Add API contract tests for mobile-consumed endpoints (#5426)

* Add API contract tests for mobile-consumed endpoints

Introduce an in-memory integration test project (Ombi.Api.IntegrationTests)
that boots the API via WebApplicationFactory/TestServer and asserts the HTTP
status and JSON shape of the endpoints the mobile app consumes, so a breaking
change to those response contracts fails CI.

The harness hosts a trimmed-down test startup (Quartz, the SPA static files and
the SignalR hub are not started), points the EF Core SQLite contexts at a fresh
temp database, authenticates every request via a deterministic test auth handler
and swaps the search/request engines for mocks so the serialized wire shape is
pinned without reaching out to TheMovieDb.

Phase A covers the highest-risk reads: V2 search (popular movies, movie details,
tv details, multi-search), V2 request lists (movie + tv), the current-user
identity endpoint and the customization/sonarr settings endpoints.

* Add contract tests for remaining V2 search and request mutation endpoints

Extends the integration suite to the rest of the V2 search surface (top
rated/upcoming/now playing movies, popular/trending/anticipated tv, movie/tv
streams, actor credits, rotten tomatoes ratings) and the request mutation flows
(create movie/tv, approve, deny, mark available, advanced options, recently
requested). Adds a Rotten Tomatoes API mock and a PUT JSON helper to the harness.

* Add contract tests for identity, issues, settings, DVR, recently-added, mobile and token

Extends the integration suite across the rest of the read surface the mobile app
consumes: identity user list/dropdown/claims, issues categories/list/comments,
the remaining settings reads (authentication, plex, client id, issues-enabled),
Radarr/Sonarr enabled/profiles/root-folders, recently-added movies/tv (engine
mocked) and mobile push-token register/remove. Also asserts the token endpoint's
unauthorized contract. Pre-seeds Plex settings so the read-only client-id
endpoint never triggers a (disabled) Quartz job.

* Add contract tests for request lifecycle remainder and Plex libraries

Covers the remaining consumed request endpoints (movie info, delete, subscribe/
unsubscribe, tv child approve/deny/mark-available, tv children) and the Plex
libraries endpoint via a mocked Plex API. Adds a README documenting what the
suite covers and the endpoints intentionally left out (Quartz-scheduled job
triggers and settings writes, live tester connections, binary image proxying).

* Address CodeRabbit review feedback on the API contract tests

- Use the SDK-style project type GUID for Ombi.Api.IntegrationTests in the
  solution and nest it under the Tests solution folder.
- Drop the unneeded Npgsql legacy-timestamp switch from the test pipeline
  (the harness only ever uses SQLite).
- Seed a deterministic issue category + issue so the issues tests assert real
  item shapes instead of just an array.
- Validate every element of returned collections (identity users/dropdown/
  claims) rather than only the first.
- Assert the Rotten Tomatoes movie-ratings payload shape.
- Assert the array body on a 200 for the Radarr/Sonarr profile/root-folder
  endpoints.
- README: "recently requested" wording fix.

* Bump version to 4.53.11

* Revert README wording change

Author: tidusjar

src/Ombi.Api.IntegrationTests/Harness/IntegrationTestBase.cs

@@ -0,0 +1,92 @@
+using System.Linq;
+using System.Net;
+using System.Net.Http;
+using System.Threading.Tasks;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+using NUnit.Framework;
+
+namespace Ombi.Api.IntegrationTests.Harness
+{
+    /// <summary>
+    /// Base class for the API contract tests. Exposes the shared in-memory host, an HttpClient and
+    /// a few helpers, and resets the engine mocks between tests.
+    /// </summary>
+    public abstract class IntegrationTestBase
+    {
+        protected OmbiApiTestFactory Factory => SharedTestFixture.Factory;
+        protected HttpClient Client;
+
+        [OneTimeSetUp]
+        public void CreateClient()
+        {
+            Client = Factory.CreateClient();
+        }
+
+        [SetUp]
+        public void ResetMocks()
+        {
+            // Clear any setups/invocations from a previous test so each test is isolated.
+            Factory.MovieEngineV2.Invocations.Clear();
+            Factory.TvSearchEngineV2.Invocations.Clear();
+            Factory.MultiSearchEngine.Invocations.Clear();
+            Factory.MovieRequestEngine.Invocations.Clear();
+            Factory.TvRequestEngine.Invocations.Clear();
+            Factory.RottenTomatoesApi.Invocations.Clear();
+            Factory.RecentlyAddedEngine.Invocations.Clear();
+            Factory.PlexApi.Invocations.Clear();
+        }
+
+        [OneTimeTearDown]
+        public void DisposeClient()
+        {
+            Client?.Dispose();
+        }
+
+        protected async Task<(HttpStatusCode status, string body)> GetAsync(string url)
+        {
+            using var resp = await Client.GetAsync(url);
+            var body = await resp.Content.ReadAsStringAsync();
+            return (resp.StatusCode, body);
+        }
+
+        protected async Task<(HttpStatusCode status, string body)> PostJsonAsync(string url, object payload)
+        {
+            var content = new StringContent(JsonConvert.SerializeObject(payload), System.Text.Encoding.UTF8, "application/json");
+            using var resp = await Client.PostAsync(url, content);
+            var body = await resp.Content.ReadAsStringAsync();
+            return (resp.StatusCode, body);
+        }
+
+        protected async Task<(HttpStatusCode status, string body)> PutJsonAsync(string url, object payload)
+        {
+            var content = new StringContent(JsonConvert.SerializeObject(payload), System.Text.Encoding.UTF8, "application/json");
+            using var resp = await Client.PutAsync(url, content);
+            var body = await resp.Content.ReadAsStringAsync();
+            return (resp.StatusCode, body);
+        }
+
+        /// <summary>Asserts the JSON object has a property with exactly this (case-sensitive) name.</summary>
+        protected static void AssertHasProperty(JObject obj, string propertyName)
+        {
+            Assert.That(obj.ContainsKey(propertyName), Is.True,
+                $"Expected JSON to contain property '{propertyName}'. Actual properties: [{string.Join(", ", obj.Properties().Select(p => p.Name))}]");
+        }
+
+        /// <summary>
+        /// Asserts the JSON object contains every one of these (case-sensitive) property names. This is
+        /// the contract the mobile app relies on - the keys and casing it deserializes into.
+        /// </summary>
+        protected static void AssertHasProperties(JObject obj, params string[] propertyNames)
+        {
+            foreach (var name in propertyNames)
+            {
+                AssertHasProperty(obj, name);
+            }
+        }
+
+        protected static JObject AsObject(string body) => JObject.Parse(body);
+
+        protected static JArray AsArray(string body) => JArray.Parse(body);
+    }
+}

src/Ombi.Api.IntegrationTests/Harness/OmbiApiTestFactory.cs

@@ -0,0 +1,113 @@
+using System;
+using System.IO;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Mvc.Testing;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Hosting;
+using Moq;
+using Ombi.Api.External.ExternalApis.RottenTomatoes;
+using Ombi.Api.External.MediaServers.Plex;
+using Ombi.Core;
+using Ombi.Core.Engine;
+using Ombi.Core.Engine.Interfaces;
+using Ombi.Core.Engine.V2;
+using Ombi.Helpers;
+
+namespace Ombi.Api.IntegrationTests.Harness
+{
+    /// <summary>
+    /// Boots the Ombi API in-memory for contract testing. Search/request engines that would
+    /// otherwise reach out to TheMovieDb etc. are swapped for mocks so the tests assert the
+    /// serialized HTTP shape (the contract the mobile app depends on) deterministically.
+    /// </summary>
+    public class OmbiApiTestFactory : WebApplicationFactory<Startup>
+    {
+        private readonly string _storagePath;
+
+        public Mock<IMovieEngineV2> MovieEngineV2 { get; } = new Mock<IMovieEngineV2>();
+        public Mock<ITVSearchEngineV2> TvSearchEngineV2 { get; } = new Mock<ITVSearchEngineV2>();
+        public Mock<IMultiSearchEngine> MultiSearchEngine { get; } = new Mock<IMultiSearchEngine>();
+        public Mock<IMovieRequestEngine> MovieRequestEngine { get; } = new Mock<IMovieRequestEngine>();
+        public Mock<ITvRequestEngine> TvRequestEngine { get; } = new Mock<ITvRequestEngine>();
+        public Mock<IRottenTomatoesApi> RottenTomatoesApi { get; } = new Mock<IRottenTomatoesApi>();
+        public Mock<IRecentlyAddedEngine> RecentlyAddedEngine { get; } = new Mock<IRecentlyAddedEngine>();
+        public Mock<IPlexApi> PlexApi { get; } = new Mock<IPlexApi>();
+
+        public OmbiApiTestFactory()
+        {
+            _storagePath = Path.Combine(Path.GetTempPath(), "ombi-itests-" + Guid.NewGuid().ToString("N"));
+            Directory.CreateDirectory(_storagePath);
+
+            // These must be set before the host - and therefore the database and JWT auth - is built.
+            StartupSingleton.Instance.StoragePath = _storagePath;
+            StartupSingleton.Instance.SecurityKey = "ombi-integration-tests-security-key-please-ignore-1234567890";
+        }
+
+        // Bypass Ombi's Program.CreateHostBuilder (which wires up the real Startup with Quartz, the
+        // SPA and SignalR) and host only the test startup.
+        protected override IHostBuilder CreateHostBuilder()
+        {
+            return Host.CreateDefaultBuilder()
+                .ConfigureWebHostDefaults(webBuilder =>
+                {
+                    webBuilder.UseStartup<TestStartup>();
+                    // UseStartup sets ApplicationName to this test assembly; reset it to the Ombi
+                    // assembly (after UseStartup) so MVC discovers its controllers - otherwise it
+                    // scans this test assembly and every route 404s.
+                    webBuilder.UseSetting(WebHostDefaults.ApplicationKey, typeof(Startup).Assembly.GetName().Name);
+                });
+        }
+
+        protected override void ConfigureWebHost(IWebHostBuilder builder)
+        {
+            builder.UseContentRoot(AppContext.BaseDirectory);
+            builder.UseEnvironment("Production");
+
+            builder.ConfigureTestServices(services =>
+            {
+                // Force our deterministic auth scheme as the default for authenticate/challenge.
+                services.AddAuthentication(TestAuthHandler.Scheme)
+                    .AddScheme<AuthenticationSchemeOptions, TestAuthHandler>(TestAuthHandler.Scheme, _ => { });
+                services.PostConfigure<AuthenticationOptions>(o =>
+                {
+                    o.DefaultScheme = TestAuthHandler.Scheme;
+                    o.DefaultAuthenticateScheme = TestAuthHandler.Scheme;
+                    o.DefaultChallengeScheme = TestAuthHandler.Scheme;
+                });
+
+                // Bypass caching so each request reaches the mocked engine.
+                services.RemoveAll<IMediaCacheService>();
+                services.AddSingleton<IMediaCacheService, PassThroughMediaCacheService>();
+
+                // Replace engines that hit external services with mocks the tests configure.
+                services.AddTransient(_ => MovieEngineV2.Object);
+                services.AddTransient(_ => TvSearchEngineV2.Object);
+                services.AddTransient(_ => MultiSearchEngine.Object);
+                services.AddTransient(_ => MovieRequestEngine.Object);
+                services.AddTransient(_ => TvRequestEngine.Object);
+                services.AddTransient(_ => RottenTomatoesApi.Object);
+                services.AddTransient(_ => RecentlyAddedEngine.Object);
+                services.AddTransient(_ => PlexApi.Object);
+            });
+        }
+
+        protected override void Dispose(bool disposing)
+        {
+            base.Dispose(disposing);
+            try
+            {
+                if (Directory.Exists(_storagePath))
+                {
+                    Directory.Delete(_storagePath, true);
+                }
+            }
+            catch
+            {
+                // best-effort cleanup of the temp database directory
+            }
+        }
+    }
+}

src/Ombi.Api.IntegrationTests/Harness/PassThroughMediaCacheService.cs

@@ -0,0 +1,21 @@
+using System;
+using System.Threading.Tasks;
+using Ombi.Helpers;
+
+namespace Ombi.Api.IntegrationTests.Harness
+{
+    /// <summary>
+    /// Replaces the real <see cref="IMediaCacheService"/> in tests so every controller call goes
+    /// straight to the (mocked) engine. This keeps each test deterministic and avoids cross-test
+    /// cache contamination.
+    /// </summary>
+    public class PassThroughMediaCacheService : IMediaCacheService
+    {
+        public Task<T> GetOrAddAsync<T>(string cacheKey, Func<Task<T>> factory, DateTimeOffset absoluteExpiration = default)
+        {
+            return factory();
+        }
+
+        public Task Purge() => Task.CompletedTask;
+    }
+}

src/Ombi.Api.IntegrationTests/Harness/SharedTestFixture.cs

@@ -0,0 +1,26 @@
+using NUnit.Framework;
+using Ombi.Api.IntegrationTests.Harness;
+
+// Assembly-level fixture: the concrete SQLite contexts only run their EF migrations once per
+// process (a static guard), so all tests must share a single host/database instance.
+[SetUpFixture]
+public class SharedTestFixture
+{
+    public static OmbiApiTestFactory Factory { get; private set; }
+
+    [OneTimeSetUp]
+    public void GlobalSetUp()
+    {
+        Factory = new OmbiApiTestFactory();
+        // Force the host to build (runs migrations + seeding) before any test executes.
+        using (Factory.CreateClient())
+        {
+        }
+    }
+
+    [OneTimeTearDown]
+    public void GlobalTearDown()
+    {
+        Factory?.Dispose();
+    }
+}

src/Ombi.Api.IntegrationTests/Harness/TestAuthHandler.cs

@@ -0,0 +1,48 @@
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Ombi.Helpers;
+
+namespace Ombi.Api.IntegrationTests.Harness
+{
+    /// <summary>
+    /// A deterministic authentication handler used by the integration tests. It authenticates
+    /// every request as a fixed admin/power user, so we can exercise the [Authorize] endpoints
+    /// the mobile app consumes without minting JWTs or going through the real login flow.
+    /// </summary>
+    public class TestAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
+    {
+        public const string Scheme = "Test";
+        public const string TestUserName = "testuser";
+        public const string TestUserId = "test-user-id";
+
+        public TestAuthHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger,
+            UrlEncoder encoder)
+            : base(options, logger, encoder)
+        {
+        }
+
+        protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+        {
+            var claims = new[]
+            {
+                new Claim(ClaimTypes.Name, TestUserName),
+                new Claim(ClaimTypes.NameIdentifier, TestUserId),
+                new Claim("id", TestUserId),
+                new Claim(ClaimTypes.Role, OmbiRoles.Admin),
+                new Claim(ClaimTypes.Role, OmbiRoles.PowerUser),
+                new Claim(ClaimTypes.Role, OmbiRoles.RequestMovie),
+                new Claim(ClaimTypes.Role, OmbiRoles.RequestTv),
+            };
+
+            var identity = new ClaimsIdentity(claims, Scheme);
+            var principal = new ClaimsPrincipal(identity);
+            var ticket = new AuthenticationTicket(principal, Scheme);
+
+            return Task.FromResult(AuthenticateResult.Success(ticket));
+        }
+    }
+}