Goal-Calibration/tests/Unit/Auth/Middleware/AdminMiddlewareTest.php

<?php

namespace Tests\Unit\Auth\Middleware;

use App\Auth\AdminMiddleware;
use App\User\User;
use App\ValueObjects\EmailAddress;
use PHPUnit\Framework\TestCase;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Slim\Psr7\Factory\ServerRequestFactory;
use Slim\Psr7\Response;

class AdminMiddlewareTest extends TestCase
{
    private AdminMiddleware $middleware;

    public function setUp(): void
    {
        $this->middleware = new AdminMiddleware();
    }

    private function makeApiRequest(?User $user): ServerRequestInterface
    {
        $request = new ServerRequestFactory()
            ->createServerRequest('POST', 'http://localhost/api/texts');
        if ($user !== null) {
            $request = $request->withAttribute('user', $user);
        }
        return $request;
    }

    private function makeHtmlRequest(?User $user): ServerRequestInterface
    {
        $request = new ServerRequestFactory()
            ->createServerRequest('GET', 'http://localhost/admin')
            ->withHeader('Accept', 'text/html');
        if ($user !== null) {
            $request = $request->withAttribute('user', $user);
        }
        return $request;
    }

    private function makeHandler(): RequestHandlerInterface
    {
        return new class implements RequestHandlerInterface {
            public bool $wasCalled = false;

            public function handle(
                ServerRequestInterface $request
            ): \Psr\Http\Message\ResponseInterface {
                $this->wasCalled = true;
                return new Response(200);
            }
        };
    }

    private function makeUser(bool $isAdmin): User
    {
        return new User(
            id: 1,
            email: new EmailAddress('test@test.com'),
            passwordHash: '',
            isAdmin: $isAdmin,
        );
    }

    public function test_passes_through_when_user_is_admin(): void
    {
        $handler = $this->makeHandler();

        $response = $this->middleware->process(
            $this->makeApiRequest($this->makeUser(isAdmin: true)),
            $handler,
        );

        $this->assertTrue($handler->wasCalled);
        $this->assertEquals(200, $response->getStatusCode());
    }

    public function test_returns_403_json_when_user_not_admin_for_api(): void
    {
        $response = $this->middleware->process(
            $this->makeApiRequest($this->makeUser(isAdmin: false)),
            $this->makeHandler(),
        );

        $this->assertEquals(403, $response->getStatusCode());
        $this->assertStringContainsString(
            'application/json',
            $response->getHeaderLine('Content-Type')
        );
    }

    public function test_returns_403_html_when_user_not_admin_for_view(): void
    {
        $response = $this->middleware->process(
            $this->makeHtmlRequest($this->makeUser(isAdmin: false)),
            $this->makeHandler(),
        );

        $this->assertEquals(403, $response->getStatusCode());
        $this->assertStringContainsString(
            '403 Forbidden',
            (string) $response->getBody()
        );
    }

    public function test_returns_403_when_no_user_attribute(): void
    {
        $response = $this->middleware->process(
            $this->makeApiRequest(null),
            $this->makeHandler(),
        );

        $this->assertEquals(403, $response->getStatusCode());
    }
}