feat(api): List + GetById usuarios — handlers, repo, endpoints [UDT-008]

2026-04-15 17:46:23 -03:00
parent 9dcd63543e
commit 2925336783
29 changed files with 1210 additions and 6 deletions
--- a/src/api/SIGCM2.Api/Controllers/UsuariosController.cs
+++ b/src/api/SIGCM2.Api/Controllers/UsuariosController.cs
@@ -3,26 +3,42 @@ using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using SIGCM2.Api.Authorization;
 using SIGCM2.Application.Abstractions;
+using SIGCM2.Application.Common;
 using SIGCM2.Application.Usuarios.Create;
+using SIGCM2.Application.Usuarios.Deactivate;
+using SIGCM2.Application.Usuarios.GetById;
+using SIGCM2.Application.Usuarios.List;
+using SIGCM2.Application.Usuarios.Reactivate;
+using SIGCM2.Application.Usuarios.Update;
+using SIGCM2.Application.Usuarios.ChangeMyPassword;
+using SIGCM2.Application.Usuarios.ResetPassword;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;

 namespace SIGCM2.Api.Controllers;

+/// <summary>
+/// UDT-001/UDT-008: Usuario management endpoints.
+/// RequirePermission moved to method level to allow /me/password with [Authorize] only.
+/// </summary>
 [ApiController]
 [Route("api/v1/users")]
-[RequirePermission("administracion:usuarios:gestionar")]
 public sealed class UsuariosController : ControllerBase
 {
    private readonly IDispatcher _dispatcher;
-    private readonly IValidator<CreateUsuarioCommand> _validator;
+    private readonly IValidator<CreateUsuarioCommand> _createValidator;

-    public UsuariosController(IDispatcher dispatcher, IValidator<CreateUsuarioCommand> validator)
+    public UsuariosController(
+        IDispatcher dispatcher,
+        IValidator<CreateUsuarioCommand> createValidator)
    {
        _dispatcher = dispatcher;
-        _validator = validator;
+        _createValidator = createValidator;
    }

-    /// <summary>Creates a new user. Requires admin role.</summary>
+    /// <summary>Creates a new user. Requires administracion:usuarios:gestionar.</summary>
    [HttpPost]
+    [RequirePermission("administracion:usuarios:gestionar")]
    [ProducesResponseType(typeof(UsuarioCreatedDto), StatusCodes.Status201Created)]
    [ProducesResponseType(StatusCodes.Status400BadRequest)]
    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
@@ -38,7 +54,7 @@ public sealed class UsuariosController : ControllerBase
            Email: request.Email,
            Rol: request.Rol ?? string.Empty);

-        var validation = await _validator.ValidateAsync(command);
+        var validation = await _createValidator.ValidateAsync(command);
        if (!validation.IsValid)
        {
            var errors = validation.Errors
@@ -51,8 +67,144 @@ public sealed class UsuariosController : ControllerBase

        return CreatedAtAction(nameof(CreateUsuario), new { id = result.Id }, result);
    }
+
+    /// <summary>Lists usuarios with optional filters and pagination.</summary>
+    [HttpGet]
+    [RequirePermission("administracion:usuarios:gestionar")]
+    [ProducesResponseType(typeof(PagedResult<UsuarioListItemDto>), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    public async Task<IActionResult> ListUsuarios(
+        [FromQuery] int page = 1,
+        [FromQuery] int pageSize = 20,
+        [FromQuery] string? rol = null,
+        [FromQuery] bool? activo = null,
+        [FromQuery] string? search = null)
+    {
+        if (page < 1) return BadRequest(new { error = "page must be >= 1" });
+        if (pageSize < 1) return BadRequest(new { error = "pageSize must be >= 1" });
+
+        var query = new ListUsuariosQuery(page, pageSize, rol, activo, search);
+        var result = await _dispatcher.Send<ListUsuariosQuery, PagedResult<UsuarioListItemDto>>(query);
+        return Ok(result);
+    }
+
+    /// <summary>Gets a single usuario by id.</summary>
+    [HttpGet("{id:int}")]
+    [RequirePermission("administracion:usuarios:gestionar")]
+    [ProducesResponseType(typeof(UsuarioDetailDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> GetUsuarioById([FromRoute] int id)
+    {
+        var query = new GetUsuarioByIdQuery(id);
+        var result = await _dispatcher.Send<GetUsuarioByIdQuery, UsuarioDetailDto>(query);
+        return Ok(result);
+    }
+
+    /// <summary>Updates a usuario's editable fields.</summary>
+    [HttpPut("{id:int}")]
+    [RequirePermission("administracion:usuarios:gestionar")]
+    [ProducesResponseType(typeof(UsuarioDetailDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> UpdateUsuario([FromRoute] int id, [FromBody] UpdateUsuarioRequest request)
+    {
+        var command = new UpdateUsuarioCommand(
+            Id: id,
+            Nombre: request.Nombre ?? string.Empty,
+            Apellido: request.Apellido ?? string.Empty,
+            Email: request.Email,
+            Rol: request.Rol ?? string.Empty,
+            Activo: request.Activo ?? true);
+
+        var result = await _dispatcher.Send<UpdateUsuarioCommand, UsuarioDetailDto>(command);
+        return Ok(result);
+    }
+
+    /// <summary>Deactivates a usuario (idempotent).</summary>
+    [HttpPatch("{id:int}/deactivate")]
+    [RequirePermission("administracion:usuarios:gestionar")]
+    [ProducesResponseType(typeof(UsuarioDetailDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> DeactivateUsuario([FromRoute] int id)
+    {
+        var command = new DeactivateUsuarioCommand(id);
+        var result = await _dispatcher.Send<DeactivateUsuarioCommand, UsuarioDetailDto>(command);
+        return Ok(result);
+    }
+
+    /// <summary>Reactivates a usuario (idempotent).</summary>
+    [HttpPatch("{id:int}/reactivate")]
+    [RequirePermission("administracion:usuarios:gestionar")]
+    [ProducesResponseType(typeof(UsuarioDetailDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> ReactivateUsuario([FromRoute] int id)
+    {
+        var command = new ReactivateUsuarioCommand(id);
+        var result = await _dispatcher.Send<ReactivateUsuarioCommand, UsuarioDetailDto>(command);
+        return Ok(result);
+    }
+
+    /// <summary>
+    /// Changes the authenticated user's own password.
+    /// Declared BEFORE /{id:int} route to avoid routing ambiguity (though :int constraint handles it).
+    /// Requires only authentication (no specific permission).
+    /// </summary>
+    [HttpPut("me/password")]
+    [Authorize]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    public async Task<IActionResult> ChangeMyPassword([FromBody] ChangeMyPasswordRequest request)
+    {
+        var sub = User.FindFirstValue(JwtRegisteredClaimNames.Sub)
+            ?? User.FindFirstValue(ClaimTypes.NameIdentifier)
+            ?? throw new UnauthorizedAccessException();
+
+        var command = new ChangeMyPasswordCommand(
+            UsuarioId: int.Parse(sub),
+            OldPassword: request.OldPassword ?? string.Empty,
+            NewPassword: request.NewPassword ?? string.Empty);
+
+        await _dispatcher.Send<ChangeMyPasswordCommand, Unit>(command);
+        return NoContent();
+    }
+
+    /// <summary>Resets a usuario's password (admin only). Returns a one-time temp password.</summary>
+    [HttpPost("{id:int}/password/reset")]
+    [RequirePermission("administracion:usuarios:gestionar")]
+    [ProducesResponseType(typeof(ResetUsuarioPasswordResponse), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> ResetUsuarioPassword([FromRoute] int id)
+    {
+        var sub = User.FindFirstValue(JwtRegisteredClaimNames.Sub)
+            ?? User.FindFirstValue(ClaimTypes.NameIdentifier)
+            ?? throw new UnauthorizedAccessException();
+
+        var command = new ResetUsuarioPasswordCommand(
+            TargetId: id,
+            CallerId: int.Parse(sub));
+
+        var result = await _dispatcher.Send<ResetUsuarioPasswordCommand, ResetUsuarioPasswordResponse>(command);
+        return Ok(result);
+    }
 }

+// ── request body records ──────────────────────────────────────────────────────
+
 /// <summary>Create user request body — nullable to catch missing field scenarios.</summary>
 public sealed record CreateUsuarioRequest(
    string? Username,
@@ -61,3 +213,14 @@ public sealed record CreateUsuarioRequest(
    string? Apellido,
    string? Email,
    string? Rol);
+
+public sealed record UpdateUsuarioRequest(
+    string? Nombre,
+    string? Apellido,
+    string? Email,
+    string? Rol,
+    bool? Activo);
+
+public sealed record ChangeMyPasswordRequest(
+    string? OldPassword,
+    string? NewPassword);
--- a/src/api/SIGCM2.Api/Filters/ExceptionFilter.cs
+++ b/src/api/SIGCM2.Api/Filters/ExceptionFilter.cs
@@ -19,6 +19,56 @@ public sealed class ExceptionFilter : IExceptionFilter
    {
        switch (context.Exception)
        {
+            case UsuarioNotFoundException usuarioNotFoundEx:
+                context.Result = new ObjectResult(new
+                {
+                    error = "usuario_not_found",
+                    message = usuarioNotFoundEx.Message
+                })
+                {
+                    StatusCode = StatusCodes.Status404NotFound
+                };
+                context.ExceptionHandled = true;
+                break;
+
+            case LastAdminLockoutException:
+                context.Result = new ObjectResult(new Microsoft.AspNetCore.Mvc.ProblemDetails
+                {
+                    Type = "about:blank",
+                    Title = "last-admin-lockout",
+                    Status = 400,
+                    Detail = "No se puede desactivar o cambiar el rol del último administrador activo."
+                })
+                {
+                    StatusCode = StatusCodes.Status400BadRequest
+                };
+                context.ExceptionHandled = true;
+                break;
+
+            case CannotSelfResetException:
+                context.Result = new ObjectResult(new
+                {
+                    error = "cannot-self-reset",
+                    message = "Un administrador no puede resetear su propia contraseña. Use el endpoint de cambio de contraseña propio."
+                })
+                {
+                    StatusCode = StatusCodes.Status400BadRequest
+                };
+                context.ExceptionHandled = true;
+                break;
+
+            case InvalidOldPasswordException:
+                context.Result = new ObjectResult(new
+                {
+                    error = "invalid-old-password",
+                    message = "La contraseña actual es incorrecta."
+                })
+                {
+                    StatusCode = StatusCodes.Status400BadRequest
+                };
+                context.ExceptionHandled = true;
+                break;
+
            case UsernameAlreadyExistsException usernameEx:
                context.Result = new ObjectResult(new
                {