Add actor parameter to all tests requiring authorization

This commit adds actor: system_actor to all Ash operations in tests that
require authorization.
Moritz 2026-01-23 20:00:24 +01:00
parent 4c846f8bba
commit a6cdeaa18d
Signed by: moritz
GPG key ID: 1020A035E5DD0824
75 changed files with 4649 additions and 2865 deletions


@ -5,8 +5,13 @@ defmodule MvWeb.OidcEmailUpdateTest do
"""
use MvWeb.ConnCase, async: true
setup do
system_actor = Mv.Helpers.SystemActor.get_system_actor()
%{actor: system_actor}
end
describe "OIDC user updates email to available email" do
test "should succeed and update email" do
test "should succeed and update email", %{actor: actor} do
# Create OIDC user
{:ok, oidc_user} =
Mv.Accounts.User
@ -14,7 +19,7 @@ defmodule MvWeb.OidcEmailUpdateTest do
email: "original@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_123")
|> Ash.create()
|> Ash.create(actor: actor)
# User logs in via OIDC with NEW email
user_info = %{
@ -23,10 +28,13 @@ defmodule MvWeb.OidcEmailUpdateTest do
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
Mv.Accounts.create_register_with_rauthy(
%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
},
actor: actor
)
# Should succeed and email should be updated
assert {:ok, updated_user} = result
@ -37,7 +45,7 @@ defmodule MvWeb.OidcEmailUpdateTest do
end
describe "OIDC user updates email to email of passwordless user" do
test "should fail with clear error message" do
test "should fail with clear error message", %{actor: actor} do
# Create OIDC user
{:ok, _oidc_user} =
Mv.Accounts.User
@ -45,7 +53,7 @@ defmodule MvWeb.OidcEmailUpdateTest do
email: "oidcuser@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_456")
|> Ash.create()
|> Ash.create(actor: actor)
# Create passwordless user with target email
{:ok, _passwordless_user} =
@ -53,7 +61,7 @@ defmodule MvWeb.OidcEmailUpdateTest do
|> Ash.Changeset.for_create(:create_user, %{
email: "taken@example.com"
})
|> Ash.create()
|> Ash.create(actor: actor)
# OIDC user tries to update email to taken email
user_info = %{
@ -62,10 +70,13 @@ defmodule MvWeb.OidcEmailUpdateTest do
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
Mv.Accounts.create_register_with_rauthy(
%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
},
actor: actor
)
# Should fail with email update conflict error
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
@ -88,7 +99,7 @@ defmodule MvWeb.OidcEmailUpdateTest do
end
describe "OIDC user updates email to email of password-protected user" do
test "should fail with clear error message" do
test "should fail with clear error message", %{actor: actor} do
# Create OIDC user
{:ok, _oidc_user} =
Mv.Accounts.User
@ -96,7 +107,7 @@ defmodule MvWeb.OidcEmailUpdateTest do
email: "oidcuser2@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_789")
|> Ash.create()
|> Ash.create(actor: actor)
# Create password user with target email (explicitly NO oidc_id)
password_user =
@ -106,14 +117,14 @@ defmodule MvWeb.OidcEmailUpdateTest do
})
# Ensure it's a password-only user
{:ok, password_user} = Ash.reload(password_user)
{:ok, password_user} = Ash.reload(password_user, actor: actor)
assert not is_nil(password_user.hashed_password)
# Force oidc_id to be nil to avoid any confusion
{:ok, password_user} =
password_user
|> Ash.Changeset.for_update(:update, %{})
|> Ash.Changeset.force_change_attribute(:oidc_id, nil)
|> Ash.update()
|> Ash.update(actor: actor)
assert is_nil(password_user.oidc_id)
@ -124,10 +135,13 @@ defmodule MvWeb.OidcEmailUpdateTest do
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
Mv.Accounts.create_register_with_rauthy(
%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
},
actor: actor
)
# Should fail with email update conflict error
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
@ -150,7 +164,7 @@ defmodule MvWeb.OidcEmailUpdateTest do
end
describe "OIDC user updates email to email of different OIDC user" do
test "should fail with clear error message about different OIDC account" do
test "should fail with clear error message about different OIDC account", %{actor: actor} do
# Create first OIDC user
{:ok, _oidc_user1} =
Mv.Accounts.User
@ -158,7 +172,7 @@ defmodule MvWeb.OidcEmailUpdateTest do
email: "oidcuser1@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_aaa")
|> Ash.create()
|> Ash.create(actor: actor)
# Create second OIDC user with target email
{:ok, _oidc_user2} =
@ -167,7 +181,7 @@ defmodule MvWeb.OidcEmailUpdateTest do
email: "oidcuser2@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_bbb")
|> Ash.create()
|> Ash.create(actor: actor)
# First OIDC user tries to update email to second user's email
user_info = %{
@ -176,10 +190,13 @@ defmodule MvWeb.OidcEmailUpdateTest do
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
Mv.Accounts.create_register_with_rauthy(
%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
},
actor: actor
)
# Should fail with "already linked to different OIDC account" error
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
@ -201,14 +218,14 @@ defmodule MvWeb.OidcEmailUpdateTest do
end
describe "New OIDC user registration scenarios (for comparison)" do
test "new OIDC user with email of passwordless user triggers linking flow" do
test "new OIDC user with email of passwordless user triggers linking flow", %{actor: actor} do
# Create passwordless user
{:ok, passwordless_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "passwordless@example.com"
})
|> Ash.create()
|> Ash.create(actor: actor)
# New OIDC user tries to register
user_info = %{
@ -217,10 +234,13 @@ defmodule MvWeb.OidcEmailUpdateTest do
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
Mv.Accounts.create_register_with_rauthy(
%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
},
actor: actor
)
# Should trigger PasswordVerificationRequired (linking flow)
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
@ -234,7 +254,7 @@ defmodule MvWeb.OidcEmailUpdateTest do
end)
end
test "new OIDC user with email of existing OIDC user shows hard error" do
test "new OIDC user with email of existing OIDC user shows hard error", %{actor: actor} do
# Create existing OIDC user
{:ok, _existing_oidc_user} =
Mv.Accounts.User
@ -242,7 +262,7 @@ defmodule MvWeb.OidcEmailUpdateTest do
email: "existing@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_existing")
|> Ash.create()
|> Ash.create(actor: actor)
# New OIDC user tries to register with same email
user_info = %{
@ -251,10 +271,13 @@ defmodule MvWeb.OidcEmailUpdateTest do
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
Mv.Accounts.create_register_with_rauthy(
%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
},
actor: actor
)
# Should fail with "already linked to different OIDC account" error
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
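Review bot: Passing the system actor from `setup` into every `Mv.Accounts.create_register_with_rauthy(..., actor: actor)` call means the OIDC register/link action is no longer exercised as the caller that reaches it during a real login, so a policy that wrongly denies or wrongly permits that caller would go unnoticed by these tests. What the system actor is allowed to do is not visible on this page, but if it passes every policy, the assertions on `Ash.Error.Invalid` only prove the validation logic and say nothing about authorization. Consider keeping the system actor for fixture creation (`Ash.create(actor: actor)`, `Ash.update(actor: actor)`) while invoking the action under test with the actor the sign-in flow actually supplies, plus one negative case that expects `Ash.Error.Forbidden` for an unprivileged actor. A comment on the `setup` block such as `# system actor is for building fixtures only; it bypasses the policies under test` would record that intent.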