionResponse = await request.post("/api/oidc/introspect", {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization:
+          "Basic " +
+          Buffer.from(`${client.id}:${client.secret}`).toString("base64"),
+      },
+      form: {
+        token: validAccessToken,
+      },
+    });
+
+    expect(introspectionResponse.status()).toBe(200);
+    const introspectionBody = await introspectionResponse.json();
+    expect(introspectionBody.active).toBe(true);
+    expect(introspectionBody.token_type).toBe("access_token");
+    expect(introspectionBody.iss).toBe(baseURL);
+    expect(introspectionBody.sub).toBe(users.tim.id);
+    expect(introspectionBody.aud).toStrictEqual([oidcClients.nextcloud.id]);
+  });
+
+  test("non-expired refresh_token can be verified", async ({ request }) => {
+    const { token } = refreshTokens.filter((token) => !token.expired)[0];
+
+    const introspectionResponse = await request.post("/api/oidc/introspect", {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization:
+          "Basic " +
+          Buffer.from(`${client.id}:${client.secret}`).toString("base64"),
+      },
+      form: {
+        token: token,
+      },
+    });
+
+    expect(introspectionResponse.status()).toBe(200);
+    const introspectionBody = await introspectionResponse.json();
+    expect(introspectionBody.active).toBe(true);
+    expect(introspectionBody.token_type).toBe("refresh_token");
+  });
+
+  test("expired refresh_token can be verified", async ({ request }) => {
+    const { token } = refreshTokens.filter((token) => token.expired)[0];
+
+    const introspectionResponse = await request.post("/api/oidc/introspect", {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization:
+          "Basic " +
+          Buffer.from(`${client.id}:${client.secret}`).toString("base64"),
+      },
+      form: {
+        token: token,
+      },
+    });
+
+    expect(introspectionResponse.status()).toBe(200);
+    const introspectionBody = await introspectionResponse.json();
+    expect(introspectionBody.active).toBe(false);
+  });
+
+  test("expired access_token can't be verified", async ({ request }) => {
+    const expiredAccessToken = await generateOauthAccessToken(
+      users.tim,
+      client.id,
+      true
+    );
+    const introspectionResponse = await request.post("/api/oidc/introspect", {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      form: {
+        token: expiredAccessToken,
+      },
+    });
+
+    expect(introspectionResponse.status()).toBe(400);
+  });
+});
+
+test("Authorize new client with device authorization flow", async ({
+  page,
+}) => {
+  const client = oidcClients.immich;
+  const userCode = await oidcUtil.getUserCode(page, client.id, client.secret);
+
+  await page.goto(`/device?code=${userCode}`);
+
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Email" })
+  ).toBeVisible();
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Profile" })
+  ).toBeVisible();
+
+  await page.getByRole("button", { name: "Authorize" }).click();
+
+  await expect(
+    page
+      .getByRole("paragraph")
+      .filter({ hasText: "The device has been authorized." })
+  ).toBeVisible();
+});
+
+test("Authorize new client with device authorization flow while not signed in", async ({
+  page,
+}) => {
+  await page.context().clearCookies();
+  const client = oidcClients.immich;
+  const userCode = await oidcUtil.getUserCode(page, client.id, client.secret);
+
+  await page.goto(`/device?code=${userCode}`);
+
+  await (await passkeyUtil.init(page)).addPasskey();
+  await page.getByRole("button", { name: "Authorize" }).click();
+
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Email" })
+  ).toBeVisible();
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Profile" })
+  ).toBeVisible();
+
+  await page.getByRole("button", { name: "Authorize" }).click();
+
+  await expect(
+    page
+      .getByRole("paragraph")
+      .filter({ hasText: "The device has been authorized." })
+  ).toBeVisible();
+});
+
+test("Authorize existing client with device authorization flow", async ({
+  page,
+}) => {
+  const client = oidcClients.nextcloud;
+  const userCode = await oidcUtil.getUserCode(page, client.id, client.secret);
+
+  await page.goto(`/device?code=${userCode}`);
+
+  await expect(
+    page
+      .getByRole("paragraph")
+      .filter({ hasText: "The device has been authorized." })
+  ).toBeVisible();
+});
+
+test("Authorize existing client with device authorization flow while not signed in", async ({
+  page,
+}) => {
+  await page.context().clearCookies();
+  const client = oidcClients.nextcloud;
+  const userCode = await oidcUtil.getUserCode(page, client.id, client.secret);
+
+  await page.goto(`/device?code=${userCode}`);
+
+  await (await passkeyUtil.init(page)).addPasskey();
+  await page.getByRole("button", { name: "Authorize" }).click();
+
+  await expect(
+    page
+      .getByRole("paragraph")
+      .filter({ hasText: "The device has been authorized." })
+  ).toBeVisible();
+});
+
+test("Authorize client with device authorization flow with invalid code", async ({
+  page,
+}) => {
+  await page.goto("/device?code=invalid-code");
+
+  await expect(
+    page.getByRole("paragraph").filter({ hasText: "Invalid device code." })
+  ).toBeVisible();
+});
+
+test("Authorize new client with device authorization with user group not allowed", async ({
+  page,
+}) => {
+  await page.context().clearCookies();
+  const client = oidcClients.immich;
+  const userCode = await oidcUtil.getUserCode(page, client.id, client.secret);
+
+  await page.goto(`/device?code=${userCode}`);
+
+  await (await passkeyUtil.init(page)).addPasskey("craig");
+  await page.getByRole("button", { name: "Authorize" }).click();
+
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Email" })
+  ).toBeVisible();
+  await expect(
+    page.getByTestId("scopes").getByRole("heading", { name: "Profile" })
+  ).toBeVisible();
+
+  await page.getByRole("button", { name: "Authorize" }).click();
+
+  await expect(
+    page
+      .getByRole("paragraph")
+      .filter({ hasText: "You're not allowed to access this service." })
+  ).toBeVisible();
+});
--- a/tests/specs/one-time-access-token.spec.ts
+++ b/tests/specs/one-time-access-token.spec.ts
@@ -0,0 +1,48 @@
+import test, { expect } from "@playwright/test";
+import { oneTimeAccessTokens } from "../data";
+import { cleanupBackend } from "../utils/cleanup.util";
+
+test.beforeEach(cleanupBackend);
+
+// Disable authentication for these tests
+test.use({ storageState: { cookies: [], origins: [] } });
+
+test("Sign in with login code", async ({ page }) => {
+  const token = oneTimeAccessTokens.filter((t) => !t.expired)[0];
+  await page.goto(`/lc/${token.token}`);
+
+  await page.waitForURL("/settings/account");
+});
+
+test("Sign in with login code entered manually", async ({ page }) => {
+  const token = oneTimeAccessTokens.filter((t) => !t.expired)[0];
+  await page.goto("/lc");
+
+  await page.getByPlaceholder("Code").first().fill(token.token);
+
+  await page.getByText("Submit").first().click();
+
+  await page.waitForURL("/settings/account");
+});
+
+test("Sign in with expired login code fails", async ({ page }) => {
+  const token = oneTimeAccessTokens.filter((t) => t.expired)[0];
+  await page.goto(`/lc/${token.token}`);
+
+  await expect(page.getByRole("paragraph")).toHaveText(
+    "Token is invalid or expired. Please try again."
+  );
+});
+
+test("Sign in with login code entered manually fails", async ({ page }) => {
+  const token = oneTimeAccessTokens.filter((t) => t.expired)[0];
+  await page.goto("/lc");
+
+  await page.getByPlaceholder("Code").first().fill(token.token);
+
+  await page.getByText("Submit").first().click();
+
+  await expect(page.getByRole("paragraph")).toHaveText(
+    "Token is invalid or expired. Please try again."
+  );
+});
--- a/tests/specs/user-group.spec.ts
+++ b/tests/specs/user-group.spec.ts
@@ -0,0 +1,153 @@
+import test, { expect } from "@playwright/test";
+import { userGroups, users } from "../data";
+import { cleanupBackend } from "../utils/cleanup.util";
+
+test.beforeEach(cleanupBackend);
+
+test("Create user group", async ({ page }) => {
+  await page.goto("/settings/admin/user-groups");
+  const group = userGroups.humanResources;
+
+  await page.getByRole("button", { name: "Add Group" }).click();
+  await page.getByLabel("Friendly Name").fill(group.friendlyName);
+
+  await page.getByRole("button", { name: "Save" }).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "User group created successfully"
+  );
+
+  await page.waitForURL("/settings/admin/user-groups/*");
+
+  await expect(page.getByLabel("Friendly Name")).toHaveValue(
+    group.friendlyName
+  );
+  await expect(page.getByLabel("Name", { exact: true })).toHaveValue(
+    group.name
+  );
+});
+
+test("Edit user group", async ({ page }) => {
+  await page.goto("/settings/admin/user-groups");
+  const group = userGroups.developers;
+
+  await page
+    .getByRole("row", { name: group.name })
+    .locator("#bits-5")
+    .getByRole("button")
+    .click();
+  await page.getByRole("menuitem", { name: "Edit" }).click();
+
+  await page.getByLabel("Friendly Name").fill("Developers updated");
+
+  await expect(page.getByLabel("Name", { exact: true })).toHaveValue(
+    group.name
+  );
+
+  await page.getByLabel("Name", { exact: true }).fill("developers_updated");
+
+  await page.getByRole("button", { name: "Save" }).nth(0).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "User group updated successfully"
+  );
+  await expect(page.getByLabel("Friendly Name")).toHaveValue(
+    "Developers updated"
+  );
+  await expect(page.getByLabel("Name", { exact: true })).toHaveValue(
+    "developers_updated"
+  );
+});
+
+test("Update user group users", async ({ page }) => {
+  const group = userGroups.designers;
+  await page.goto(`/settings/admin/user-groups/${group.id}`);
+
+  await page
+    .getByRole("row", { name: users.tim.email })
+    .getByRole("checkbox")
+    .click();
+  await page
+    .getByRole("row", { name: users.craig.email })
+    .getByRole("checkbox")
+    .click();
+
+  await page.getByRole("button", { name: "Save" }).nth(1).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "Users updated successfully"
+  );
+
+  await page.reload();
+
+  await expect(
+    page.getByRole("row", { name: users.tim.email }).getByRole("checkbox")
+  ).toHaveAttribute("data-state", "unchecked");
+  await expect(
+    page.getByRole("row", { name: users.craig.email }).getByRole("checkbox")
+  ).toHaveAttribute("data-state", "checked");
+});
+
+test("Delete user group", async ({ page }) => {
+  const group = userGroups.developers;
+  await page.goto("/settings/admin/user-groups");
+
+  await page.getByRole("row", { name: group.name }).getByRole("button").click();
+  await page.getByRole("menuitem", { name: "Delete" }).click();
+  await page.getByRole("button", { name: "Delete" }).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "User group deleted successfully"
+  );
+  await expect(page.getByRole("row", { name: group.name })).not.toBeVisible();
+});
+
+test("Update user group custom claims", async ({ page }) => {
+  await page.goto(`/settings/admin/user-groups/${userGroups.designers.id}`);
+
+  await page.getByRole("button", { name: "Expand card" }).click();
+
+  // Add two custom claims
+  await page.getByRole("button", { name: "Add custom claim" }).click();
+
+  await page.getByPlaceholder("Key").fill("customClaim1");
+  await page.getByPlaceholder("Value").fill("customClaim1_value");
+
+  await page.getByRole("button", { name: "Add another" }).click();
+  await page.getByPlaceholder("Key").nth(1).fill("customClaim2");
+  await page.getByPlaceholder("Value").nth(1).fill("customClaim2_value");
+
+  await page.getByRole("button", { name: "Save" }).nth(2).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "Custom claims updated successfully"
+  );
+
+  await page.reload();
+
+  // Check if custom claims are saved
+  await expect(page.getByPlaceholder("Key").first()).toHaveValue(
+    "customClaim1"
+  );
+  await expect(page.getByPlaceholder("Value").first()).toHaveValue(
+    "customClaim1_value"
+  );
+  await expect(page.getByPlaceholder("Key").nth(1)).toHaveValue("customClaim2");
+  await expect(page.getByPlaceholder("Value").nth(1)).toHaveValue(
+    "customClaim2_value"
+  );
+
+  // Remove one custom claim
+  await page.getByLabel("Remove custom claim").first().click();
+  await page.getByRole("button", { name: "Save" }).nth(2).click();
+
+  await page.reload();
+
+  // Check if custom claim is removed
+  await expect(page.getByPlaceholder("Key").first()).toHaveValue(
+    "customClaim2"
+  );
+  await expect(page.getByPlaceholder("Value").first()).toHaveValue(
+    "customClaim2_value"
+  );
+});
--- a/tests/specs/user-settings.spec.ts
+++ b/tests/specs/user-settings.spec.ts
@@ -0,0 +1,253 @@
+import test, { expect } from "@playwright/test";
+import { userGroups, users } from "../data";
+import { cleanupBackend } from "../utils/cleanup.util";
+
+test.beforeEach(cleanupBackend);
+
+test("Create user", async ({ page }) => {
+  const user = users.steve;
+
+  await page.goto("/settings/admin/users");
+
+  await page.getByRole("button", { name: "Add User" }).click();
+  await page.getByLabel("First name").fill(user.firstname);
+  await page.getByLabel("Last name").fill(user.lastname);
+  await page.getByLabel("Email").fill(user.email);
+  await page.getByLabel("Username").fill(user.username);
+  await page.getByRole("button", { name: "Save" }).click();
+
+  await expect(
+    page.getByRole("row", { name: `${user.firstname} ${user.lastname}` })
+  ).toBeVisible();
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "User created successfully"
+  );
+});
+
+test("Create user fails with already taken email", async ({ page }) => {
+  const user = users.steve;
+
+  await page.goto("/settings/admin/users");
+
+  await page.getByRole("button", { name: "Add User" }).click();
+  await page.getByLabel("First name").fill(user.firstname);
+  await page.getByLabel("Last name").fill(user.lastname);
+  await page.getByLabel("Email").fill(users.tim.email);
+  await page.getByLabel("Username").fill(user.username);
+  await page.getByRole("button", { name: "Save" }).click();
+
+  await expect(page.locator('[data-type="error"]')).toHaveText(
+    "Email is already in use"
+  );
+});
+
+test("Create user fails with already taken username", async ({ page }) => {
+  const user = users.steve;
+
+  await page.goto("/settings/admin/users");
+
+  await page.getByRole("button", { name: "Add User" }).click();
+  await page.getByLabel("First name").fill(user.firstname);
+  await page.getByLabel("Last name").fill(user.lastname);
+  await page.getByLabel("Email").fill(user.email);
+  await page.getByLabel("Username").fill(users.tim.username);
+  await page.getByRole("button", { name: "Save" }).click();
+
+  await expect(page.locator('[data-type="error"]')).toHaveText(
+    "Username is already in use"
+  );
+});
+
+test("Create one time access token", async ({ page, context }) => {
+  await page.goto("/settings/admin/users");
+
+  await page
+    .getByRole("row", {
+      name: `${users.craig.firstname} ${users.craig.lastname}`,
+    })
+    .getByRole("button")
+    .click();
+
+  await page.getByRole("menuitem", { name: "Login Code" }).click();
+
+  await page.getByLabel("Login Code").getByRole("combobox").click();
+  await page.getByRole("option", { name: "12 hours" }).click();
+  await page.getByRole("button", { name: "Show Code" }).click();
+
+  const link = await page.getByTestId("login-code-link").textContent();
+  await context.clearCookies();
+
+  await page.goto(link!);
+  await page.waitForURL("/settings/account");
+});
+
+test("Delete user", async ({ page }) => {
+  await page.goto("/settings/admin/users");
+
+  await page
+    .getByRole("row", {
+      name: `${users.craig.firstname} ${users.craig.lastname}`,
+    })
+    .getByRole("button")
+    .click();
+  await page.getByRole("menuitem", { name: "Delete" }).click();
+  await page.getByRole("button", { name: "Delete" }).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "User deleted successfully"
+  );
+  await expect(
+    page.getByRole("row", {
+      name: `${users.craig.firstname} ${users.craig.lastname}`,
+    })
+  ).not.toBeVisible();
+});
+
+test("Update user", async ({ page }) => {
+  const user = users.craig;
+
+  await page.goto("/settings/admin/users");
+
+  await page
+    .getByRole("row", { name: `${user.firstname} ${user.lastname}` })
+    .getByRole("button")
+    .click();
+  await page.getByRole("menuitem", { name: "Edit" }).click();
+
+  await page.getByLabel("First name").fill("Crack");
+  await page.getByLabel("Last name").fill("Apple");
+  await page.getByLabel("Email").fill("crack.apple@test.com");
+  await page.getByLabel("Username").fill("crack");
+  await page.getByRole("button", { name: "Save" }).first().click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "User updated successfully"
+  );
+});
+
+test("Update user fails with already taken email", async ({ page }) => {
+  const user = users.craig;
+
+  await page.goto("/settings/admin/users");
+
+  await page
+    .getByRole("row", { name: `${user.firstname} ${user.lastname}` })
+    .getByRole("button")
+    .click();
+  await page.getByRole("menuitem", { name: "Edit" }).click();
+
+  await page.getByLabel("Email").fill(users.tim.email);
+  await page.getByRole("button", { name: "Save" }).first().click();
+
+  await expect(page.locator('[data-type="error"]')).toHaveText(
+    "Email is already in use"
+  );
+});
+
+test("Update user fails with already taken username", async ({ page }) => {
+  const user = users.craig;
+
+  await page.goto("/settings/admin/users");
+
+  await page
+    .getByRole("row", { name: `${user.firstname} ${user.lastname}` })
+    .getByRole("button")
+    .click();
+  await page.getByRole("menuitem", { name: "Edit" }).click();
+
+  await page.getByLabel("Username").fill(users.tim.username);
+  await page.getByRole("button", { name: "Save" }).first().click();
+
+  await expect(page.locator('[data-type="error"]')).toHaveText(
+    "Username is already in use"
+  );
+});
+
+test("Update user custom claims", async ({ page }) => {
+  await page.goto(`/settings/admin/users/${users.craig.id}`);
+
+  await page.getByRole("button", { name: "Expand card" }).nth(1).click();
+
+  // Add two custom claims
+  await page.getByRole("button", { name: "Add custom claim" }).click();
+
+  await page.getByPlaceholder("Key").fill("customClaim1");
+  await page.getByPlaceholder("Value").fill("customClaim1_value");
+
+  await page.getByRole("button", { name: "Add another" }).click();
+  await page.getByPlaceholder("Key").nth(1).fill("customClaim2");
+  await page.getByPlaceholder("Value").nth(1).fill("customClaim2_value");
+
+  await page.getByRole("button", { name: "Save" }).nth(1).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "Custom claims updated successfully"
+  );
+
+  await page.reload();
+
+  // Check if custom claims are saved
+  await expect(page.getByPlaceholder("Key").first()).toHaveValue(
+    "customClaim1"
+  );
+  await expect(page.getByPlaceholder("Value").first()).toHaveValue(
+    "customClaim1_value"
+  );
+  await expect(page.getByPlaceholder("Key").nth(1)).toHaveValue("customClaim2");
+  await expect(page.getByPlaceholder("Value").nth(1)).toHaveValue(
+    "customClaim2_value"
+  );
+
+  // Remove one custom claim
+  await page.getByLabel("Remove custom claim").first().click();
+  await page.getByRole("button", { name: "Save" }).nth(1).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "Custom claims updated successfully"
+  );
+
+  await page.reload();
+
+  // Check if custom claim is removed
+  await expect(page.getByPlaceholder("Key").first()).toHaveValue(
+    "customClaim2"
+  );
+  await expect(page.getByPlaceholder("Value").first()).toHaveValue(
+    "customClaim2_value"
+  );
+});
+
+test("Update user group assignments", async ({ page }) => {
+  const user = users.craig;
+  await page.goto(`/settings/admin/users/${user.id}`);
+
+  page.getByRole("button", { name: "Expand card" }).first().click();
+
+  await page
+    .getByRole("row", { name: userGroups.developers.name })
+    .getByRole("checkbox")
+    .click();
+  await page
+    .getByRole("row", { name: userGroups.designers.name })
+    .getByRole("checkbox")
+    .click();
+
+  await page.getByRole("button", { name: "Save" }).nth(1).click();
+
+  await expect(page.locator('[data-type="success"]')).toHaveText(
+    "User groups updated successfully"
+  );
+
+  await page.reload();
+
+  await expect(
+    page
+      .getByRole("row", { name: userGroups.designers.name })
+      .getByRole("checkbox")
+  ).toHaveAttribute("data-state", "checked");
+  await expect(
+    page
+      .getByRole("row", { name: userGroups.developers.name })
+      .getByRole("checkbox")
+  ).toHaveAttribute("data-state", "unchecked");
+});