feat(api): List + GetById usuarios — handlers, repo, endpoints [UDT-008]

tests/SIGCM2.Api.Tests/Usuarios/GetUsuarioByIdEndpointTests.cs

@@ -0,0 +1,131 @@
+using System.Net;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using System.Text.Json;
+using Dapper;
+using Microsoft.Data.SqlClient;
+using SIGCM2.TestSupport;
+
+namespace SIGCM2.Api.Tests.Usuarios;
+
+/// <summary>
+/// Integration tests for GET /api/v1/users/{id} (UDT-008 B3).
+/// </summary>
+[Collection("ApiIntegration")]
+public sealed class GetUsuarioByIdEndpointTests : IAsyncLifetime
+{
+    private const string TestConnectionString =
+        "Server=TECNICA3;Database=SIGCM2_Test;User Id=desarrollo;Password=desarrollo2026;TrustServerCertificate=True;";
+
+    private readonly HttpClient _client;
+    private readonly SqlTestFixture _db;
+
+    public GetUsuarioByIdEndpointTests(TestWebAppFactory factory)
+    {
+        _client = factory.CreateClient();
+        _db = new SqlTestFixture(TestConnectionString);
+    }
+
+    public async Task InitializeAsync() => await _db.InitializeAsync();
+    public async Task DisposeAsync() => await _db.DisposeAsync();
+
+    private async Task<string> GetAdminTokenAsync()
+    {
+        var response = await _client.PostAsJsonAsync("/api/v1/auth/login",
+            new { username = "admin", password = "@Diego550@" });
+        response.EnsureSuccessStatusCode();
+        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
+        return json.GetProperty("accessToken").GetString()!;
+    }
+
+    private async Task<int> GetAdminIdAsync()
+    {
+        await using var conn = new SqlConnection(TestConnectionString);
+        await conn.OpenAsync();
+        return await conn.ExecuteScalarAsync<int>("SELECT Id FROM dbo.Usuario WHERE Username = 'admin'");
+    }
+
+    private async Task<string> GetCajeroTokenAsync()
+    {
+        await using var conn = new SqlConnection(TestConnectionString);
+        await conn.OpenAsync();
+        await conn.ExecuteAsync("""
+            IF NOT EXISTS (SELECT 1 FROM dbo.Usuario WHERE Username = 'cajero_getbyid')
+            INSERT INTO dbo.Usuario (Username, PasswordHash, Nombre, Apellido, Rol, PermisosJson, Activo, MustChangePassword)
+            VALUES ('cajero_getbyid', '$2a$12$rmq6tlSAQ8WXhR2CwLCSeuwCJKz/.8Eab95UQCUNfwe4dokeOqMcW', 'Cajero', 'Test', 'cajero', '[]', 1, 0)
+            """);
+
+        var response = await _client.PostAsJsonAsync("/api/v1/auth/login",
+            new { username = "cajero_getbyid", password = "@Diego550@" });
+        response.EnsureSuccessStatusCode();
+        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
+        return json.GetProperty("accessToken").GetString()!;
+    }
+
+    [Fact]
+    public async Task GET_Users_Id_200_Returns_Detail_Shape()
+    {
+        var token = await GetAdminTokenAsync();
+        var adminId = await GetAdminIdAsync();
+        var request = new HttpRequestMessage(HttpMethod.Get, $"/api/v1/users/{adminId}");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+        var response = await _client.SendAsync(request);
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
+        Assert.Equal(adminId, json.GetProperty("id").GetInt32());
+        Assert.Equal("admin", json.GetProperty("username").GetString());
+        Assert.True(json.TryGetProperty("nombre", out _));
+        Assert.True(json.TryGetProperty("rol", out _));
+        Assert.True(json.TryGetProperty("activo", out _));
+        Assert.True(json.TryGetProperty("mustChangePassword", out _));
+    }
+
+    [Fact]
+    public async Task GET_Users_Id_DoesNotContain_PasswordHash_In_Response()
+    {
+        var token = await GetAdminTokenAsync();
+        var adminId = await GetAdminIdAsync();
+        var request = new HttpRequestMessage(HttpMethod.Get, $"/api/v1/users/{adminId}");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+        var response = await _client.SendAsync(request);
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var rawJson = await response.Content.ReadAsStringAsync();
+        Assert.DoesNotContain("passwordHash", rawJson, StringComparison.OrdinalIgnoreCase);
+        Assert.DoesNotContain("permisosJson", rawJson, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public async Task GET_Users_Id_9999_Returns_404()
+    {
+        var token = await GetAdminTokenAsync();
+        var request = new HttpRequestMessage(HttpMethod.Get, "/api/v1/users/9999");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+        var response = await _client.SendAsync(request);
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task GET_Users_Id_No_Auth_Returns_401()
+    {
+        var response = await _client.GetAsync("/api/v1/users/1");
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task GET_Users_Id_No_Permission_Returns_403()
+    {
+        var token = await GetCajeroTokenAsync();
+        var request = new HttpRequestMessage(HttpMethod.Get, "/api/v1/users/1");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+        var response = await _client.SendAsync(request);
+
+        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+    }
+}