From 8727592bff629c1aa98bc526541a866283c13324 Mon Sep 17 00:00:00 2001 From: curo1305 Date: Sat, 30 May 2026 11:37:12 +0200 Subject: [PATCH] test(05-11): add failing tests for delete_user password verification - test_delete_user_correct_password: 204 on correct admin password - test_delete_user_wrong_password: 403 on wrong password, user survives - test_delete_user_no_body: 422 when no body provided (Pydantic validation)
---
 backend/tests/test_admin_api.py | 55 +++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
diff --git a/backend/tests/test_admin_api.py b/backend/tests/test_admin_api.py
index c3d75b6..8c3e2fa 100644
--- a/backend/tests/test_admin_api.py
+++ b/backend/tests/test_admin_api.py
@@ -355,3 +355,58 @@ async def test_admin_response_no_password_hash(admin_client):
     for item in data["items"]:
         assert "password_hash" not in item
         assert "credentials_enc" not in item
+
+
+# ── Delete user tests (Plan 05-11: ADMIN-02, SEC-09) ─────────────────────────
+
+
+@pytest.mark.asyncio
+async def test_delete_user_correct_password(admin_client):
+    """DELETE /api/admin/users/{id} with correct admin_password → 204; user is gone."""
+    client, admin, session = admin_client
+    target = await make_regular_user(session)
+
+    resp = await client.request(
+        "DELETE",
+        f"/api/admin/users/{target.id}",
+        json={"admin_password": "AdminPass1!Secret"},
+    )
+    assert resp.status_code == 204
+
+    # Verify the user no longer appears in the list
+    list_resp = await client.get("/api/admin/users")
+    assert list_resp.status_code == 200
+    ids = [u["id"] for u in list_resp.json()["items"]]
+    assert str(target.id) not in ids
+
+
+@pytest.mark.asyncio
+async def test_delete_user_wrong_password(admin_client):
+    """DELETE /api/admin/users/{id} with wrong admin_password → 403; user is NOT deleted."""
+    client, admin, session = admin_client
+    target = await make_regular_user(session)
+
+    resp = await client.request(
+        "DELETE",
+        f"/api/admin/users/{target.id}",
+        json={"admin_password": "WrongPassword99!"},
+    )
+    assert resp.status_code == 403
+    data = resp.json()
+    assert data["detail"] == "Invalid admin password"
+
+    # Verify the user still exists
+    list_resp = await client.get("/api/admin/users")
+    assert list_resp.status_code == 200
+    ids = [u["id"] for u in list_resp.json()["items"]]
+    assert str(target.id) in ids
+
+
+@pytest.mark.asyncio
+async def test_delete_user_no_body(admin_client):
+    """DELETE /api/admin/users/{id} with no body → 422 (Pydantic validation)."""
+    client, admin, session = admin_client
+    target = await make_regular_user(session)
+
+    resp = await client.delete(f"/api/admin/users/{target.id}")
+    assert resp.status_code == 422
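Review bot: The three cases leave the most likely bypass untested: `test_delete_user_no_body` only shows that a missing body fails schema validation, so a handler that skips the password check when `admin_password` is present but falsy (`""` or `null`) would still pass every test here, and the wrong-password case uses a non-empty string. Add a fourth test sending `json={"admin_password": ""}` (and ideally `None`) that asserts a 403 or 422 and that the target still appears in the user list, as the wrong-password test does. None of the new tests use a non-admin client, so this hunk also does not show the route is admin-gated; if that is covered elsewhere in the file a comment pointing to it would help, otherwise a regular-user 403 case belongs next to these. The literal `"AdminPass1!Secret"` presumably mirrors the `admin_client` fixture's password — a shared module constant would keep the two from silently drifting.
```python
@pytest.mark.asyncio
async def test_delete_user_empty_password(admin_client):
    """DELETE with a present-but-empty admin_password must be refused; user survives."""
    client, admin, session = admin_client
    target = await make_regular_user(session)

    resp = await client.request(
        "DELETE",
        f"/api/admin/users/{target.id}",
        json={"admin_password": ""},
    )
    assert resp.status_code in (403, 422)

    list_resp = await client.get("/api/admin/users")
    assert str(target.id) in [u["id"] for u in list_resp.json()["items"]]
```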