test(ui): add E2E tests for invitation accept smart router

[pfe-nazaries]

Context

Follow-up from PR #10589 code review: the /invitation/accept smart router was validated with ad-hoc browser tests but lacked Playwright E2E coverage.

Description

Adds 3 Playwright E2E tests for the invitation accept smart router. All tests run unauthenticated and client-side only — no API mocking or external credentials required.

• INVITE-ACCEPT-E2E-001 — unauthenticated user sees the choice screen; the "Sign in" button redirects to /sign-in with a callbackUrl preserving the invitation token.
• INVITE-ACCEPT-E2E-002 — the "Create an account" button redirects to /sign-up?invitation_token=... and the sign-up form renders (guards against redirect loops).
• INVITE-ACCEPT-E2E-004 — navigating to /invitation/accept with no token shows the no-token error screen and the "Go to Sign In" link redirects to /sign-in.

INVITE-ACCEPT-E2E-003 from the original spec (backward-compat redirect) is intentionally not included: the redirect was removed in #10797, and the remaining negative case (/sign-up?invitation_token=... stays on /sign-up) is already covered by AUTH-MW-E2E-003 in ui/tests/auth/auth-middleware.spec.ts.

A new invitation-accept Playwright project is registered in ui/playwright.config.ts with no auth-setup dependency, matching the sign-up project layout.

Steps to review

cd ui
pnpm install
pnpm exec playwright test --project=invitation-accept

Expected: 3 tests pass.

Files:

• ui/tests/invitation-accept/invitation-accept.spec.ts
• ui/tests/invitation-accept/invitation-accept-page.ts (Page Object)
• ui/tests/invitation-accept/invitation-accept.md (doc — test IDs synced with spec)
• ui/playwright.config.ts (new project)

Checklist

Community Checklist

• This feature/issue is listed in here or roadmap.prowler.com
• Is it assigned to me

• Are there new checks included in this PR? No
• Review if the code is being covered by tests.
• Review if code is being documented.
• Review if backport is needed.
• Review if is needed to change the Readme.md
• Ensure new entries are added to CHANGELOG.md, if applicable. (Not applicable — tests only, `no-changelog` label set.)

UI (if applicable)

• All issue/task requirements work as expected on the UI
• Screenshots/Video - Mobile (X < 640px) — N/A (tests only, no UI changes)
• Screenshots/Video - Tablet (640px > X < 1024px) — N/A
• Screenshots/Video - Desktop (X > 1024px) — N/A
• Ensure new entries are added to ui/CHANGELOG.md — N/A (tests only)

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

🔒 Container Security Scan

Image: prowler-ui:493cfd7
Last scan: 2026-04-21 12:40:35 UTC

✅ No Vulnerabilities Detected

The container image passed all security checks. No known CVEs were found.

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[Alan-TheGentleman]

Three things to address:

1. SignUpPage.verifyPageLoaded() breaks the new flow — in INVITE-ACCEPT-E2E-002 you first assert the URL is /sign-up?invitation_token=..., but then call signUpPage.verifyPageLoaded(), and that method currently requires an exact toHaveURL("/sign-up"). With query params present, that assertion does not match the real flow. Either relax verifyPageLoaded() for this case or add a dedicated method for sign-up with invitation token.

2. The PR description/docs do not match the actual code path — the PR says the legacy action=signup param is no longer emitted, but the current router in ui/app/(auth)/invitation/accept/accept-invitation-client.tsx still pushes /sign-up?invitation_token=...&action=signup. Also, the reference to AUTH-MW-E2E-003 does not exist in ui/tests. Please align the doc/description with the real behavior or update the implementation if the intent changed.

3. The commit message includes AI attribution — Co-Authored-By: Claude Opus 4.7... is present in the commit, and that goes against the repo rules. Please clean that up before merge.

The overall direction is good — the POM structure is clean, the Playwright project setup makes sense, and the unauthenticated flow coverage is useful. But these three issues should be fixed before this goes in.

[pfe-nazaries]

Thanks for the review, @Alan-TheGentleman. Addressing the three points:

1. SignUpPage.verifyPageLoaded() — not a blocker on current master.
The method does not assert the URL. It only checks form element visibility, so query params are fine:

// ui/tests/sign-up/sign-up-page.ts:56-59
async verifyPageLoaded(): Promise<void> {
  await expect(this.emailInput).toBeVisible();
  await expect(this.submitButton).toBeVisible();
}

The method that requires an exact toHaveURL("/sign-up") is verifyOnSignUpPage() (line 61), which I'm intentionally not using in INVITE-ACCEPT-E2E-002. All 3 tests pass locally. Happy to add a dedicated verifyOnSignUpPageWithInvitationToken() helper if you want the semantic, but behavior-wise it's correct today.

2. Doc matches current code — the action=signup param and missing AUTH-MW-E2E-003 are based on stale context.

• The router no longer emits action=signup. Commit 390bbdd1a ("refactor(ui): remove backward-compat redirect for legacy invitation links", refactor(ui): remove backward-compat redirect for legacy invitation links #10797) removed both the redirect and ui/lib/invitation-routing.ts (where INVITATION_ACTION_PARAM / INVITATION_SIGNUP_ACTION lived). Current source:

// ui/app/(auth)/invitation/accept/accept-invitation-client.tsx:201-205
onClick={() => {
  router.push(
    `/sign-up?invitation_token=${encodeURIComponent(token!)}`,
  );
}}

• AUTH-MW-E2E-003 does exist. It was added in the same 390bbdd1a commit and covers the "/sign-up?invitation_token=... stays on /sign-up" case:

// ui/tests/auth/auth-middleware.spec.ts:81-82
"should not redirect /sign-up?invitation_token=... to /invitation/accept",
{ tag: ["@e2e", "@auth", "@middleware", "@AUTH-MW-E2E-003"] },

Could you re-pull master and re-check? I suspect you're looking at the pre-390bbdd1a tree.

3. AI attribution removed. Amended the commit to drop Co-Authored-By: Claude…. New SHA: 36ab61269. Force-pushed.

[Alan-TheGentleman]

LGTM