TenantAtlas/tests/Unit/TenantResourceConsentUrlTest.php

<?php

use App\Filament\Resources\TenantResource;
use App\Models\Tenant;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);
it('includes scope parameter in admin consent url', function () {
    // The adminConsentUrl builds scopes from intune_permissions config, not graph.scope
    $tenant = Tenant::create([
        'tenant_id' => 'b0091e5d-944f-4a34-bcd9-12cbfb7b75cf',
        'name' => 'Test Tenant',
        'app_client_id' => 'client-id',
    ]);

    $url = TenantResource::adminConsentUrl($tenant);

    expect($url)->toContain('scope=');

    // Should contain permissions from intune_permissions config
    $requiredPermissions = config('intune_permissions.permissions', []);
    if (! empty($requiredPermissions)) {
        $firstPermission = $requiredPermissions[0]['key'];
        expect($url)->toContain(urlencode("https://graph.microsoft.com/{$firstPermission}"));
    } else {
        // Fallback to .default if no permissions configured
        expect($url)->toContain(urlencode('https://graph.microsoft.com/.default'));
    }
});