fix: isolate login states and refresh seeded passwords

Author: beyondnetPeru

src/apps/ums.api/Ums.Infrastructure/Persistence/Seeders/IdentityDevDataSeeder.cs

@@ -57,25 +57,23 @@ public static async Task SeedAsync(IServiceProvider serviceProvider, Cancellatio
             }
         }
 
-        // Seed User Accounts (including SuperAdmin)
+        // Seed / sync User Accounts (including SuperAdmin) so local password logins stay valid
+        // even when the DB already contains an older dev snapshot.
         var userAccounts = BuildSeedUserAccounts(actor, passwordHasher);
         if (inMemoryUserAccountRepository is null && userAccountRepository is not null)
         {
-            var alreadySeeded = await userAccountRepository.GetAllAsync(null, cancellationToken);
-            if (alreadySeeded.Count == 0)
+            foreach (var userAccount in userAccounts)
             {
-                foreach (var userAccount in userAccounts)
-                {
-                    await userAccountRepository.AddAsync(userAccount, cancellationToken);
-                }
-                await userAccountRepository.UnitOfWork.SaveEntitiesAsync(cancellationToken);
+                await UpsertUserAccountAsync(userAccountRepository, userAccount, actor, cancellationToken);
             }
+
+            await userAccountRepository.UnitOfWork.SaveEntitiesAsync(cancellationToken);
         }
         else if (inMemoryUserAccountRepository is not null)
         {
             foreach (var userAccount in userAccounts)
             {
-                inMemoryUserAccountRepository.Seed(userAccount);
+                await UpsertUserAccountAsync(inMemoryUserAccountRepository, userAccount, actor, cancellationToken);
             }
         }
 
@@ -493,4 +491,80 @@ private static IReadOnlyList<TenantSignupRequestAggregate> BuildSeedTenantSignup
 
         return results;
     }
+
+    private static async Task UpsertUserAccountAsync(
+        IUserAccountRepository userAccountRepository,
+        UserAccountAggregate seedUserAccount,
+        ActorId actor,
+        CancellationToken cancellationToken)
+    {
+        var existing = await userAccountRepository.GetByEmailAsync(seedUserAccount.Email, cancellationToken);
+
+        if (existing is null)
+        {
+            await userAccountRepository.AddAsync(seedUserAccount, cancellationToken);
+            return;
+        }
+
+        await SyncLocalPasswordAsync(existing, seedUserAccount, actor);
+        await userAccountRepository.UpdateAsync(existing, cancellationToken);
+    }
+
+    private static async Task UpsertUserAccountAsync(
+        InMemoryUserAccountRepository userAccountRepository,
+        UserAccountAggregate seedUserAccount,
+        ActorId actor,
+        CancellationToken cancellationToken)
+    {
+        var existing = await userAccountRepository.GetByEmailAsync(seedUserAccount.Email, cancellationToken);
+
+        if (existing is null)
+        {
+            userAccountRepository.Seed(seedUserAccount);
+            return;
+        }
+
+        await SyncLocalPasswordAsync(existing, seedUserAccount, actor);
+        await userAccountRepository.UpdateAsync(existing, cancellationToken);
+    }
+
+    private static Task SyncLocalPasswordAsync(
+        UserAccountAggregate existingUserAccount,
+        UserAccountAggregate seedUserAccount,
+        ActorId actor)
+    {
+        if (seedUserAccount.Status == UserStatus.Active)
+        {
+            if (existingUserAccount.Status == UserStatus.Pending)
+            {
+                var activateResult = existingUserAccount.Activate(actor);
+                if (activateResult.IsFailure)
+                {
+                    throw new InvalidOperationException(
+                        $"Unable to activate dev user account {seedUserAccount.Email.GetValue()}: {activateResult.Error}");
+                }
+            }
+            else if (existingUserAccount.Status == UserStatus.Blocked)
+            {
+                var restoreResult = existingUserAccount.Restore(actor);
+                if (restoreResult.IsFailure)
+                {
+                    throw new InvalidOperationException(
+                        $"Unable to restore dev user account {seedUserAccount.Email.GetValue()}: {restoreResult.Error}");
+                }
+            }
+        }
+
+        if (seedUserAccount.ActivePasswordHash is not null)
+        {
+            var passwordResult = existingUserAccount.AddPassword(seedUserAccount.ActivePasswordHash, actor);
+            if (passwordResult.IsFailure)
+            {
+                throw new InvalidOperationException(
+                    $"Unable to sync dev password for {seedUserAccount.Email.GetValue()}: {passwordResult.Error}");
+            }
+        }
+
+        return Task.CompletedTask;
+    }
 }

src/apps/ums.api/Ums.Presentation.IntegrationTest/Identity/AuthRestEndpointTests.cs

@@ -0,0 +1,41 @@
+using System.Net;
+using System.Net.Http.Json;
+using System.Text.Json;
+using FluentAssertions;
+using Ums.Infrastructure.Persistence.Seeders;
+using Ums.Presentation.IntegrationTest.Infrastructure;
+
+namespace Ums.Presentation.IntegrationTest.Identity;
+
+public sealed class AuthRestEndpointTests : IClassFixture<UmsApiWebApplicationFactory>
+{
+    private readonly HttpClient _client;
+
+    public AuthRestEndpointTests(UmsApiWebApplicationFactory factory)
+    {
+        _client = factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            BaseAddress = new Uri("https://localhost"),
+            AllowAutoRedirect = false,
+        });
+    }
+
+    [Fact]
+    public async Task Login_WithSeededCommercialTenantCredentials_ShouldSucceed()
+    {
+        var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
+        {
+            tenantCode = "RANSA_PERU",
+            username = "gerente.operaciones@ransa.pe",
+            password = CoreDevDataSeeder.SuperAdminPassword,
+            rememberMe = false,
+        }, TestContext.Current.CancellationToken);
+
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+
+        using var payload = JsonDocument.Parse(await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken));
+        payload.RootElement.GetProperty("tenantCode").GetString().Should().Be("RANSA_PERU");
+        payload.RootElement.GetProperty("email").GetString().Should().Be("gerente.operaciones@ransa.pe");
+        payload.RootElement.GetProperty("isInternalAdmin").GetBoolean().Should().BeFalse();
+    }
+}

src/apps/ums.web-app/src/presentation/identity/profile/screens/LoginScreen.test.tsx

@@ -0,0 +1,139 @@
+import React from 'react';
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { fireEvent, render, screen } from '@testing-library/react';
+import LoginScreen from './LoginScreen';
+
+const navigateMock = vi.fn();
+const loginMock = vi.fn();
+const setLanguageMock = vi.fn();
+const setDevUserIdMock = vi.fn();
+const addNotificationMock = vi.fn();
+
+vi.mock('react-router-dom', () => ({
+  useNavigate: () => navigateMock,
+  useLocation: () => ({ search: '' }),
+}));
+
+vi.mock('@app/stores/auth.store', () => ({
+  detectBrowserTimezone: vi.fn((timezone: string) => timezone),
+  useAuthStore: () => ({
+    login: loginMock,
+    isAuthenticated: false,
+  }),
+}));
+
+vi.mock('@app/stores/i18n.store', () => ({
+  useI18nStore: () => ({
+    setLanguage: setLanguageMock,
+  }),
+}));
+
+vi.mock('@app/stores/devTools.store', () => ({
+  useDevToolsStore: () => ({
+    setDevUserId: setDevUserIdMock,
+  }),
+}));
+
+vi.mock('@app/stores/notification.store', () => ({
+  useNotificationStore: (selector: (state: { addNotification: typeof addNotificationMock }) => unknown) =>
+    selector({ addNotification: addNotificationMock }),
+}));
+
+vi.mock('@app/i18n/use-i18n', () => ({
+  useI18n: () => (key: string) => key,
+}));
+
+vi.mock('@app/identity/services/auth.service', () => ({
+  authService: {},
+}));
+
+vi.mock('@shared/components/M3Card', () => ({
+  M3Card: ({ children }: { children: React.ReactNode }) => <div>{children}</div>,
+}));
+
+vi.mock('@shared/components/M3Button', () => ({
+  M3Button: ({ children, ...props }: React.ButtonHTMLAttributes<HTMLButtonElement> & { children: React.ReactNode }) => (
+    <button {...props}>{children}</button>
+  ),
+}));
+
+vi.mock('@shared/components/M3TextField', () => ({
+  M3TextField: ({
+    label,
+    value,
+    onChange,
+    type = 'text',
+    placeholder,
+    disabled,
+    error,
+  }: {
+    label: string;
+    value: string;
+    onChange: React.ChangeEventHandler<HTMLInputElement>;
+    type?: string;
+    placeholder?: string;
+    disabled?: boolean;
+    error?: string;
+  }) => (
+    <label>
+      <span>{label}</span>
+      <input aria-label={label} value={value} onChange={onChange} type={type} placeholder={placeholder} disabled={disabled} />
+      {error ? <span>{error}</span> : null}
+    </label>
+  ),
+}));
+
+vi.mock('@shared/components/TenantSelect', () => ({
+  TenantSelect: ({ label }: { label: string }) => <div>{label}</div>,
+}));
+
+vi.mock('@domain/identity/constants/tenant.constants', () => ({
+  DEV_TENANTS: [
+    { id: 'internal-admin', code: 'INTERNAL_ADMIN', name: 'Internal Admin Tenant' },
+    { id: 'ransa', code: 'RANSA_PERU', name: 'Ransa Comercial S.A.' },
+  ],
+}));
+
+vi.mock('../components/ForgotPasswordForm', () => ({
+  ForgotPasswordForm: ({ onBack }: { onBack: () => void }) => (
+    <div>
+      <h2>Recuperar Contraseña</h2>
+      <button onClick={onBack}>Volver al inicio de sesión</button>
+    </div>
+  ),
+}));
+
+vi.mock('../components/SignupForm', () => ({
+  SignupForm: () => <div>Signup</div>,
+}));
+
+vi.mock('../components/TenantSignupForm', () => ({
+  TenantSignupForm: () => <div>Tenant Signup</div>,
+}));
+
+vi.mock('../components/ProfileRequestForm', () => ({
+  ProfileRequestForm: () => <div>Profile Request</div>,
+}));
+
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
+describe('LoginScreen', () => {
+  it('shows only the login form in the default state', () => {
+    render(<LoginScreen />);
+
+    expect(screen.getByText('Iniciar Sesión')).toBeInTheDocument();
+    expect(screen.queryByText('Recuperar Contraseña')).not.toBeInTheDocument();
+  });
+
+  it('replaces the login form with the forgot password view', () => {
+    render(<LoginScreen />);
+
+    fireEvent.click(screen.getByRole('button', { name: '¿Olvidaste tu contraseña?' }));
+
+    expect(screen.getByText('Recuperar Contraseña')).toBeInTheDocument();
+    expect(screen.queryByText('Iniciar Sesión')).not.toBeInTheDocument();
+    expect(screen.queryByRole('button', { name: 'Ingresar' })).not.toBeInTheDocument();
+  });
+});