Update dev workflow and org chart settings

backend/internal/service/worksmobile_client_test.go

@@ -181,6 +181,46 @@ func TestWorksmobileHTTPClientRequestsJWTBearerAccessToken(t *testing.T) {
 	require.Equal(t, float64(1710003600), payload["exp"])
 }
 
+func TestWorksmobileHTTPClientRequiresConfiguredAPIBaseURL(t *testing.T) {
+	client := &WorksmobileHTTPClient{
+		DirectoryToken: "directory-token-1",
+		HTTPClient:     &http.Client{Transport: &captureRoundTripper{statusCode: http.StatusCreated, body: `{}`}},
+	}
+
+	err := client.CreateUser(context.Background(), WorksmobileUserPayload{
+		DomainID:        300285955,
+		Email:           "tester@samaneng.com",
+		UserExternalKey: "user-1",
+		UserName:        WorksmobileUserName{LastName: "Tester"},
+		PasswordConfig:  WorksmobilePasswordConfig{PasswordCreationType: "ADMIN", Password: "Aa1!Aa1!Aa1!Aa1!"},
+	})
+
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "worksmobile api base url is not configured")
+}
+
+func TestWorksmobileHTTPClientRequiresConfiguredOAuthTokenURL(t *testing.T) {
+	privateKey := testRSAPrivateKeyPEM(t)
+	client := &WorksmobileHTTPClient{
+		BaseURL: "https://works.example.test",
+		OAuthConfig: WorksmobileOAuthConfig{
+			ClientID:       "client-id-1",
+			ClientSecret:   "client-secret-1",
+			ServiceAccount: "service-account-1",
+			PrivateKey:     privateKey,
+			Scope:          "directory",
+		},
+	}
+
+	_, _, err := client.requestDirectoryAccessToken(
+		context.Background(),
+		time.Unix(1710000000, 0),
+	)
+
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "worksmobile oauth token url is not configured")
+}
+
 func TestWorksmobileHTTPClientListUsersUsesDirectoryAPIFirst(t *testing.T) {
 	t.Setenv("SAMAN_DOMAIN_ID", "300285955")
 	transport := &captureRoundTripper{
@@ -393,13 +433,7 @@ func TestWorksmobileLiveJWTTokenExchange(t *testing.T) {
 	if os.Getenv("WORKSMOBILE_LIVE_JWT_TOKEN_EXCHANGE") != "1" {
 		t.Skip("live Worksmobile token exchange is disabled")
 	}
-	client := NewWorksmobileHTTPClientWithAuth("", os.Getenv("SAMAN_SCIM_LONGLIVE_TOKEN"), WorksmobileOAuthConfig{
-		ClientID:       os.Getenv("WORKS_ADMIN_OAUTH_CLIENT_ID"),
-		ClientSecret:   os.Getenv("WORKS_ADMIN_OAUTH_CLIENT_SECRET"),
-		ServiceAccount: os.Getenv("WORKS_ADMIN_OAUTH_CLIENT_SERVICE_ACCOUNT"),
-		PrivateKey:     os.Getenv("WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY"),
-		Scope:          getenvDefault("WORKS_ADMIN_OAUTH_SCOPE", "directory"),
-	})
+	client := newWorksmobileLiveClient()
 
 	token, err := client.directoryAccessToken(context.Background())
 
@@ -989,6 +1023,19 @@ func getenvDefault(key string, fallback string) string {
 	return fallback
 }
 
+func newWorksmobileLiveClient() *WorksmobileHTTPClient {
+	client := NewWorksmobileHTTPClientWithAuth("", os.Getenv("SAMAN_SCIM_LONGLIVE_TOKEN"), WorksmobileOAuthConfig{
+		ClientID:       os.Getenv("WORKS_ADMIN_OAUTH_CLIENT_ID"),
+		ClientSecret:   os.Getenv("WORKS_ADMIN_OAUTH_CLIENT_SECRET"),
+		ServiceAccount: os.Getenv("WORKS_ADMIN_OAUTH_CLIENT_SERVICE_ACCOUNT"),
+		PrivateKey:     os.Getenv("WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY"),
+		Scope:          getenvDefault("WORKS_ADMIN_OAUTH_SCOPE", "directory"),
+		TokenURL:       os.Getenv("WORKS_ADMIN_OAUTH_TOKEN_URL"),
+	})
+	client.BaseURL = os.Getenv("WORKS_ADMIN_API_BASE_URL")
+	return client
+}
+
 func (f *fakeWorksmobileDirectoryClient) CreateOrgUnit(ctx context.Context, payload WorksmobileOrgUnitPayload) error {
 	f.createdOrgUnits = append(f.createdOrgUnits, payload)
 	return nil