add comprehensive 2 factor authentication e2e tests

app/Http/Controllers/Api/V1/OrganizationController.php

@@ -50,6 +50,9 @@ class OrganizationController extends Controller
         if ($request->getName() !== null) {
             $organization->name = $request->getName();
         }
+        if ($request->getCurrency() !== null) {
+            $organization->currency = $request->getCurrency();
+        }
         if ($request->getEmployeesCanSeeBillableRates() !== null) {
             $organization->employees_can_see_billable_rates = $request->getEmployeesCanSeeBillableRates();
         }

app/Http/Controllers/Web/OrganizationController.php

@@ -54,15 +54,9 @@ class OrganizationController extends Controller
             'currencies' => array_map(function (Currency $currency): string {
                 return $currency->getName();
             }, ISOCurrencyProvider::getInstance()->getAvailableCurrencies()),
-            'availableRoles' => [],
-            'availablePermissions' => [],
-            'defaultPermissions' => [],
             'permissions' => [
-                'canAddTeamMembers' => true,
-                'canDeleteTeam' => true,
-                'canRemoveTeamMembers' => true,
-                'canUpdateTeam' => true,
-                'canUpdateTeamMembers' => true,
+                'canDeleteTeam' => $this->hasPermission($organization, 'organizations:delete'),
+                'canUpdateTeam' => $this->hasPermission($organization, 'organizations:update'),
             ],
         ]);
     }

app/Http/Controllers/Web/OtherBrowserSessionsController.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Web;
+
+use Illuminate\Contracts\Auth\StatefulGuard;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Validation\ValidationException;
+use Laravel\Fortify\Actions\ConfirmPassword;
+
+class OtherBrowserSessionsController extends Controller
+{
+    /**
+     * Log the user out of their other browser sessions across all devices.
+     */
+    public function destroy(Request $request, StatefulGuard $guard): RedirectResponse
+    {
+        $password = (string) $request->string('password');
+
+        $confirmed = app(ConfirmPassword::class)($guard, $request->user(), $password);
+
+        if (! $confirmed) {
+            throw ValidationException::withMessages([
+                'password' => __('The password is incorrect.'),
+            ]);
+        }
+
+        $guard->logoutOtherDevices($password);
+
+        $this->deleteOtherSessionRecords($request);
+
+        return back(303);
+    }
+
+    /**
+     * Delete the other browser session records from storage.
+     */
+    protected function deleteOtherSessionRecords(Request $request): void
+    {
+        if (config('session.driver') !== 'database') {
+            return;
+        }
+
+        DB::connection(config('session.connection'))
+            ->table(config('session.table', 'sessions'))
+            ->where('user_id', $request->user()->getAuthIdentifier())
+            ->where('id', '!=', $request->session()->getId())
+            ->delete();
+    }
+}

app/Http/Requests/V1/Organization/OrganizationUpdateRequest.php

@@ -11,6 +11,7 @@ use App\Enums\NumberFormat;
 use App\Enums\TimeFormat;
 use App\Http\Requests\V1\BaseFormRequest;
 use App\Models\Organization;
+use App\Rules\CurrencyRule;
 use Illuminate\Validation\Rule;
 
 /**
@@ -21,7 +22,7 @@ class OrganizationUpdateRequest extends BaseFormRequest
     /**
      * Get the validation rules that apply to the request.
      *
-     * @return array<string, array<string|\Illuminate\Contracts\Validation\Rule>>
+     * @return array<string, array<string|\Illuminate\Contracts\Validation\Rule|\Illuminate\Contracts\Validation\ValidationRule>>
      */
     public function rules(): array
     {
@@ -30,6 +31,10 @@ class OrganizationUpdateRequest extends BaseFormRequest
                 'string',
                 'max:255',
             ],
+            'currency' => [
+                'string',
+                new CurrencyRule,
+            ],
             'billable_rate' => array_merge(
                 [
                     'nullable',
@@ -68,6 +73,11 @@ class OrganizationUpdateRequest extends BaseFormRequest
         return $this->has('name') ? (string) $this->input('name') : null;
     }
 
+    public function getCurrency(): ?string
+    {
+        return $this->has('currency') ? (string) $this->input('currency') : null;
+    }
+
     public function getNumberFormat(): ?NumberFormat
     {
         return $this->has('number_format') ? NumberFormat::from($this->input('number_format')) : null;

app/Service/UserService.php

@@ -62,6 +62,7 @@ class UserService
                 $intervalFormat,
                 $timeFormat,
             );
+            $this->switchCurrentOrganization($user, $organization);
         }
 
         return $user;

composer.json

@@ -132,7 +132,8 @@
             "pestphp/pest-plugin": true,
             "php-http/discovery": true,
             "wikimedia/composer-merge-plugin": true
-        }
+        },
+        "process-timeout": 900
     },
     "minimum-stability": "stable",
     "prefer-stable": true

e2e/calendar.spec.ts

@@ -12,7 +12,7 @@ import {
     createRunningTimeEntryWithStartViaApi,
     createTaskViaApi,
     createProjectWithClientViaApi,
-    updateUserProfileViaWeb,
+    updateUserProfileViaApi,
     updateOrganizationSettingViaApi,
 } from './utils/api';
 
@@ -1803,28 +1803,22 @@ test.describe('Click-Drag Selection to Create', () => {
 // =============================================
 
 test.describe('Timezone & Localization', () => {
-    test('week start day: monday shows Mon as first column', async ({ page }) => {
-        // Navigate to calendar first to load Inertia page props
+    test('week start day: monday shows Mon as first column', async ({ page, ctx }) => {
+        await updateUserProfileViaApi(ctx, { week_start: 'monday' });
         await goToCalendar(page);
-        await updateUserProfileViaWeb(page, { week_start: 'monday' });
-        await page.reload();
         await expect(page.locator('.fc')).toBeVisible();
 
         const firstHeader = page.locator('.fc-col-header-cell').first();
         await expect(firstHeader).toContainText('Mon');
     });
 
-    test('week start day: sunday shows Sun as first column', async ({ page }) => {
+    test('week start day: sunday shows Sun as first column', async ({ page, ctx }) => {
+        await updateUserProfileViaApi(ctx, { week_start: 'sunday' });
         await goToCalendar(page);
-        await updateUserProfileViaWeb(page, { week_start: 'sunday' });
-        await page.reload();
         await expect(page.locator('.fc')).toBeVisible();
 
         const firstHeader = page.locator('.fc-col-header-cell').first();
         await expect(firstHeader).toContainText('Sun');
-
-        // Reset to monday for other tests
-        await updateUserProfileViaWeb(page, { week_start: 'monday' });
     });
 
     test('12-hour time format shows AM/PM on slot labels', async ({ page, ctx }) => {

e2e/command-palette.spec.ts

@@ -348,7 +348,7 @@ test.describe('Command Palette', () => {
             const newOrgName = 'TestOrg' + Math.floor(Math.random() * 10000);
 
             // Create a new organization
-            await page.goto(PLAYWRIGHT_BASE_URL + '/teams/create');
+            await page.goto(PLAYWRIGHT_BASE_URL + '/organizations/create');
             await page.getByLabel('Organization Name').fill(newOrgName);
             await page.getByRole('button', { name: 'Create' }).click();
 
@@ -393,7 +393,7 @@ test.describe('Command Palette', () => {
             const newOrgName = 'GroupTestOrg' + Math.floor(Math.random() * 10000);
 
             // Create a new organization to ensure we have multiple
-            await page.goto(PLAYWRIGHT_BASE_URL + '/teams/create');
+            await page.goto(PLAYWRIGHT_BASE_URL + '/organizations/create');
             await page.getByLabel('Organization Name').fill(newOrgName);
             await page.getByRole('button', { name: 'Create' }).click();
             await expect(page.getByTestId('dashboard_view')).toBeVisible({ timeout: 10000 });

e2e/organization.spec.ts

@@ -36,13 +36,52 @@ async function createTimeEntry(page, duration: string) {
 test('test that organization name can be updated', async ({ page }) => {
     await goToOrganizationSettings(page);
     await page.getByLabel('Organization Name').fill('NEW ORG NAME');
-    await page.getByLabel('Organization Name').press('Enter');
-    await page.getByLabel('Organization Name').press('Meta+r');
+    await Promise.all([
+        page.waitForResponse(
+            (response) =>
+                response.url().includes('/api/v1/organizations/') &&
+                response.request().method() === 'PUT' &&
+                response.status() === 200
+        ),
+        page
+            .locator('form')
+            .filter({ hasText: 'Organization Name' })
+            .getByRole('button', { name: 'Save' })
+            .click(),
+    ]);
+    await page.reload();
     await expect(page.locator('[data-testid="organization_switcher"]:visible')).toContainText(
         'NEW ORG NAME'
     );
 });
 
+test('test that organization currency can be updated', async ({ page }) => {
+    await goToOrganizationSettings(page);
+    await page.getByLabel('Currency', { exact: true }).selectOption('USD');
+    await Promise.all([
+        page.waitForRequest(
+            (request) =>
+                request.url().includes('/api/v1/organizations/') &&
+                request.method() === 'PUT' &&
+                request.postDataJSON().currency === 'USD'
+        ),
+        page.waitForResponse(
+            async (response) =>
+                response.url().includes('/api/v1/organizations/') &&
+                response.request().method() === 'PUT' &&
+                response.status() === 200 &&
+                (await response.json()).data.currency === 'USD'
+        ),
+        page
+            .locator('form')
+            .filter({ hasText: 'Organization Name' })
+            .getByRole('button', { name: 'Save' })
+            .click(),
+    ]);
+    await page.reload();
+    await expect(page.getByLabel('Currency', { exact: true })).toHaveValue('USD');
+});
+
 test('test that organization billable rate can be updated with all existing time entries', async ({
     page,
 }) => {
@@ -369,13 +408,130 @@ test('test that format settings persist after page reload', async ({ page }) =>
     await expect(page.getByLabel('Date Format')).toContainText('DD/MM/YYYY');
 });
 
+// =============================================
+// Create, Delete & Switch
+// =============================================
+
+test.describe('Organization Create, Delete & Switch', () => {
+    async function createOrganization(page, name: string) {
+        await page.goto(PLAYWRIGHT_BASE_URL + '/organizations/create');
+        await page.getByLabel('Organization Name').fill(name);
+        await Promise.all([
+            page.waitForResponse(
+                (response) =>
+                    response.url().includes('/api/v1/organizations') &&
+                    response.request().method() === 'POST' &&
+                    response.status() === 201
+            ),
+            page.getByRole('button', { name: 'Create' }).click(),
+        ]);
+        // The backend switches the current organization to the new one and the
+        // frontend reloads into its dashboard.
+        await expect(page.getByTestId('dashboard_view')).toBeVisible({ timeout: 10000 });
+    }
+
+    test('can create a new organization and switches to it automatically', async ({ page }) => {
+        const newOrgName = 'CreateOrg' + Math.floor(Math.random() * 100000);
+        await createOrganization(page, newOrgName);
+
+        await expect(page.locator('[data-testid="organization_switcher"]:visible')).toContainText(
+            newOrgName
+        );
+    });
+
+    test('does not create an organization when the name is empty', async ({ page }) => {
+        await page.goto(PLAYWRIGHT_BASE_URL + '/organizations/create');
+
+        // The form posts to the API, which rejects the empty name with a 422.
+        await Promise.all([
+            page.waitForResponse(
+                (response) =>
+                    response.url().includes('/api/v1/organizations') &&
+                    response.request().method() === 'POST' &&
+                    response.status() === 422
+            ),
+            page.getByRole('button', { name: 'Create' }).click(),
+        ]);
+
+        // Validation failed, so we stay on the create form and never reach a
+        // dashboard. Assert on the form rather than the URL.
+        await expect(page.getByText('Organization Details')).toBeVisible();
+        await expect(page.getByRole('alert')).toContainText('The name field is required.');
+        await expect(page.getByLabel('Organization Name')).toHaveAttribute('aria-invalid', 'true');
+        await expect(page.getByTestId('dashboard_view')).toHaveCount(0);
+    });
+
+    test('can delete an organization', async ({ page }) => {
+        // Create a throwaway organization so the primary one is never deleted.
+        const orgName = 'DeleteOrg' + Math.floor(Math.random() * 100000);
+        await createOrganization(page, orgName);
+
+        // Open the (now current) throwaway organization's settings.
+        await goToOrganizationSettings(page);
+
+        // Open the confirmation modal, then confirm inside the dialog.
+        await page.getByRole('button', { name: 'Delete Organization' }).click();
+        await Promise.all([
+            page.waitForResponse(
+                (response) =>
+                    response.url().includes('/api/v1/organizations') &&
+                    response.request().method() === 'DELETE' &&
+                    response.status() === 204
+            ),
+            page.getByRole('dialog').getByRole('button', { name: 'Delete Organization' }).click(),
+        ]);
+
+        // We are redirected to the dashboard of a different organization.
+        await expect(page.getByTestId('dashboard_view')).toBeVisible({ timeout: 10000 });
+        await expect(
+            page.locator('[data-testid="organization_switcher"]:visible')
+        ).not.toContainText(orgName);
+    });
+
+    test('can switch the current organization via the organization switcher', async ({ page }) => {
+        await page.goto(PLAYWRIGHT_BASE_URL + '/dashboard');
+        const orgSwitcher = page.locator('[data-testid="organization_switcher"]:visible');
+        await expect(orgSwitcher).toBeVisible();
+        const previousOrgNameLines = (await orgSwitcher.innerText())
+            .split('\n')
+            .map((line) => line.trim())
+            .filter(Boolean);
+        const previousOrgName = previousOrgNameLines[previousOrgNameLines.length - 1];
+
+        // Ensure there are at least two organizations to switch between.
+        const orgName = 'SwitchOrg' + Math.floor(Math.random() * 100000);
+        await createOrganization(page, orgName);
+
+        await expect(orgSwitcher).toContainText(orgName);
+
+        // Open the switcher and pick a different organization.
+        await orgSwitcher.click();
+        await expect(page.getByText('Switch Organizations')).toBeVisible();
+        const otherOrgButton = page.getByRole('menuitem', { name: previousOrgName });
+        await expect(otherOrgButton).toBeVisible();
+
+        await Promise.all([
+            page.waitForResponse(
+                (response) =>
+                    response.url().includes('/users/me/current-organization') &&
+                    response.request().method() === 'PUT' &&
+                    response.status() === 200
+            ),
+            otherOrgButton.click(),
+        ]);
+
+        await expect(orgSwitcher).not.toContainText(orgName, { timeout: 10000 });
+        await expect(orgSwitcher).toContainText(previousOrgName, { timeout: 10000 });
+    });
+});
+
 // =============================================
 // Admin Permission Tests
 // =============================================
 
 test.describe('Admin Organization Settings Access', () => {
     test('admin can see and edit organization settings', async ({ ctx, admin }) => {
-        await admin.page.goto(PLAYWRIGHT_BASE_URL + '/teams/' + ctx.orgId);
+        await admin.page.goto(PLAYWRIGHT_BASE_URL + '/organizations/' + ctx.orgId);
 
         // Organization Name section is visible
         await expect(
@@ -396,6 +552,9 @@ test.describe('Admin Organization Settings Access', () => {
         // Save buttons should be visible (admin can update)
         await expect(admin.page.getByRole('button', { name: 'Save' }).first()).toBeVisible();
 
+        // The Organization Name input is editable (admin can update)
+        await expect(admin.page.getByLabel('Organization Name')).toBeEnabled();
+
         // Delete organization should NOT be visible (owner only)
         await expect(
             admin.page.getByRole('heading', { name: 'Delete Organization' })
@@ -409,13 +568,17 @@ test.describe('Admin Organization Settings Access', () => {
 
 test.describe('Employee Organization Settings Restrictions', () => {
     test('employee can see org name but not editable settings', async ({ ctx, employee }) => {
-        await employee.page.goto(PLAYWRIGHT_BASE_URL + '/teams/' + ctx.orgId);
+        await employee.page.goto(PLAYWRIGHT_BASE_URL + '/organizations/' + ctx.orgId);
 
         // Organization Name section is visible (but inputs are disabled)
         await expect(
             employee.page.getByRole('heading', { name: 'Organization Name', level: 3 })
         ).toBeVisible({ timeout: 10000 });
 
+        // The name and currency inputs are rendered but disabled (employee cannot update)
+        await expect(employee.page.getByLabel('Organization Name')).toBeDisabled();
+        await expect(employee.page.getByLabel('Currency')).toBeDisabled();
+
         // Editable settings sections should NOT be visible
         await expect(
             employee.page.getByRole('heading', { name: 'Billable Rate', level: 3 })
@@ -429,5 +592,10 @@ test.describe('Employee Organization Settings Restrictions', () => {
 
         // Save button should not be visible (employee cannot update)
         await expect(employee.page.getByRole('button', { name: 'Save' })).not.toBeVisible();
+
+        // Delete organization should NOT be visible (owner only)
+        await expect(
+            employee.page.getByRole('heading', { name: 'Delete Organization' })
+        ).not.toBeVisible();
     });
 });

e2e/two-factor.spec.ts

@@ -0,0 +1,192 @@
+import { test, expect } from '../playwright/fixtures';
+import { PLAYWRIGHT_BASE_URL, TEST_USER_PASSWORD } from '../playwright/config';
+import { generateTotpCode, generateInvalidTotpCode } from './utils/totp';
+import type { Page } from '@playwright/test';
+
+async function goToProfilePage(page: Page) {
+    await page.goto(PLAYWRIGHT_BASE_URL + '/user/profile');
+}
+
+/**
+ * ConfirmsPassword only opens the dialog when the password has not been
+ * confirmed recently, so fill it only when it actually shows up.
+ */
+async function confirmPasswordIfPrompted(page: Page) {
+    const dialog = page.getByRole('dialog');
+    const appeared = await dialog
+        .waitFor({ state: 'visible', timeout: 2500 })
+        .then(() => true)
+        .catch(() => false);
+    if (appeared) {
+        await dialog.getByPlaceholder('Password').fill(TEST_USER_PASSWORD);
+        await dialog.getByRole('button', { name: 'Confirm' }).click();
+        await expect(dialog).not.toBeVisible();
+    }
+}
+
+/**
+ * Enables 2FA from the profile page and returns the TOTP secret (setup key)
+ * and the recovery codes fetched right after enabling.
+ */
+async function enableTwoFactor(page: Page): Promise<{ secret: string; recoveryCodes: string[] }> {
+    await goToProfilePage(page);
+    await page
+        .getByText('You have not enabled two factor authentication.')
+        .locator('..')
+        .getByRole('button', { name: 'Enable' })
+        .click();
+
+    const dialog = page.getByRole('dialog');
+    await expect(dialog).toBeVisible();
+
+    const recoveryCodesResponse = page.waitForResponse(
+        (response) =>
+            response.url().includes('/user/two-factor-recovery-codes') &&
+            response.request().method() === 'GET'
+    );
+    await dialog.getByPlaceholder('Password').fill(TEST_USER_PASSWORD);
+    await dialog.getByRole('button', { name: 'Confirm' }).click();
+
+    await expect(page.getByRole('heading', { name: 'Finish enabling two factor' })).toBeVisible();
+    const recoveryCodes: string[] = await (await recoveryCodesResponse).json();
+
+    const setupKeyText = await page.getByText('Setup Key:').textContent();
+    const secret = setupKeyText!.replace('Setup Key:', '').trim();
+    expect(secret.length).toBeGreaterThan(0);
+
+    return { secret, recoveryCodes };
+}
+
+/**
+ * Confirms a freshly enabled 2FA setup with a valid TOTP code.
+ */
+async function confirmTwoFactor(page: Page, secret: string) {
+    await page.getByLabel('Code').fill(generateTotpCode(secret));
+    await page.getByRole('button', { name: 'Confirm', exact: true }).click();
+    await confirmPasswordIfPrompted(page);
+    await expect(page.getByText('You have enabled two factor authentication.')).toBeVisible();
+}
+
+async function logout(page: Page) {
+    await page.getByTestId('current_user_button').click();
+    await page.getByText('Log Out', { exact: true }).click();
+    await page.waitForURL(PLAYWRIGHT_BASE_URL + '/login');
+}
+
+/**
+ * Reads the email of the current user from the profile form, waiting until
+ * the user query has populated it.
+ */
+async function getProfileEmail(page: Page): Promise<string> {
+    await goToProfilePage(page);
+    const emailInput = page.getByLabel('Email', { exact: true });
+    await expect(emailInput).toHaveValue(/@/);
+    return await emailInput.inputValue();
+}
+
+async function loginUntilTwoFactorChallenge(page: Page, email: string) {
+    await page.goto(PLAYWRIGHT_BASE_URL + '/login');
+    await page.getByLabel('Email').fill(email);
+    await page.getByLabel('Password').fill(TEST_USER_PASSWORD);
+    await page.getByRole('button', { name: 'Log in' }).click();
+    await page.waitForURL(PLAYWRIGHT_BASE_URL + '/two-factor-challenge');
+}
+
+test('test that 2FA can be confirmed with a TOTP code and shows recovery codes', async ({
+    page,
+}) => {
+    const { secret, recoveryCodes } = await enableTwoFactor(page);
+    await confirmTwoFactor(page, secret);
+
+    await expect(page.getByText('Store these recovery codes')).toBeVisible();
+    expect(recoveryCodes.length).toBeGreaterThan(0);
+    for (const code of recoveryCodes) {
+        await expect(page.getByText(code)).toBeVisible();
+    }
+
+    // The confirmed state survives a reload
+    await page.reload();
+    await expect(page.getByText('You have enabled two factor authentication.')).toBeVisible();
+});
+
+test('test that 2FA confirmation fails with an invalid TOTP code', async ({ page }) => {
+    const { secret } = await enableTwoFactor(page);
+
+    await page.getByLabel('Code').fill(generateInvalidTotpCode(secret));
+    await page.getByRole('button', { name: 'Confirm', exact: true }).click();
+    await confirmPasswordIfPrompted(page);
+
+    await expect(page.getByRole('alert')).toContainText(
+        'The provided two factor authentication code was invalid.'
+    );
+    await expect(page.getByRole('heading', { name: 'Finish enabling two factor' })).toBeVisible();
+});
+
+test('test that recovery codes can be regenerated', async ({ page }) => {
+    const { secret, recoveryCodes } = await enableTwoFactor(page);
+    await confirmTwoFactor(page, secret);
+
+    const newCodesResponse = page.waitForResponse(
+        (response) =>
+            response.url().includes('/user/two-factor-recovery-codes') &&
+            response.request().method() === 'GET'
+    );
+    await page.getByRole('button', { name: 'Regenerate Recovery Codes' }).click();
+    await confirmPasswordIfPrompted(page);
+    const newCodes: string[] = await (await newCodesResponse).json();
+
+    expect(newCodes).not.toEqual(recoveryCodes);
+    await expect(page.getByText(newCodes[0])).toBeVisible();
+    await expect(page.getByText(recoveryCodes[0])).not.toBeVisible();
+});
+
+test('test that 2FA can be disabled', async ({ page }) => {
+    const { secret } = await enableTwoFactor(page);
+    await confirmTwoFactor(page, secret);
+
+    await page.getByRole('button', { name: 'Disable' }).click();
+    await confirmPasswordIfPrompted(page);
+    await expect(page.getByText('You have not enabled two factor authentication.')).toBeVisible();
+
+    // The disabled state survives a reload
+    await page.reload();
+    await expect(page.getByText('You have not enabled two factor authentication.')).toBeVisible();
+});
+
+test('test that login challenges for a TOTP code and rejects an invalid code', async ({ page }) => {
+    const email = await getProfileEmail(page);
+
+    const { secret } = await enableTwoFactor(page);
+    await confirmTwoFactor(page, secret);
+    await logout(page);
+
+    await loginUntilTwoFactorChallenge(page, email);
+
+    await page.getByLabel('Code').fill(generateInvalidTotpCode(secret));
+    await page.getByRole('button', { name: 'Log in' }).click();
+    await expect(page.getByRole('alert')).toContainText(
+        'The provided two factor authentication code was invalid.'
+    );
+
+    // Fortify rejects replayed codes, and the current window's code was
+    // already consumed when confirming the setup — use the next window's
+    // code, which the +/- 1 step verification window also accepts.
+    await page.getByLabel('Code').fill(generateTotpCode(secret, Date.now() + 30_000));
+    await page.getByRole('button', { name: 'Log in' }).click();
+    await expect(page.getByTestId('dashboard_view')).toBeVisible();
+});
+
+test('test that login works with a recovery code', async ({ page }) => {
+    const email = await getProfileEmail(page);
+
+    const { secret, recoveryCodes } = await enableTwoFactor(page);
+    await confirmTwoFactor(page, secret);
+    await logout(page);
+
+    await loginUntilTwoFactorChallenge(page, email);
+
+    await page.getByRole('button', { name: 'Use a recovery code' }).click();
+    await page.getByLabel('Recovery Code').fill(recoveryCodes[0]);
+    await page.getByRole('button', { name: 'Log in' }).click();
+    await expect(page.getByTestId('dashboard_view')).toBeVisible();
+});

e2e/utils/api.ts

@@ -641,10 +641,13 @@ export async function updateOrganizationCurrencyViaWeb(
     const xsrfCookie = cookies.find((c) => c.name === 'XSRF-TOKEN');
     const xsrfToken = xsrfCookie ? decodeURIComponent(xsrfCookie.value) : '';
 
-    const response = await page.request.put(`${PLAYWRIGHT_BASE_URL}/teams/${ctx.orgId}`, {
-        headers: { 'X-XSRF-TOKEN': xsrfToken },
-        data: { name, currency },
-    });
+    const response = await page.request.put(
+        `${PLAYWRIGHT_BASE_URL}/api/v1/organizations/${ctx.orgId}`,
+        {
+            headers: { 'X-XSRF-TOKEN': xsrfToken },
+            data: { name, currency },
+        }
+    );
     expect(response.status()).toBe(200);
 }
 
@@ -801,53 +804,23 @@ export async function getCurrentUserViaApi(ctx: TestContext) {
     };
 }
 
-export async function updateUserProfileViaWeb(
-    page: Page,
+export async function updateUserProfileViaApi(
+    ctx: TestContext,
     settings: { timezone?: string; week_start?: string }
 ) {
-    // Read user info from Inertia's data-page attribute on the root element
-    const userInfo = await page.evaluate(() => {
-        // Try Inertia's data-page attribute (stores initial page props as JSON)
-        const appEl = document.getElementById('app');
-        if (appEl) {
-            const dataPage = appEl.getAttribute('data-page');
-            if (dataPage) {
-                try {
-                    const parsed = JSON.parse(dataPage);
-                    const user = parsed?.props?.auth?.user;
-                    if (user) {
-                        return {
-                            name: user.name,
-                            email: user.email,
-                            timezone: user.timezone,
-                            week_start: user.week_start,
-                        };
-                    }
-                } catch {
-                    // JSON parse failed
-                }
-            }
-        }
-        return null;
-    });
-    if (!userInfo) throw new Error('Could not read user info from Inertia data-page attribute');
+    const user = await getCurrentUserViaApi(ctx);
 
-    const cookies = await page.context().cookies();
-    const xsrfCookie = cookies.find((c) => c.name === 'XSRF-TOKEN');
-    const xsrfToken = xsrfCookie ? decodeURIComponent(xsrfCookie.value) : '';
+    // Only send the fields under test; the endpoint leaves omitted fields untouched.
+    const data: Record<string, string> = {};
+    if (settings.timezone !== undefined) {
+        data.timezone = settings.timezone;
+    }
+    if (settings.week_start !== undefined) {
+        data.week_start = settings.week_start;
+    }
 
-    const response = await page.request.put(`${PLAYWRIGHT_BASE_URL}/user/profile-information`, {
-        headers: {
-            'X-XSRF-TOKEN': xsrfToken,
-            'Content-Type': 'application/json',
-            Accept: 'application/json',
-        },
-        data: {
-            name: userInfo.name,
-            email: userInfo.email,
-            timezone: settings.timezone ?? userInfo.timezone,
-            week_start: settings.week_start ?? userInfo.week_start,
-        },
+    const response = await ctx.request.put(`${PLAYWRIGHT_BASE_URL}/api/v1/users/${user.id}`, {
+        data,
     });
     expect(response.status()).toBe(200);
 }

e2e/utils/totp.ts

@@ -0,0 +1,58 @@
+import { createHmac } from 'node:crypto';
+
+const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+
+function base32Decode(input: string): Buffer {
+    const normalized = input
+        .toUpperCase()
+        .replace(/=+$/, '')
+        .replace(/[^A-Z2-7]/g, '');
+    let bits = 0;
+    let value = 0;
+    const bytes: number[] = [];
+    for (const char of normalized) {
+        value = (value << 5) | BASE32_ALPHABET.indexOf(char);
+        bits += 5;
+        if (bits >= 8) {
+            bytes.push((value >>> (bits - 8)) & 0xff);
+            bits -= 8;
+        }
+    }
+    return Buffer.from(bytes);
+}
+
+/**
+ * Generates a 6-digit TOTP code (RFC 6238, SHA-1, 30 second period) for the
+ * given base32 secret — the "Setup Key" shown while enabling 2FA.
+ */
+export function generateTotpCode(base32Secret: string, atMs: number = Date.now()): string {
+    const counter = Math.floor(atMs / 1000 / 30);
+    const counterBuffer = Buffer.alloc(8);
+    counterBuffer.writeBigUInt64BE(BigInt(counter));
+    const digest = createHmac('sha1', base32Decode(base32Secret)).update(counterBuffer).digest();
+    const offset = digest[digest.length - 1] & 0x0f;
+    const code =
+        ((digest[offset] & 0x7f) << 24) |
+        ((digest[offset + 1] & 0xff) << 16) |
+        ((digest[offset + 2] & 0xff) << 8) |
+        (digest[offset + 3] & 0xff);
+    return (code % 1_000_000).toString().padStart(6, '0');
+}
+
+/**
+ * Generates a syntactically valid TOTP code that is guaranteed to be rejected,
+ * by using a timestamp far outside the accepted verification window.
+ */
+export function generateInvalidTotpCode(base32Secret: string): string {
+    const validNow = [
+        generateTotpCode(base32Secret, Date.now() - 30_000),
+        generateTotpCode(base32Secret),
+        generateTotpCode(base32Secret, Date.now() + 30_000),
+    ];
+    for (let minutes = 10; ; minutes++) {
+        const candidate = generateTotpCode(base32Secret, Date.now() + minutes * 60_000);
+        if (!validNow.includes(candidate)) {
+            return candidate;
+        }
+    }
+}

resources/js/Components/OrganizationSwitcher.vue

@@ -61,7 +61,7 @@ const switchToTeam = (organization: Organization) => {
 
                 <DropdownMenuItem as-child>
                     <Link
-                        :href="route('teams.show', page.props.auth.user.current_team.id)"
+                        :href="route('organizations.show', page.props.auth.user.current_team.id)"
                         class="inline-flex items-center gap-2.5 w-full">
                         <Cog6ToothIcon class="w-5 h-5 text-icon-default" />
                         <span>Organization Settings</span>
@@ -74,7 +74,7 @@ const switchToTeam = (organization: Organization) => {
 
                 <DropdownMenuItem as-child>
                     <Link
-                        :href="route('teams.create')"
+                        :href="route('organizations.create')"
                         class="inline-flex items-center gap-2.5 w-full">
                         <PlusCircleIcon class="w-5 h-5 text-icon-default" />
                         <span>Create new organization</span>

resources/js/Layouts/AppLayout.vue

@@ -280,10 +280,15 @@ const page = usePage<{
                                 v-if="canUpdateOrganization()"
                                 title="Settings"
                                 :icon="Cog6ToothIcon"
-                                :href="route('teams.show', page.props.auth.user.current_team.id)"
+                                :href="
+                                    route(
+                                        'organizations.show',
+                                        page.props.auth.user.current_team.id
+                                    )
+                                "
                                 :current="
                                     route().current(
-                                        'teams.show',
+                                        'organizations.show',
                                         page.props.auth.user.current_team.id
                                     )
                                 "></NavigationSidebarItem>

resources/js/Pages/Profile/Partials/UpdateProfileInformationForm.vue

@@ -1,7 +1,6 @@
 <script setup lang="ts">
 import { computed, onBeforeUnmount, ref, watch } from 'vue';
 import { usePage } from '@inertiajs/vue3';
-import axios from 'axios';
 import ActionMessage from '@/Components/ActionMessage.vue';
 import FormSection from '@/Components/FormSection.vue';
 import { Field, FieldError, FieldLabel } from '@/packages/ui/src/field';
@@ -16,6 +15,7 @@ import {
     useUserQuery,
 } from '@/utils/useUserQuery';
 import type { UpdateUserBody, User } from '@/packages/api/src';
+import { getApiValidationFieldErrors } from '@/utils/apiValidation';
 
 const { user } = useUserQuery();
 const updateUser = useUpdateUserMutation();
@@ -58,17 +58,9 @@ const hasUploadedPhoto = computed(() => {
     return !!url && !url.includes('ui-avatars.com');
 });
 
-const fieldErrors = computed<Record<string, string>>(() => {
-    const err = updateUser.error.value;
-    if (!axios.isAxiosError(err) || err.response?.status !== 422) return {};
-    const raw = err.response.data?.errors as Record<string, string[]> | undefined;
-    if (!raw) return {};
-    const flat: Record<string, string> = {};
-    for (const [key, messages] of Object.entries(raw)) {
-        if (Array.isArray(messages) && messages[0]) flat[key] = messages[0];
-    }
-    return flat;
-});
+const fieldErrors = computed<Record<string, string>>(() =>
+    getApiValidationFieldErrors(updateUser.error.value)
+);
 
 function buildPayload(): UpdateUserBody {
     if (!user.value) return {};

resources/js/Pages/Teams/Partials/CreateTeamForm.vue

@@ -1,25 +1,68 @@
 <script setup lang="ts">
-import { useForm, usePage } from '@inertiajs/vue3';
+import { computed, ref, watch } from 'vue';
+import axios from 'axios';
+import { router, usePage } from '@inertiajs/vue3';
 import FormSection from '@/Components/FormSection.vue';
-import { Field, FieldLabel, FieldError } from '@/packages/ui/src/field';
+import { Field, FieldError, FieldLabel } from '@/packages/ui/src/field';
 import PrimaryButton from '@/packages/ui/src/Buttons/PrimaryButton.vue';
 import TextInput from '@/packages/ui/src/Input/TextInput.vue';
 import type { User } from '@/types/models';
-import { initializeStores } from '@/utils/init';
+import { useOrganizationStore } from '@/utils/useOrganization';
+import { useNotificationsStore } from '@/utils/notification';
+import {
+    getApiValidationFieldErrors,
+    getApiValidationMessage,
+    isApiValidationError,
+} from '@/utils/apiValidation';
 
-const form = useForm({
-    name: '',
+const name = ref('');
+const processing = ref(false);
+const createError = ref<unknown>(null);
+const organizationStore = useOrganizationStore();
+const notifications = useNotificationsStore();
+
+const fieldErrors = computed<Record<string, string>>(() =>
+    getApiValidationFieldErrors(createError.value)
+);
+
+watch(name, () => {
+    createError.value = null;
 });
 
-const createTeam = () => {
-    form.post(route('teams.store'), {
-        errorBag: 'createTeam',
-        preserveScroll: true,
-        onSuccess: () => {
-            initializeStores();
-        },
-    });
+const createTeam = async () => {
+    processing.value = true;
+    createError.value = null;
+    try {
+        const organization = await organizationStore.createOrganization(name.value);
+        if (organization) {
+            notifications.addNotification('success', 'Organization created successfully');
+            // The backend already switched the current organization to the new one.
+            // Flush Inertia's prefetch cache and do a full reload so the new
+            // organization context is picked up everywhere.
+            router.flushAll();
+            router.visit(route('dashboard'));
+        }
+    } catch (error) {
+        createError.value = error;
+        if (isApiValidationError(error)) {
+            notifications.addNotification(
+                'error',
+                getApiValidationMessage(error, 'Failed to create organization')
+            );
+        } else if (axios.isAxiosError(error)) {
+            notifications.addNotification(
+                'error',
+                'Failed to create organization',
+                error.response?.data?.message ?? 'Please try again later.'
+            );
+        } else {
+            notifications.addNotification('error', 'Failed to create organization');
+        }
+    } finally {
+        processing.value = false;
+    }
 };
+
 const page = usePage<{
     auth: {
         user: User;
@@ -60,16 +103,17 @@ const page = usePage<{
                 <FieldLabel for="name">Organization Name</FieldLabel>
                 <TextInput
                     id="name"
-                    v-model="form.name"
+                    v-model="name"
                     type="text"
                     class="block w-full"
-                    autofocus />
-                <FieldError v-if="form.errors.name">{{ form.errors.name }}</FieldError>
+                    autofocus
+                    :aria-invalid="Boolean(fieldErrors.name)" />
+                <FieldError v-if="fieldErrors.name">{{ fieldErrors.name }}</FieldError>
             </Field>
         </template>
 
         <template #actions>
-            <PrimaryButton :class="{ 'opacity-25': form.processing }" :disabled="form.processing">
+            <PrimaryButton :class="{ 'opacity-25': processing }" :disabled="processing">
                 Create
             </PrimaryButton>
         </template>

resources/js/Pages/Teams/Partials/DeleteTeamForm.vue

@@ -1,26 +1,36 @@
 <script setup lang="ts">
 import { ref } from 'vue';
-import { useForm } from '@inertiajs/vue3';
+import { router } from '@inertiajs/vue3';
 import ActionSection from '@/Components/ActionSection.vue';
 import ConfirmationModal from '@/Components/ConfirmationModal.vue';
 import DangerButton from '@/packages/ui/src/Buttons/DangerButton.vue';
 import SecondaryButton from '@/packages/ui/src/Buttons/SecondaryButton.vue';
+import { useOrganizationStore } from '@/utils/useOrganization';
 
-const props = defineProps({
-    team: Object,
-});
+const props = defineProps<{
+    team: { id: string };
+}>();
 
 const confirmingTeamDeletion = ref(false);
-const form = useForm({});
+const processing = ref(false);
+const organizationStore = useOrganizationStore();
 
 const confirmTeamDeletion = () => {
     confirmingTeamDeletion.value = true;
 };
 
-const deleteTeam = () => {
-    form.delete(route('teams.destroy', props.team), {
-        errorBag: 'deleteTeam',
-    });
+const deleteTeam = async () => {
+    processing.value = true;
+    try {
+        await organizationStore.deleteOrganization(props.team.id);
+        // The backend reassigns the user's current organization after deletion,
+        // so flush the prefetch cache and reload into the dashboard.
+        router.flushAll();
+        router.visit(route('dashboard'));
+    } catch {
+        // Request errors are surfaced as notifications by the store.
+        processing.value = false;
+    }
 };
 </script>
 
@@ -59,8 +69,8 @@ const deleteTeam = () => {
 
                     <DangerButton
                         class="ms-3"
-                        :class="{ 'opacity-25': form.processing }"
-                        :disabled="form.processing"
+                        :class="{ 'opacity-25': processing }"
+                        :disabled="processing"
                         @click="deleteTeam">
                         Delete Organization
                     </DangerButton>

resources/js/Pages/Teams/Partials/UpdateTeamNameForm.vue

@@ -1,5 +1,7 @@
 <script setup lang="ts">
-import { Link, useForm } from '@inertiajs/vue3';
+import { Link, router } from '@inertiajs/vue3';
+import { reactive, ref } from 'vue';
+import axios from 'axios';
 import ActionMessage from '@/Components/ActionMessage.vue';
 import FormSection from '@/Components/FormSection.vue';
 import { Field, FieldLabel, FieldError } from '@/packages/ui/src/field';
@@ -10,22 +12,66 @@ import type { Permissions } from '@/types/jetstream';
 import { CreditCardIcon } from '@heroicons/vue/20/solid';
 import { isBillingActivated } from '@/utils/billing';
 import { canManageBilling } from '@/utils/permissions';
+import { api } from '@/packages/api/src';
+import { useNotificationsStore } from '@/utils/notification';
+import { getApiValidationFieldErrors, isApiValidationError } from '@/utils/apiValidation';
 
 const props = defineProps<{
     team: Organization;
     permissions: Permissions;
 }>();
 
-const form = useForm({
+const form = reactive({
     name: props.team.name,
     currency: props.team.currency,
 });
 
-const updateTeamName = () => {
-    form.put(route('teams.update', props.team.id), {
-        errorBag: 'updateTeamName',
-        preserveScroll: true,
-    });
+const errors = ref<Record<string, string>>({});
+const processing = ref(false);
+const recentlySuccessful = ref(false);
+const notifications = useNotificationsStore();
+let recentlySuccessfulTimeout: ReturnType<typeof setTimeout> | undefined;
+
+const updateTeamName = async () => {
+    processing.value = true;
+    recentlySuccessful.value = false;
+    errors.value = {};
+    try {
+        await api.updateOrganization(
+            {
+                name: form.name,
+                currency: form.currency,
+            },
+            {
+                params: {
+                    organization: props.team.id,
+                },
+            }
+        );
+        notifications.addNotification('success', 'Organization updated successfully');
+        recentlySuccessful.value = true;
+        if (recentlySuccessfulTimeout) {
+            clearTimeout(recentlySuccessfulTimeout);
+        }
+        recentlySuccessfulTimeout = setTimeout(() => {
+            recentlySuccessful.value = false;
+        }, 2000);
+        router.reload({ only: ['auth', 'team'] });
+    } catch (error) {
+        if (isApiValidationError(error)) {
+            errors.value = getApiValidationFieldErrors(error);
+        } else if (axios.isAxiosError(error)) {
+            notifications.addNotification(
+                'error',
+                'Failed to update organization',
+                error.response?.data?.message ?? 'Please try again later.'
+            );
+        } else {
+            notifications.addNotification('error', 'Failed to update organization');
+        }
+    } finally {
+        processing.value = false;
+    }
 };
 </script>
 
@@ -74,7 +120,7 @@ const updateTeamName = () => {
                     class="block w-full"
                     :disabled="!permissions.canUpdateTeam" />
 
-                <FieldError v-if="form.errors.name">{{ form.errors.name }}</FieldError>
+                <FieldError v-if="errors.name">{{ errors.name }}</FieldError>
             </Field>
 
             <!-- Currency -->
@@ -94,14 +140,14 @@ const updateTeamName = () => {
                         {{ currencyKey }} - {{ currencyTranslated }}
                     </option>
                 </select>
-                <FieldError v-if="form.errors.currency">{{ form.errors.currency }}</FieldError>
+                <FieldError v-if="errors.currency">{{ errors.currency }}</FieldError>
             </Field>
         </template>
 
         <template v-if="permissions.canUpdateTeam" #actions>
-            <ActionMessage :on="form.recentlySuccessful" class="me-3"> Saved. </ActionMessage>
+            <ActionMessage :on="recentlySuccessful" class="me-3"> Saved. </ActionMessage>
 
-            <PrimaryButton :class="{ 'opacity-25': form.processing }" :disabled="form.processing">
+            <PrimaryButton :class="{ 'opacity-25': processing }" :disabled="processing">
                 Save
             </PrimaryButton>
         </template>

resources/js/Pages/Teams/Show.vue

@@ -4,7 +4,7 @@ import DeleteTeamForm from '@/Pages/Teams/Partials/DeleteTeamForm.vue';
 import SectionBorder from '@/Components/SectionBorder.vue';
 import UpdateTeamNameForm from '@/Pages/Teams/Partials/UpdateTeamNameForm.vue';
 import type { Organization } from '@/types/models';
-import type { Permissions, Role } from '@/types/jetstream';
+import type { Permissions } from '@/types/jetstream';
 import OrganizationBillableRate from '@/Pages/Teams/Partials/OrganizationBillableRate.vue';
 import OrganizationFormatSettings from '@/Pages/Teams/Partials/OrganizationFormatSettings.vue';
 import OrganizationTimeEntrySettings from '@/Pages/Teams/Partials/OrganizationTimeEntrySettings.vue';
@@ -14,7 +14,6 @@ import { storeToRefs } from 'pinia';
 
 defineProps<{
     team: Organization;
-    availableRoles: Role[];
     permissions: Permissions;
 }>();
 
@@ -54,7 +53,7 @@ onMounted(async () => {
                     <OrganizationTimeEntrySettings v-if="permissions.canUpdateTeam" />
                     <SectionBorder />
 
-                    <template v-if="permissions.canDeleteTeam && !team.personal_team">
+                    <template v-if="permissions.canDeleteTeam">
                         <DeleteTeamForm class="mt-10 sm:mt-0" :team="team" />
                     </template>
                 </template>

resources/js/packages/api/src/openapi.json.client.ts

@@ -330,6 +330,7 @@ const OrganizationResource = z
 const OrganizationUpdateRequest = z
     .object({
         name: z.string().max(255),
+        currency: z.string(),
         billable_rate: z.union([z.number(), z.null()]),
         employees_can_see_billable_rates: z.boolean(),
         employees_can_manage_tasks: z.boolean(),
@@ -803,6 +804,39 @@ const endpoints = makeApi([
             z.object({ code: z.string(), name: z.string(), symbol: z.string() }).passthrough()
         ),
     },
+    {
+        method: 'post',
+        path: '/v1/organizations',
+        alias: 'createOrganization',
+        requestFormat: 'json',
+        parameters: [
+            {
+                name: 'body',
+                type: 'Body',
+                schema: z.object({ name: z.string().max(255) }).passthrough(),
+            },
+        ],
+        response: z.object({ data: OrganizationResource }).passthrough(),
+        errors: [
+            {
+                status: 401,
+                description: `Unauthenticated`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 403,
+                description: `Authorization error`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 422,
+                description: `Validation error`,
+                schema: z
+                    .object({ message: z.string(), errors: z.record(z.array(z.string())) })
+                    .passthrough(),
+            },
+        ],
+    },
     {
         method: 'get',
         path: '/v1/organizations/:organization',
@@ -877,6 +911,37 @@ const endpoints = makeApi([
             },
         ],
     },
+    {
+        method: 'delete',
+        path: '/v1/organizations/:organization',
+        alias: 'deleteOrganization',
+        requestFormat: 'json',
+        parameters: [
+            {
+                name: 'organization',
+                type: 'Path',
+                schema: z.string(),
+            },
+        ],
+        response: z.void(),
+        errors: [
+            {
+                status: 401,
+                description: `Unauthenticated`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 403,
+                description: `Authorization error`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 404,
+                description: `Not found`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+        ],
+    },
     {
         method: 'get',
         path: '/v1/organizations/:organization/charts/daily-tracked-hours',
@@ -4447,6 +4512,42 @@ The report is considered public if the `is_public` field is set to &#x
             },
         ],
     },
+    {
+        method: 'put',
+        path: '/v1/users/me/current-organization',
+        alias: 'updateMyCurrentOrganization',
+        description: `Switches the organization that the user is currently working in. The user
+must be a member of the given organization. This endpoint is independent of
+the organization.`,
+        requestFormat: 'json',
+        parameters: [
+            {
+                name: 'body',
+                type: 'Body',
+                schema: z.object({ organization_id: z.string().uuid() }).passthrough(),
+            },
+        ],
+        response: z.object({ data: UserResource }).passthrough(),
+        errors: [
+            {
+                status: 401,
+                description: `Unauthenticated`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 403,
+                description: `Authorization error`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 422,
+                description: `Validation error`,
+                schema: z
+                    .object({ message: z.string(), errors: z.record(z.array(z.string())) })
+                    .passthrough(),
+            },
+        ],
+    },
     {
         method: 'put',
         path: '/v1/users/:user',

resources/js/types/jetstream.ts

@@ -1,11 +1,8 @@
 import type { User } from '@/types/models';
 
 export interface Permissions {
-    canAddTeamMembers: boolean;
     canDeleteTeam: boolean;
-    canRemoveTeamMembers: boolean;
     canUpdateTeam: boolean;
-    canUpdateTeamMembers: boolean;
 }
 
 export interface Session {

resources/js/utils/apiValidation.ts

@@ -0,0 +1,31 @@
+import axios, { type AxiosError } from 'axios';
+
+type ApiValidationResponse = {
+    message?: string;
+    errors?: Record<string, string[]>;
+};
+
+export function isApiValidationError(error: unknown): error is AxiosError<ApiValidationResponse> {
+    return axios.isAxiosError<ApiValidationResponse>(error) && error.response?.status === 422;
+}
+
+export function getApiValidationFieldErrors(error: unknown): Record<string, string> {
+    if (!isApiValidationError(error)) {
+        return {};
+    }
+
+    const fieldErrors: Record<string, string> = {};
+    for (const [field, messages] of Object.entries(error.response?.data?.errors ?? {})) {
+        if (Array.isArray(messages) && messages[0]) {
+            fieldErrors[field] = messages[0];
+        }
+    }
+    return fieldErrors;
+}
+
+export function getApiValidationMessage(error: unknown, fallback: string): string {
+    if (!isApiValidationError(error)) {
+        return fallback;
+    }
+    return error.response?.data?.message ?? fallback;
+}

resources/js/utils/commandPaletteCommands.ts

@@ -210,7 +210,7 @@ export function createNavigationCommands(
             icon: Cog6ToothIcon,
             keywords: ['settings', 'organization', 'configuration'],
             group: 'navigation',
-            action: () => navigate('teams.show', { team: currentTeamId() }),
+            action: () => navigate('organizations.show', { organizationId: currentTeamId() }),
             permission: permissions.canUpdateOrganization,
             priority: GROUP_PRIORITIES.navigation - 3,
         },

resources/js/utils/useOrganization.ts

@@ -11,23 +11,29 @@ import { useNotificationsStore } from '@/utils/notification';
 import { getCurrentOrganizationId } from '@/utils/useUser';
 import { api } from '@/packages/api/src';
 
-export function switchOrganization(organizationId: string) {
-    // Clear Inertia's prefetch cache to prevent stale pages from the old
-    // organization being served when navigating after the switch.
-    router.flushAll();
+export async function switchOrganization(organizationId: string) {
+    const { handleApiRequestNotifications } = useNotificationsStore();
+    try {
+        await handleApiRequestNotifications(
+            () => api.updateMyCurrentOrganization({ organization_id: organizationId }),
+            undefined,
+            'Failed to switch organization'
+        );
+    } catch {
+        // The error notification is surfaced by the request handler.
+        return;
+    }
 
-    router.put(
-        route('current-team.update'),
-        {
-            team_id: organizationId,
+    // The current organization changed server-side. Clear Inertia's prefetch
+    // cache and reload into the dashboard so the new organization context
+    // (auth.user.current_team) is picked up everywhere.
+    router.flushAll();
+    router.visit(route('dashboard'), {
+        preserveState: false,
+        onSuccess: () => {
+            initializeStores();
         },
-        {
-            preserveState: false,
-            onSuccess: () => {
-                initializeStores();
-            },
-        }
-    );
+    });
 }
 
 export const useOrganizationStore = defineStore('organization', () => {
@@ -67,9 +73,33 @@ export const useOrganizationStore = defineStore('organization', () => {
         }
     }
 
+    async function createOrganization(name: string): Promise<Organization | null> {
+        const response = await api.createOrganization({ name });
+        return response?.data ?? null;
+    }
+
+    async function deleteOrganization(organizationId: string) {
+        await handleApiRequestNotifications(
+            () =>
+                api.deleteOrganization(undefined, {
+                    params: {
+                        organization: organizationId,
+                    },
+                }),
+            'Organization deleted successfully',
+            'Failed to delete organization'
+        );
+    }
+
     const organization = computed<Organization | null>(() => {
         return organizationResponse.value?.data || null;
     });
 
-    return { organization, fetchOrganization, updateOrganization };
+    return {
+        organization,
+        fetchOrganization,
+        updateOrganization,
+        createOrganization,
+        deleteOrganization,
+    };
 });

resources/js/ziggy.d.ts

@@ -114,6 +114,13 @@ declare module 'ziggy-js' {
         'other-browser-sessions.destroy': [];
         'current-user-photo.destroy': [];
         'current-user.destroy': [];
+        'organizations.create': [];
+        'organizations.show': [
+            {
+                'name': 'organizationId';
+                'required': true;
+            },
+        ];
         'teams.create': [];
         'teams.store': [];
         'teams.show': [

resources/js/ziggy.js

@@ -197,6 +197,12 @@ const Ziggy = {
             'methods': ['DELETE'],
         },
         'current-user.destroy': { 'uri': 'user', 'methods': ['DELETE'] },
+        'organizations.create': { 'uri': 'organizations/create', 'methods': ['GET', 'HEAD'] },
+        'organizations.show': {
+            'uri': 'organizations/{organizationId}',
+            'methods': ['GET', 'HEAD'],
+            'parameters': ['organizationId'],
+        },
         'teams.create': { 'uri': 'teams/create', 'methods': ['GET', 'HEAD'] },
         'teams.store': { 'uri': 'teams', 'methods': ['POST'] },
         'teams.show': {

routes/web.php

@@ -2,13 +2,14 @@
 
 declare(strict_types=1);
 
-use App\Enums\Role;
 use App\Http\Controllers\Web\DashboardController;
 use App\Http\Controllers\Web\HomeController;
 use App\Http\Controllers\Web\OrganizationController;
 use App\Http\Controllers\Web\OrganizationInvitationController;
+use App\Http\Controllers\Web\OtherBrowserSessionsController;
 use App\Http\Controllers\Web\UserController;
 use App\Http\Controllers\Web\UserProfileController;
+use App\Service\PermissionStore;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Support\Facades\Route;
 use Inertia\Inertia;
@@ -74,7 +75,14 @@ Route::middleware([
 
     Route::get('/members', function () {
         return Inertia::render('Members', [
-            'availableRoles' => Role::values(),
+            'availableRoles' => collect(PermissionStore::roleDefinitions())
+                ->map(fn (array $definition, string $key): array => [
+                    'key' => $key,
+                    'name' => $definition['name'],
+                    'description' => $definition['description'],
+                ])
+                ->values()
+                ->all(),
         ]);
     })->name('members');
 
@@ -95,6 +103,8 @@ Route::middleware([
         return to_route('organizations.show', [$organizationId]);
     })->name('teams.show');
     Route::get('/user/profile', [UserProfileController::class, 'show'])->name('profile.show');
+    Route::delete('/user/other-browser-sessions', [OtherBrowserSessionsController::class, 'destroy'])
+        ->name('other-browser-sessions.destroy');
 });
 
 Route::get('/team-invitations/{invitation}', [OrganizationInvitationController::class, 'accept'])

tests/Feature/BrowserSessionsTest.php

@@ -1,25 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace Tests\Feature;
-
-use App\Models\User;
-use Illuminate\Foundation\Testing\RefreshDatabase;
-use Tests\TestCase;
-
-class BrowserSessionsTest extends TestCase
-{
-    use RefreshDatabase;
-
-    public function test_other_browser_sessions_can_be_logged_out(): void
-    {
-        $this->actingAs($user = User::factory()->create());
-
-        $response = $this->delete('/user/other-browser-sessions', [
-            'password' => 'password',
-        ]);
-
-        $response->assertSessionHasNoErrors();
-    }
-}

tests/Feature/ProfileInformationTest.php

@@ -5,12 +5,9 @@ declare(strict_types=1);
 namespace Tests\Feature;
 
 use App\Enums\Weekday;
-use App\Mail\VerifyUpdatedEmailMail;
 use App\Models\User;
 use App\Service\TimezoneService;
 use Illuminate\Foundation\Testing\RefreshDatabase;
-use Illuminate\Support\Facades\Mail;
-use Illuminate\Support\Facades\URL;
 use Tests\TestCase;
 
 class ProfileInformationTest extends TestCase
@@ -39,66 +36,4 @@ class ProfileInformationTest extends TestCase
         $user = $user->fresh();
         $this->assertEquals($user->name, $user->name);
     }
-
-    public function test_pending_email_verification_redirects_with_danger_banner_when_email_already_in_use(): void
-    {
-        // Arrange
-        User::factory()->create([
-            'email' => 'taken@example.com',
-            'is_placeholder' => false,
-        ]);
-        $user = User::factory()->create([
-            'email' => 'current@example.com',
-            'pending_email' => 'taken@example.com',
-        ]);
-        $this->actingAs($user);
-        $verificationUrl = URL::temporarySignedRoute(
-            'users.verify-email-change',
-            now()->addMinutes(60),
-            [
-                'user' => $user->getKey(),
-                'email' => 'taken@example.com',
-            ],
-            false
-        );
-
-        // Act
-        $response = $this->get($verificationUrl);
-
-        // Assert
-        $response->assertRedirect(route('dashboard'));
-        $response->assertSessionHas('bannerStyle', 'danger');
-        $response->assertSessionHas('bannerText', 'The email address is already in use.');
-        $user = $user->fresh();
-        $this->assertEquals('current@example.com', $user->email);
-        $this->assertEquals('taken@example.com', $user->pending_email);
-    }
-
-    public function test_stale_pending_email_verification_link_is_rejected(): void
-    {
-        // Arrange
-        $user = User::factory()->create([
-            'email' => 'current@example.com',
-            'pending_email' => 'newer@example.com',
-        ]);
-        $this->actingAs($user);
-        $verificationUrl = URL::temporarySignedRoute(
-            'users.verify-email-change',
-            now()->addMinutes(60),
-            [
-                'user' => $user->getKey(),
-                'email' => 'older@example.com',
-            ],
-            false
-        );
-
-        // Act
-        $response = $this->get($verificationUrl);
-
-        // Assert
-        $response->assertForbidden();
-        $user = $user->fresh();
-        $this->assertEquals('current@example.com', $user->email);
-        $this->assertEquals('newer@example.com', $user->pending_email);
-    }
 }

tests/Feature/RegistrationTest.php

@@ -61,6 +61,7 @@ class RegistrationTest extends TestCaseWithDatabase
         $member = Member::query()->whereBelongsTo($user, 'user')->whereBelongsTo($organization, 'organization')->firstOrFail();
         $this->assertSame(Role::Owner->value, $member->role);
         Event::assertNotDispatched(NewsletterRegistered::class);
+        $this->assertSame($organization->getKey(), $user->current_team_id);
     }
 
     public function test_user_registration_fails_if_registration_is_deactivated(): void

tests/Unit/Endpoint/Api/V1/OrganizationEndpointTest.php

@@ -382,6 +382,58 @@ class OrganizationEndpointTest extends ApiEndpointTestAbstract
         ]);
     }
 
+    public function test_update_endpoint_can_update_the_currency_of_the_organization(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission([
+            'organizations:update',
+        ]);
+        $this->assertBillableRateServiceIsUnused();
+        $data->organization->currency = 'EUR';
+        $data->organization->save();
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->putJson(route('api.v1.organizations.update', [$data->organization->getKey()]), [
+            'name' => $data->organization->name,
+            'currency' => 'USD',
+        ]);
+
+        // Assert
+        $response->assertStatus(200);
+        $response->assertJsonPath('data.currency', 'USD');
+        $this->assertDatabaseHas(Organization::class, [
+            'id' => $data->organization->getKey(),
+            'currency' => 'USD',
+        ]);
+    }
+
+    public function test_update_endpoint_fails_if_currency_is_invalid(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission([
+            'organizations:update',
+        ]);
+        $this->assertBillableRateServiceIsUnused();
+        $data->organization->currency = 'EUR';
+        $data->organization->save();
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->putJson(route('api.v1.organizations.update', [$data->organization->getKey()]), [
+            'name' => $data->organization->name,
+            'currency' => 'NOT_A_CURRENCY',
+        ]);
+
+        // Assert
+        $response->assertStatus(422);
+        $response->assertJsonValidationErrors(['currency']);
+        $this->assertDatabaseHas(Organization::class, [
+            'id' => $data->organization->getKey(),
+            'currency' => 'EUR',
+        ]);
+    }
+
     public function test_delete_endpoint_if_user_does_not_have_permission(): void
     {
         // Arrange

tests/Unit/Endpoint/Web/MembersEndpointTest.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Unit\Endpoint\Web;
+
+use Inertia\Testing\AssertableInertia as Assert;
+
+class MembersEndpointTest extends EndpointTestAbstract
+{
+    public function test_members_passes_available_roles_as_objects_with_key_name_and_description(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission([
+            'members:view',
+        ]);
+        $this->actingAs($data->user);
+
+        // Act
+        $response = $this->get(route('members'));
+
+        // Assert
+        $response->assertOk();
+        $response->assertInertia(fn (Assert $page) => $page
+            ->component('Members')
+            ->has('availableRoles', 5, fn (Assert $role) => $role
+                ->has('key')
+                ->has('name')
+                ->has('description')
+            )
+            ->where('availableRoles.0.key', 'owner')
+            ->where('availableRoles.0.name', 'Owner')
+        );
+    }
+}

tests/Unit/Endpoint/Web/OrganizationEndpointTest.php

@@ -4,12 +4,14 @@ declare(strict_types=1);
 
 namespace Tests\Unit\Endpoint\Web;
 
+use App\Enums\Role;
 use App\Http\Controllers\Web\OrganizationController;
 use App\Models\Organization;
 use App\Models\OrganizationInvitation;
 use App\Models\User;
 use Inertia\Testing\AssertableInertia as Assert;
 use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\DataProvider;
 
 #[CoversClass(OrganizationController::class)]
 class OrganizationEndpointTest extends EndpointTestAbstract
@@ -65,14 +67,37 @@ class OrganizationEndpointTest extends EndpointTestAbstract
             ->where('team.owner.name', $data->owner->name)
             ->has('team.owner.profile_photo_url')
             ->has('currencies')
-            ->where('availableRoles', [])
-            ->where('availablePermissions', [])
-            ->where('defaultPermissions', [])
-            ->where('permissions.canAddTeamMembers', true)
-            ->where('permissions.canDeleteTeam', true)
-            ->where('permissions.canRemoveTeamMembers', true)
-            ->where('permissions.canUpdateTeam', true)
-            ->where('permissions.canUpdateTeamMembers', true)
+        );
+    }
+
+    /**
+     * @return array<string, array{role: Role, canUpdateTeam: bool, canDeleteTeam: bool}>
+     */
+    public static function showPermissionsPerRoleProvider(): array
+    {
+        return [
+            'owner can update and delete' => ['role' => Role::Owner, 'canUpdateTeam' => true, 'canDeleteTeam' => true],
+            'admin can update but not delete' => ['role' => Role::Admin, 'canUpdateTeam' => true, 'canDeleteTeam' => false],
+            'employee can neither update nor delete' => ['role' => Role::Employee, 'canUpdateTeam' => false, 'canDeleteTeam' => false],
+        ];
+    }
+
+    #[DataProvider('showPermissionsPerRoleProvider')]
+    public function test_organization_show_returns_permissions_based_on_role(Role $role, bool $canUpdateTeam, bool $canDeleteTeam): void
+    {
+        // Arrange
+        $data = $this->createUserWithRole($role);
+        $this->actingAs($data->user);
+
+        // Act
+        $response = $this->get(route('organizations.show', [$data->organization->getKey()]));
+
+        // Assert
+        $response->assertOk();
+        $response->assertInertia(fn (Assert $page) => $page
+            ->component('Teams/Show')
+            ->where('permissions.canUpdateTeam', $canUpdateTeam)
+            ->where('permissions.canDeleteTeam', $canDeleteTeam)
         );
     }
 

tests/Unit/Endpoint/Web/OtherBrowserSessionsEndpointTest.php

@@ -0,0 +1,103 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Unit\Endpoint\Web;
+
+use App\Http\Controllers\Web\OtherBrowserSessionsController;
+use App\Models\User;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Hash;
+use PHPUnit\Framework\Attributes\CoversClass;
+
+#[CoversClass(OtherBrowserSessionsController::class)]
+class OtherBrowserSessionsEndpointTest extends EndpointTestAbstract
+{
+    public function test_destroy_logs_out_other_browser_sessions_with_the_correct_password(): void
+    {
+        // Arrange
+        $user = User::factory()->create();
+        $originalPasswordHash = $user->password;
+        $this->actingAs($user);
+
+        // Act
+        $response = $this->delete('/user/other-browser-sessions', [
+            'password' => 'password',
+        ]);
+
+        // Assert
+        $response->assertRedirect();
+        $response->assertSessionHasNoErrors();
+        // logoutOtherDevices re-hashes the password (same plaintext, new hash) to invalidate other sessions.
+        $this->assertNotSame($originalPasswordHash, $user->fresh()->password);
+        $this->assertTrue(Hash::check('password', $user->fresh()->password));
+    }
+
+    public function test_destroy_fails_with_an_incorrect_password(): void
+    {
+        // Arrange
+        $user = User::factory()->create();
+        $originalPasswordHash = $user->password;
+        $this->actingAs($user);
+
+        // Act
+        $response = $this->delete('/user/other-browser-sessions', [
+            'password' => 'wrong-password',
+        ]);
+
+        // Assert
+        $response->assertSessionHasErrors('password');
+        // No side effects when the password is incorrect: the password must not be re-hashed.
+        $this->assertSame($originalPasswordHash, $user->fresh()->password);
+    }
+
+    public function test_destroy_requires_authentication(): void
+    {
+        // Act
+        $response = $this->delete('/user/other-browser-sessions', [
+            'password' => 'password',
+        ]);
+
+        // Assert
+        $response->assertRedirect(route('login'));
+    }
+
+    public function test_destroy_deletes_the_other_database_session_records_of_the_current_user(): void
+    {
+        // Arrange
+        config(['session.driver' => 'database']);
+        $user = User::factory()->create();
+        $otherUser = User::factory()->create();
+        $this->actingAs($user);
+
+        DB::table('sessions')->insert([
+            [
+                'id' => 'other-session-of-current-user',
+                'user_id' => $user->getKey(),
+                'ip_address' => '192.0.2.10',
+                'user_agent' => '',
+                'payload' => '',
+                'last_activity' => now()->subMinutes(5)->timestamp,
+            ],
+            [
+                'id' => 'session-of-another-user',
+                'user_id' => $otherUser->getKey(),
+                'ip_address' => '192.0.2.30',
+                'user_agent' => '',
+                'payload' => '',
+                'last_activity' => now()->timestamp,
+            ],
+        ]);
+
+        // Act
+        $response = $this->delete('/user/other-browser-sessions', [
+            'password' => 'password',
+        ]);
+
+        // Assert
+        $response->assertSessionHasNoErrors();
+        // The current user's other sessions are removed, while another user's session is untouched.
+        $this->assertDatabaseMissing('sessions', ['id' => 'other-session-of-current-user']);
+        $this->assertDatabaseHas('sessions', ['id' => 'session-of-another-user']);
+    }
+}

tests/Unit/Endpoint/Web/UserEndpointTest.php

@@ -0,0 +1,253 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Unit\Endpoint\Web;
+
+use App\Http\Controllers\Web\UserController;
+use App\Models\User;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\URL;
+use PHPUnit\Framework\Attributes\CoversClass;
+
+#[CoversClass(UserController::class)]
+class UserEndpointTest extends EndpointTestAbstract
+{
+    public function test_pending_email_verification_updates_email_and_redirects_with_success_banner(): void
+    {
+        // Arrange
+        $this->travelTo(Carbon::parse('2024-01-02 12:00:00', 'UTC'));
+        $user = User::factory()->create([
+            'email' => 'current@example.com',
+            'pending_email' => 'new@example.com',
+            'email_verified_at' => null,
+        ]);
+        $this->actingAs($user);
+        $verificationUrl = URL::temporarySignedRoute(
+            'users.verify-email-change',
+            now()->addMinutes(60),
+            [
+                'user' => $user->getKey(),
+                'email' => 'NEW@EXAMPLE.COM',
+            ],
+            false
+        );
+
+        // Act
+        $response = $this->get($verificationUrl);
+
+        // Assert
+        $response->assertRedirect(route('dashboard'));
+        $response->assertSessionHas('bannerStyle', 'success');
+        $response->assertSessionHas('bannerText', 'Your email address has been updated successfully.');
+        $user->refresh();
+        $this->assertSame('new@example.com', $user->email);
+        $this->assertNull($user->pending_email);
+        $this->assertTrue(now()->equalTo($user->email_verified_at));
+    }
+
+    public function test_pending_email_verification_is_rejected_for_another_authenticated_user(): void
+    {
+        // Arrange
+        $user = User::factory()->create([
+            'email' => 'current@example.com',
+            'pending_email' => 'new@example.com',
+        ]);
+        $this->actingAs(User::factory()->create());
+        $verificationUrl = URL::temporarySignedRoute(
+            'users.verify-email-change',
+            now()->addMinutes(60),
+            [
+                'user' => $user->getKey(),
+                'email' => 'new@example.com',
+            ],
+            false
+        );
+
+        // Act
+        $response = $this->get($verificationUrl);
+
+        // Assert
+        $response->assertForbidden();
+        $user->refresh();
+        $this->assertSame('current@example.com', $user->email);
+        $this->assertSame('new@example.com', $user->pending_email);
+    }
+
+    public function test_pending_email_verification_without_email_is_rejected(): void
+    {
+        // Arrange
+        $user = User::factory()->create([
+            'email' => 'current@example.com',
+            'pending_email' => 'new@example.com',
+        ]);
+        $this->actingAs($user);
+        $verificationUrl = URL::temporarySignedRoute(
+            'users.verify-email-change',
+            now()->addMinutes(60),
+            ['user' => $user->getKey()],
+            false
+        );
+
+        // Act
+        $response = $this->get($verificationUrl);
+
+        // Assert
+        $response->assertForbidden();
+        $user->refresh();
+        $this->assertSame('current@example.com', $user->email);
+        $this->assertSame('new@example.com', $user->pending_email);
+    }
+
+    public function test_pending_email_verification_with_non_string_email_is_rejected(): void
+    {
+        // Arrange
+        $user = User::factory()->create([
+            'email' => 'current@example.com',
+            'pending_email' => 'new@example.com',
+        ]);
+        $this->actingAs($user);
+        $verificationUrl = URL::temporarySignedRoute(
+            'users.verify-email-change',
+            now()->addMinutes(60),
+            [
+                'user' => $user->getKey(),
+                'email' => ['new@example.com'],
+            ],
+            false
+        );
+
+        // Act
+        $response = $this->get($verificationUrl);
+
+        // Assert
+        $response->assertForbidden();
+        $user->refresh();
+        $this->assertSame('current@example.com', $user->email);
+        $this->assertSame('new@example.com', $user->pending_email);
+    }
+
+    public function test_stale_pending_email_verification_link_is_rejected(): void
+    {
+        // Arrange
+        $user = User::factory()->create([
+            'email' => 'current@example.com',
+            'pending_email' => 'newer@example.com',
+        ]);
+        $this->actingAs($user);
+        $verificationUrl = URL::temporarySignedRoute(
+            'users.verify-email-change',
+            now()->addMinutes(60),
+            [
+                'user' => $user->getKey(),
+                'email' => 'older@example.com',
+            ],
+            false
+        );
+
+        // Act
+        $response = $this->get($verificationUrl);
+
+        // Assert
+        $response->assertForbidden();
+        $user->refresh();
+        $this->assertSame('current@example.com', $user->email);
+        $this->assertSame('newer@example.com', $user->pending_email);
+    }
+
+    public function test_pending_email_verification_redirects_with_danger_banner_when_email_already_in_use(): void
+    {
+        // Arrange
+        User::factory()->create([
+            'email' => 'taken@example.com',
+            'is_placeholder' => false,
+        ]);
+        $user = User::factory()->create([
+            'email' => 'current@example.com',
+            'pending_email' => 'taken@example.com',
+        ]);
+        $this->actingAs($user);
+        $verificationUrl = URL::temporarySignedRoute(
+            'users.verify-email-change',
+            now()->addMinutes(60),
+            [
+                'user' => $user->getKey(),
+                'email' => 'taken@example.com',
+            ],
+            false
+        );
+
+        // Act
+        $response = $this->get($verificationUrl);
+
+        // Assert
+        $response->assertRedirect(route('dashboard'));
+        $response->assertSessionHas('bannerStyle', 'danger');
+        $response->assertSessionHas('bannerText', 'The email address is already in use.');
+        $user->refresh();
+        $this->assertSame('current@example.com', $user->email);
+        $this->assertSame('taken@example.com', $user->pending_email);
+    }
+
+    public function test_pending_email_verification_ignores_placeholder_users_with_the_same_email(): void
+    {
+        // Arrange
+        User::factory()->placeholder()->create([
+            'email' => 'new@example.com',
+        ]);
+        $user = User::factory()->create([
+            'email' => 'current@example.com',
+            'pending_email' => 'new@example.com',
+            'email_verified_at' => null,
+        ]);
+        $this->actingAs($user);
+        $verificationUrl = URL::temporarySignedRoute(
+            'users.verify-email-change',
+            now()->addMinutes(60),
+            [
+                'user' => $user->getKey(),
+                'email' => 'new@example.com',
+            ],
+            false
+        );
+
+        // Act
+        $response = $this->get($verificationUrl);
+
+        // Assert
+        $response->assertRedirect(route('dashboard'));
+        $response->assertSessionHas('bannerStyle', 'success');
+        $user->refresh();
+        $this->assertSame('new@example.com', $user->email);
+        $this->assertNull($user->pending_email);
+        $this->assertNotNull($user->email_verified_at);
+    }
+
+    public function test_pending_email_verification_with_invalid_signature_is_rejected(): void
+    {
+        // Arrange
+        $user = User::factory()->create([
+            'email' => 'current@example.com',
+            'pending_email' => 'new@example.com',
+        ]);
+        $this->actingAs($user);
+        $verificationUrl = URL::temporarySignedRoute(
+            'users.verify-email-change',
+            now()->addMinutes(60),
+            [
+                'user' => $user->getKey(),
+                'email' => 'new@example.com',
+            ],
+            false
+        );
+
+        // Act
+        $response = $this->get($verificationUrl.'&invalid');
+
+        // Assert
+        $response->assertForbidden();
+        $user->refresh();
+        $this->assertSame('current@example.com', $user->email);
+        $this->assertSame('new@example.com', $user->pending_email);
+    }
+}

tests/Unit/Service/Dto/UserAgentDtoTest.php

@@ -0,0 +1,131 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Unit\Service\Dto;
+
+use App\Service\Dto\UserAgentDto;
+use PHPUnit\Framework\Attributes\CoversClass;
+use Tests\TestCase;
+
+#[CoversClass(UserAgentDto::class)]
+class UserAgentDtoTest extends TestCase
+{
+    public function test_chrome_on_windows_is_detected_as_a_desktop_browser(): void
+    {
+        // Arrange
+        $userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36';
+        $agent = new UserAgentDto;
+        $agent->setUserAgent($userAgent);
+
+        // Act
+        $platform = $agent->platform();
+        $browser = $agent->browser();
+        $isDesktop = $agent->isDesktop();
+
+        // Assert
+        $this->assertSame('Windows', $platform);
+        $this->assertSame('Chrome', $browser);
+        $this->assertTrue($isDesktop);
+    }
+
+    public function test_edge_is_detected_before_chrome(): void
+    {
+        // Arrange
+        $userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0';
+        $agent = new UserAgentDto;
+        $agent->setUserAgent($userAgent);
+
+        // Act
+        $browser = $agent->browser();
+
+        // Assert
+        $this->assertSame('Edge', $browser);
+    }
+
+    public function test_iphone_safari_is_detected_as_a_non_desktop_browser(): void
+    {
+        // Arrange
+        $userAgent = 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1';
+        $agent = new UserAgentDto;
+        $agent->setUserAgent($userAgent);
+
+        // Act
+        $platform = $agent->platform();
+        $browser = $agent->browser();
+        $isDesktop = $agent->isDesktop();
+
+        // Assert
+        $this->assertSame('iOS', $platform);
+        $this->assertSame('Safari', $browser);
+        $this->assertFalse($isDesktop);
+    }
+
+    public function test_ipad_is_detected_as_non_desktop(): void
+    {
+        // Arrange
+        $userAgent = 'Mozilla/5.0 (iPad; CPU OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1';
+        $agent = new UserAgentDto;
+        $agent->setUserAgent($userAgent);
+
+        // Act
+        $isDesktop = $agent->isDesktop();
+
+        // Assert
+        $this->assertFalse($isDesktop);
+    }
+
+    public function test_unknown_user_agent_has_no_platform_or_browser_and_is_a_desktop(): void
+    {
+        // Arrange
+        $agent = new UserAgentDto;
+        $agent->setUserAgent('CustomClient/1.0');
+
+        // Act
+        $platform = $agent->platform();
+        $browser = $agent->browser();
+        $isDesktop = $agent->isDesktop();
+
+        // Assert
+        $this->assertNull($platform);
+        $this->assertNull($browser);
+        $this->assertTrue($isDesktop);
+    }
+
+    public function test_cloudfront_desktop_header_is_detected_as_desktop(): void
+    {
+        // Arrange
+        $agent = new UserAgentDto;
+        $agent->setUserAgent('Amazon CloudFront');
+        $agent->setHttpHeaders([
+            'HTTP_CLOUDFRONT_IS_DESKTOP_VIEWER' => 'true',
+        ]);
+
+        // Act
+        $isDesktop = $agent->isDesktop();
+
+        // Assert
+        $this->assertTrue($isDesktop);
+    }
+
+    public function test_cached_values_are_resolved_for_the_current_user_agent(): void
+    {
+        // Arrange
+        $agent = new UserAgentDto;
+        $agent->setUserAgent('Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36');
+        $agent->platform();
+        $agent->browser();
+        $agent->isDesktop();
+        $agent->setUserAgent('Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Version/17.0 Mobile/15E148 Safari/604.1');
+
+        // Act
+        $platform = $agent->platform();
+        $browser = $agent->browser();
+        $isDesktop = $agent->isDesktop();
+
+        // Assert
+        $this->assertSame('iOS', $platform);
+        $this->assertSame('Safari', $browser);
+        $this->assertFalse($isDesktop);
+    }
+}