Unit test guards by creating a TestingModule with a mocked Reflector and calling canActivate() directly with a mock ExecutionContext. E2E test the full auth flow using supertest — log in to get a real JWT, then assert that protected routes return 401 without it and 200 with it.
Unit test guards by calling canActivate() directly with a mock ExecutionContext — no HTTP needed.
Mock Reflector with jest.fn() and control getAllAndOverride return values per test case.
E2E tests should use .overrideProvider() to swap UsersService with a mock — no real database needed.
Always test both the unauthenticated (401) and authenticated (200) paths for protected routes.
Test role-based routes with tokens carrying different role claims — assert 403 for insufficient roles.
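An added example, not code from the original page: a hypothetical RolesGuard exercised by calling canActivate() directly with a mock context and a per-case Reflector return value. ReflectorLike and ExecutionContextLike are local stand-ins for Nest's Reflector and ExecutionContext, a plain stub replaces jest.fn() so the file runs without Nest or Jest, and the 'roles' metadata key is assumed.

```typescript
// Added example. Local stand-ins for the parts of @nestjs/common and
// @nestjs/core that a roles guard touches, so this runs without Nest or Jest.
type User = { roles?: string[] };
interface ExecutionContextLike {
  getHandler(): unknown;
  getClass(): unknown;
  switchToHttp(): { getRequest(): { user: User | undefined } };
}
interface ReflectorLike {
  getAllAndOverride(key: string, targets: unknown[]): string[] | undefined;
}

const ROLES_KEY = 'roles'; // assumed metadata key

// Hypothetical guard under test, written in the usual Nest shape.
class RolesGuard {
  reflector: ReflectorLike;
  constructor(reflector: ReflectorLike) {
    this.reflector = reflector;
  }
  canActivate(context: ExecutionContextLike): boolean {
    const required = this.reflector.getAllAndOverride(ROLES_KEY, [
      context.getHandler(),
      context.getClass(),
    ]);
    if (!required || required.length === 0) return true; // no role requirement on the route
    const user = context.switchToHttp().getRequest().user;
    const roles = user ? user.roles : undefined;
    if (!Array.isArray(roles)) return false; // fail closed; Nest answers 403 on false
    return required.some((role) => roles.indexOf(role) !== -1);
  }
}

// Mock ExecutionContext carrying only the request user; no HTTP server involved.
function mockContext(user: User | undefined): ExecutionContextLike {
  return {
    getHandler: () => 'handler',
    getClass: () => RolesGuard,
    switchToHttp: () => ({ getRequest: () => ({ user }) }),
  };
}

// One call per test case: the stub Reflector returns `required`, the request carries `user`.
function decide(required: string[] | undefined, user: User | undefined): boolean {
  const reflector: ReflectorLike = { getAllAndOverride: () => required };
  return new RolesGuard(reflector).canActivate(mockContext(user));
}
```

In a Jest suite each decide(...) call becomes one it(...) case, with the stub replaced by jest.fn().mockReturnValue(...) on a mocked Reflector provider.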