test(audit): add 401 unauthenticated tests for createUser, adminUpdateUser, deleteUser

Regression guards verifying that Spring Security returns 401 (not 200) when no credentials are provided, complementing the existing 403 permission tests. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-26 17:44:03 +02:00
parent a6c8af0971
commit ce41e96a45
1 changed files with 24 additions and 0 deletions
--- a/backend/src/test/java/org/raddatz/familienarchiv/controller/UserControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/controller/UserControllerTest.java
@@ -133,4 +133,28 @@ class UserControllerTest {
        mockMvc.perform(delete("/api/users/" + UUID.randomUUID()))
                .andExpect(status().isForbidden());
    }
+
+    // ─── unauthenticated access ───────────────────────────────────────────────
+
+    @Test
+    void createUser_returns401_whenUnauthenticated() throws Exception {
+        mockMvc.perform(post("/api/users")
+                        .contentType(org.springframework.http.MediaType.APPLICATION_JSON)
+                        .content("{\"email\":\"x@x.com\",\"initialPassword\":\"secret123\"}"))
+                .andExpect(status().isUnauthorized());
+    }
+
+    @Test
+    void adminUpdateUser_returns401_whenUnauthenticated() throws Exception {
+        mockMvc.perform(put("/api/users/" + UUID.randomUUID())
+                        .contentType(org.springframework.http.MediaType.APPLICATION_JSON)
+                        .content("{}"))
+                .andExpect(status().isUnauthorized());
+    }
+
+    @Test
+    void deleteUser_returns401_whenUnauthenticated() throws Exception {
+        mockMvc.perform(delete("/api/users/" + UUID.randomUUID()))
+                .andExpect(status().isUnauthorized());
+    }
 }