feat(backend): add PostgreSQL schema, RLS policies, and multi-tenant middleware

- Add EF Core migrations for initial schema (clubs, members, work_items, shifts, shift_signups) - Implement RLS policies with SET LOCAL for tenant isolation - Add Finbuckle multi-tenant middleware with ClaimStrategy + HeaderStrategy fallback - Create TenantValidationMiddleware to enforce JWT claims match X-Tenant-Id header - Add tenant-aware DB interceptors (SaveChangesTenantInterceptor, TenantDbConnectionInterceptor) - Configure AppDbContext with tenant scoping and RLS support - Add test infrastructure: CustomWebApplicationFactory, TestAuthHandler, DatabaseFixture - Write TDD integration tests for multi-tenant isolation and RLS enforcement - Add health check null safety for connection string Tasks: 7 (PostgreSQL schema + migrations + RLS), 8 (Finbuckle multi-tenancy + validation), 12 (test infrastructure)
2026-03-03 14:32:21 +01:00
parent b9edbb8a65
commit 28964c6767
35 changed files with 4006 additions and 5 deletions
--- a/backend/WorkClub.Tests.Integration/Data/MigrationTests.cs
+++ b/backend/WorkClub.Tests.Integration/Data/MigrationTests.cs
@@ -0,0 +1,138 @@
+using Dapper;
+using Microsoft.EntityFrameworkCore;
+using Npgsql;
+using Testcontainers.PostgreSql;
+using WorkClub.Infrastructure.Data;
+
+namespace WorkClub.Tests.Integration.Data;
+
+public class MigrationTests : IAsyncLifetime
+{
+    private PostgreSqlContainer? _container;
+    private string? _connectionString;
+
+    public async Task InitializeAsync()
+    {
+        _container = new PostgreSqlBuilder()
+            .WithImage("postgres:16-alpine")
+            .Build();
+
+        await _container.StartAsync();
+        _connectionString = _container.GetConnectionString();
+    }
+
+    public async Task DisposeAsync()
+    {
+        if (_container != null)
+        {
+            await _container.DisposeAsync();
+        }
+    }
+
+    [Fact]
+    public async Task Migration_AppliesSuccessfully_CreatesAllTables()
+    {
+        // Arrange
+        var options = new DbContextOptionsBuilder<AppDbContext>()
+            .UseNpgsql(_connectionString)
+            .Options;
+
+        // Act
+        await using var context = new AppDbContext(options);
+        await context.Database.MigrateAsync();
+
+        // Assert - verify all expected tables exist
+        await using var connection = new NpgsqlConnection(_connectionString);
+        var tables = (await connection.QueryAsync<string>(
+            @"SELECT table_name 
+              FROM information_schema.tables 
+              WHERE table_schema = 'public' 
+              ORDER BY table_name")).ToList();
+
+        Assert.Contains("clubs", tables);
+        Assert.Contains("members", tables);
+        Assert.Contains("work_items", tables);
+        Assert.Contains("shifts", tables);
+        Assert.Contains("shift_signups", tables);
+    }
+
+    [Fact]
+    public async Task Migration_CreatesCorrectIndexes()
+    {
+        // Arrange
+        var options = new DbContextOptionsBuilder<AppDbContext>()
+            .UseNpgsql(_connectionString)
+            .Options;
+
+        // Act
+        await using var context = new AppDbContext(options);
+        await context.Database.MigrateAsync();
+
+        // Assert - verify critical indexes exist
+        await using var connection = new NpgsqlConnection(_connectionString);
+        var indexes = (await connection.QueryAsync<string>(
+            @"SELECT indexname 
+              FROM pg_indexes 
+              WHERE schemaname = 'public' 
+              ORDER BY indexname")).ToList();
+
+        // TenantId indexes
+        Assert.Contains(indexes, i => i.Contains("tenant_id"));
+        
+        // ClubId indexes
+        Assert.Contains(indexes, i => i.Contains("club_id"));
+        
+        // Status indexes for WorkItem
+        Assert.Contains(indexes, i => i.Contains("status"));
+    }
+
+    [Fact]
+    public async Task Migration_EnablesRowLevelSecurity()
+    {
+        // Arrange
+        var options = new DbContextOptionsBuilder<AppDbContext>()
+            .UseNpgsql(_connectionString)
+            .Options;
+
+        // Act
+        await using var context = new AppDbContext(options);
+        await context.Database.MigrateAsync();
+
+        // Assert - verify RLS is enabled on tenant tables
+        await using var connection = new NpgsqlConnection(_connectionString);
+        var rlsEnabled = await connection.QueryAsync<(string TableName, bool RlsEnabled)>(
+            @"SELECT relname AS TableName, relrowsecurity AS RlsEnabled
+              FROM pg_class 
+              WHERE relnamespace = 'public'::regnamespace 
+              AND relname IN ('clubs', 'members', 'work_items', 'shifts', 'shift_signups')");
+
+        foreach (var (tableName, enabled) in rlsEnabled)
+        {
+            Assert.True(enabled, $"RLS should be enabled on {tableName}");
+        }
+    }
+
+    [Fact]
+    public async Task Migration_CreatesTenantIsolationPolicy()
+    {
+        // Arrange
+        var options = new DbContextOptionsBuilder<AppDbContext>()
+            .UseNpgsql(_connectionString)
+            .Options;
+
+        // Act
+        await using var context = new AppDbContext(options);
+        await context.Database.MigrateAsync();
+
+        // Assert - verify tenant_isolation policies exist
+        await using var connection = new NpgsqlConnection(_connectionString);
+        var policies = (await connection.QueryAsync<string>(
+            @"SELECT policyname 
+              FROM pg_policies 
+              WHERE schemaname = 'public' 
+              AND policyname = 'tenant_isolation'")).ToList();
+
+        // Should have tenant_isolation policy on all tenant tables
+        Assert.True(policies.Count >= 5, "Should have at least 5 tenant_isolation policies");
+    }
+}
--- a/backend/WorkClub.Tests.Integration/Data/RlsTests.cs
+++ b/backend/WorkClub.Tests.Integration/Data/RlsTests.cs
@@ -0,0 +1,197 @@
+using Dapper;
+using Microsoft.EntityFrameworkCore;
+using Npgsql;
+using Testcontainers.PostgreSql;
+using WorkClub.Domain.Entities;
+using WorkClub.Infrastructure.Data;
+
+namespace WorkClub.Tests.Integration.Data;
+
+public class RlsTests : IAsyncLifetime
+{
+    private PostgreSqlContainer? _container;
+    private string? _connectionString;
+    private string? _adminConnectionString;
+
+    public async Task InitializeAsync()
+    {
+        _container = new PostgreSqlBuilder()
+            .WithImage("postgres:16-alpine")
+            .WithDatabase("workclub")
+            .WithUsername("app_user")
+            .WithPassword("apppass")
+            .Build();
+
+        await _container.StartAsync();
+        _connectionString = _container.GetConnectionString();
+        
+        _adminConnectionString = _connectionString.Replace("app_user", "app_admin")
+            .Replace("apppass", "adminpass");
+
+        await using var adminConn = new NpgsqlConnection(_adminConnectionString);
+        await adminConn.ExecuteAsync("CREATE ROLE app_admin WITH LOGIN PASSWORD 'adminpass' SUPERUSER");
+        await adminConn.ExecuteAsync("GRANT ALL PRIVILEGES ON DATABASE workclub TO app_admin");
+    }
+
+    public async Task DisposeAsync()
+    {
+        if (_container != null)
+        {
+            await _container.DisposeAsync();
+        }
+    }
+
+    [Fact]
+    public async Task RLS_BlocksAccess_WithoutTenantContext()
+    {
+        await SeedTestDataAsync();
+
+        await using var connection = new NpgsqlConnection(_connectionString);
+        await connection.OpenAsync();
+
+        var clubs = (await connection.QueryAsync<Club>(
+            "SELECT * FROM clubs")).ToList();
+
+        Assert.Empty(clubs);
+    }
+
+    [Fact]
+    public async Task RLS_AllowsAccess_WithCorrectTenantContext()
+    {
+        await SeedTestDataAsync();
+
+        await using var connection = new NpgsqlConnection(_connectionString);
+        await connection.OpenAsync();
+        
+        await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-1'");
+
+        var clubs = (await connection.QueryAsync<Club>(
+            "SELECT * FROM clubs WHERE tenant_id = 'tenant-1'")).ToList();
+
+        Assert.NotEmpty(clubs);
+        Assert.All(clubs, c => Assert.Equal("tenant-1", c.TenantId));
+    }
+
+    [Fact]
+    public async Task RLS_IsolatesData_AcrossTenants()
+    {
+        await SeedTestDataAsync();
+
+        await using var connection = new NpgsqlConnection(_connectionString);
+        await connection.OpenAsync();
+        
+        await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-1'");
+        var tenant1Clubs = (await connection.QueryAsync<Club>(
+            "SELECT * FROM clubs")).ToList();
+
+        await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-2'");
+        var tenant2Clubs = (await connection.QueryAsync<Club>(
+            "SELECT * FROM clubs")).ToList();
+
+        Assert.NotEmpty(tenant1Clubs);
+        Assert.NotEmpty(tenant2Clubs);
+        Assert.All(tenant1Clubs, c => Assert.Equal("tenant-1", c.TenantId));
+        Assert.All(tenant2Clubs, c => Assert.Equal("tenant-2", c.TenantId));
+        
+        var tenant1Ids = tenant1Clubs.Select(c => c.Id).ToHashSet();
+        var tenant2Ids = tenant2Clubs.Select(c => c.Id).ToHashSet();
+        Assert.Empty(tenant1Ids.Intersect(tenant2Ids));
+    }
+
+    [Fact]
+    public async Task RLS_CountsCorrectly_PerTenant()
+    {
+        await SeedTestDataAsync();
+
+        await using var connection = new NpgsqlConnection(_connectionString);
+        await connection.OpenAsync();
+        
+        await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-1'");
+        var tenant1Count = await connection.ExecuteScalarAsync<int>(
+            "SELECT COUNT(*) FROM work_items");
+
+        await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-2'");
+        var tenant2Count = await connection.ExecuteScalarAsync<int>(
+            "SELECT COUNT(*) FROM work_items");
+
+        Assert.Equal(5, tenant1Count);
+        Assert.Equal(3, tenant2Count);
+    }
+
+    [Fact]
+    public async Task RLS_AllowsBypass_ForAdminRole()
+    {
+        await SeedTestDataAsync();
+
+        await using var connection = new NpgsqlConnection(_adminConnectionString);
+        await connection.OpenAsync();
+
+        var allClubs = (await connection.QueryAsync<Club>(
+            "SELECT * FROM clubs")).ToList();
+
+        Assert.True(allClubs.Count >= 2);
+        Assert.Contains(allClubs, c => c.TenantId == "tenant-1");
+        Assert.Contains(allClubs, c => c.TenantId == "tenant-2");
+    }
+
+    [Fact]
+    public async Task RLS_HandlesShiftSignups_WithSubquery()
+    {
+        await SeedTestDataAsync();
+
+        await using var connection = new NpgsqlConnection(_connectionString);
+        await connection.OpenAsync();
+        
+        await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-1'");
+        var signups = (await connection.QueryAsync<ShiftSignup>(
+            "SELECT * FROM shift_signups")).ToList();
+
+        Assert.NotEmpty(signups);
+        Assert.All(signups, s => Assert.Equal("tenant-1", s.TenantId));
+    }
+
+    private async Task SeedTestDataAsync()
+    {
+        var options = new DbContextOptionsBuilder<AppDbContext>()
+            .UseNpgsql(_connectionString)
+            .Options;
+
+        await using var context = new AppDbContext(options);
+        await context.Database.MigrateAsync();
+
+        await using var adminConn = new NpgsqlConnection(_adminConnectionString);
+        await adminConn.OpenAsync();
+
+        var club1Id = Guid.NewGuid();
+        var club2Id = Guid.NewGuid();
+        
+        await adminConn.ExecuteAsync(@"
+            INSERT INTO clubs (id, tenant_id, name, sport_type, created_at, updated_at)
+            VALUES (@Id1, 'tenant-1', 'Club 1', 0, NOW(), NOW()),
+                   (@Id2, 'tenant-2', 'Club 2', 1, NOW(), NOW())",
+            new { Id1 = club1Id, Id2 = club2Id });
+
+        await adminConn.ExecuteAsync(@"
+            INSERT INTO work_items (id, tenant_id, title, status, created_by_id, club_id, created_at, updated_at)
+            SELECT gen_random_uuid(), 'tenant-1', 'Task ' || i, 0, gen_random_uuid(), @ClubId, NOW(), NOW()
+            FROM generate_series(1, 5) i",
+            new { ClubId = club1Id });
+
+        await adminConn.ExecuteAsync(@"
+            INSERT INTO work_items (id, tenant_id, title, status, created_by_id, club_id, created_at, updated_at)
+            SELECT gen_random_uuid(), 'tenant-2', 'Task ' || i, 0, gen_random_uuid(), @ClubId, NOW(), NOW()
+            FROM generate_series(1, 3) i",
+            new { ClubId = club2Id });
+
+        var shift1Id = Guid.NewGuid();
+        await adminConn.ExecuteAsync(@"
+            INSERT INTO shifts (id, tenant_id, title, start_time, end_time, club_id, created_by_id, created_at, updated_at)
+            VALUES (@Id, 'tenant-1', 'Shift 1', NOW(), NOW() + interval '2 hours', @ClubId, gen_random_uuid(), NOW(), NOW())",
+            new { Id = shift1Id, ClubId = club1Id });
+
+        await adminConn.ExecuteAsync(@"
+            INSERT INTO shift_signups (id, tenant_id, shift_id, member_id, signed_up_at)
+            VALUES (gen_random_uuid(), 'tenant-1', @ShiftId, gen_random_uuid(), NOW())",
+            new { ShiftId = shift1Id });
+    }
+}
--- a/backend/WorkClub.Tests.Integration/Infrastructure/CustomWebApplicationFactory.cs
+++ b/backend/WorkClub.Tests.Integration/Infrastructure/CustomWebApplicationFactory.cs
@@ -0,0 +1,69 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Mvc.Testing;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Testcontainers.PostgreSql;
+using WorkClub.Infrastructure.Data;
+
+namespace WorkClub.Tests.Integration.Infrastructure;
+
+public class CustomWebApplicationFactory<TProgram> : WebApplicationFactory<TProgram> where TProgram : class
+{
+    private readonly PostgreSqlContainer _postgresContainer = new PostgreSqlBuilder()
+        .WithImage("postgres:16-alpine")
+        .WithDatabase("workclub_test")
+        .WithUsername("test")
+        .WithPassword("test")
+        .Build();
+
+    protected override void ConfigureWebHost(IWebHostBuilder builder)
+    {
+        // Start container (async wait)
+        _postgresContainer.StartAsync().GetAwaiter().GetResult();
+
+        builder.ConfigureAppConfiguration((context, config) =>
+        {
+            // Override connection string for tests
+            config.AddInMemoryCollection(new Dictionary<string, string?>
+            {
+                ["ConnectionStrings:DefaultConnection"] = _postgresContainer.GetConnectionString()
+            });
+        });
+
+        builder.ConfigureServices(services =>
+        {
+            // Remove existing DbContext registration
+            var descriptor = services.SingleOrDefault(d => d.ServiceType == typeof(DbContextOptions<AppDbContext>));
+            if (descriptor != null)
+            {
+                services.Remove(descriptor);
+            }
+
+            // Add Testcontainers DbContext
+            services.AddDbContext<AppDbContext>(options =>
+                options.UseNpgsql(_postgresContainer.GetConnectionString()));
+
+            // Replace authentication with TestAuthHandler
+            services.RemoveAll<IAuthenticationSchemeProvider>();
+            services.AddAuthentication(defaultScheme: "Test")
+                .AddScheme<AuthenticationSchemeOptions, TestAuthHandler>("Test", options => { });
+
+            // Build service provider and ensure database created
+            var sp = services.BuildServiceProvider();
+            using var scope = sp.CreateScope();
+            var db = scope.ServiceProvider.GetRequiredService<AppDbContext>();
+            db.Database.EnsureCreated();
+        });
+
+        builder.UseEnvironment("Test");
+    }
+
+    public override async ValueTask DisposeAsync()
+    {
+        await _postgresContainer.DisposeAsync();
+        await base.DisposeAsync();
+    }
+}
--- a/backend/WorkClub.Tests.Integration/Infrastructure/DatabaseFixture.cs
+++ b/backend/WorkClub.Tests.Integration/Infrastructure/DatabaseFixture.cs
@@ -0,0 +1,19 @@
+namespace WorkClub.Tests.Integration.Infrastructure;
+
+[CollectionDefinition("Database collection")]
+public class DatabaseCollection : ICollectionFixture<DatabaseFixture>
+{
+}
+
+public class DatabaseFixture : IAsyncLifetime
+{
+    public Task InitializeAsync()
+    {
+        return Task.CompletedTask;
+    }
+
+    public Task DisposeAsync()
+    {
+        return Task.CompletedTask;
+    }
+}
--- a/backend/WorkClub.Tests.Integration/Infrastructure/IntegrationTestBase.cs
+++ b/backend/WorkClub.Tests.Integration/Infrastructure/IntegrationTestBase.cs
@@ -0,0 +1,35 @@
+using System.Text.Json;
+
+namespace WorkClub.Tests.Integration.Infrastructure;
+
+public abstract class IntegrationTestBase : IClassFixture<CustomWebApplicationFactory<Program>>, IAsyncLifetime
+{
+    protected readonly HttpClient Client;
+    protected readonly CustomWebApplicationFactory<Program> Factory;
+
+    protected IntegrationTestBase(CustomWebApplicationFactory<Program> factory)
+    {
+        Factory = factory;
+        Client = factory.CreateClient();
+    }
+
+    protected void AuthenticateAs(string email, Dictionary<string, string> clubs)
+    {
+        var clubsJson = JsonSerializer.Serialize(clubs);
+        Client.DefaultRequestHeaders.Remove("X-Test-Clubs");
+        Client.DefaultRequestHeaders.Add("X-Test-Clubs", clubsJson);
+        
+        Client.DefaultRequestHeaders.Remove("X-Test-Email");
+        Client.DefaultRequestHeaders.Add("X-Test-Email", email);
+    }
+
+    protected void SetTenant(string tenantId)
+    {
+        Client.DefaultRequestHeaders.Remove("X-Tenant-Id");
+        Client.DefaultRequestHeaders.Add("X-Tenant-Id", tenantId);
+    }
+
+    public virtual Task InitializeAsync() => Task.CompletedTask;
+
+    public virtual Task DisposeAsync() => Task.CompletedTask;
+}
--- a/backend/WorkClub.Tests.Integration/Infrastructure/TestAuthHandler.cs
+++ b/backend/WorkClub.Tests.Integration/Infrastructure/TestAuthHandler.cs
@@ -0,0 +1,42 @@
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using System.Text.Json;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace WorkClub.Tests.Integration.Infrastructure;
+
+public class TestAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
+{
+    public TestAuthHandler(
+        IOptionsMonitor<AuthenticationSchemeOptions> options,
+        ILoggerFactory logger,
+        UrlEncoder encoder)
+        : base(options, logger, encoder)
+    {
+    }
+
+    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        var clubsClaim = Context.Request.Headers["X-Test-Clubs"].ToString();
+        var emailClaim = Context.Request.Headers["X-Test-Email"].ToString();
+
+        var claims = new List<Claim>
+        {
+            new Claim(ClaimTypes.NameIdentifier, "test-user"),
+            new Claim(ClaimTypes.Email, string.IsNullOrEmpty(emailClaim) ? "test@test.com" : emailClaim),
+        };
+
+        if (!string.IsNullOrEmpty(clubsClaim))
+        {
+            claims.Add(new Claim("clubs", clubsClaim));
+        }
+
+        var identity = new ClaimsIdentity(claims, "Test");
+        var principal = new ClaimsPrincipal(identity);
+        var ticket = new AuthenticationTicket(principal, "Test");
+
+        return Task.FromResult(AuthenticateResult.Success(ticket));
+    }
+}
--- a/backend/WorkClub.Tests.Integration/Middleware/TenantValidationTests.cs
+++ b/backend/WorkClub.Tests.Integration/Middleware/TenantValidationTests.cs
@@ -0,0 +1,194 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Net;
+using System.Net.Http.Headers;
+using System.Security.Claims;
+using System.Text;
+using System.Text.Json;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Mvc.Testing;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.IdentityModel.Tokens;
+using Xunit;
+
+namespace WorkClub.Tests.Integration.Middleware;
+
+public class TenantValidationTests : IClassFixture<CustomWebApplicationFactory>
+{
+    private readonly CustomWebApplicationFactory _factory;
+    private readonly HttpClient _client;
+
+    public TenantValidationTests(CustomWebApplicationFactory factory)
+    {
+        _factory = factory;
+        _client = factory.CreateClient();
+    }
+
+    [Fact]
+    public async Task Request_WithValidTenantId_Returns200()
+    {
+        // Arrange: Create JWT with clubs claim containing club-1
+        var clubs = new Dictionary<string, string>
+        {
+            { "club-1", "admin" }
+        };
+        var token = CreateTestJwt(clubs);
+        
+        _client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        _client.DefaultRequestHeaders.Add("X-Tenant-Id", "club-1");
+
+        // Act: Make request to test endpoint
+        var response = await _client.GetAsync("/api/test");
+
+        // Assert: Request should succeed
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task Request_WithNonMemberTenantId_Returns403()
+    {
+        // Arrange: Create JWT with clubs claim (only club-1, not club-2)
+        var clubs = new Dictionary<string, string>
+        {
+            { "club-1", "admin" }
+        };
+        var token = CreateTestJwt(clubs);
+        
+        _client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        _client.DefaultRequestHeaders.Add("X-Tenant-Id", "club-2"); // User not member of club-2
+
+        // Act
+        var response = await _client.GetAsync("/api/test");
+
+        // Assert: Cross-tenant access should be denied
+        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task Request_WithoutTenantIdHeader_Returns400()
+    {
+        // Arrange: Create valid JWT but no X-Tenant-Id header
+        var clubs = new Dictionary<string, string>
+        {
+            { "club-1", "admin" }
+        };
+        var token = CreateTestJwt(clubs);
+        
+        _client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        // No X-Tenant-Id header
+
+        // Act
+        var response = await _client.GetAsync("/api/test");
+
+        // Assert: Missing header should return bad request
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task Request_WithoutAuthentication_Returns401()
+    {
+        // Arrange: No authorization header
+        _client.DefaultRequestHeaders.Add("X-Tenant-Id", "club-1");
+
+        // Act
+        var response = await _client.GetAsync("/api/test");
+
+        // Assert: Unauthenticated request should be denied
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+
+    private static string CreateTestJwt(Dictionary<string, string> clubs)
+    {
+        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("test-secret-key-for-jwt-signing-must-be-at-least-32-chars"));
+        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
+
+        var claims = new List<Claim>
+        {
+            new Claim(ClaimTypes.NameIdentifier, "test-user-id"),
+            new Claim(ClaimTypes.Name, "test@test.com"),
+            new Claim("clubs", JsonSerializer.Serialize(clubs)) // JSON object claim
+        };
+
+        var token = new JwtSecurityToken(
+            issuer: "test-issuer",
+            audience: "test-audience",
+            claims: claims,
+            expires: DateTime.UtcNow.AddHours(1),
+            signingCredentials: creds
+        );
+
+        return new JwtSecurityTokenHandler().WriteToken(token);
+    }
+}
+
+/// <summary>
+/// Custom WebApplicationFactory for integration testing with test authentication.
+/// </summary>
+public class CustomWebApplicationFactory : WebApplicationFactory<Program>
+{
+    protected override void ConfigureWebHost(IWebHostBuilder builder)
+    {
+        builder.ConfigureTestServices(services =>
+        {
+            services.AddAuthentication("TestScheme")
+                .AddScheme<AuthenticationSchemeOptions, TestAuthHandler>("TestScheme", options => { });
+            
+            services.AddAuthorization();
+        });
+
+        builder.UseEnvironment("Testing");
+    }
+}
+
+/// <summary>
+/// Test authentication handler that validates JWT tokens without Keycloak.
+/// </summary>
+public class TestAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
+{
+    public TestAuthHandler(
+        Microsoft.Extensions.Options.IOptionsMonitor<AuthenticationSchemeOptions> options,
+        Microsoft.Extensions.Logging.ILoggerFactory logger,
+        System.Text.Encodings.Web.UrlEncoder encoder)
+        : base(options, logger, encoder)
+    {
+    }
+
+    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        var authHeader = Request.Headers.Authorization.ToString();
+        
+        if (string.IsNullOrEmpty(authHeader) || !authHeader.StartsWith("Bearer "))
+        {
+            return Task.FromResult(AuthenticateResult.NoResult());
+        }
+
+        var token = authHeader.Substring("Bearer ".Length).Trim();
+        
+        try
+        {
+            var handler = new JwtSecurityTokenHandler();
+            var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("test-secret-key-for-jwt-signing-must-be-at-least-32-chars"));
+            
+            var validationParameters = new TokenValidationParameters
+            {
+                ValidateIssuer = true,
+                ValidateAudience = true,
+                ValidateLifetime = true,
+                ValidateIssuerSigningKey = true,
+                ValidIssuer = "test-issuer",
+                ValidAudience = "test-audience",
+                IssuerSigningKey = key
+            };
+
+            var principal = handler.ValidateToken(token, validationParameters, out _);
+            var ticket = new AuthenticationTicket(principal, "TestScheme");
+            
+            return Task.FromResult(AuthenticateResult.Success(ticket));
+        }
+        catch (Exception ex)
+        {
+            return Task.FromResult(AuthenticateResult.Fail(ex.Message));
+        }
+    }
+}
--- a/backend/WorkClub.Tests.Integration/SmokeTests.cs
+++ b/backend/WorkClub.Tests.Integration/SmokeTests.cs
@@ -0,0 +1,18 @@
+using System.Net;
+using WorkClub.Tests.Integration.Infrastructure;
+
+namespace WorkClub.Tests.Integration;
+
+public class SmokeTests : IntegrationTestBase
+{
+    public SmokeTests(CustomWebApplicationFactory<Program> factory) : base(factory)
+    {
+    }
+
+    [Fact]
+    public async Task HealthCheck_ReturnsOk()
+    {
+        var response = await Client.GetAsync("/health/live");
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+}
--- a/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj
+++ b/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj
@@ -9,6 +9,7 @@

  <ItemGroup>
    <PackageReference Include="coverlet.collector" Version="6.0.4" />
+    <PackageReference Include="Dapper" Version="2.1.66" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.0" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
    <PackageReference Include="Testcontainers.PostgreSql" Version="3.7.0" />