Scope:
Multiple backend tests are currently failing due to test-environment drift, not production defects.
Domain model evolution, updated security configuration, and changes in service signatures have caused several tests to become misaligned with the production code.

This FIXIT issue consolidates all failing tests into a single place and tracks the work required to bring the backend test suite back to a fully green state.

Affected Test Classes

1. UserControllerTest

Failing scenarios:

• shouldCreateUser → returns 403 instead of 201
• shouldDeleteUserById → returns 403 instead of 204
• createUser_missingRequiredFields_returns400 → returns 403 instead of 400
• getCurrentUser_usesUsernameNotEmail → returns 500 due to incomplete stubbing

Cause:
@WebMvcTest loads Spring Security filters and method-level authorization, but the test configuration disables or replaces the wrong parts.
Production code is correct — only the test security environment is inconsistent.

2. CustomUserDetailsServiceTest

Failing scenarios:

• shouldLoadUserByEmail → UsernameNotFound (user not mocked correctly)
• shouldThrowWhenUserNotFound → UnnecessaryStubbingException

Cause:
The User domain object has evolved (additional constructor parameters, validation differences), but the test setup still uses old constructors and mock patterns.
Stubbings no longer match the current behavior of UserRepository#findByUsername.

3. Model / Repository Test Breakages

Example:

• ProjectRepositoryTest referencing outdated User constructors

Cause:
Domain model changes (new fields, builder usage, lifecycle annotations) were not applied to older repository tests.

Root Causes (Summary)

• Security filters active during @WebMvcTest → unexpected 403 responses
• TestConfig not aligned with main security configuration
• Test User objects built with outdated constructors
• Stubbings and matchers no longer matching actual method signatures
• Controller tests relying on implicit JSON → Domain model changed to stricter validation
• Some tests assume email-based lookup, but production now uses username-based lookup

What Needs to Be Done

1. Create a unified Test Security Configuration, used consistently across:
   • controller tests (@WebMvcTest)
   • repository tests requiring minimal security auto-configuration
2. Update test fixtures:
   • replace outdated new User(...) constructors with validated builder-based creation
3. Fix stubbing patterns:
   • ensure when(findByUsername(...)) matches actual lookups (username, not email)
4. Clean up deprecated/incorrect JSON payloads used in controller tests
5. Remove UnnecessaryStubbing by aligning mocks to actual code paths
6. Re-enable method-level security tests where appropriate

Why This Matters

• Current failures block regression/setup pipelines even though production code is stable
• Test suite drift will grow unless consolidated and fixed together
• Correctly aligned tests ensure future refactors (esp. UI-related) won’t regress the backend

Priority & Timeline

• Priority: Medium
• Status: All failing tests have been temporarily disabled to unblock UI development
• Target Fix Window: After UI MVP milestone

Notes

None of the failing tests reflect defects in production code.
This FIXIT issue is a cleanup/refactor task to stabilize the test suite before the next backend-focused cycle.