fix(api): return 422 for validation errors with serializable payloads [FASE-3.3]

2026-05-18 14:16:53 +02:00
parent 6b076f52b2
commit 5b29c2fc56
3 changed files with 86 additions and 5 deletions
--- a/backend/tests/test_security_validators.py
+++ b/backend/tests/test_security_validators.py
@@ -42,6 +42,14 @@ class TestUsernameValidation:
        with pytest.raises(ValidationError, match="3-50 characters"):
            UserCreate(username="john@doe", password="SecurePass123!@#")

+    def test_reserved_username_system(self):
+        with pytest.raises(ValidationError):
+            UserCreate(username="system", password="SecurePass123!@#")
+
+    def test_invalid_username_path_chars(self):
+        with pytest.raises(ValidationError):
+            UserCreate(username="../admin", password="SecurePass123!@#")
+
    def test_reserved_username_admin(self):
        with pytest.raises(ValidationError, match="reserved"):
            UserCreate(username="admin", password="SecurePass123!@#")
--- a/backend/tests/test_user_api_validation.py
+++ b/backend/tests/test_user_api_validation.py
@@ -0,0 +1,59 @@
+"""API-level validation tests for user creation (SEC-004, SEC-007)."""
+
+
+def test_create_user_weak_password_rejected(client, admin_user, admin_token):
+    response = client.post(
+        "/api/v1/users",
+        json={
+            "username": "newuser",
+            "password": "123",
+            "email": "new@test.com",
+            "role": "viewer",
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert response.status_code == 422
+    assert "password" in response.text.lower()
+
+
+def test_create_user_reserved_username(client, admin_user, admin_token):
+    response = client.post(
+        "/api/v1/users",
+        json={
+            "username": "system",
+            "password": "SecurePass123!@#",
+            "email": "sys@test.com",
+            "role": "viewer",
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert response.status_code == 422
+
+
+def test_create_user_invalid_username_chars(client, admin_user, admin_token):
+    response = client.post(
+        "/api/v1/users",
+        json={
+            "username": "../admin",
+            "password": "SecurePass123!@#",
+            "email": "bad@test.com",
+            "role": "viewer",
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert response.status_code == 422
+
+
+def test_create_user_valid_password_accepted(client, admin_user, admin_token):
+    response = client.post(
+        "/api/v1/users",
+        json={
+            "username": "validuser99",
+            "password": "ValidPass123!@#",
+            "email": "valid@test.com",
+            "role": "viewer",
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert response.status_code == 201
+    assert response.json()["username"] == "validuser99"