2026-03-03 14:27:30 +01:00
|
|
|
using System.Net;
|
|
|
|
|
using System.Text;
|
2026-03-06 09:19:32 +01:00
|
|
|
using WorkClub.Tests.Integration.Infrastructure;
|
2026-03-03 14:27:30 +01:00
|
|
|
|
|
|
|
|
namespace WorkClub.Tests.Integration.Auth;
|
|
|
|
|
|
2026-03-06 09:19:32 +01:00
|
|
|
public class AuthorizationTests : IntegrationTestBase
|
2026-03-03 14:27:30 +01:00
|
|
|
{
|
2026-03-06 09:19:32 +01:00
|
|
|
public AuthorizationTests(CustomWebApplicationFactory<Program> factory) : base(factory)
|
2026-03-03 14:27:30 +01:00
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[Fact]
|
|
|
|
|
public async Task AdminCanAccessAdminEndpoints_Returns200()
|
|
|
|
|
{
|
2026-03-06 09:19:32 +01:00
|
|
|
AuthenticateAs("admin@test.com", new Dictionary<string, string> { ["club-1"] = "admin" });
|
|
|
|
|
SetTenant("club-1");
|
2026-03-03 14:27:30 +01:00
|
|
|
|
2026-03-06 09:19:32 +01:00
|
|
|
var response = await Client.GetAsync("/health/ready");
|
2026-03-03 14:27:30 +01:00
|
|
|
|
|
|
|
|
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[Fact]
|
|
|
|
|
public async Task MemberCannotAccessAdminEndpoints_Returns403()
|
|
|
|
|
{
|
2026-03-06 09:19:32 +01:00
|
|
|
AuthenticateAs("member@test.com", new Dictionary<string, string> { ["club-1"] = "member" });
|
|
|
|
|
SetTenant("club-1");
|
2026-03-03 14:27:30 +01:00
|
|
|
|
2026-03-06 09:19:32 +01:00
|
|
|
var response = await Client.GetAsync("/admin/test");
|
2026-03-03 14:27:30 +01:00
|
|
|
|
2026-03-06 09:19:32 +01:00
|
|
|
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
|
2026-03-03 14:27:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[Fact]
|
|
|
|
|
public async Task ViewerCanOnlyRead_PostReturns403()
|
|
|
|
|
{
|
2026-03-06 09:19:32 +01:00
|
|
|
AuthenticateAs("viewer@test.com", new Dictionary<string, string> { ["club-1"] = "viewer" });
|
|
|
|
|
SetTenant("club-1");
|
2026-03-03 14:27:30 +01:00
|
|
|
|
|
|
|
|
var content = new StringContent("{}", Encoding.UTF8, "application/json");
|
2026-03-06 09:19:32 +01:00
|
|
|
var response = await Client.PostAsync("/api/tasks", content);
|
2026-03-03 14:27:30 +01:00
|
|
|
|
|
|
|
|
Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[Fact]
|
|
|
|
|
public async Task UnauthenticatedUser_Returns401()
|
|
|
|
|
{
|
2026-03-06 09:19:32 +01:00
|
|
|
AuthenticateAsUnauthenticated();
|
2026-03-03 14:27:30 +01:00
|
|
|
|
2026-03-06 09:19:32 +01:00
|
|
|
var response = await Client.GetAsync("/api/tasks");
|
2026-03-03 14:27:30 +01:00
|
|
|
|
|
|
|
|
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[Fact]
|
|
|
|
|
public async Task HealthEndpointsArePublic_NoAuthRequired()
|
|
|
|
|
{
|
2026-03-06 09:19:32 +01:00
|
|
|
AuthenticateAsUnauthenticated();
|
2026-03-03 14:27:30 +01:00
|
|
|
|
2026-03-06 09:19:32 +01:00
|
|
|
var liveResponse = await Client.GetAsync("/health/live");
|
|
|
|
|
var readyResponse = await Client.GetAsync("/health/ready");
|
|
|
|
|
var startupResponse = await Client.GetAsync("/health/startup");
|
2026-03-03 14:27:30 +01:00
|
|
|
|
|
|
|
|
Assert.Equal(HttpStatusCode.OK, liveResponse.StatusCode);
|
|
|
|
|
Assert.Equal(HttpStatusCode.OK, readyResponse.StatusCode);
|
|
|
|
|
Assert.Equal(HttpStatusCode.OK, startupResponse.StatusCode);
|
|
|
|
|
}
|
|
|
|
|
}
|
