Reorganize tests by API and service concerns

2026-02-24 23:46:47 +01:00
parent 885121723d
commit 50f56fdab7
20 changed files with 897 additions and 799 deletions
--- a/RpgRoller.Tests/Api/RollVisibilityApiTests.cs
+++ b/RpgRoller.Tests/Api/RollVisibilityApiTests.cs
@@ -0,0 +1,91 @@
+using Microsoft.AspNetCore.Mvc.Testing;
+
+namespace RpgRoller.Tests;
+
+public sealed class RollVisibilityApiTests : ApiTestBase
+{
+    public RollVisibilityApiTests(WebApplicationFactory<Program> factory)
+        : base(factory)
+    {
+    }
+
+    [Fact]
+    public async Task RollVisibilityAndAuthorization_AreEnforced()
+    {
+        using var factory = CreateFactory(4, 3, 5, 2, 6);
+        using var gmClient = factory.CreateClient(new WebApplicationFactoryClientOptions { AllowAutoRedirect = false });
+        using var playerClient = factory.CreateClient(new WebApplicationFactoryClientOptions { AllowAutoRedirect = false });
+        using var observerClient = factory.CreateClient(new WebApplicationFactoryClientOptions { AllowAutoRedirect = false });
+        using var outsiderClient = factory.CreateClient(new WebApplicationFactoryClientOptions { AllowAutoRedirect = false });
+
+        await RegisterAsync(gmClient, "gm", "Password123", "GM");
+        await LoginAsync(gmClient, "gm", "Password123");
+        var campaign = await PostAsync<CreateCampaignRequest, CampaignSummary>(
+            gmClient,
+            "/api/campaigns",
+            new CreateCampaignRequest("Main", "d6"));
+
+        await RegisterAsync(playerClient, "player", "Password123", "Player");
+        await LoginAsync(playerClient, "player", "Password123");
+        var playerCharacter = await PostAsync<CreateCharacterRequest, CharacterSummary>(
+            playerClient,
+            "/api/characters",
+            new CreateCharacterRequest("Rogue", campaign.Id));
+
+        var skill = await PostAsync<CreateSkillRequest, SkillSummary>(
+            playerClient,
+            $"/api/characters/{playerCharacter.Id}/skills",
+            new CreateSkillRequest("Stealth", "2D+1"));
+
+        await RegisterAsync(observerClient, "observer", "Password123", "Observer");
+        await LoginAsync(observerClient, "observer", "Password123");
+        await PostAsync<CreateCharacterRequest, CharacterSummary>(
+            observerClient,
+            "/api/characters",
+            new CreateCharacterRequest("Watcher", campaign.Id));
+
+        var privateRoll = await PostAsync<RollSkillRequest, RollResult>(
+            playerClient,
+            $"/api/skills/{skill.Id}/roll",
+            new RollSkillRequest("private"));
+        var publicRoll = await PostAsync<RollSkillRequest, RollResult>(
+            playerClient,
+            $"/api/skills/{skill.Id}/roll",
+            new RollSkillRequest("public"));
+
+        Assert.Equal("private", privateRoll.Visibility);
+        Assert.Equal("public", publicRoll.Visibility);
+
+        var gmLog = await GetAsync<IReadOnlyList<CampaignLogEntry>>(gmClient, $"/api/campaigns/{campaign.Id}/log");
+        Assert.Equal(2, gmLog.Count);
+
+        var playerLog = await GetAsync<IReadOnlyList<CampaignLogEntry>>(playerClient, $"/api/campaigns/{campaign.Id}/log");
+        Assert.Equal(2, playerLog.Count);
+
+        var observerLog = await GetAsync<IReadOnlyList<CampaignLogEntry>>(observerClient, $"/api/campaigns/{campaign.Id}/log");
+        Assert.Single(observerLog);
+        Assert.Equal("public", observerLog[0].Visibility);
+
+        await RegisterAsync(outsiderClient, "outsider", "Password123", "Outsider");
+        await LoginAsync(outsiderClient, "outsider", "Password123");
+
+        var forbiddenCampaign = await outsiderClient.GetAsync($"/api/campaigns/{campaign.Id}");
+        Assert.Equal(HttpStatusCode.BadRequest, forbiddenCampaign.StatusCode);
+
+        var invalidVisibility = await playerClient.PostAsJsonAsync(
+            $"/api/skills/{skill.Id}/roll",
+            new RollSkillRequest("hidden"));
+        Assert.Equal(HttpStatusCode.BadRequest, invalidVisibility.StatusCode);
+
+        using var anonymousClient = factory.CreateClient(new WebApplicationFactoryClientOptions { AllowAutoRedirect = false });
+        var unauthorizedCampaignCreate = await anonymousClient.PostAsJsonAsync(
+            "/api/campaigns",
+            new CreateCampaignRequest("Nope", "d6"));
+        Assert.Equal(HttpStatusCode.Unauthorized, unauthorizedCampaignCreate.StatusCode);
+
+        var invalidSessionRequest = new HttpRequestMessage(HttpMethod.Get, "/api/campaigns");
+        invalidSessionRequest.Headers.Add("Cookie", "rpgroller_session=invalid-token");
+        var unauthorizedWithInvalidSession = await anonymousClient.SendAsync(invalidSessionRequest);
+        Assert.Equal(HttpStatusCode.Unauthorized, unauthorizedWithInvalidSession.StatusCode);
+    }
+}