Skip to content

[test-improver] Add @WebMvcTest tests for UserController (21 tests, 2 bug pins)#56

Draft
github-actions[bot] wants to merge 1 commit into
mainfrom
test-assist/usercontroller-webmvctest-87a6f7291ed3c117-e128b8b38fd914b6
Draft

[test-improver] Add @WebMvcTest tests for UserController (21 tests, 2 bug pins)#56
github-actions[bot] wants to merge 1 commit into
mainfrom
test-assist/usercontroller-webmvctest-87a6f7291ed3c117-e128b8b38fd914b6

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

🤖 Test Improver — automated AI assistant focused on improving tests.

Goal & Rationale

UserController had zero effective test coverage — 9 endpoints completely untested at the HTTP layer. This PR adds 21 @WebMvcTest tests covering all endpoints and documents two security/contract bugs as bug-pin tests.

Approach

Used @WebMvcTest(UserController.class) with @MockBean UserService. Tests the HTTP layer in isolation (fast, no full Spring context, no database).

Tests added

Test Endpoint What it verifies
getAllUsers_returnsJsonList GET /api/users 200 + JSON array with username/email fields
getAllUsers_emptyList_returnsEmptyArray GET /api/users 200 + empty array
getUser_existingId_returns200WithBody GET /api/users/{id} 200 + correct user in body
getUser_missingId_returns404 GET /api/users/{id} 404 when user not found
registerUser_validBody_BUG_returns200InsteadOf201 POST /api/users/register Bug-pin: 200 (should be 201)
registerUser_duplicateUsername_returns400 POST /api/users/register 400 with error message on duplicate username
login_validCredentials_returns200WithUserAndToken POST /api/users/login 200 + {user, token} in body
login_invalidCredentials_returns401 POST /api/users/login 401 on wrong password
login_unknownUser_returns401 POST /api/users/login 401 on unknown username
updateUser_existingId_returns200 PUT /api/users/{id} 200 + updated user
updateUser_missingId_returns400 PUT /api/users/{id} 400 when user not found
deleteUser_existingId_returns204 DELETE /api/users/{id} 204 No Content
deleteUser_missingId_returns400 DELETE /api/users/{id} 400 when user not found
requestPasswordReset_knownEmail_BUG_returnsTokenInBody POST /api/users/password-reset Bug-pin: reset token exposed in response
requestPasswordReset_unknownEmail_returns400 POST /api/users/password-reset 400 when email not found
resetPassword_validToken_returns200 POST /api/users/password-reset/confirm 200 + success message
resetPassword_invalidToken_returns400 POST /api/users/password-reset/confirm 400 on invalid token
searchUsers_matchingQuery_returnsResults GET /api/users/search 200 + filtered results
searchUsers_noMatches_returnsEmptyArray GET /api/users/search 200 + empty array
getUsersByRole_returnsFilteredList GET /api/users/by-role/{role} 200 + role-filtered list
getUsersByRole_noUsersForRole_returnsEmptyArray GET /api/users/by-role/{role} 200 + empty array

Bug-pin tests

1. POST /api/users/register returns 200 instead of 201 Created

UserController.registerUser() calls ResponseEntity.ok(user) — same pattern as ProjectController.createProject(). When fixed, change isOk() to isCreated() in the test.

2. POST /api/users/password-reset returns the reset token in the response body

UserController.requestPasswordReset() includes the raw reset token in the JSON response:

response.put("token", token); // SECURITY: Never return reset token in API response!

Reset tokens must only be sent out-of-band (email). Returning the token over the API lets an attacker who knows a victim's email immediately obtain their reset token without email access. When fixed, assert jsonPath("$.token").doesNotExist() instead.

Coverage Impact

Metric Before After
Tests run 38 59 (+21)
New failures 0
Pre-existing failures 2 2 (unchanged)
UserController line coverage ~0% ~85% (all endpoints exercised)

Trade-offs

  • Bug-pin tests assert current (wrong/insecure) behavior with clear comments explaining what to change on fix.
  • @WebMvcTest keeps tests fast (~1s total run time) with no DB or full context.
  • Password exposure in responses (a separate security concern) is not tested here — it's a design issue that requires discussion before adding tests.

Test Status

Tests run: 59, Failures: 1, Errors: 1, Skipped: 7
New tests (UserControllerTest): 21 run, 0 failures, 0 errors

Pre-existing failures (not caused by this PR):

Reproducibility

mvn test -B
# New tests in UserControllerTest

Generated by Test Improver · 117 AIC · ⌖ 19.2 AIC · ⊞ 10.9K ·
Comment /test-assist to run again

Add this agentic workflows to your repo

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/test-improver.md@1c6668b751c51af8571f01204ceffb19362e0f66

Cover all 9 endpoints with 21 tests using @WebMvcTest + @MockBean UserService.
Documents two security/contract bugs as bug-pin tests:
  1. POST /api/users/register returns 200 instead of 201 Created
  2. POST /api/users/password-reset exposes reset token in response body

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants