test(api): add CRUD tests for todo items

Added full API test coverage for todo items, including:
- Creating a new todo
- Retrieving todos
- Updating a todo's status
- Deleting a todo
- Negative cases for delete with invalid ID and no auth

All tests use token-based auth and assert correct responses.

Author: OmarElsheikh1

src/main/java/com/omarelsheikh/todo/api/config/EndPoints.java

@@ -3,6 +3,7 @@
 public class EndPoints {
 
     public static final String API_REGISTER_END_POINT = "/api/v1/users/register";
+    public static final String API_LOGIN_END_POINT = "/api/v1/users/login";
     public static final String API_TASK_END_POINT = "api/v1/tasks";
     public static final String TODO_END_POINT = "/todo";
     public static final String NEW_TODO_END_POINT = "/todo/new";

src/main/java/com/omarelsheikh/todo/api/models/UserLogin.java

@@ -0,0 +1,33 @@
+package com.omarelsheikh.todo.api.models;
+
+/**
+ * Represents the structure of the User as expected by the backend API.
+ * Only includes fields allowed by the API contract for Logging in.
+ */
+public class UserLogin {
+
+    private String email;
+    private String password;
+
+    public UserLogin(String email, String password) {
+        this.email = email;
+        this.password = password;
+    }
+
+
+    public String getEmail() {
+        return email;
+    }
+
+    public void setEmail(String email) {
+        this.email = email;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+
+    public void setPassword(String password) {
+        this.password = password;
+    }
+}

src/main/java/com/omarelsheikh/todo/utils/ConfigUtil.java

@@ -17,6 +17,7 @@ public class ConfigUtil {
     // Private constructor to load properties based on the environment
     private ConfigUtil() throws IOException {
 
+        // If user didn't specify environment, it will run on PRODUCTION by default
         String env = System.getProperty("env", "PRODUCTION").toUpperCase();
 
         switch (env) {

src/test/java/com/omarelsheikh/todo/api/requests/RegisterApi.java

@@ -1,7 +1,7 @@
 package com.omarelsheikh.todo.api.requests;
 
 import com.omarelsheikh.todo.api.config.EndPoints;
-import com.omarelsheikh.todo.models.User;
+import com.omarelsheikh.todo.models.UserRegister;
 import com.omarelsheikh.todo.utils.UserUtils;
 import io.restassured.http.Cookie;
 import io.restassured.response.Response;
@@ -13,7 +13,8 @@
 public class RegisterApi {
 
     private String email;
-    private User user;
+    private String password;
+    private UserRegister user;
     private List<Cookie> restAssuredCookies;
     private String accessToken;
     private String userId;
@@ -24,7 +25,11 @@ public String getEmail() {
         return this.email;
     }
 
-    public User getUser() {
+    public String getPassword() {
+        return this.password;
+    }
+
+    public UserRegister getUser() {
         return this.user;
     }
 
@@ -73,7 +78,8 @@ public void register() {
         userId = response.path("userID");
         firstName = response.path("firstName");
 
-        // Get the email
+        // Get the email and password
         email = user.getEmail();
+        password = user.getPassword();
     }
 }

src/test/java/com/omarelsheikh/todo/api/testcases/DeleteItemApiTest.java

@@ -0,0 +1,115 @@
+package com.omarelsheikh.todo.api.testcases;
+
+import com.omarelsheikh.todo.api.config.EndPoints;
+import com.omarelsheikh.todo.api.models.Todo;
+import com.omarelsheikh.todo.api.requests.RegisterApi;
+import io.restassured.response.Response;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+import java.io.IOException;
+
+import static io.restassured.RestAssured.given;
+
+public class DeleteItemApiTest {
+
+    @Test
+    public void shouldDeleteItemSuccessfullyWithValidId() throws IOException {
+
+        // Register and get token
+        RegisterApi registerApi = new RegisterApi();
+        registerApi.register();
+        String token = registerApi.getToken();
+
+        // Create a todo item
+        Todo todo = new Todo("Test item for delete", false);
+        Response createResponse = given()
+                .baseUri("https://todo.qacart.com")
+                .header("Content-Type", "application/json")
+                .auth().oauth2(token)
+                .body(todo)
+                .log().all()
+                .when()
+                .post(EndPoints.API_TASK_END_POINT)
+                .then()
+                .log().all()
+                .extract().response();
+
+        String itemId = createResponse.path("_id");
+
+        // Delete the item
+        Response deleteResponse = given()
+                .baseUri("https://todo.qacart.com")
+                .auth().oauth2(token)
+                .log().all()
+                .when()
+                .delete(EndPoints.API_TASK_END_POINT + "/" + itemId)
+                .then()
+                .log().all()
+                .extract().response();
+
+        // Assert only the status code
+        Assert.assertEquals(deleteResponse.getStatusCode(), 200);
+    }
+
+
+    @Test
+    public void shouldFailToDeleteItemWithInvalidId() {
+
+        // Register and get a valid token
+        RegisterApi registerApi = new RegisterApi();
+        registerApi.register();
+        String token = registerApi.getToken();
+
+        // Use a fake ID (but well-formatted)
+        String fakeId = "64b83b219e03c8a9d0f0f111";
+
+        // Try deleting with fake ID
+        Response deleteResponse = given()
+                .baseUri("https://todo.qacart.com")
+                .auth().oauth2(token)
+                .when()
+                .delete(EndPoints.API_TASK_END_POINT + "/" + fakeId)
+                .then()
+                .extract().response();
+
+        // Assert status
+        Assert.assertEquals(deleteResponse.getStatusCode(), 400);
+
+        // Assert a message
+        String message = deleteResponse.jsonPath().getString("message");
+        Assert.assertEquals(message, "We could not find the task in our database");
+    }
+
+    @Test
+    public void shouldFailToDeleteItemWhenUnauthorized() {
+
+        // Register and get a token
+        RegisterApi registerApi = new RegisterApi();
+        registerApi.register();
+        String token = registerApi.getToken();
+
+        // Create a real todo item
+        Todo todo = new Todo("Item to test unauthorized delete", false);
+        Response createResponse = given()
+                .baseUri("https://todo.qacart.com")
+                .header("Content-Type", "application/json")
+                .auth().oauth2(token)
+                .body(todo)
+                .post(EndPoints.API_TASK_END_POINT)
+                .then()
+                .extract().response();
+
+        String itemId = createResponse.path("_id");
+
+        // Try to delete the item without a token
+        Response deleteResponse = given()
+                .baseUri("https://todo.qacart.com")
+                .when()
+                .delete(EndPoints.API_TASK_END_POINT + "/" + itemId)
+                .then()
+                .extract().response();
+
+        Assert.assertEquals(deleteResponse.getStatusCode(), 401);
+    }
+}

src/test/java/com/omarelsheikh/todo/api/testcases/GetItemsApiTest.java

@@ -0,0 +1,72 @@
+package com.omarelsheikh.todo.api.testcases;
+
+import com.omarelsheikh.todo.api.config.EndPoints;
+import com.omarelsheikh.todo.api.requests.RegisterApi;
+import com.omarelsheikh.todo.api.requests.TasksApi;
+import com.omarelsheikh.todo.utils.ConfigUtil;
+import io.restassured.response.Response;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+import java.io.IOException;
+
+import static io.restassured.RestAssured.given;
+
+public class GetItemsApiTest {
+
+    @Test
+    public void shouldGetItemsSuccessfullyWithValidAuth() throws IOException {
+
+        // Register a new user via the API and retrieve their access token
+        RegisterApi registerApi = new RegisterApi();
+        registerApi.register();
+        String accessToken = registerApi.getToken();
+
+        // Add a new todo item for the user using the valid token
+        TasksApi tasksApi = new TasksApi();
+        tasksApi.addTodo(accessToken);
+
+        // Send a GET request to retrieve the user's todo items
+        Response response =
+                given()
+                        .baseUri("https://todo.qacart.com")  // Set base URL from config
+                        .auth().oauth2(accessToken)                     // Use the valid token for authorization
+                        .log().all()                                    // Log request details
+                        .when()
+                        .get(EndPoints.API_TASK_END_POINT)              // Hit the tasks endpoint
+                        .then()
+                        .log().all()                                    // Log response details
+                        .extract().response();
+
+        // Verify the response status code is 200 OK
+        Assert.assertEquals(response.statusCode(), 200, "Expected 200 OK");
+    }
+
+
+    @Test
+    public void shouldFailToGetItemsWhenUnauthorized() throws IOException {
+
+        // Register a new user via the API and retrieve their access token
+        RegisterApi registerApi = new RegisterApi();
+        registerApi.register();
+        String accessToken = registerApi.getToken();
+
+        // Add a new todo item for the user using the valid token
+        TasksApi tasksApi = new TasksApi();
+        tasksApi.addTodo(accessToken);
+
+        // Send a GET request to retrieve the user's todo items
+        Response response =
+                given()
+                        .baseUri("https://todo.qacart.com")  // Set base URL from config
+                        .log().all()                                    // Log request details
+                        .when()
+                        .get(EndPoints.API_TASK_END_POINT)              // Hit the tasks endpoint
+                        .then()
+                        .log().all()                                    // Log response details
+                        .extract().response();
+
+        // Verify the response status code is 200 OK
+        Assert.assertEquals(response.statusCode(), 401, "Expected 401 Unauthorized for invalid token");
+    }
+}