test: add tests for OAuth login launch flows

[jessicaschelly]

Proposed changes (including videos or screenshots)

Add OAuth coverage for:

• Custom OAuth login_style=popup opening the authorize flow in a popup
• OAuth proxy configuration redirecting the authorize flow through the proxy
• OAuth login starting correctly when the login page is embedded in an iframe

Issue(s)

QA-115

Steps to test or reproduce

Further comments

Summary by CodeRabbit

• Tests
  • Expanded OAuth authentication end-to-end test coverage with additional scenarios for popup login, proxy redirects, and iframe integration patterns. Improved test organization and helper utilities for enhanced test reliability.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[coderabbitai]

Walkthrough

The OAuth e2e test spec was expanded and reorganized with a shared test utilities layer, a reworked Login Page test suite with explicit setup/teardown hooks, and three new test scenarios covering popup, proxy redirect, and iframe OAuth authorization flows. Each scenario includes before/after configuration and assertion of expected URL patterns or window behaviors.

Changes

OAuth e2e test expansion

Layer / File(s)	Summary
Test utilities and shared setup apps/meteor/tests/e2e/oauth.spec.ts	Adds imports for test framework, page objects, and setting helpers; introduces a waitForServiceSettingsUpdate delay helper and a regex pattern to validate custom OAuth authorize URLs across test scenarios.
Login Page OAuth tests apps/meteor/tests/e2e/oauth.spec.ts	Reworks the Login Page scenario into a nested test suite with afterEach teardown that resets OAuth settings; toggles providers and login style via setSettingValueById, navigates to /home, and verifies OAuth button visibility and custom authorize URL redirect behavior.
OAuth flow variations apps/meteor/tests/e2e/oauth.spec.ts	Adds three test suites for popup, proxy redirect, and iframe OAuth flows; popup suite validates authorize opens in a new window, proxy suite asserts redirect through oauth-proxy.rocket.chat, and iframe suite verifies authorize request originates from iframe context with correct authorize URL.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

type: chore

Suggested reviewers

• gabriellsh

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'test: add tests for OAuth login launch flows' directly matches the main purpose of the changeset, which expands OAuth e2e test coverage with new scenarios for popup, proxy redirect, and iframe login flows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.74%. Comparing base (741b87f) to head (09a8b70).

Additional details and impacted files

@@           Coverage Diff            @@
##           develop   #40708   +/-   ##
========================================
  Coverage    69.73%   69.74%           
========================================
  Files         3326     3326           
  Lines       123056   123056           
  Branches     21962    21962           
========================================
+ Hits         85816    85820    +4     
+ Misses       33880    33878    -2     
+ Partials      3360     3358    -2     

Flag	Coverage Δ
e2e	59.40% <ø> (+0.08%)	⬆️
e2e-api	46.09% <ø> (-0.01%)	⬇️
unit	70.45% <ø> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 09a8b70

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

apps/meteor/tests/e2e/oauth.spec.ts (2)

23-23: ⚡ Quick win

Use a more descriptive test name.

The test name "Login Page" duplicates the parent describe block name and doesn't clearly communicate the expected behavior being tested. Consider a name that describes what the test validates, such as "should show and hide OAuth buttons when settings are toggled" or "should toggle OAuth provider visibility".

As per coding guidelines: "Use descriptive test names that clearly communicate expected behavior in Playwright tests."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/tests/e2e/oauth.spec.ts` at line 23, The test title "Login Page"
is not descriptive and duplicates the describe block; rename the test
declaration test('Login Page', async ({ page, api }) => { ... }) to a clearer
name that conveys the expected behavior (for example: "should toggle OAuth
provider visibility based on settings" or "should show and hide OAuth buttons
when settings are toggled") so the test name and the test body (the test
function using page and api) clearly communicate what is being validated.

---

43-43: ⚡ Quick win

Use the shared customOAuthAuthorizeUrlPattern for consistency.

This URL assertion uses a different pattern than the shared customOAuthAuthorizeUrlPattern defined at line 7. For consistency and maintainability, prefer the shared constant.

♻️ Suggested fix

-await expect(page).toHaveURL(/https:\/\/(www)?\.rocket\.chat/);
+await expect(page).toHaveURL(customOAuthAuthorizeUrlPattern);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/tests/e2e/oauth.spec.ts` at line 43, Replace the hard-coded regex
in the URL assertion with the shared constant to keep patterns consistent:
locate the test assertion using
expect(page).toHaveURL(/https:\/\/(www)?\.rocket\.chat/); and change it to use
the shared customOAuthAuthorizeUrlPattern constant (import or reference the
existing customOAuthAuthorizeUrlPattern defined at the top of the file) so the
test uses that single source of truth for the OAuth authorize URL pattern.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/tests/e2e/oauth.spec.ts`:
- Around line 6-7: The helper waitForServiceSettingsUpdate currently returns a
fixed 5s sleep; replace it with an async polling wait that checks for the actual
settings propagation using Playwright auto-waiting (e.g., implement
waitForServiceSettingsUpdate(page) that uses page.waitForFunction or
page.waitForResponse to poll the specific settings API/DOM state until the
expected OAuth setting is present), rather than a hardcoded timeout; update
callsites to pass the Playwright Page as needed and remove the const
waitForServiceSettingsUpdate = () => new Promise(...) implementation.
- Line 26: Replace hardcoded page.waitForTimeout(5000) calls with explicit waits
that poll for the actual UI state: remove usages of page.waitForTimeout and
instead use Playwright's waiting utilities (e.g., page.waitForSelector,
page.waitForFunction or expect(...).toBeVisible()/toBeHidden()) to wait until
the OAuth button visibility/state reflects the expected settings; update each
occurrence of page.waitForTimeout in oauth.spec.ts (the timeout calls) to assert
the specific condition (visibility/hidden/disabled) or poll the settings
propagation until the UI matches the expected state so tests are deterministic
and faster.

---

Nitpick comments:
In `@apps/meteor/tests/e2e/oauth.spec.ts`:
- Line 23: The test title "Login Page" is not descriptive and duplicates the
describe block; rename the test declaration test('Login Page', async ({ page,
api }) => { ... }) to a clearer name that conveys the expected behavior (for
example: "should toggle OAuth provider visibility based on settings" or "should
show and hide OAuth buttons when settings are toggled") so the test name and the
test body (the test function using page and api) clearly communicate what is
being validated.
- Line 43: Replace the hard-coded regex in the URL assertion with the shared
constant to keep patterns consistent: locate the test assertion using
expect(page).toHaveURL(/https:\/\/(www)?\.rocket\.chat/); and change it to use
the shared customOAuthAuthorizeUrlPattern constant (import or reference the
existing customOAuthAuthorizeUrlPattern defined at the top of the file) so the
test uses that single source of truth for the OAuth authorize URL pattern.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 12bddb9a-0b0d-42db-b2b6-adfc6e4f1bd2

📥 Commits

Reviewing files that changed from the base of the PR and between 741b87f and 09a8b70.

📒 Files selected for processing (1)

• apps/meteor/tests/e2e/oauth.spec.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: Hacktron Security Check
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (2/4)

🧰 Additional context used

📓 Path-based instructions (4)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/tests/e2e/oauth.spec.ts

**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

• apps/meteor/tests/e2e/oauth.spec.ts

apps/meteor/tests/e2e/**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

apps/meteor/tests/e2e/**/*.spec.ts: All test files must be created in apps/meteor/tests/e2e/ directory
Avoid using page.locator() in Playwright tests - always prefer semantic locators such as page.getByRole(), page.getByLabel(), page.getByText(), or page.getByTitle()
Use test.beforeAll() and test.afterAll() for setup/teardown in Playwright tests
Use test.step() for complex test scenarios to improve organization in Playwright tests
Group related tests in the same file
Utilize Playwright fixtures (test, page, expect) for consistency in test files
Prefer web-first assertions (toBeVisible, toHaveText, etc.) in Playwright tests
Use expect matchers for assertions (toEqual, toContain, toBeTruthy, toHaveLength, etc.) instead of assert statements in Playwright tests
Use page.waitFor() with specific conditions instead of hardcoded timeouts in Playwright tests
Implement proper wait strategies for dynamic content in Playwright tests
Maintain test isolation between test cases in Playwright tests
Ensure clean state for each test execution in Playwright tests
Ensure tests run reliably in parallel without shared state conflicts

Files:

• apps/meteor/tests/e2e/oauth.spec.ts

apps/meteor/tests/e2e/**/*.{ts,spec.ts}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

apps/meteor/tests/e2e/**/*.{ts,spec.ts}: Store commonly used locators in variables/constants for reuse
Follow Page Object Model pattern consistently in Playwright tests

Files:

• apps/meteor/tests/e2e/oauth.spec.ts

🧠 Learnings (6)

📚 Learning: 2026-02-24T19:22:48.358Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/omnichannel/omnichannel-send-pdf-transcript.spec.ts:66-67
Timestamp: 2026-02-24T19:22:48.358Z
Learning: In Playwright end-to-end tests (e.g., under apps/meteor/tests/e2e/...), prefer locating elements by translated text (getByText) and ARIA roles (getByRole) over data-qa attributes. If translation values change, update the corresponding test locators accordingly. Never use data-qa locators. This guideline applies to all Playwright e2e test specs in the repository and helps keep tests robust to UI text changes and accessible semantics.

Applied to files:

• apps/meteor/tests/e2e/oauth.spec.ts

📚 Learning: 2026-02-24T19:39:42.247Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/page-objects/fragments/message.ts:7-7
Timestamp: 2026-02-24T19:39:42.247Z
Learning: In RocketChat e2e tests, avoid using data-qa attributes to locate elements. Prefer semantic locators such as getByRole, getByLabel, getByText, getByTitle and ARIA-based selectors. Apply this rule to all TypeScript files under apps/meteor/tests/e2e to improve test reliability, accessibility, and maintainability.

Applied to files:

• apps/meteor/tests/e2e/oauth.spec.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/tests/e2e/oauth.spec.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/tests/e2e/oauth.spec.ts

📚 Learning: 2026-03-06T18:10:15.268Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:15.268Z
Learning: In tests (especially those using testing-library/dom/jsdom) for Rocket.Chat components, the HTML <code> element has an implicit ARIA role of 'code'. Therefore, screen.getByRole('code') or screen.findByRole('code') will locate <code> elements even without a role attribute. Do not flag findByRole('code') as invalid in reviews; prefer using the implicit role instead of adding role="code" unless necessary for accessibility.

Applied to files:

• apps/meteor/tests/e2e/oauth.spec.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/tests/e2e/oauth.spec.ts

🔇 Additional comments (3)

apps/meteor/tests/e2e/oauth.spec.ts (3)

76-89: LGTM!

---

106-116: LGTM!

---

131-146: LGTM!

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Replace hardcoded timeout with a proper wait strategy.

The waitForServiceSettingsUpdate helper uses a hardcoded 5-second delay. This violates the Playwright best practice of using specific wait conditions instead of arbitrary timeouts, which can lead to flaky tests.

Consider replacing this with a proper wait strategy that polls for the actual settings propagation, or use Playwright's auto-waiting mechanisms where possible.

As per coding guidelines: "Use page.waitFor() with specific conditions instead of hardcoded timeouts in Playwright tests."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/tests/e2e/oauth.spec.ts` around lines 6 - 7, The helper
waitForServiceSettingsUpdate currently returns a fixed 5s sleep; replace it with
an async polling wait that checks for the actual settings propagation using
Playwright auto-waiting (e.g., implement waitForServiceSettingsUpdate(page) that
uses page.waitForFunction or page.waitForResponse to poll the specific settings
API/DOM state until the expected OAuth setting is present), rather than a
hardcoded timeout; update callsites to pass the Playwright Page as needed and
remove the const waitForServiceSettingsUpdate = () => new Promise(...)
implementation.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove hardcoded timeouts in favor of proper wait strategies.

Multiple calls to page.waitForTimeout(5000) violate the coding guideline to use specific wait conditions instead of arbitrary delays. These hardcoded timeouts make tests slower and less reliable.

Since you're waiting for settings to propagate, consider implementing a proper polling mechanism that checks for the actual UI state change (e.g., wait for the OAuth button visibility to match the expected state).

As per coding guidelines: "Use page.waitFor() with specific conditions instead of hardcoded timeouts in Playwright tests."

♻️ Suggested approach

Instead of waiting for an arbitrary duration, rely on Playwright's auto-waiting by directly asserting the expected state:

 await expect((await setSettingValueById(api, 'Accounts_OAuth_Google', true)).status()).toBe(200);
-await page.waitForTimeout(5000);
-
 await page.goto('/home');
-
 await expect(poRegistration.btnLoginWithGoogle).toBeVisible();

The expect().toBeVisible() assertion will automatically wait for the element to appear (up to the default timeout).

Also applies to: 35-35, 48-48, 56-56

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/tests/e2e/oauth.spec.ts` at line 26, Replace hardcoded
page.waitForTimeout(5000) calls with explicit waits that poll for the actual UI
state: remove usages of page.waitForTimeout and instead use Playwright's waiting
utilities (e.g., page.waitForSelector, page.waitForFunction or
expect(...).toBeVisible()/toBeHidden()) to wait until the OAuth button
visibility/state reflects the expected settings; update each occurrence of
page.waitForTimeout in oauth.spec.ts (the timeout calls) to assert the specific
condition (visibility/hidden/disabled) or poll the settings propagation until
the UI matches the expected state so tests are deterministic and faster.

[cubic-dev-ai]

No issues found across 1 file

_{Re-trigger cubic}