tests/SIGCM2.Api.Tests/Usuarios/UpdateUsuarioEndpointTests.cs

using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
using Dapper;
using Microsoft.Data.SqlClient;
using SIGCM2.TestSupport;

namespace SIGCM2.Api.Tests.Usuarios;

/// <summary>
/// Integration tests for PUT /api/v1/users/{id} (UDT-008 B4).
/// </summary>
[Collection("ApiIntegration")]
public sealed class UpdateUsuarioEndpointTests : IAsyncLifetime
{
    private const string TestConnectionString =
        "Server=TECNICA3;Database=SIGCM2_Test;User Id=desarrollo;Password=desarrollo2026;TrustServerCertificate=True;";

    private readonly HttpClient _client;
    private readonly SqlTestFixture _db;

    public UpdateUsuarioEndpointTests(TestWebAppFactory factory)
    {
        _client = factory.CreateClient();
        _db = new SqlTestFixture(TestConnectionString);
    }

    public async Task InitializeAsync() => await _db.InitializeAsync();
    public async Task DisposeAsync() => await _db.DisposeAsync();

    private async Task<string> GetAdminTokenAsync()
    {
        var response = await _client.PostAsJsonAsync("/api/v1/auth/login",
            new { username = "admin", password = "@Diego550@" });
        response.EnsureSuccessStatusCode();
        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
        return json.GetProperty("accessToken").GetString()!;
    }

    private async Task<int> GetAdminIdAsync()
    {
        await using var conn = new SqlConnection(TestConnectionString);
        await conn.OpenAsync();
        return await conn.ExecuteScalarAsync<int>("SELECT Id FROM dbo.Usuario WHERE Username = 'admin'");
    }

    private async Task<int> SeedCajeroAsync(string username = "cajero_update")
    {
        await using var conn = new SqlConnection(TestConnectionString);
        await conn.OpenAsync();
        return await conn.ExecuteScalarAsync<int>($"""
            IF NOT EXISTS (SELECT 1 FROM dbo.Usuario WHERE Username = '{username}')
            INSERT INTO dbo.Usuario (Username, PasswordHash, Nombre, Apellido, Rol, PermisosJson, Activo, MustChangePassword)
            VALUES ('{username}', '$2a$12$rmq6tlSAQ8WXhR2CwLCSeuwCJKz/.8Eab95UQCUNfwe4dokeOqMcW', 'Test', 'Usuario', 'cajero', '[]', 1, 0);
            SELECT Id FROM dbo.Usuario WHERE Username = '{username}'
            """);
    }

    private async Task<string> GetCajeroTokenAsync()
    {
        var id = await SeedCajeroAsync("cajero_update_auth");
        var response = await _client.PostAsJsonAsync("/api/v1/auth/login",
            new { username = "cajero_update_auth", password = "@Diego550@" });
        response.EnsureSuccessStatusCode();
        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
        return json.GetProperty("accessToken").GetString()!;
    }

    [Fact]
    public async Task PUT_Users_Id_200_Returns_Updated_Detail()
    {
        var token = await GetAdminTokenAsync();
        var targetId = await SeedCajeroAsync("cajero_upd_happy");

        var request = new HttpRequestMessage(HttpMethod.Put, $"/api/v1/users/{targetId}");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        request.Content = JsonContent.Create(new { nombre = "Editado", apellido = "Test", email = (string?)null, rol = "cajero", activo = true });

        var response = await _client.SendAsync(request);

        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
        Assert.Equal("Editado", json.GetProperty("nombre").GetString());
    }

    [Fact]
    public async Task PUT_Users_Id_400_Invalid_Email()
    {
        var token = await GetAdminTokenAsync();
        var targetId = await SeedCajeroAsync("cajero_upd_email");

        var request = new HttpRequestMessage(HttpMethod.Put, $"/api/v1/users/{targetId}");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = "not-an-email", rol = "cajero", activo = true });

        var response = await _client.SendAsync(request);

        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
    }

    [Fact]
    public async Task PUT_Users_Id_400_Last_Admin_Lockout_With_Error_Key()
    {
        var token = await GetAdminTokenAsync();
        var adminId = await GetAdminIdAsync();

        var request = new HttpRequestMessage(HttpMethod.Put, $"/api/v1/users/{adminId}");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        request.Content = JsonContent.Create(new { nombre = "Admin", apellido = "Sys", email = (string?)null, rol = "cajero", activo = true });

        var response = await _client.SendAsync(request);

        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
        var body = await response.Content.ReadAsStringAsync();
        Assert.Contains("last-admin-lockout", body, StringComparison.OrdinalIgnoreCase);
    }

    [Fact]
    public async Task PUT_Users_Id_404_Not_Found()
    {
        var token = await GetAdminTokenAsync();
        var request = new HttpRequestMessage(HttpMethod.Put, "/api/v1/users/9999");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = (string?)null, rol = "cajero", activo = true });

        var response = await _client.SendAsync(request);

        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
    }

    [Fact]
    public async Task PUT_Users_Id_403_No_Permission()
    {
        var token = await GetCajeroTokenAsync();
        var request = new HttpRequestMessage(HttpMethod.Put, "/api/v1/users/1");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = (string?)null, rol = "cajero", activo = true });

        var response = await _client.SendAsync(request);

        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
    }

    [Fact]
    public async Task PUT_Users_Id_401_No_Auth()
    {
        var request = new HttpRequestMessage(HttpMethod.Put, "/api/v1/users/1");
        request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = (string?)null, rol = "cajero", activo = true });

        var response = await _client.SendAsync(request);

        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
    }
}
feat(api): UpdateUsuario — handler, validator, anti-lockout guard, revoke tokens [UDT-008] 2026-04-15 17:49:19 -03:00			`using System.Net;`
			`using System.Net.Http.Headers;`
			`using System.Net.Http.Json;`
			`using System.Text.Json;`
			`using Dapper;`
			`using Microsoft.Data.SqlClient;`
			`using SIGCM2.TestSupport;`

			`namespace SIGCM2.Api.Tests.Usuarios;`

			`/// <summary>`
			`/// Integration tests for PUT /api/v1/users/{id} (UDT-008 B4).`
			`/// </summary>`
			`[Collection("ApiIntegration")]`
			`public sealed class UpdateUsuarioEndpointTests : IAsyncLifetime`
			`{`
			`private const string TestConnectionString =`
			`"Server=TECNICA3;Database=SIGCM2_Test;User Id=desarrollo;Password=desarrollo2026;TrustServerCertificate=True;";`

			`private readonly HttpClient _client;`
			`private readonly SqlTestFixture _db;`

			`public UpdateUsuarioEndpointTests(TestWebAppFactory factory)`
			`{`
			`_client = factory.CreateClient();`
			`_db = new SqlTestFixture(TestConnectionString);`
			`}`

			`public async Task InitializeAsync() => await _db.InitializeAsync();`
			`public async Task DisposeAsync() => await _db.DisposeAsync();`

			`private async Task<string> GetAdminTokenAsync()`
			`{`
			`var response = await _client.PostAsJsonAsync("/api/v1/auth/login",`
			`new { username = "admin", password = "@Diego550@" });`
			`response.EnsureSuccessStatusCode();`
			`var json = await response.Content.ReadFromJsonAsync<JsonElement>();`
			`return json.GetProperty("accessToken").GetString()!;`
			`}`

			`private async Task<int> GetAdminIdAsync()`
			`{`
			`await using var conn = new SqlConnection(TestConnectionString);`
			`await conn.OpenAsync();`
			`return await conn.ExecuteScalarAsync<int>("SELECT Id FROM dbo.Usuario WHERE Username = 'admin'");`
			`}`

			`private async Task<int> SeedCajeroAsync(string username = "cajero_update")`
			`{`
			`await using var conn = new SqlConnection(TestConnectionString);`
			`await conn.OpenAsync();`
			`return await conn.ExecuteScalarAsync<int>($"""`
			`IF NOT EXISTS (SELECT 1 FROM dbo.Usuario WHERE Username = '{username}')`
			`INSERT INTO dbo.Usuario (Username, PasswordHash, Nombre, Apellido, Rol, PermisosJson, Activo, MustChangePassword)`
			`VALUES ('{username}', '$2a$12$rmq6tlSAQ8WXhR2CwLCSeuwCJKz/.8Eab95UQCUNfwe4dokeOqMcW', 'Test', 'Usuario', 'cajero', '[]', 1, 0);`
			`SELECT Id FROM dbo.Usuario WHERE Username = '{username}'`
			`""");`
			`}`

			`private async Task<string> GetCajeroTokenAsync()`
			`{`
			`var id = await SeedCajeroAsync("cajero_update_auth");`
			`var response = await _client.PostAsJsonAsync("/api/v1/auth/login",`
			`new { username = "cajero_update_auth", password = "@Diego550@" });`
			`response.EnsureSuccessStatusCode();`
			`var json = await response.Content.ReadFromJsonAsync<JsonElement>();`
			`return json.GetProperty("accessToken").GetString()!;`
			`}`

			`[Fact]`
			`public async Task PUT_Users_Id_200_Returns_Updated_Detail()`
			`{`
			`var token = await GetAdminTokenAsync();`
			`var targetId = await SeedCajeroAsync("cajero_upd_happy");`

			`var request = new HttpRequestMessage(HttpMethod.Put, $"/api/v1/users/{targetId}");`
			`request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);`
			`request.Content = JsonContent.Create(new { nombre = "Editado", apellido = "Test", email = (string?)null, rol = "cajero", activo = true });`

			`var response = await _client.SendAsync(request);`

			`Assert.Equal(HttpStatusCode.OK, response.StatusCode);`
			`var json = await response.Content.ReadFromJsonAsync<JsonElement>();`
			`Assert.Equal("Editado", json.GetProperty("nombre").GetString());`
			`}`

			`[Fact]`
			`public async Task PUT_Users_Id_400_Invalid_Email()`
			`{`
			`var token = await GetAdminTokenAsync();`
			`var targetId = await SeedCajeroAsync("cajero_upd_email");`

			`var request = new HttpRequestMessage(HttpMethod.Put, $"/api/v1/users/{targetId}");`
			`request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);`
			`request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = "not-an-email", rol = "cajero", activo = true });`

			`var response = await _client.SendAsync(request);`

			`Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);`
			`}`

			`[Fact]`
			`public async Task PUT_Users_Id_400_Last_Admin_Lockout_With_Error_Key()`
			`{`
			`var token = await GetAdminTokenAsync();`
			`var adminId = await GetAdminIdAsync();`

			`var request = new HttpRequestMessage(HttpMethod.Put, $"/api/v1/users/{adminId}");`
			`request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);`
			`request.Content = JsonContent.Create(new { nombre = "Admin", apellido = "Sys", email = (string?)null, rol = "cajero", activo = true });`

			`var response = await _client.SendAsync(request);`

			`Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);`
			`var body = await response.Content.ReadAsStringAsync();`
			`Assert.Contains("last-admin-lockout", body, StringComparison.OrdinalIgnoreCase);`
			`}`

			`[Fact]`
			`public async Task PUT_Users_Id_404_Not_Found()`
			`{`
			`var token = await GetAdminTokenAsync();`
			`var request = new HttpRequestMessage(HttpMethod.Put, "/api/v1/users/9999");`
			`request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);`
			`request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = (string?)null, rol = "cajero", activo = true });`

			`var response = await _client.SendAsync(request);`

			`Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);`
			`}`

			`[Fact]`
			`public async Task PUT_Users_Id_403_No_Permission()`
			`{`
			`var token = await GetCajeroTokenAsync();`
			`var request = new HttpRequestMessage(HttpMethod.Put, "/api/v1/users/1");`
			`request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);`
			`request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = (string?)null, rol = "cajero", activo = true });`

			`var response = await _client.SendAsync(request);`

			`Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);`
			`}`

			`[Fact]`
			`public async Task PUT_Users_Id_401_No_Auth()`
			`{`
			`var request = new HttpRequestMessage(HttpMethod.Put, "/api/v1/users/1");`
			`request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = (string?)null, rol = "cajero", activo = true });`

			`var response = await _client.SendAsync(request);`

			`Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);`
			`}`
			`}`