[codex] Add ProtoOS authentication settings E2E tests

[edgars-avotins]

🤖 What changed

• added a ProtoOS authentication settings spec
• moved API/password helper logic into a dedicated e2e helper
• expanded the authentication page object with settings-form interactions

Why

• cover the admin password update flow in ProtoOS settings
• verify the change-password request payload and success path
• cover the validation case where current password is required

Validation

• eslint e2eTests/protoOS/helpers/authenticationHelper.ts e2eTests/protoOS/pages/authentication.ts e2eTests/protoOS/spec/authentication.spec.ts
• playwright test e2eTests/protoOS/spec/00-onboarding.spec.ts --project=desktop --config=e2eTests/protoOS/playwright.config.ts
• playwright test e2eTests/protoOS/spec/authentication.spec.ts --project=desktop --config=e2eTests/protoOS/playwright.config.ts

[github-actions]

🔐 Codex Security Review

Note: This is an automated security-focused code review generated by Codex.
It should be used as a supplementary check alongside human review.
False positives are possible - use your judgment.

Scope summary

• Reviewed pull request diff only (debca7231013099f2925554efbad3661d6dadda5...711c41005e340b82447a02a21db9f55a9ce6d3df, exact PR three-dot diff)
• Model: gpt-5.5

💡 Click "edited" above to see previous reviews for this PR.

---

Review Summary

Overall Risk: MEDIUM

Findings

[MEDIUM] Password-changing E2E can leave shared admin credentials mutated after partial failure

• Category: Reliability
• Location: client/e2eTests/protoOS/spec/authentication.spec.ts:52
• Description: The test changes the real admin password, but updatedPassword is only assigned after the response status assertion succeeds. If the UI request succeeds but the test times out, the browser crashes, Playwright misses the response, or any failure occurs before line 53, afterEach returns early and skips restoring the default password.
• Impact: The shared ProtoOS test target can be left with a random admin password. Subsequent E2E tests that call authenticateAsAdmin() with testConfig.admin.password will fail, and a local or shared target could remain inaccessible with the configured credential.
• Recommendation: Track the password as soon as the change is attempted, and make cleanup tolerant: in afterEach, try restoring with the generated password if set, and fall back gracefully when the login fails because the mutation did not actually land. Alternatively isolate this spec with a fresh backend/device state.

Notes

The production change in client/src/protoOS/features/settings/components/Authentication/Authentication.tsx only wraps the existing form with a data-testid; I did not find a security issue in that runtime path. The rest of the diff is E2E-only helper/page/spec code.

---

_{Generated by Codex Security Review |
Triggered by: @edgars-avotins |
Review workflow run}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9547e4e20f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Set rollback password before post-change assertions

When the PUT has already succeeded but any assertion before this assignment fails (for example the payload assertion, toast wait, or logged-in check), updatedPassword is still null, so afterEach skips restoreAdminPassword and leaves the miner using the random password. That breaks subsequent ProtoOS specs or reruns that authenticate with testConfig.admin.password; set the rollback password as soon as the change-password response succeeds, before the remaining UI assertions.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

Adds Playwright E2E coverage for ProtoOS “Authentication settings” to validate the admin password change flow, including request payload verification and the “current password required” validation case. This fits into the existing client/e2eTests/protoOS suite by extending the Authentication page object and introducing a small API helper for login/password restoration.

Changes:

• Added a new authentication.spec.ts covering password update + re-authentication and required-current-password validation.
• Expanded the AuthenticationPage with settings-form interactions (input + submit helpers).
• Introduced an authenticationHelper for generating passwords, logging in via API, and restoring the admin password post-test.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
client/e2eTests/protoOS/spec/authentication.spec.ts	New E2E spec for admin password update flow + validation coverage, including API request/response assertions and cleanup.
client/e2eTests/protoOS/pages/authentication.ts	Extends Authentication page object with settings-form locators and interactions.
client/e2eTests/protoOS/helpers/authenticationHelper.ts	New helper for generating a strong password, logging in via API, and restoring admin password after mutation.