tests/SIGCM2.Api.Tests/Auth/AuthControllerTests.cs

using System.Net;
using System.Net.Http.Json;
using System.Text.Json;
using SIGCM2.TestSupport;

namespace SIGCM2.Api.Tests.Auth;

[Collection("ApiIntegration")]
public class AuthControllerTests : IClassFixture<TestWebAppFactory>
{
    private readonly HttpClient _client;

    public AuthControllerTests(TestWebAppFactory factory)
    {
        _client = factory.CreateClient();
    }

    // Scenario: happy path — valid admin credentials return 200 with token shape + usuario
    [Fact]
    public async Task Login_ValidCredentials_Returns200WithTokenShape()
    {
        var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
        {
            username = "admin",
            password = "@Diego550@"
        });

        Assert.Equal(HttpStatusCode.OK, response.StatusCode);

        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
        Assert.True(json.TryGetProperty("accessToken", out var token), "Response missing 'accessToken'");
        Assert.True(json.TryGetProperty("refreshToken", out var refresh), "Response missing 'refreshToken'");
        Assert.True(json.TryGetProperty("expiresIn", out var expires), "Response missing 'expiresIn'");

        Assert.False(string.IsNullOrWhiteSpace(token.GetString()), "'accessToken' must not be empty");
        Assert.False(string.IsNullOrWhiteSpace(refresh.GetString()), "'refreshToken' must not be empty");
        Assert.Equal(3600, expires.GetInt32());

        // Contract: response must include usuario object
        Assert.True(json.TryGetProperty("usuario", out var usuario), "Response missing 'usuario'");
        Assert.True(usuario.TryGetProperty("id", out var id), "usuario missing 'id'");
        Assert.True(usuario.TryGetProperty("nombre", out var nombre), "usuario missing 'nombre'");
        Assert.True(usuario.TryGetProperty("rol", out var rol), "usuario missing 'rol'");
        Assert.True(usuario.TryGetProperty("permisos", out var permisos), "usuario missing 'permisos'");

        Assert.True(id.GetInt32() > 0, "'usuario.id' must be positive");
        Assert.False(string.IsNullOrWhiteSpace(nombre.GetString()), "'usuario.nombre' must not be empty");
        Assert.False(string.IsNullOrWhiteSpace(rol.GetString()), "'usuario.rol' must not be empty");
        Assert.Equal(JsonValueKind.Array, permisos.ValueKind);
    }

    // Scenario: invalid credentials return 401 with opaque error
    [Fact]
    public async Task Login_InvalidCredentials_Returns401()
    {
        var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
        {
            username = "admin",
            password = "WrongPassword1!"
        });

        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);

        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
        Assert.True(json.TryGetProperty("error", out var error));
        Assert.Equal("Credenciales inválidas", error.GetString());
    }

    // Scenario: malformed body (missing password) returns 400
    [Fact]
    public async Task Login_MissingPassword_Returns400()
    {
        var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
        {
            username = "admin"
            // password intentionally missing — JSON serializes as no field
        });

        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);

        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
        Assert.True(json.TryGetProperty("errors", out var errors), "Response missing 'errors'");
    }

    // Triangulation: empty username returns 400
    [Fact]
    public async Task Login_EmptyUsername_Returns400()
    {
        var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
        {
            username = "",
            password = "@Diego550@"
        });

        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
    }
}
test(udt-001): backend unit and integration tests (30 tests) 2026-04-13 21:36:09 -03:00			`using System.Net;`
			`using System.Net.Http.Json;`
			`using System.Text.Json;`
			`using SIGCM2.TestSupport;`

			`namespace SIGCM2.Api.Tests.Auth;`

			`[Collection("ApiIntegration")]`
			`public class AuthControllerTests : IClassFixture<TestWebAppFactory>`
			`{`
			`private readonly HttpClient _client;`

			`public AuthControllerTests(TestWebAppFactory factory)`
			`{`
			`_client = factory.CreateClient();`
			`}`

			`// Scenario: happy path — valid admin credentials return 200 with token shape + usuario`
			`[Fact]`
			`public async Task Login_ValidCredentials_Returns200WithTokenShape()`
			`{`
			`var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new`
			`{`
			`username = "admin",`
			`password = "@Diego550@"`
			`});`

			`Assert.Equal(HttpStatusCode.OK, response.StatusCode);`

			`var json = await response.Content.ReadFromJsonAsync<JsonElement>();`
			`Assert.True(json.TryGetProperty("accessToken", out var token), "Response missing 'accessToken'");`
			`Assert.True(json.TryGetProperty("refreshToken", out var refresh), "Response missing 'refreshToken'");`
			`Assert.True(json.TryGetProperty("expiresIn", out var expires), "Response missing 'expiresIn'");`

			`Assert.False(string.IsNullOrWhiteSpace(token.GetString()), "'accessToken' must not be empty");`
			`Assert.False(string.IsNullOrWhiteSpace(refresh.GetString()), "'refreshToken' must not be empty");`
			`Assert.Equal(3600, expires.GetInt32());`

			`// Contract: response must include usuario object`
			`Assert.True(json.TryGetProperty("usuario", out var usuario), "Response missing 'usuario'");`
			`Assert.True(usuario.TryGetProperty("id", out var id), "usuario missing 'id'");`
			`Assert.True(usuario.TryGetProperty("nombre", out var nombre), "usuario missing 'nombre'");`
			`Assert.True(usuario.TryGetProperty("rol", out var rol), "usuario missing 'rol'");`
			`Assert.True(usuario.TryGetProperty("permisos", out var permisos), "usuario missing 'permisos'");`

			`Assert.True(id.GetInt32() > 0, "'usuario.id' must be positive");`
			`Assert.False(string.IsNullOrWhiteSpace(nombre.GetString()), "'usuario.nombre' must not be empty");`
			`Assert.False(string.IsNullOrWhiteSpace(rol.GetString()), "'usuario.rol' must not be empty");`
			`Assert.Equal(JsonValueKind.Array, permisos.ValueKind);`
			`}`

			`// Scenario: invalid credentials return 401 with opaque error`
			`[Fact]`
			`public async Task Login_InvalidCredentials_Returns401()`
			`{`
			`var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new`
			`{`
			`username = "admin",`
			`password = "WrongPassword1!"`
			`});`

			`Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);`

			`var json = await response.Content.ReadFromJsonAsync<JsonElement>();`
			`Assert.True(json.TryGetProperty("error", out var error));`
			`Assert.Equal("Credenciales inválidas", error.GetString());`
			`}`

			`// Scenario: malformed body (missing password) returns 400`
			`[Fact]`
			`public async Task Login_MissingPassword_Returns400()`
			`{`
			`var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new`
			`{`
			`username = "admin"`
			`// password intentionally missing — JSON serializes as no field`
			`});`

			`Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);`

			`var json = await response.Content.ReadFromJsonAsync<JsonElement>();`
			`Assert.True(json.TryGetProperty("errors", out var errors), "Response missing 'errors'");`
			`}`

			`// Triangulation: empty username returns 400`
			`[Fact]`
			`public async Task Login_EmptyUsername_Returns400()`
			`{`
			`var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new`
			`{`
			`username = "",`
			`password = "@Diego550@"`
			`});`

			`Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);`
			`}`
			`}`