a281bb2896
Features Added: - Standard e-commerce properties (Price, Weight, shipping fields) - Order management with Create/Edit views and shipping information - ShippingRates system for weight-based shipping calculations - Comprehensive test coverage with JWT authentication tests - Sample data seeder with 5 orders demonstrating full workflow - Photo upload functionality for products - Multi-cryptocurrency payment support (BTC, XMR, USDT, etc.) Database Changes: - Added ShippingRates table - Added shipping fields to Orders (Name, Address, City, PostCode, Country) - Renamed properties to standard names (BasePrice to Price, ProductWeight to Weight) - Added UpdatedAt timestamps to models UI Improvements: - Added Create/Edit views for Orders - Added ShippingRates management UI - Updated navigation menu with Shipping option - Enhanced Order Details view with shipping information Sample Data: - 3 Categories (Electronics, Clothing, Books) - 5 Products with various prices - 5 Shipping rates (Royal Mail options) - 5 Orders in different statuses (Pending to Delivered) - 3 Crypto payments demonstrating payment flow Security: - All API endpoints secured with JWT authentication - No public endpoints - client apps must authenticate - Privacy-focused design with minimal data collection Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
184 lines
5.9 KiB
C#
184 lines
5.9 KiB
C#
using System.Net;
|
|
using System.Net.Http.Headers;
|
|
using FluentAssertions;
|
|
using LittleShop.Tests.Infrastructure;
|
|
using Microsoft.AspNetCore.Mvc.Testing;
|
|
using Xunit;
|
|
|
|
namespace LittleShop.Tests.Security;
|
|
|
|
public class AuthenticationEnforcementTests : IClassFixture<TestWebApplicationFactory>
|
|
{
|
|
private readonly HttpClient _client;
|
|
private readonly TestWebApplicationFactory _factory;
|
|
|
|
public AuthenticationEnforcementTests(TestWebApplicationFactory factory)
|
|
{
|
|
_factory = factory;
|
|
_client = _factory.CreateClient(new WebApplicationFactoryClientOptions
|
|
{
|
|
AllowAutoRedirect = false
|
|
});
|
|
}
|
|
|
|
[Theory]
|
|
[InlineData("/api/catalog/categories")]
|
|
[InlineData("/api/catalog/categories/00000000-0000-0000-0000-000000000001")]
|
|
[InlineData("/api/catalog/products")]
|
|
[InlineData("/api/catalog/products/00000000-0000-0000-0000-000000000001")]
|
|
public async Task CatalogEndpoints_WithoutAuthentication_ShouldReturn401(string url)
|
|
{
|
|
// Act
|
|
var response = await _client.GetAsync(url);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
|
|
}
|
|
|
|
[Theory]
|
|
[InlineData("/api/orders")]
|
|
[InlineData("/api/orders/00000000-0000-0000-0000-000000000001")]
|
|
public async Task AdminOrderEndpoints_WithoutAuthentication_ShouldReturn401(string url)
|
|
{
|
|
// Act
|
|
var response = await _client.GetAsync(url);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
|
|
}
|
|
|
|
[Theory]
|
|
[InlineData("/api/orders/by-identity/test-identity")]
|
|
[InlineData("/api/orders/by-identity/test-identity/00000000-0000-0000-0000-000000000001")]
|
|
[InlineData("/api/orders/00000000-0000-0000-0000-000000000001/payments")]
|
|
[InlineData("/api/orders/payments/00000000-0000-0000-0000-000000000001/status")]
|
|
public async Task PublicOrderEndpoints_WithoutAuthentication_ShouldReturn401(string url)
|
|
{
|
|
// Act
|
|
var response = await _client.GetAsync(url);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task PostOrder_WithoutAuthentication_ShouldReturn401()
|
|
{
|
|
// Act
|
|
var response = await _client.PostAsync("/api/orders", null);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task PostPayment_WithoutAuthentication_ShouldReturn401()
|
|
{
|
|
// Act
|
|
var response = await _client.PostAsync("/api/orders/00000000-0000-0000-0000-000000000001/payments", null);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task PaymentWebhook_WithoutAuthentication_ShouldReturn401()
|
|
{
|
|
// Act
|
|
var response = await _client.PostAsync("/api/orders/payments/webhook", null);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
|
|
}
|
|
|
|
[Theory]
|
|
[InlineData("/api/catalog/categories")]
|
|
[InlineData("/api/catalog/products")]
|
|
public async Task CatalogEndpoints_WithValidJwtToken_ShouldReturn200(string url)
|
|
{
|
|
// Arrange
|
|
var token = JwtTokenHelper.GenerateJwtToken();
|
|
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
|
|
|
|
// Act
|
|
var response = await _client.GetAsync(url);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.OK);
|
|
}
|
|
|
|
[Theory]
|
|
[InlineData("/api/catalog/categories")]
|
|
[InlineData("/api/catalog/products")]
|
|
public async Task CatalogEndpoints_WithExpiredJwtToken_ShouldReturn401(string url)
|
|
{
|
|
// Arrange
|
|
var token = JwtTokenHelper.GenerateExpiredJwtToken();
|
|
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
|
|
|
|
// Act
|
|
var response = await _client.GetAsync(url);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
|
|
}
|
|
|
|
[Theory]
|
|
[InlineData("/api/catalog/categories")]
|
|
[InlineData("/api/catalog/products")]
|
|
public async Task CatalogEndpoints_WithInvalidJwtToken_ShouldReturn401(string url)
|
|
{
|
|
// Arrange
|
|
var token = JwtTokenHelper.GenerateInvalidJwtToken();
|
|
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
|
|
|
|
// Act
|
|
var response = await _client.GetAsync(url);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
|
|
}
|
|
|
|
[Theory]
|
|
[InlineData("/api/catalog/categories")]
|
|
[InlineData("/api/catalog/products")]
|
|
public async Task CatalogEndpoints_WithMalformedToken_ShouldReturn401(string url)
|
|
{
|
|
// Arrange
|
|
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "not-a-valid-jwt-token");
|
|
|
|
// Act
|
|
var response = await _client.GetAsync(url);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task AdminEndpoint_WithUserToken_ShouldReturnForbiddenOrUnauthorized()
|
|
{
|
|
// Arrange
|
|
var token = JwtTokenHelper.GenerateJwtToken(role: "User");
|
|
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
|
|
|
|
// Act
|
|
var response = await _client.GetAsync("/api/orders");
|
|
|
|
// Assert
|
|
response.StatusCode.Should().BeOneOf(HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task AdminEndpoint_WithAdminToken_ShouldReturn200()
|
|
{
|
|
// Arrange
|
|
var token = JwtTokenHelper.GenerateAdminJwtToken();
|
|
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
|
|
|
|
// Act
|
|
var response = await _client.GetAsync("/api/orders");
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.OK);
|
|
}
|
|
} |