fix: [#28] add URL encoding for admin tokens in deployment testing

- Add automatic URL encoding for admin tokens in deploy-app.sh
- Fixes API authentication failures when tokens contain special characters (+ and /)
- Enhanced error reporting shows both raw and encoded tokens for debugging
- Update testing session documentation with issue resolution details

Resolves API testing failures in staging deployment validation.

Author: josecelano

docs/testing/manual-sessions/2025-08-08-issue-28-phase-4-7-staging.md

@@ -146,7 +146,38 @@ Expected:
 
 ## Open Items / Issues Noted During Session
 
+### ✅ RESOLVED: API Token URL Encoding Issue
+
+**Issue**: Deployment testing was failing with "token not valid" error when testing the
+HTTP API stats endpoint.
+
+**Root Cause**: The admin token contains special characters (+ and /) that need URL encoding
+in HTTP query parameters:
+
+- Raw token: `sTnc7/5XjZfsb2C5bNet++D+PTO9aqPsOyiCBcu+NOeWrxUMWe08LnVBs8VCMZDY`
+- Special characters: `+` becomes `%2B`, `/` becomes `%2F`
+- URL-encoded: `sTnc7%2F5XjZfsb2C5bNet%2B%2BD%2BPTO9aqPsOyiCBcu%2BNOeWrxUMWe08LnVBs8VCMZDY`
+
+**Solution**: Updated `infrastructure/scripts/deploy-app.sh` to automatically URL-encode the
+admin token before using it in API calls:
+
+```bash
+admin_token_encoded=$(printf '%s' "$admin_token" | sed 's/+/%2B/g; s,/,%2F,g')
+```
+
+- Updated both HTTP and HTTPS API endpoint tests to use encoded token
+- Enhanced error reporting to show both raw and encoded tokens for debugging
+
+**Impact**:
+
+- ✅ Prevents future deployment failures due to token encoding issues
+- ✅ Makes deployment testing more robust for tokens with special characters
+- ✅ Provides better debugging information when API tests fail
+
+### Open Items
+
 - [ ] Optional: Test IPv6 connectivity to deployed application (requires application deployment)
+- [ ] Continue with HTTPS setup after HTTP deployment validation
 
 ## Final Status
 

infrastructure/scripts/deploy-app.sh

@@ -1011,11 +1011,13 @@ validate_deployment() {
         
         # Test HTTP API stats endpoint (through nginx proxy, requires auth)
         echo 'Testing HTTP API stats endpoint...'
-        # Use admin token passed from local environment
+        # Use admin token passed from local environment and URL-encode it
         admin_token=\"${admin_token}\"
+        # URL-encode the token to handle special characters (+ becomes %2B, / becomes %2F)
+        admin_token_encoded=\$(printf '%s' \"\$admin_token\" | sed 's/+/%2B/g; s,/,%2F,g')
         
         # Save response to temp file and get HTTP status code
-        api_http_code=\$(curl -s -o /tmp/api_response.json -w '%{http_code}' \"http://localhost/api/v1/stats?token=\$admin_token\" 2>&1 || echo \"000\")
+        api_http_code=\$(curl -s -o /tmp/api_response.json -w '%{http_code}' \"http://localhost/api/v1/stats?token=\$admin_token_encoded\" 2>&1 || echo \"000\")
         api_response_body=\$(cat /tmp/api_response.json 2>/dev/null || echo \"No response\")
         
         # Check if HTTP status is 200 (success)
@@ -1025,7 +1027,8 @@ validate_deployment() {
             echo '❌ HTTP API stats endpoint: FAILED'
             echo \"  HTTP Code: \$api_http_code\"
             echo \"  Response: \$api_response_body\"
-            echo \"  Token used: \$admin_token\"
+            echo \"  Raw token: \$admin_token\"
+            echo \"  Encoded token: \$admin_token_encoded\"
             rm -f /tmp/api_response.json
             exit 1
         fi
@@ -1034,7 +1037,7 @@ validate_deployment() {
         # Test HTTPS API stats endpoint (through nginx proxy, with self-signed certificates)
         echo 'Testing HTTPS API stats endpoint...'
         # Save response to temp file and get HTTP status code
-        api_https_code=\$(curl -s -k -o /tmp/api_response_https.json -w '%{http_code}' \"https://localhost/api/v1/stats?token=\$admin_token\" 2>&1 || echo \"000\")
+        api_https_code=\$(curl -s -k -o /tmp/api_response_https.json -w '%{http_code}' \"https://localhost/api/v1/stats?token=\$admin_token_encoded\" 2>&1 || echo \"000\")
         api_https_response=\$(cat /tmp/api_response_https.json 2>/dev/null || echo \"No response\")
         
         # Check if HTTPS status is 200 (success)