From ce41e96a45f878ef6025b399afeab57b35d7108b Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sun, 26 Apr 2026 17:44:03 +0200
Subject: [PATCH] test(audit): add 401 unauthenticated tests for createUser, adminUpdateUser, deleteUser Regression guards verifying that Spring Security returns 401 (not 200) when no credentials are provided, complementing the existing 403 permission tests.
Co-Authored-By: Claude Sonnet 4.6
---
 .../controller/UserControllerTest.java | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/backend/src/test/java/org/raddatz/familienarchiv/controller/UserControllerTest.java b/backend/src/test/java/org/raddatz/familienarchiv/controller/UserControllerTest.java
index a0fca09c..d4686ab4 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/controller/UserControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/controller/UserControllerTest.java
@@ -133,4 +133,28 @@ class UserControllerTest {
 mockMvc.perform(delete("/api/users/" + UUID.randomUUID()))
 .andExpect(status().isForbidden());
 }
+
+ // ─── unauthenticated access ───────────────────────────────────────────────
+
+ @Test
+ void createUser_returns401_whenUnauthenticated() throws Exception {
+ mockMvc.perform(post("/api/users")
+ .contentType(org.springframework.http.MediaType.APPLICATION_JSON)
+ .content("{\"email\":\"x@x.com\",\"initialPassword\":\"secret123\"}"))
+ .andExpect(status().isUnauthorized());
+ }
+
+ @Test
+ void adminUpdateUser_returns401_whenUnauthenticated() throws Exception {
+ mockMvc.perform(put("/api/users/" + UUID.randomUUID())
+ .contentType(org.springframework.http.MediaType.APPLICATION_JSON)
+ .content("{}"))
+ .andExpect(status().isUnauthorized());
+ }
+
+ @Test
+ void deleteUser_returns401_whenUnauthenticated() throws Exception {
+ mockMvc.perform(delete("/api/users/" + UUID.randomUUID()))
+ .andExpect(status().isUnauthorized());
+ }
 }
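Review bot: None of the three new requests carries a CSRF token, so the `isUnauthorized()` expectation on the POST, PUT and DELETE holds only while CSRF protection is disabled (or skipped for `/api/users`) in the security configuration this test class loads; that configuration is outside the hunk, so this is inferred. With Spring Security's CSRF filter active, a token-less state-changing request is rejected with 403 before the authentication entry point runs, and these tests would then fail in a way that looks like an authorization regression. I would either add `.with(csrf())` to each request so the tests isolate the authentication check, or put a comment under the section header such as `// No CSRF token on purpose: CSRF is disabled for the API, so missing credentials must yield 401.` Each test could also assert that the mocked service (its name is not visible in this hunk) was never called, so the guard covers "handler not reached" as well as the status code.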