feat(api): ResetPassword admin — TempPasswordGenerator, handler, endpoint POST /{id}/password/reset [UDT-008]

Batch 7: POST /api/v1/users/{id}/password/reset (admin only). - TempPasswordGenerator: RandomNumberGenerator.Fill, 12-char min, full charset diversity, never logs result - ResetUsuarioPasswordCommandHandler: self-reset guard, 404, hash, mustChangePassword=true, revoke all tokens - ExceptionFilter: CannotSelfResetException → 400 {error: cannot-self-reset} - Unit tests: TempPasswordGeneratorTests (8), ResetUsuarioPasswordCommandHandlerTests (5) - Integration tests: ResetPasswordEndpointTests (6) — 200/length/self-reset/404/401/403
2026-04-15 17:55:45 -03:00
parent a3bd066f7b
commit 7d96d5ff18
3 changed files with 311 additions and 0 deletions
--- a/tests/SIGCM2.Application.Tests/Common/TempPasswordGeneratorTests.cs
+++ b/tests/SIGCM2.Application.Tests/Common/TempPasswordGeneratorTests.cs
@@ -0,0 +1,82 @@
+using SIGCM2.Application.Common;
+
+namespace SIGCM2.Application.Tests.Common;
+
+public class TempPasswordGeneratorTests
+{
+    [Fact]
+    public void Generate_Default_Length_Is_12()
+    {
+        var pwd = TempPasswordGenerator.Generate();
+        Assert.Equal(12, pwd.Length);
+    }
+
+    [Fact]
+    public void Generate_Always_Has_Uppercase_Letter()
+    {
+        for (int i = 0; i < 20; i++)
+        {
+            var pwd = TempPasswordGenerator.Generate();
+            Assert.True(pwd.Any(char.IsUpper), $"No uppercase found in: {pwd}");
+        }
+    }
+
+    [Fact]
+    public void Generate_Always_Has_Lowercase_Letter()
+    {
+        for (int i = 0; i < 20; i++)
+        {
+            var pwd = TempPasswordGenerator.Generate();
+            Assert.True(pwd.Any(char.IsLower), $"No lowercase found in: {pwd}");
+        }
+    }
+
+    [Fact]
+    public void Generate_Always_Has_Digit()
+    {
+        for (int i = 0; i < 20; i++)
+        {
+            var pwd = TempPasswordGenerator.Generate();
+            Assert.True(pwd.Any(char.IsDigit), $"No digit found in: {pwd}");
+        }
+    }
+
+    [Fact]
+    public void Generate_Always_Has_Special_Char()
+    {
+        const string symbols = "!@#$%&*+-=?";
+        for (int i = 0; i < 20; i++)
+        {
+            var pwd = TempPasswordGenerator.Generate();
+            Assert.True(pwd.Any(c => symbols.Contains(c)), $"No symbol found in: {pwd}");
+        }
+    }
+
+    [Fact]
+    public void Generate_Below_8_Throws_ArgumentOutOfRangeException()
+    {
+        Assert.Throws<ArgumentOutOfRangeException>(() => TempPasswordGenerator.Generate(7));
+    }
+
+    [Fact]
+    public void Generate_100_Samples_All_Pass_Diversity()
+    {
+        const string symbols = "!@#$%&*+-=?";
+        for (int i = 0; i < 100; i++)
+        {
+            var pwd = TempPasswordGenerator.Generate(12);
+            Assert.True(pwd.Length >= 12);
+            Assert.True(pwd.Any(char.IsUpper));
+            Assert.True(pwd.Any(char.IsLower));
+            Assert.True(pwd.Any(char.IsDigit));
+            Assert.True(pwd.Any(c => symbols.Contains(c)));
+        }
+    }
+
+    [Fact]
+    public void Generate_Custom_Length_Respects_Length()
+    {
+        var pwd = TempPasswordGenerator.Generate(16);
+        Assert.Equal(16, pwd.Length);
+    }
+}
--- a/tests/SIGCM2.Application.Tests/Usuarios/ResetUsuarioPasswordCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Usuarios/ResetUsuarioPasswordCommandHandlerTests.cs
@@ -0,0 +1,76 @@
+using NSubstitute;
+using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Usuarios.ResetPassword;
+using SIGCM2.Domain.Entities;
+using SIGCM2.Domain.Exceptions;
+
+namespace SIGCM2.Application.Tests.Usuarios;
+
+public class ResetUsuarioPasswordCommandHandlerTests
+{
+    private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
+    private readonly IPasswordHasher _hasher = Substitute.For<IPasswordHasher>();
+    private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
+    private readonly ResetUsuarioPasswordCommandHandler _handler;
+
+    public ResetUsuarioPasswordCommandHandlerTests()
+    {
+        _handler = new ResetUsuarioPasswordCommandHandler(_repo, _hasher, _refreshRepo);
+        _hasher.Hash(Arg.Any<string>()).Returns(args => "$2a$12$hashof_" + args[0]);
+    }
+
+    private static Usuario MakeUser(int id = 5)
+        => new(id, "user" + id, "$2a$12$hash", "Test", "User", null, "cajero", "[]", true);
+
+    [Fact]
+    public async Task Handle_Returns_TempPassword_MinLength12_With_Diversity()
+    {
+        _repo.GetByIdAsync(5, Arg.Any<CancellationToken>()).Returns(MakeUser(5));
+
+        var result = await _handler.Handle(new ResetUsuarioPasswordCommand(TargetId: 5, CallerId: 1));
+
+        Assert.True(result.TempPassword.Length >= 12, $"TempPassword too short: {result.TempPassword.Length}");
+        Assert.True(result.MustChangeOnLogin);
+    }
+
+    [Fact]
+    public async Task Handle_Calls_UpdatePasswordAsync_With_MustChange_True()
+    {
+        _repo.GetByIdAsync(5, Arg.Any<CancellationToken>()).Returns(MakeUser(5));
+
+        await _handler.Handle(new ResetUsuarioPasswordCommand(TargetId: 5, CallerId: 1));
+
+        await _repo.Received(1).UpdatePasswordAsync(
+            5,
+            Arg.Any<string>(),
+            mustChangePassword: true,
+            Arg.Any<CancellationToken>());
+    }
+
+    [Fact]
+    public async Task Handle_Revokes_All_Refresh_Tokens_Of_Target()
+    {
+        _repo.GetByIdAsync(5, Arg.Any<CancellationToken>()).Returns(MakeUser(5));
+
+        await _handler.Handle(new ResetUsuarioPasswordCommand(TargetId: 5, CallerId: 1));
+
+        await _refreshRepo.Received(1).RevokeAllActiveForUserAsync(5, Arg.Any<DateTime>(), Arg.Any<CancellationToken>());
+    }
+
+    [Fact]
+    public async Task Handle_Throws_UsuarioNotFoundException_When_Target_Not_Found()
+    {
+        _repo.GetByIdAsync(9999, Arg.Any<CancellationToken>()).Returns((Usuario?)null);
+
+        await Assert.ThrowsAsync<UsuarioNotFoundException>(
+            () => _handler.Handle(new ResetUsuarioPasswordCommand(TargetId: 9999, CallerId: 1)));
+    }
+
+    [Fact]
+    public async Task Handle_Throws_CannotSelfResetException_When_Caller_Equals_Target()
+    {
+        await Assert.ThrowsAsync<CannotSelfResetException>(
+            () => _handler.Handle(new ResetUsuarioPasswordCommand(TargetId: 1, CallerId: 1)));
+    }
+}