test: custom user status API tests with authentication and permission

[jessicaschelly]

Proposed changes

Adds new test cases to improve coverage for the custom-user-status API endpoints.

New Test Cases

Create endpoint (custom-user-status.create):

• Added test for invalid statusType validation

Update endpoint (custom-user-status.update):

• Added test for duplicate name conflict when updating
• Added test for invalid statusType validation

Delete endpoint (custom-user-status.delete):

• Added test for non-existent status ID

Issue(s)

QA-113

Steps to test or reproduce

Further comments

Summary by CodeRabbit

Release Notes

This pull request contains no user-facing changes. It extends internal test coverage for custom user status functionality, including authentication, authorization, and validation test scenarios.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 699cc19

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

The custom-user-status end-to-end test suite was expanded to include comprehensive testing for create, update, and delete operations with authentication, authorization, validation, and lifecycle scenarios. Global setup/teardown logic was added for managing unauthorized user accounts and permissions.

Changes

Cohort / File(s)	Summary
Custom User Status E2E Tests apps/meteor/tests/end-to-end/api/custom-user-status.ts	Extended test coverage with unauthorized user workflows, permission testing, and new test suites for create/update/delete operations including authentication errors, duplicate validation, invalid parameters, and non-existent ID checks. Added global setup/teardown and per-test helper utilities.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type: chore, area: authentication

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding end-to-end tests for custom user status API with focus on authentication and permission coverage.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 1 file

[coderabbitai]

🧹 Nitpick comments (2)

apps/meteor/tests/end-to-end/api/custom-user-status.ts (2)

23-30: Consider consolidating duplicate before hooks.

While Mocha allows multiple before hooks, consolidating them improves readability and maintains a single setup flow. The static analyzer flagged this as a duplicate hook.

♻️ Proposed consolidation

-	before((done) => {
-		getCredentials(done);
-	});
-
-	before(async () => {
-		unauthorizedUser = await createUser();
-		unauthorizedUserCredentials = await login(unauthorizedUser.username, password);
-	});
+	before(async function () {
+		await new Promise<void>((resolve) => getCredentials(resolve));
+		unauthorizedUser = await createUser();
+		unauthorizedUserCredentials = await login(unauthorizedUser.username, password);
+	});

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/tests/end-to-end/api/custom-user-status.ts` around lines 23 - 30,
Consolidate the two before hooks into a single before hook that first runs
getCredentials and then creates/logs in the unauthorized user; update the before
to be an async function that awaits getCredentials (wrap its callback form in a
Promise if needed) and then awaits createUser() and login() to set
unauthorizedUser and unauthorizedUserCredentials. Target the getCredentials call
and the unauthorizedUser/unauthorizedUserCredentials assignments so the setup
runs in one sequential flow.

---

231-236: Redundant permission restoration in after hook.

The updatePermission('manage-user-status', ['admin']) call on line 235 is redundant since afterEach at line 228 already restores permissions after each test. The after hook runs after the last afterEach, so permissions will already be restored.

♻️ Proposed simplification

 	after(async () => {
 		if (customUserStatusId) {
 			await deleteCustomUserStatus(customUserStatusId);
 		}
-		await updatePermission('manage-user-status', ['admin']);
 	});

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/tests/end-to-end/api/custom-user-status.ts` around lines 231 -
236, Remove the redundant permission restoration call from the after hook: the
afterEach already calls updatePermission('manage-user-status', ['admin']) for
every test, so in the after() block (which currently contains
deleteCustomUserStatus(customUserStatusId) and
updatePermission('manage-user-status', ['admin'])), keep the
deleteCustomUserStatus(customUserStatusId) cleanup but delete the
updatePermission('manage-user-status', ['admin']) line to avoid duplicate
restoration.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@apps/meteor/tests/end-to-end/api/custom-user-status.ts`:
- Around line 23-30: Consolidate the two before hooks into a single before hook
that first runs getCredentials and then creates/logs in the unauthorized user;
update the before to be an async function that awaits getCredentials (wrap its
callback form in a Promise if needed) and then awaits createUser() and login()
to set unauthorizedUser and unauthorizedUserCredentials. Target the
getCredentials call and the unauthorizedUser/unauthorizedUserCredentials
assignments so the setup runs in one sequential flow.
- Around line 231-236: Remove the redundant permission restoration call from the
after hook: the afterEach already calls updatePermission('manage-user-status',
['admin']) for every test, so in the after() block (which currently contains
deleteCustomUserStatus(customUserStatusId) and
updatePermission('manage-user-status', ['admin'])), keep the
deleteCustomUserStatus(customUserStatusId) cleanup but delete the
updatePermission('manage-user-status', ['admin']) line to avoid duplicate
restoration.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a6f5aadb-b22f-451a-914c-529c3fff907a

📥 Commits

Reviewing files that changed from the base of the PR and between c68ac53 and 699cc19.

📒 Files selected for processing (1)

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

🧠 Learnings (14)

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure tests run reliably in parallel without shared state conflicts

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `test.step()` for complex test scenarios to improve organization in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Utilize Playwright fixtures (`test`, `page`, `expect`) for consistency in test files

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Group related tests in the same file

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/page-objects/**/*.ts : Utilize existing page objects pattern from `apps/meteor/tests/e2e/page-objects/`

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : All test files must be created in `apps/meteor/tests/e2e/` directory

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.{ts,spec.ts} : Follow Page Object Model pattern consistently in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `expect` matchers for assertions (`toEqual`, `toContain`, `toBeTruthy`, `toHaveLength`, etc.) instead of `assert` statements in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Maintain test isolation between test cases in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure clean state for each test execution in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `test.beforeAll()` and `test.afterAll()` for setup/teardown in Playwright tests

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2025-10-06T20:30:45.540Z

Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 37152
File: packages/apps-engine/tests/test-data/storage/storage.ts:101-122
Timestamp: 2025-10-06T20:30:45.540Z
Learning: In `packages/apps-engine/tests/test-data/storage/storage.ts`, the stub methods (updatePartialAndReturnDocument, updateStatus, updateSetting, updateAppInfo, updateMarketplaceInfo) intentionally throw "Method not implemented." Tests using these methods must stub them using `SpyOn` from the test library rather than relying on actual implementations.

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-user-status.ts

🪛 Biome (2.4.4)

apps/meteor/tests/end-to-end/api/custom-user-status.ts

[error] 27-30: Duplicate before hook found.

(lint/suspicious/noDuplicateTestHooks)

🔇 Additional comments (5)

apps/meteor/tests/end-to-end/api/custom-user-status.ts (5)

1-8: LGTM!

The imports are well-organized and the Response type import improves type safety for the test assertions.

---

10-13: LGTM!

The optional statusType parameter correctly aligns with the API endpoint signature and is properly forwarded in the request payload.

---

131-216: LGTM!

The create endpoint tests provide comprehensive coverage including authentication, authorization, success path with statusType, duplicate name validation, and invalid statusType handling. The afterEach hook properly restores permissions and cleans up created statuses, ensuring test isolation.

---

276-326: LGTM!

The update success test properly validates the response and tracks the updated name. The duplicate name and invalid statusType tests correctly verify error handling, and the inline cleanup of the secondary status maintains test isolation.

---

328-410: LGTM!

The delete endpoint tests use an appropriate beforeEach/afterEach pattern that creates a fresh status for each test. The success test correctly sets customUserStatusId = '' to prevent double-deletion in afterEach. This ensures proper test isolation while covering all critical paths: authentication, authorization, missing parameter, non-existent status, and successful deletion.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.87%. Comparing base (c68ac53) to head (699cc19).
⚠️ Report is 18 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #39330      +/-   ##
===========================================
- Coverage    70.89%   70.87%   -0.03%     
===========================================
  Files         3207     3207              
  Lines       113334   113334              
  Branches     20538    20531       -7     
===========================================
- Hits         80349    80322      -27     
- Misses       30940    30959      +19     
- Partials      2045     2053       +8     

Flag	Coverage Δ
e2e	60.33% <ø> (-0.08%)	⬇️
e2e-api	47.83% <ø> (-0.03%)	⬇️
unit	71.60% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.