test post and comment controllers

Adds AuthenticatesUsers feature trait that runs the full signup -> confirm -> login flow and exposes the resulting auth cookie. Bumps phpunit defaultTimeLimit to 30 seconds so the multi-bcrypt-per-test feature flow finishes inside the limit.
2026-05-06 22:26:10 +03:00 · 2026-05-06 22:26:10 +03:00 · 8614858558
commit 8614858558
parent fa63005db7
4 changed files with 401 additions and 0 deletions
--- a/backend/tests/Feature/Post/PostFlowTest.php
+++ b/backend/tests/Feature/Post/PostFlowTest.php
@ -0,0 +1,156 @@
+<?php
+
+namespace Tests\Feature\Post;
+
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\Feature\AuthenticatesUsers;
+use Tests\TestCase;
+
+class PostFlowTest extends TestCase
+{
+    use AuthenticatesUsers;
+    use RefreshDatabase;
+
+    public function test_authenticated_user_creates_post(): void
+    {
+        $session = $this->signupAndLogin(
+            email: 'alice@example.com',
+            displayName: 'alice',
+            password: 'longenoughpassword',
+        );
+
+        $response = $this->withCredentials()->withUnencryptedCookie('auth_token', $session['cookie'])
+            ->postJson('/api/posts', [
+                'title' => 'My Post',
+                'body' => 'Hello world',
+            ]);
+        $response->assertStatus(201);
+        $response->assertJsonPath('post.title', 'My Post');
+        $response->assertJsonPath('post.authorDisplayName', 'alice');
+    }
+
+    public function test_anonymous_create_post_returns_401(): void
+    {
+        $this->postJson('/api/posts', [
+            'title' => 'My Post',
+            'body' => 'Hello world',
+        ])->assertStatus(401);
+    }
+
+    public function test_recent_posts_are_public(): void
+    {
+        $session = $this->signupAndLogin(
+            email: 'alice@example.com',
+            displayName: 'alice',
+            password: 'longenoughpassword',
+        );
+        $this->withCredentials()->withUnencryptedCookie('auth_token', $session['cookie'])
+            ->postJson('/api/posts', [
+                'title' => 'P1',
+                'body' => 'B1',
+            ])->assertStatus(201);
+
+        $response = $this->getJson('/api/posts');
+        $response->assertStatus(200);
+        $response->assertJsonPath('posts.0.title', 'P1');
+    }
+
+    public function test_show_returns_404_when_missing(): void
+    {
+        $this->getJson('/api/posts/9999')->assertStatus(404);
+    }
+
+    public function test_user_posts_listed_by_display_name(): void
+    {
+        $session = $this->signupAndLogin(
+            email: 'alice@example.com',
+            displayName: 'alice',
+            password: 'longenoughpassword',
+        );
+        $this->withCredentials()->withUnencryptedCookie('auth_token', $session['cookie'])
+            ->postJson('/api/posts', [
+                'title' => 'A1',
+                'body' => 'b',
+            ])->assertStatus(201);
+
+        $response = $this->getJson('/api/users/alice/posts');
+        $response->assertStatus(200);
+        $response->assertJsonPath('user.displayName', 'alice');
+        $response->assertJsonPath('posts.0.title', 'A1');
+    }
+
+    public function test_other_user_cannot_delete_post(): void
+    {
+        $alice = $this->signupAndLogin(
+            email: 'alice@example.com',
+            displayName: 'alice',
+            password: 'longenoughpassword',
+        );
+        $createResponse = $this->withCredentials()->withUnencryptedCookie('auth_token', $alice['cookie'])
+            ->postJson('/api/posts', [
+                'title' => 'A1',
+                'body' => 'b',
+            ]);
+        $postId = $createResponse->json('post.id');
+
+        $bob = $this->signupAndLogin(
+            email: 'bob@example.com',
+            displayName: 'bob',
+            password: 'longenoughpassword',
+        );
+        $this->withCredentials()->withUnencryptedCookie('auth_token', $bob['cookie'])
+            ->deleteJson("/api/posts/{$postId}")
+            ->assertStatus(403);
+    }
+
+    public function test_author_deletes_own_post(): void
+    {
+        $alice = $this->signupAndLogin(
+            email: 'alice@example.com',
+            displayName: 'alice',
+            password: 'longenoughpassword',
+        );
+        $createResponse = $this->withCredentials()->withUnencryptedCookie('auth_token', $alice['cookie'])
+            ->postJson('/api/posts', [
+                'title' => 'A1',
+                'body' => 'b',
+            ]);
+        $postId = $createResponse->json('post.id');
+
+        $this->withCredentials()->withUnencryptedCookie('auth_token', $alice['cookie'])
+            ->deleteJson("/api/posts/{$postId}")
+            ->assertStatus(204);
+    }
+
+    public function test_admin_deletes_anyones_post(): void
+    {
+        $alice = $this->signupAndLogin(
+            email: 'alice@example.com',
+            displayName: 'alice',
+            password: 'longenoughpassword',
+        );
+        $createResponse = $this->withCredentials()->withUnencryptedCookie('auth_token', $alice['cookie'])
+            ->postJson('/api/posts', [
+                'title' => 'A1',
+                'body' => 'b',
+            ]);
+        $postId = $createResponse->json('post.id');
+
+        $bob = $this->signupAndLogin(
+            email: 'bob@example.com',
+            displayName: 'bob',
+            password: 'longenoughpassword',
+        );
+        $this->promoteToAdmin($bob['user']->getId());
+        // Re-login bob to get a fresh cookie/payload
+        $loginResponse = $this->postJson('/api/login', [
+            'email' => 'bob@example.com',
+            'password' => 'longenoughpassword',
+        ]);
+        $bobCookie = $loginResponse->getCookie('auth_token', false);
+
+        $this->withCredentials()->withUnencryptedCookie('auth_token', $bobCookie->getValue())
+            ->deleteJson("/api/posts/{$postId}")
+            ->assertStatus(204);
+    }
+}