dmolinari/SIG-CM2.0
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7b7ef1c137249523f0b3d515963663b1e3338e92
SIG-CM2.0/tests/SIGCM2.Api.Tests/Auth/AuthControllerTests.cs

175 lines
6.5 KiB
C#
Raw Normal View History

test(udt-001): backend unit and integration tests (30 tests)
2026-04-13 21:36:09 -03:00
using System.Net;
using System.Net.Http.Json;
using System.Text.Json;
using SIGCM2.TestSupport;
namespace SIGCM2.Api.Tests.Auth;
[Collection("ApiIntegration")]
feat(api): UDT-004 controller de roles + refactor validator UDT-003 a lookup dinamico - RolesController /api/v1/roles CRUD admin-only: GET list, GET {codigo}, POST, PUT, DELETE (soft-delete con guard 409) - ExceptionFilter: mapea RolNotFound (404), RolAlreadyExists (409), RolInUse (409) - DI: registra 5 handlers de Roles (Application) y IRolRepository/RolRepository (Infrastructure) - CreateUsuarioCommandValidator: reemplaza whitelist hardcoded por IRolRepository.ExistsActiveByCodigoAsync via MustAsync; constructor recibe (AuthOptions, IRolRepository) - Tests: 202 verdes (173 application + 29 api). Nuevas: RolesEndpointTests (13 integration), CreateUsuarioCommandValidatorTests reescrito con NSubstitute mock, CreateUsuario_WithInactiveRol_Returns400 en Api.Tests - Fix: ApiIntegration pasa de IClassFixture (N factories) a ICollectionFixture (1 factory shared) — evitaba ObjectDisposedException sobre RSABCrypt al compartir coleccion con multiples test classes - tests/tests.runsettings: MaxCpuCount=1 para evitar race entre assemblies sobre SIGCM2_Test
2026-04-15 12:50:24 -03:00
public class AuthControllerTests
test(udt-001): backend unit and integration tests (30 tests)
2026-04-13 21:36:09 -03:00
{
private readonly HttpClient _client;
public AuthControllerTests(TestWebAppFactory factory)
{
_client = factory.CreateClient();
}
// Scenario: happy path — valid admin credentials return 200 with token shape + usuario
[Fact]
public async Task Login_ValidCredentials_Returns200WithTokenShape()
{
var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
{
username = "admin",
password = "@Diego550@"
});
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
var json = await response.Content.ReadFromJsonAsync<JsonElement>();
Assert.True(json.TryGetProperty("accessToken", out var token), "Response missing 'accessToken'");
Assert.True(json.TryGetProperty("refreshToken", out var refresh), "Response missing 'refreshToken'");
Assert.True(json.TryGetProperty("expiresIn", out var expires), "Response missing 'expiresIn'");
Assert.False(string.IsNullOrWhiteSpace(token.GetString()), "'accessToken' must not be empty");
Assert.False(string.IsNullOrWhiteSpace(refresh.GetString()), "'refreshToken' must not be empty");
Assert.Equal(3600, expires.GetInt32());
// Contract: response must include usuario object
Assert.True(json.TryGetProperty("usuario", out var usuario), "Response missing 'usuario'");
Assert.True(usuario.TryGetProperty("id", out var id), "usuario missing 'id'");
Assert.True(usuario.TryGetProperty("nombre", out var nombre), "usuario missing 'nombre'");
Assert.True(usuario.TryGetProperty("rol", out var rol), "usuario missing 'rol'");
Assert.True(usuario.TryGetProperty("permisos", out var permisos), "usuario missing 'permisos'");
Assert.True(id.GetInt32() > 0, "'usuario.id' must be positive");
Assert.False(string.IsNullOrWhiteSpace(nombre.GetString()), "'usuario.nombre' must not be empty");
Assert.False(string.IsNullOrWhiteSpace(rol.GetString()), "'usuario.rol' must not be empty");
Assert.Equal(JsonValueKind.Array, permisos.ValueKind);
test(api): assert count 21 permisos admin post-V007 [UDT-006]
2026-04-15 16:49:54 -03:00
Assert.Equal(21, permisos.GetArrayLength());
test(udt-001): backend unit and integration tests (30 tests)
2026-04-13 21:36:09 -03:00
}
// Scenario: invalid credentials return 401 with opaque error
[Fact]
public async Task Login_InvalidCredentials_Returns401()
{
var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
{
username = "admin",
password = "WrongPassword1!"
});
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
var json = await response.Content.ReadFromJsonAsync<JsonElement>();
Assert.True(json.TryGetProperty("error", out var error));
Assert.Equal("Credenciales inválidas", error.GetString());
}
// Scenario: malformed body (missing password) returns 400
[Fact]
public async Task Login_MissingPassword_Returns400()
{
var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
{
username = "admin"
// password intentionally missing — JSON serializes as no field
});
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
var json = await response.Content.ReadFromJsonAsync<JsonElement>();
Assert.True(json.TryGetProperty("errors", out var errors), "Response missing 'errors'");
}
// Triangulation: empty username returns 400
[Fact]
public async Task Login_EmptyUsername_Returns400()
{
var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
{
username = "",
password = "@Diego550@"
});
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
}
test(api): add Refresh and Logout endpoint integration tests RED
2026-04-14 13:28:44 -03:00
// T-050: Refresh endpoint tests
[Fact]
public async Task Refresh_WithInvalidRefreshToken_Returns401()
{
var response = await _client.PostAsJsonAsync("/api/v1/auth/refresh", new
{
accessToken = "any.token.here",
refreshToken = "nonexistent_refresh_token_value_that_is_at_least_20_chars"
});
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
[Fact]
public async Task Refresh_MissingBody_Returns400()
{
var response = await _client.PostAsJsonAsync("/api/v1/auth/refresh", new
{
accessToken = "",
refreshToken = ""
});
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
}
[Fact]
public async Task Logout_WithoutBearer_Returns401()
{
var response = await _client.PostAsJsonAsync("/api/v1/auth/logout", new { });
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
[Fact]
public async Task Login_Refresh_Logout_FullFlow()
{
// Step 1: Login to get tokens
var loginResp = await _client.PostAsJsonAsync("/api/v1/auth/login", new
{
username = "admin",
password = "@Diego550@"
});
if (loginResp.StatusCode == HttpStatusCode.InternalServerError)
{
// DB not available in this environment — skip gracefully
return;
}
Assert.Equal(HttpStatusCode.OK, loginResp.StatusCode);
var loginJson = await loginResp.Content.ReadFromJsonAsync<JsonElement>();
var accessToken = loginJson.GetProperty("accessToken").GetString()!;
var refreshToken = loginJson.GetProperty("refreshToken").GetString()!;
// Step 2: Use access token to call logout
using var logoutRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/auth/logout");
logoutRequest.Headers.Authorization =
new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);
logoutRequest.Content = JsonContent.Create(new { });
var logoutResp = await _client.SendAsync(logoutRequest);
Assert.Equal(HttpStatusCode.OK, logoutResp.StatusCode);
var logoutJson = await logoutResp.Content.ReadFromJsonAsync<JsonElement>();
Assert.True(logoutJson.GetProperty("success").GetBoolean());
// Step 3: After logout, refresh should fail (token revoked)
var refreshResp = await _client.PostAsJsonAsync("/api/v1/auth/refresh", new
{
accessToken = accessToken,
refreshToken = refreshToken
});
Assert.Equal(HttpStatusCode.Unauthorized, refreshResp.StatusCode);
}
test(udt-001): backend unit and integration tests (30 tests)
2026-04-13 21:36:09 -03:00
}
Reference in New Issue Copy Permalink