src/api/SIGCM2.Api/Controllers/UsuariosController.cs

@@ -4,14 +4,14 @@ using Microsoft.AspNetCore.Mvc;
 using SIGCM2.Api.Authorization;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Common;
+using SIGCM2.Application.Usuarios.ChangeMyPassword;
 using SIGCM2.Application.Usuarios.Create;
 using SIGCM2.Application.Usuarios.Deactivate;
 using SIGCM2.Application.Usuarios.GetById;
 using SIGCM2.Application.Usuarios.List;
 using SIGCM2.Application.Usuarios.Reactivate;
-using SIGCM2.Application.Usuarios.Update;
-using SIGCM2.Application.Usuarios.ChangeMyPassword;
 using SIGCM2.Application.Usuarios.ResetPassword;
+using SIGCM2.Application.Usuarios.Update;
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Claims;
 
@@ -27,13 +27,19 @@ public sealed class UsuariosController : ControllerBase
 {
     private readonly IDispatcher _dispatcher;
     private readonly IValidator<CreateUsuarioCommand> _createValidator;
+    private readonly IValidator<UpdateUsuarioCommand> _updateValidator;
+    private readonly IValidator<ChangeMyPasswordCommand> _changePasswordValidator;
 
     public UsuariosController(
         IDispatcher dispatcher,
-        IValidator<CreateUsuarioCommand> createValidator)
+        IValidator<CreateUsuarioCommand> createValidator,
+        IValidator<UpdateUsuarioCommand> updateValidator,
+        IValidator<ChangeMyPasswordCommand> changePasswordValidator)
     {
         _dispatcher = dispatcher;
         _createValidator = createValidator;
+        _updateValidator = updateValidator;
+        _changePasswordValidator = changePasswordValidator;
     }
 
     /// <summary>Creates a new user. Requires administracion:usuarios:gestionar.</summary>
@@ -122,6 +128,15 @@ public sealed class UsuariosController : ControllerBase
             Rol: request.Rol ?? string.Empty,
             Activo: request.Activo ?? true);
 
+        var validation = await _updateValidator.ValidateAsync(command);
+        if (!validation.IsValid)
+        {
+            var errors = validation.Errors
+                .GroupBy(e => e.PropertyName)
+                .ToDictionary(g => g.Key, g => g.Select(e => e.ErrorMessage).ToArray());
+            return BadRequest(new { errors });
+        }
+
         var result = await _dispatcher.Send<UpdateUsuarioCommand, UsuarioDetailDto>(command);
         return Ok(result);
     }
@@ -176,6 +191,15 @@ public sealed class UsuariosController : ControllerBase
             OldPassword: request.OldPassword ?? string.Empty,
             NewPassword: request.NewPassword ?? string.Empty);
 
+        var validation = await _changePasswordValidator.ValidateAsync(command);
+        if (!validation.IsValid)
+        {
+            var errors = validation.Errors
+                .GroupBy(e => e.PropertyName)
+                .ToDictionary(g => g.Key, g => g.Select(e => e.ErrorMessage).ToArray());
+            return BadRequest(new { errors });
+        }
+
         await _dispatcher.Send<ChangeMyPasswordCommand, Unit>(command);
         return NoContent();
     }

tests/SIGCM2.Api.Tests/Usuarios/UpdateUsuarioEndpointTests.cs

@@ -0,0 +1,155 @@
+using System.Net;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using System.Text.Json;
+using Dapper;
+using Microsoft.Data.SqlClient;
+using SIGCM2.TestSupport;
+
+namespace SIGCM2.Api.Tests.Usuarios;
+
+/// <summary>
+/// Integration tests for PUT /api/v1/users/{id} (UDT-008 B4).
+/// </summary>
+[Collection("ApiIntegration")]
+public sealed class UpdateUsuarioEndpointTests : IAsyncLifetime
+{
+    private const string TestConnectionString =
+        "Server=TECNICA3;Database=SIGCM2_Test;User Id=desarrollo;Password=desarrollo2026;TrustServerCertificate=True;";
+
+    private readonly HttpClient _client;
+    private readonly SqlTestFixture _db;
+
+    public UpdateUsuarioEndpointTests(TestWebAppFactory factory)
+    {
+        _client = factory.CreateClient();
+        _db = new SqlTestFixture(TestConnectionString);
+    }
+
+    public async Task InitializeAsync() => await _db.InitializeAsync();
+    public async Task DisposeAsync() => await _db.DisposeAsync();
+
+    private async Task<string> GetAdminTokenAsync()
+    {
+        var response = await _client.PostAsJsonAsync("/api/v1/auth/login",
+            new { username = "admin", password = "@Diego550@" });
+        response.EnsureSuccessStatusCode();
+        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
+        return json.GetProperty("accessToken").GetString()!;
+    }
+
+    private async Task<int> GetAdminIdAsync()
+    {
+        await using var conn = new SqlConnection(TestConnectionString);
+        await conn.OpenAsync();
+        return await conn.ExecuteScalarAsync<int>("SELECT Id FROM dbo.Usuario WHERE Username = 'admin'");
+    }
+
+    private async Task<int> SeedCajeroAsync(string username = "cajero_update")
+    {
+        await using var conn = new SqlConnection(TestConnectionString);
+        await conn.OpenAsync();
+        return await conn.ExecuteScalarAsync<int>($"""
+            IF NOT EXISTS (SELECT 1 FROM dbo.Usuario WHERE Username = '{username}')
+            INSERT INTO dbo.Usuario (Username, PasswordHash, Nombre, Apellido, Rol, PermisosJson, Activo, MustChangePassword)
+            VALUES ('{username}', '$2a$12$rmq6tlSAQ8WXhR2CwLCSeuwCJKz/.8Eab95UQCUNfwe4dokeOqMcW', 'Test', 'Usuario', 'cajero', '[]', 1, 0);
+            SELECT Id FROM dbo.Usuario WHERE Username = '{username}'
+            """);
+    }
+
+    private async Task<string> GetCajeroTokenAsync()
+    {
+        var id = await SeedCajeroAsync("cajero_update_auth");
+        var response = await _client.PostAsJsonAsync("/api/v1/auth/login",
+            new { username = "cajero_update_auth", password = "@Diego550@" });
+        response.EnsureSuccessStatusCode();
+        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
+        return json.GetProperty("accessToken").GetString()!;
+    }
+
+    [Fact]
+    public async Task PUT_Users_Id_200_Returns_Updated_Detail()
+    {
+        var token = await GetAdminTokenAsync();
+        var targetId = await SeedCajeroAsync("cajero_upd_happy");
+
+        var request = new HttpRequestMessage(HttpMethod.Put, $"/api/v1/users/{targetId}");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        request.Content = JsonContent.Create(new { nombre = "Editado", apellido = "Test", email = (string?)null, rol = "cajero", activo = true });
+
+        var response = await _client.SendAsync(request);
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
+        Assert.Equal("Editado", json.GetProperty("nombre").GetString());
+    }
+
+    [Fact]
+    public async Task PUT_Users_Id_400_Invalid_Email()
+    {
+        var token = await GetAdminTokenAsync();
+        var targetId = await SeedCajeroAsync("cajero_upd_email");
+
+        var request = new HttpRequestMessage(HttpMethod.Put, $"/api/v1/users/{targetId}");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = "not-an-email", rol = "cajero", activo = true });
+
+        var response = await _client.SendAsync(request);
+
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task PUT_Users_Id_400_Last_Admin_Lockout_With_Error_Key()
+    {
+        var token = await GetAdminTokenAsync();
+        var adminId = await GetAdminIdAsync();
+
+        var request = new HttpRequestMessage(HttpMethod.Put, $"/api/v1/users/{adminId}");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        request.Content = JsonContent.Create(new { nombre = "Admin", apellido = "Sys", email = (string?)null, rol = "cajero", activo = true });
+
+        var response = await _client.SendAsync(request);
+
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+        var body = await response.Content.ReadAsStringAsync();
+        Assert.Contains("last-admin-lockout", body, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public async Task PUT_Users_Id_404_Not_Found()
+    {
+        var token = await GetAdminTokenAsync();
+        var request = new HttpRequestMessage(HttpMethod.Put, "/api/v1/users/9999");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = (string?)null, rol = "cajero", activo = true });
+
+        var response = await _client.SendAsync(request);
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task PUT_Users_Id_403_No_Permission()
+    {
+        var token = await GetCajeroTokenAsync();
+        var request = new HttpRequestMessage(HttpMethod.Put, "/api/v1/users/1");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = (string?)null, rol = "cajero", activo = true });
+
+        var response = await _client.SendAsync(request);
+
+        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task PUT_Users_Id_401_No_Auth()
+    {
+        var request = new HttpRequestMessage(HttpMethod.Put, "/api/v1/users/1");
+        request.Content = JsonContent.Create(new { nombre = "A", apellido = "B", email = (string?)null, rol = "cajero", activo = true });
+
+        var response = await _client.SendAsync(request);
+
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+}

tests/SIGCM2.Application.Tests/Usuarios/UpdateUsuarioCommandHandlerTests.cs

@@ -0,0 +1,139 @@
+using FluentValidation;
+using NSubstitute;
+using NSubstitute.ExceptionExtensions;
+using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Common;
+using SIGCM2.Application.Usuarios.Update;
+using SIGCM2.Domain.Entities;
+using SIGCM2.Domain.Exceptions;
+
+namespace SIGCM2.Application.Tests.Usuarios;
+
+public class UpdateUsuarioCommandHandlerTests
+{
+    private readonly IUsuarioRepository _repo = Substitute.For<IUsuarioRepository>();
+    private readonly IRolRepository _rolRepo = Substitute.For<IRolRepository>();
+    private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
+    private readonly UpdateUsuarioCommandHandler _handler;
+
+    public UpdateUsuarioCommandHandlerTests()
+    {
+        _handler = new UpdateUsuarioCommandHandler(_repo, _rolRepo, _refreshRepo);
+
+        // Default: rol exists and is active
+        _rolRepo.ExistsActiveByCodigoAsync(Arg.Any<string>(), Arg.Any<CancellationToken>()).Returns(true);
+        // Default: 2 active admins (no lockout)
+        _repo.CountActiveAdminsAsync(Arg.Any<CancellationToken>()).Returns(2);
+    }
+
+    private static Usuario MakeUser(int id = 5, string rol = "cajero", bool activo = true)
+        => new(id, "user" + id, "$2a$12$hash", "Test", "User", null, rol, "[]", activo);
+
+    [Fact]
+    public async Task Handle_Happy_Path_Updates_And_Returns_Detail()
+    {
+        var target = MakeUser(5);
+        var updated = new Usuario(5, "user5", "$2a$12$hash", "Pedro", "Gómez", "p@g.com", "cajero", "[]", true);
+
+        _repo.GetByIdAsync(5, Arg.Any<CancellationToken>()).Returns(target);
+        _repo.GetDetailAsync(5, Arg.Any<CancellationToken>()).Returns(updated);
+
+        var cmd = new UpdateUsuarioCommand(5, "Pedro", "Gómez", "p@g.com", "cajero", true);
+        var result = await _handler.Handle(cmd);
+
+        Assert.Equal("Pedro", result.Nombre);
+        await _repo.Received(1).UpdateAsync(5, Arg.Any<UpdateUsuarioFields>(), Arg.Any<DateTime>(), Arg.Any<CancellationToken>());
+    }
+
+    [Fact]
+    public async Task Handle_Throws_UsuarioNotFoundException_When_Target_Not_Found()
+    {
+        _repo.GetByIdAsync(9999, Arg.Any<CancellationToken>()).Returns((Usuario?)null);
+
+        var cmd = new UpdateUsuarioCommand(9999, "A", "B", null, "cajero", true);
+        await Assert.ThrowsAsync<UsuarioNotFoundException>(() => _handler.Handle(cmd));
+    }
+
+    [Fact]
+    public async Task Handle_Throws_LastAdminLockoutException_When_Changing_Role_Of_Last_Admin()
+    {
+        var lastAdmin = MakeUser(1, "admin", true);
+        _repo.GetByIdAsync(1, Arg.Any<CancellationToken>()).Returns(lastAdmin);
+        _repo.CountActiveAdminsAsync(Arg.Any<CancellationToken>()).Returns(1);
+
+        var cmd = new UpdateUsuarioCommand(1, "Admin", "Sys", null, "cajero", true); // changing rol
+        await Assert.ThrowsAsync<LastAdminLockoutException>(() => _handler.Handle(cmd));
+    }
+
+    [Fact]
+    public async Task Handle_Throws_LastAdminLockoutException_When_Deactivating_Last_Admin()
+    {
+        var lastAdmin = MakeUser(1, "admin", true);
+        _repo.GetByIdAsync(1, Arg.Any<CancellationToken>()).Returns(lastAdmin);
+        _repo.CountActiveAdminsAsync(Arg.Any<CancellationToken>()).Returns(1);
+
+        var cmd = new UpdateUsuarioCommand(1, "Admin", "Sys", null, "admin", false); // activo=false
+        await Assert.ThrowsAsync<LastAdminLockoutException>(() => _handler.Handle(cmd));
+    }
+
+    [Fact]
+    public async Task Handle_Allows_Same_Rol_On_Last_Admin()
+    {
+        var lastAdmin = MakeUser(1, "admin", true);
+        var updatedAdmin = new Usuario(1, "user1", "$2a$12$hash", "Admin", "Sys", null, "admin", "[]", true);
+
+        _repo.GetByIdAsync(1, Arg.Any<CancellationToken>()).Returns(lastAdmin);
+        _repo.GetDetailAsync(1, Arg.Any<CancellationToken>()).Returns(updatedAdmin);
+        _repo.CountActiveAdminsAsync(Arg.Any<CancellationToken>()).Returns(1);
+
+        var cmd = new UpdateUsuarioCommand(1, "Admin", "Sys", null, "admin", true); // same rol, same activo
+        var result = await _handler.Handle(cmd); // should NOT throw
+
+        Assert.NotNull(result);
+    }
+
+    [Fact]
+    public async Task Handle_Revokes_Refresh_Tokens_On_Role_Change()
+    {
+        var target = MakeUser(5, "cajero", true);
+        var updated = new Usuario(5, "user5", "$2a$12$hash", "Test", "User", null, "admin", "[]", true);
+
+        _repo.GetByIdAsync(5, Arg.Any<CancellationToken>()).Returns(target);
+        _repo.GetDetailAsync(5, Arg.Any<CancellationToken>()).Returns(updated);
+
+        var cmd = new UpdateUsuarioCommand(5, "Test", "User", null, "admin", true); // rol changed
+        await _handler.Handle(cmd);
+
+        await _refreshRepo.Received(1).RevokeAllActiveForUserAsync(5, Arg.Any<DateTime>(), Arg.Any<CancellationToken>());
+    }
+
+    [Fact]
+    public async Task Handle_Revokes_Refresh_Tokens_When_Deactivating()
+    {
+        var target = MakeUser(5, "cajero", true);
+        var updated = new Usuario(5, "user5", "$2a$12$hash", "Test", "User", null, "cajero", "[]", false);
+
+        _repo.GetByIdAsync(5, Arg.Any<CancellationToken>()).Returns(target);
+        _repo.GetDetailAsync(5, Arg.Any<CancellationToken>()).Returns(updated);
+
+        var cmd = new UpdateUsuarioCommand(5, "Test", "User", null, "cajero", false); // activo=false
+        await _handler.Handle(cmd);
+
+        await _refreshRepo.Received(1).RevokeAllActiveForUserAsync(5, Arg.Any<DateTime>(), Arg.Any<CancellationToken>());
+    }
+
+    [Fact]
+    public async Task Handle_Does_NOT_Revoke_Tokens_On_Name_Only_Change()
+    {
+        var target = MakeUser(5, "cajero", true);
+        var updated = new Usuario(5, "user5", "$2a$12$hash", "Nuevo", "User", null, "cajero", "[]", true);
+
+        _repo.GetByIdAsync(5, Arg.Any<CancellationToken>()).Returns(target);
+        _repo.GetDetailAsync(5, Arg.Any<CancellationToken>()).Returns(updated);
+
+        var cmd = new UpdateUsuarioCommand(5, "Nuevo", "User", null, "cajero", true); // only name changed
+        await _handler.Handle(cmd);
+
+        await _refreshRepo.DidNotReceive().RevokeAllActiveForUserAsync(Arg.Any<int>(), Arg.Any<DateTime>(), Arg.Any<CancellationToken>());
+    }
+}