[INJICERT-976] Add automated API tests for Pre-Authorized Code flow

[amaydixit11]

This PR adds comprehensive automated API test coverage for the Pre-Authorized Code flow in Inji Certify, covering both positive and negative scenarios end-to-end.

Changes

• Generate Pre-Authorized Code

  • With valid claims
  • With default expiry
  • With transaction (tx_code)

• Get Credential Offer

  • Valid offer ID
  • Offer with tx_code

• Token Exchange

  • Valid pre-authorized code
  • Alphanumeric tx_code

• Get Credential (Pre-Auth)

  • Successful credential issuance using access token

• Negative test coverage

  • Invalid credential configuration ID
  • Missing mandatory claims
  • Invalid / non-existent offer IDs
  • Expiry out of allowed range
  • Unsupported grant type
  • Invalid / missing / incorrect tx_code

Summary by CodeRabbit

• Tests
  • Added comprehensive test coverage for pre-authorization code flow operations, including credential generation, credential offer retrieval, token exchange, and credential issuance.
  • Added negative test scenarios to validate error handling and boundary conditions.
  • Configured test dependencies to ensure proper test execution order.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

🗂️ Base branches to auto review (2)

• develop
• release-*

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This PR adds test configuration files and templates for the Pre-Authorized Code Flow feature testing, including YAML test definitions, Handlebars templates for request/response payloads, test case interdependency mappings, and TestNG suite configuration to enable automated testing across six distinct test flows with both positive and negative scenarios.

Changes

Cohort / File(s)	Summary
Test Interdependency Configuration config/testCaseInterDependency_preauth.json	Defines test execution dependencies for pre-auth test cases (e.g., TokenExchange depends on GenerateCode) to establish ordering constraints.
GeneratePreAuthCode Tests PreAuthCodeFlow/GeneratePreAuthCode/GeneratePreAuthCode.yml, GeneratePreAuthCode.hbs, GeneratePreAuthCodeResult.hbs	Test configuration for pre-authorized code generation with three smoke-test scenarios; templates define request payload (credential_configuration_id, claims, expires_in, tx_code) and response (credential_offer_uri).
GetCredentialOffer Tests PreAuthCodeFlow/GetCredentialOffer/GetCredentialOffer.yml, GetCredentialOffer.hbs, GetCredentialOfferResult.hbs	Test configuration for credential offer retrieval with two scenarios (valid + tx_code variant); templates define response structure (credential_issuer, credential_configuration_ids, grants).
GetCredentialPreAuth Tests PreAuthCodeFlow/GetCredentialPreAuth/GetCredentialPreAuth.yml, GetCredentialPreAuth.hbs, GetCredentialPreAuthResult.hbs	Test configuration for credential issuance in pre-auth flow; templates define request payload (format, credential_identifier, proof) and response (format, credential).
TokenExchange Tests PreAuthCodeFlow/TokenExchange/TokenExchange.yml, TokenExchange.hbs, TokenExchangeNegative.yml, TokenExchangeResult.hbs	Test configuration for token exchange (positive + four negative scenarios) and response templates; positive tests expect Bearer token; negative tests cover unsupported grant type, invalid code, missing/wrong tx_code.
PreAuthNegative Tests PreAuthCodeFlow/PreAuthNegative/PreAuthNegative.hbs, PreAuthNegativeResult.hbs	Templates for negative test scenarios (invalid credential_configuration_id, missing claims, invalid/non-existent offer IDs, expiry range violations); response template maps error field.
TestNG Suite Configuration testNgXmlFiles/injicertifySuite.xml	Registers six pre-auth test groups (GeneratePreAuthCode, GetCredentialOffer, TokenExchange variants, GetCredential, negative cases) with corresponding YAML files and prerequisite dependencies in TestNG test suite.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

• MOSIP-42259: Enable execution of a single test or task with all its required dependencies for INJI-CERTIFY. #447: Introduces the dependency-resolution and test run-scope mechanism that consumes the test interdependency configuration added in this PR.
• [INJICERT-1147] User Story 1: Implement Pre-Authorized Code generation and Credential Offer flow #483: Implements the Pre-Authorized Code Flow endpoints and DTOs (pre-auth code generation, credential offer, token exchange, credential retrieval) that these test configurations exercise.
• [INJICERT-1148] User Story 2: Add endpoint to retrieve credential offer data by offer ID #487: Implements the GetCredentialOffer endpoint (/v1/certify/credential-offer-data/{offer_id}) and response shapes directly tested by the GetCredentialOffer test configurations in this PR.

Suggested reviewers

• mohanachandran-s
• swatigoel

Poem

🐰 Hop, hop! The test suite takes flight,
Pre-auth flows verified—templates done right!
Dependencies mapped, scenarios clear,
Code generation, tokens, and offers all here! 🎫

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately and specifically describes the main change: adding automated API tests for the Pre-Authorized Code flow, which aligns with the comprehensive test additions across multiple test configuration files and templates in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[amaydixit11]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@api-test/src/main/resources/injicertify/PreAuthCodeFlow/GetCredentialPreAuth/GetCredentialPreAuthResult.hbs`:
- Around line 1-4: The template GetCredentialPreAuthResult.hbs incorrectly
quotes the credential value which breaks when format === "ldp_vc" because the
API returns a JSON object; update the template to render the credential unquoted
for ldp_vc (use triple-stash {{{credential}}}) and keep the quoted form for
other formats (e.g., use an if/else on the format variable to choose between
"{{credential}}" and {{{credential}}}); modify the block that outputs
"credential" to conditionally use {{{credential}}} when format equals "ldp_vc".

🧹 Nitpick comments (3)

api-test/src/main/resources/injicertify/PreAuthCodeFlow/TokenExchange/TokenExchange.yml (1)

16-20: Tighten token-exchange assertions to avoid false positives.

The expected outputs only validate token_type (and partially access_token / c_nonce). If the response drops expires_in or c_nonce_expires_in, these tests would still pass. Consider asserting the full response shape to prevent regressions.

Proposed update to expected outputs

       output: '{
           "token_type": "Bearer",
           "access_token": "",
-          "c_nonce": ""
+          "expires_in": 0,
+          "c_nonce": "",
+          "c_nonce_expires_in": 0
       }'
@@
       output: '{
-          "token_type": "Bearer"
+          "token_type": "Bearer",
+          "access_token": "",
+          "expires_in": 0,
+          "c_nonce": "",
+          "c_nonce_expires_in": 0
       }'

Also applies to: 36-38

api-test/src/main/resources/injicertify/PreAuthCodeFlow/PreAuthNegative/PreAuthNegative.yml (1)

72-113: Consider parameterizing expiry bounds to reduce brittleness.

The negative expiry tests use hard-coded values (10, 999999). If server min/max changes, these tests may start failing for the wrong reason. If the framework supports config-driven placeholders, consider referencing those bounds instead of fixed numbers.

api-test/src/main/resources/injicertify/PreAuthCodeFlow/GetCredentialOffer/GetCredentialOffer.yml (1)

18-31: Add credential_configuration_ids assertion for the tx_code case.

The tx_code scenario currently skips validating credential_configuration_ids, so regressions in that field would go unnoticed. Consider asserting it just like the first case.

Proposed output shape alignment

       output: '{
           "credential_issuer": "",
+          "credential_configuration_ids": [],
           "grants": {}
       }'

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud