Failing tests for the BFF walking-skeleton endpoints: - POST /self-service/registrations rejects missing/malformed/wrong-key/expired tokens (401) and, with a valid digid token, forwards the bsn to the domain and returns 202 (WebApplicationFactory + a local test signing key, ADR-0010). - GET /openbaar/register serves public-safe rows anonymously (never the bsn) and filters by q. - OpenbaarProjection.PublicView (pure) filters by id and maps to id+status only. Endpoints and PublicView are stubs so the tests compile and fail on their assertions; the green commit implements them. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
39 lines
1.3 KiB
C#
39 lines
1.3 KiB
C#
using System.Net;
|
|
using System.Net.Http.Json;
|
|
using Bff.Api;
|
|
|
|
namespace Bff.Tests;
|
|
|
|
public class OpenbaarEndpointTests
|
|
{
|
|
[Fact]
|
|
public async Task Serves_public_safe_rows_anonymously()
|
|
{
|
|
using var factory = new BffFactory();
|
|
factory.Projection.Entries.Add(new ProjectionEntry("abc-111", "INGEDIEND", "123456782", "Jan"));
|
|
|
|
// No Authorization header — the openbaar register is a public lookup (ADR-0010/S-09).
|
|
var response = await factory.CreateClient().GetAsync("/openbaar/register");
|
|
|
|
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
|
var body = await response.Content.ReadAsStringAsync();
|
|
Assert.Contains("abc-111", body);
|
|
Assert.Contains("INGEDIEND", body);
|
|
// The bsn must never appear in a public response.
|
|
Assert.DoesNotContain("123456782", body);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Filters_by_the_query_parameter()
|
|
{
|
|
using var factory = new BffFactory();
|
|
factory.Projection.Entries.Add(new ProjectionEntry("abc-111", "INGEDIEND", null, null));
|
|
factory.Projection.Entries.Add(new ProjectionEntry("def-222", "INGEDIEND", null, null));
|
|
|
|
var rows = await factory.CreateClient()
|
|
.GetFromJsonAsync<List<OpenbaarEntry>>("/openbaar/register?q=abc");
|
|
|
|
Assert.Equal("abc-111", Assert.Single(rows!).Id);
|
|
}
|
|
}
|