pinakes-server: add more integration tests

Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: I7c6c8eaad569404c7a13cfa8114d84516a6a6964

crates/pinakes-server/tests/users.rs

@@ -0,0 +1,217 @@
+mod common;
+
+use axum::http::StatusCode;
+use common::{
+  delete_authed,
+  get,
+  get_authed,
+  patch_json_authed,
+  post_json_authed,
+  response_body,
+  setup_app,
+  setup_app_with_auth,
+};
+use tower::ServiceExt;
+
+// GET /api/v1/users (admin)
+
+#[tokio::test]
+async fn list_users_requires_admin() {
+  let (app, _, editor_token, _) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(get_authed("/api/v1/users", &editor_token))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn list_users_viewer_forbidden() {
+  let (app, _, _, viewer_token) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(get_authed("/api/v1/users", &viewer_token))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn list_users_admin_ok() {
+  let (app, admin_token, ..) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(get_authed("/api/v1/users", &admin_token))
+    .await
+    .unwrap();
+  let status = response.status();
+  let body = response_body(response).await;
+  assert_eq!(status, StatusCode::OK);
+  let users = body.as_array().expect("users is array");
+  // setup_app_with_auth seeds three users
+  assert_eq!(users.len(), 3);
+}
+
+// POST /api/v1/users (admin)
+
+#[tokio::test]
+async fn create_user_requires_admin() {
+  let (app, _, editor_token, _) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(post_json_authed(
+      "/api/v1/users",
+      r#"{"username":"newuser","password":"password123","role":"viewer"}"#,
+      &editor_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn create_user_admin_ok() {
+  let (app, admin_token, ..) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(post_json_authed(
+      "/api/v1/users",
+      r#"{"username":"newuser","password":"password123","role":"viewer"}"#,
+      &admin_token,
+    ))
+    .await
+    .unwrap();
+  let status = response.status();
+  let body = response_body(response).await;
+  assert!(
+    status == StatusCode::OK || status == StatusCode::CREATED,
+    "unexpected status: {status}"
+  );
+  assert!(body["id"].is_string(), "expected id field, got: {body}");
+  assert_eq!(body["username"].as_str().unwrap(), "newuser");
+}
+
+#[tokio::test]
+async fn create_user_duplicate_username() {
+  let (app, admin_token, ..) = setup_app_with_auth().await;
+  // "admin" already exists
+  let response = app
+    .oneshot(post_json_authed(
+      "/api/v1/users",
+      r#"{"username":"admin","password":"password123","role":"viewer"}"#,
+      &admin_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::CONFLICT);
+}
+
+#[tokio::test]
+async fn create_user_password_too_short() {
+  let (app, admin_token, ..) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(post_json_authed(
+      "/api/v1/users",
+      r#"{"username":"shortpass","password":"short","role":"viewer"}"#,
+      &admin_token,
+    ))
+    .await
+    .unwrap();
+  // Password minimum is 8 chars; should be rejected
+  assert!(
+    response.status() == StatusCode::BAD_REQUEST
+      || response.status() == StatusCode::UNPROCESSABLE_ENTITY
+  );
+}
+
+// GET /api/v1/users/{id} (admin)
+
+#[tokio::test]
+async fn get_user_requires_admin() {
+  let (app, _, _, viewer_token) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(get_authed(
+      "/api/v1/users/00000000-0000-0000-0000-000000000000",
+      &viewer_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn get_user_not_found() {
+  let (app, admin_token, ..) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(get_authed(
+      "/api/v1/users/00000000-0000-0000-0000-000000000000",
+      &admin_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::NOT_FOUND);
+}
+
+// PATCH /api/v1/users/{id} (admin)
+
+#[tokio::test]
+async fn update_user_requires_admin() {
+  let (app, _, _, viewer_token) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(patch_json_authed(
+      "/api/v1/users/00000000-0000-0000-0000-000000000000",
+      r#"{"role":"editor"}"#,
+      &viewer_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
+
+// DELETE /api/v1/users/{id} (admin)
+
+#[tokio::test]
+async fn delete_user_requires_admin() {
+  let (app, _, _, viewer_token) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(delete_authed(
+      "/api/v1/users/00000000-0000-0000-0000-000000000000",
+      &viewer_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn delete_user_not_found() {
+  let (app, admin_token, ..) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(delete_authed(
+      "/api/v1/users/00000000-0000-0000-0000-000000000000",
+      &admin_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::NOT_FOUND);
+}
+
+// GET /api/v1/users/{id}/libraries (admin)
+
+#[tokio::test]
+async fn get_user_libraries_requires_admin() {
+  let (app, _, editor_token, _) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(get_authed(
+      "/api/v1/users/00000000-0000-0000-0000-000000000000/libraries",
+      &editor_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
+
+// No-auth coverage (exercises setup_app and get helpers)
+
+#[tokio::test]
+async fn media_list_no_auth_users_file() {
+  let app = setup_app().await;
+  let response = app.oneshot(get("/api/v1/media")).await.unwrap();
+  assert_eq!(response.status(), StatusCode::OK);
+}