# Copyright (c) 2026 PowerOn AG # All rights reserved. """ T-API: Demo Config API endpoint verification. Tests the admin API endpoints for listing, loading, and removing demo configs. Uses FastAPI TestClient (no running server needed). Note: Login requires CSRF + form-data + httpOnly cookies, so we test unauthenticated rejection and the discovery module directly. """ import pytest class TestDemoConfigDiscovery: """Test the auto-discovery module (no HTTP needed).""" def test_discoveryFindsInvestorConfig(self): from modules.demoConfigs import getAvailableDemoConfigs configs = getAvailableDemoConfigs() assert "investor-demo-2026" in configs, f"Available configs: {list(configs.keys())}" def test_getByCodeReturnsInstance(self): from modules.demoConfigs import getDemoConfigByCode cfg = getDemoConfigByCode("investor-demo-2026") assert cfg is not None assert cfg.code == "investor-demo-2026" assert cfg.label == "Investor Demo April 2026" def test_getByCodeReturnsNoneForUnknown(self): from modules.demoConfigs import getDemoConfigByCode cfg = getDemoConfigByCode("nonexistent-config") assert cfg is None def test_toDictHasRequiredFields(self): from modules.demoConfigs import getDemoConfigByCode cfg = getDemoConfigByCode("investor-demo-2026") d = cfg.toDict() assert "code" in d assert "label" in d assert "description" in d assert d["code"] == "investor-demo-2026" class TestDemoConfigApiEndpoints: """Test API endpoints via TestClient. SAFETY: Never call the load/remove endpoints here - not even to assert 401/403. Tests run against the real dev database; if auth/CSRF ever lets a request through, demo mandates get deleted and recreated with new UUIDs, orphaning all real feature data (happened on 2026-06-09). """ @pytest.fixture(scope="class") def client(self): from app import app from fastapi.testclient import TestClient return TestClient(app) def test_listEndpointRejectsUnauthenticated(self, client): response = client.get("/api/admin/demo-config") assert response.status_code in (401, 403)