[AZ-198] Block disabled user login

Made-with: Cursor
2026-04-23 05:06:34 +00:00 · 2026-04-16 06:49:00 +03:00
parent 9da34a594b
commit 5286b6b8e3
3 changed files with 18 additions and 2 deletions
@@ -19,6 +19,13 @@ public sealed class SecurityTests
        PropertyNamingPolicy = JsonNamingPolicy.CamelCase
    };

+    private static readonly JsonSerializerOptions ResponseJsonOptions = new()
+    {
+        PropertyNameCaseInsensitive = true
+    };
+
+    private sealed record ErrorResponse(int ErrorCode, string Message);
+
    private readonly TestFixture _fixture;

    public SecurityTests(TestFixture fixture) => _fixture = fixture;
@@ -195,7 +202,7 @@ public sealed class SecurityTests
        }
    }

-    [Fact(Skip = "API bug: login does not check IsEnabled — disabled users can still log in")]
+    [Fact]
    public async Task Disabled_user_cannot_log_in()
    {
        // Arrange
@@ -218,7 +225,10 @@ public sealed class SecurityTests
            using var login = await client.PostAsync("/login", new { email, password });

            // Assert
-            login.StatusCode.Should().BeOneOf(HttpStatusCode.Forbidden, HttpStatusCode.Conflict);
+            login.StatusCode.Should().Be(HttpStatusCode.Conflict);
+            var err = await login.Content.ReadFromJsonAsync<ErrorResponse>(ResponseJsonOptions);
+            err.Should().NotBeNull();
+            err!.ErrorCode.Should().Be(38);
        }
        finally
        {