test(bff): acceptance scenario for BFF access (valid/invalid tokens) (refs #8)

Use-case-level BDD (Reqnroll) driving the real BFF over HTTP with fake downstreams
and locally-minted tokens: a valid DigiD token is accepted and the bsn forwarded
to the domain; a tokenless submit is 401; the openbaar register is anonymous and
never exposes the bsn (ADR-0010). Real Keycloak validation is the verify-bff check.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-07-01 11:03:37 +02:00
parent d767430ad7
commit 5d32d4f15e
4 changed files with 188 additions and 0 deletions

View File

@@ -0,0 +1,83 @@
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using Acceptance.Support;
using Bff.Api;
using Reqnroll;
using Xunit;
namespace Acceptance.Steps;
/// <summary>Bindings for <c>BffToegang.feature</c> (S-07). Drives the real BFF over HTTP with a
/// fake domain + projection and locally-minted tokens (ADR-0010). One host per scenario.</summary>
[Binding]
public sealed class BffToegangSteps : IDisposable
{
private readonly BffAcceptanceHost _host = new();
private HttpClient _client = null!;
private string? _token;
private HttpResponseMessage? _response;
[Given("a zorgprofessional with a valid DigiD token for BSN \"(.*)\"")]
public void GivenAValidToken(string bsn)
{
_token = BffAcceptanceHost.MintToken(bsn);
_client = _host.CreateClient();
}
[Given("a caller without a token")]
public void GivenNoToken() => _client = _host.CreateClient();
[Given("the projection contains a zaak \"(.*)\" for BSN \"(.*)\"")]
public void GivenTheProjectionContains(string zaakId, string bsn)
{
_host.Projection.Entries.Add(new ProjectionEntry(zaakId, "INGEDIEND", bsn, null));
_client = _host.CreateClient();
}
[When("they submit a registration via the BFF")]
public async Task WhenTheySubmit()
{
var request = new HttpRequestMessage(HttpMethod.Post, "/self-service/registrations")
{
Content = JsonContent.Create(new { }),
};
if (_token is not null)
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _token);
_response = await _client.SendAsync(request);
}
[When("the openbaar register is queried anonymously")]
public async Task WhenTheOpenbaarRegisterIsQueried()
=> _response = await _client.GetAsync("/openbaar/register");
[Then("the BFF accepts it and forwards BSN \"(.*)\" to the domain")]
public void ThenAcceptedAndForwarded(string bsn)
{
Assert.Equal(HttpStatusCode.Accepted, _response!.StatusCode);
Assert.Equal(bsn, _host.Domain.SubmittedBsn);
}
[Then("the BFF rejects it as unauthorized")]
public void ThenUnauthorized()
{
Assert.Equal(HttpStatusCode.Unauthorized, _response!.StatusCode);
Assert.Null(_host.Domain.SubmittedBsn);
}
[Then("the response lists \"(.*)\" without exposing the BSN")]
public async Task ThenListsWithoutBsn(string zaakId)
{
Assert.Equal(HttpStatusCode.OK, _response!.StatusCode);
var body = await _response.Content.ReadAsStringAsync();
Assert.Contains(zaakId, body);
Assert.DoesNotContain("123456782", body);
}
public void Dispose()
{
_response?.Dispose();
_client?.Dispose();
_host.Dispose();
}
}