Task 6: AuthService + 9 unit tests (16/16 pass)

- IAuthService: LoginAsync / RefreshAsync / LogoutAsync - AuthService: refresh-token rotation, hashed storage, LastLoginAt update - AuthServiceTests: 5 login + 3 refresh + 1 logout tests via Moq + EF InMemory Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 17:38:56 -07:00
parent f74563bb36
commit 9db8b34181
3 changed files with 434 additions and 0 deletions
@@ -0,0 +1,258 @@
+using Microsoft.AspNetCore.Identity;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Configuration;
+using Moq;
+using ROLAC.API.Data;
+using ROLAC.API.DTOs.Auth;
+using ROLAC.API.Entities;
+using ROLAC.API.Services;
+using Xunit;
+
+namespace ROLAC.API.Tests.Services;
+
+public class AuthServiceTests
+{
+    // -----------------------------------------------------------------------
+    // Factory helpers
+    // -----------------------------------------------------------------------
+
+    private static AppDbContext BuildDb() =>
+        new(new DbContextOptionsBuilder<AppDbContext>()
+            .UseInMemoryDatabase(Guid.NewGuid().ToString())
+            .Options);
+
+    private static IConfiguration BuildConfig() =>
+        new ConfigurationBuilder()
+            .AddInMemoryCollection(new Dictionary<string, string?>
+            {
+                { "Jwt:RefreshTokenExpiryDays", "30" },
+            })
+            .Build();
+
+    /// <summary>Creates a <see cref="UserManager{TUser}"/> mock with sensible defaults.</summary>
+    private static Mock<UserManager<AppUser>> BuildUserManager(
+        AppUser?        findResult  = null,
+        bool            passwordOk  = true,
+        IList<string>?  roles       = null)
+    {
+        var store = new Mock<IUserStore<AppUser>>();
+        // Remaining ctor params are all optional; Moq passes them via reflection.
+#pragma warning disable CS8625
+        var mgr = new Mock<UserManager<AppUser>>(
+            store.Object, null, null, null, null, null, null, null, null);
+#pragma warning restore CS8625
+
+        mgr.Setup(m => m.FindByEmailAsync(It.IsAny<string>()))
+           .ReturnsAsync(findResult);
+        mgr.Setup(m => m.FindByIdAsync(It.IsAny<string>()))
+           .ReturnsAsync(findResult);
+        mgr.Setup(m => m.CheckPasswordAsync(It.IsAny<AppUser>(), It.IsAny<string>()))
+           .ReturnsAsync(passwordOk);
+        mgr.Setup(m => m.GetRolesAsync(It.IsAny<AppUser>()))
+           .ReturnsAsync(roles ?? new List<string> { "member" });
+        mgr.Setup(m => m.UpdateAsync(It.IsAny<AppUser>()))
+           .ReturnsAsync(IdentityResult.Success);
+
+        return mgr;
+    }
+
+    /// <summary>
+    /// ITokenService mock: GenerateAccessToken → "access-token",
+    /// GenerateRefreshToken → "raw-refresh", HashToken(x) → "hash:{x}".
+    /// </summary>
+    private static Mock<ITokenService> BuildTokenService()
+    {
+        var svc = new Mock<ITokenService>();
+        svc.Setup(t => t.GenerateAccessToken(It.IsAny<AppUser>(), It.IsAny<IList<string>>()))
+           .Returns("access-token");
+        svc.Setup(t => t.GenerateRefreshToken())
+           .Returns("raw-refresh");
+        svc.Setup(t => t.HashToken(It.IsAny<string>()))
+           .Returns<string>(s => $"hash:{s}");
+        return svc;
+    }
+
+    private static AuthService BuildSut(
+        Mock<UserManager<AppUser>> umMock,
+        Mock<ITokenService>        tsMock,
+        AppDbContext                db)
+        => new(umMock.Object, tsMock.Object, db, BuildConfig());
+
+    // -----------------------------------------------------------------------
+    // Login tests
+    // -----------------------------------------------------------------------
+
+    [Fact]
+    public async Task Login_ValidCredentials_ReturnsAccessTokenAndRefreshToken()
+    {
+        var user = new AppUser { Id = "u1", Email = "a@b.com", UserName = "a@b.com", IsActive = true };
+        var um   = BuildUserManager(findResult: user, roles: new[] { "member" });
+        var ts   = BuildTokenService();
+        var db   = BuildDb();
+        var sut  = BuildSut(um, ts, db);
+
+        var (response, raw) = await sut.LoginAsync(new LoginRequest { Email = "a@b.com", Password = "P@ssw0rd!" });
+
+        Assert.Equal("access-token", response.AccessToken);
+        Assert.Equal(900, response.ExpiresIn);
+        Assert.Equal("u1",    response.User.Id);
+        Assert.Equal("a@b.com", response.User.Email);
+        Assert.Contains("member", response.User.Roles);
+        Assert.Equal("raw-refresh", raw);
+
+        // Persisted in DB
+        var stored = db.RefreshTokens.Single();
+        Assert.Equal("hash:raw-refresh", stored.TokenHash);
+        Assert.Equal("u1", stored.UserId);
+    }
+
+    [Fact]
+    public async Task Login_UnknownEmail_ThrowsUnauthorized()
+    {
+        var um  = BuildUserManager(findResult: null);
+        var ts  = BuildTokenService();
+        var sut = BuildSut(um, ts, BuildDb());
+
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(
+            () => sut.LoginAsync(new LoginRequest { Email = "nope@b.com", Password = "P@ssw0rd!" }));
+    }
+
+    [Fact]
+    public async Task Login_WrongPassword_ThrowsUnauthorized()
+    {
+        var user = new AppUser { Id = "u1", Email = "a@b.com", UserName = "a@b.com", IsActive = true };
+        var um   = BuildUserManager(findResult: user, passwordOk: false);
+        var ts   = BuildTokenService();
+        var sut  = BuildSut(um, ts, BuildDb());
+
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(
+            () => sut.LoginAsync(new LoginRequest { Email = "a@b.com", Password = "wrong" }));
+    }
+
+    [Fact]
+    public async Task Login_InactiveAccount_ThrowsUnauthorized()
+    {
+        var user = new AppUser { Id = "u1", Email = "a@b.com", UserName = "a@b.com", IsActive = false };
+        var um   = BuildUserManager(findResult: user, passwordOk: true);
+        var ts   = BuildTokenService();
+        var sut  = BuildSut(um, ts, BuildDb());
+
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(
+            () => sut.LoginAsync(new LoginRequest { Email = "a@b.com", Password = "P@ssw0rd!" }));
+    }
+
+    [Fact]
+    public async Task Login_Success_UpdatesLastLoginAt()
+    {
+        var user = new AppUser { Id = "u1", Email = "a@b.com", UserName = "a@b.com", IsActive = true };
+        var um   = BuildUserManager(findResult: user);
+        var ts   = BuildTokenService();
+        var sut  = BuildSut(um, ts, BuildDb());
+
+        await sut.LoginAsync(new LoginRequest { Email = "a@b.com", Password = "P@ssw0rd!" });
+
+        um.Verify(m => m.UpdateAsync(It.Is<AppUser>(u => u.LastLoginAt != null)), Times.Once);
+    }
+
+    // -----------------------------------------------------------------------
+    // Refresh tests
+    // -----------------------------------------------------------------------
+
+    [Fact]
+    public async Task Refresh_ValidToken_RotatesRefreshToken()
+    {
+        const string rawOld = "old-raw";
+        const string rawNew = "raw-refresh"; // what BuildTokenService returns
+
+        var user = new AppUser { Id = "u1", Email = "a@b.com", UserName = "a@b.com", IsActive = true };
+        var um   = BuildUserManager(findResult: user);
+        var ts   = BuildTokenService();
+        var db   = BuildDb();
+
+        // Seed an active token
+        db.RefreshTokens.Add(new RefreshToken
+        {
+            UserId    = "u1",
+            TokenHash = "hash:old-raw",
+            ExpiresAt = DateTime.UtcNow.AddDays(30),
+            CreatedAt = DateTime.UtcNow.AddHours(-1),
+        });
+        await db.SaveChangesAsync();
+
+        var sut = BuildSut(um, ts, db);
+        var (response, newRaw) = await sut.RefreshAsync(rawOld);
+
+        Assert.Equal("access-token", response.AccessToken);
+        Assert.Equal(rawNew, newRaw);
+
+        // Old token revoked
+        var old = db.RefreshTokens.First(rt => rt.TokenHash == "hash:old-raw");
+        Assert.NotNull(old.RevokedAt);
+        Assert.Equal("hash:raw-refresh", old.ReplacedByHash);
+
+        // New token stored
+        var newTok = db.RefreshTokens.First(rt => rt.TokenHash == "hash:raw-refresh");
+        Assert.Null(newTok.RevokedAt);
+    }
+
+    [Fact]
+    public async Task Refresh_UnknownToken_ThrowsUnauthorized()
+    {
+        var um  = BuildUserManager();
+        var ts  = BuildTokenService();
+        var sut = BuildSut(um, ts, BuildDb());
+
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(
+            () => sut.RefreshAsync("no-such-token"));
+    }
+
+    [Fact]
+    public async Task Refresh_ExpiredToken_ThrowsUnauthorized()
+    {
+        var db = BuildDb();
+        db.RefreshTokens.Add(new RefreshToken
+        {
+            UserId    = "u1",
+            TokenHash = "hash:expired-raw",
+            ExpiresAt = DateTime.UtcNow.AddDays(-1),  // already expired
+            CreatedAt = DateTime.UtcNow.AddDays(-31),
+        });
+        await db.SaveChangesAsync();
+
+        var um  = BuildUserManager();
+        var ts  = BuildTokenService();
+        var sut = BuildSut(um, ts, db);
+
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(
+            () => sut.RefreshAsync("expired-raw"));
+    }
+
+    // -----------------------------------------------------------------------
+    // Logout tests
+    // -----------------------------------------------------------------------
+
+    [Fact]
+    public async Task Logout_ValidToken_RevokesRefreshToken()
+    {
+        const string raw = "my-raw-token";
+
+        var db = BuildDb();
+        db.RefreshTokens.Add(new RefreshToken
+        {
+            UserId    = "u1",
+            TokenHash = "hash:my-raw-token",
+            ExpiresAt = DateTime.UtcNow.AddDays(30),
+            CreatedAt = DateTime.UtcNow.AddHours(-1),
+        });
+        await db.SaveChangesAsync();
+
+        var um  = BuildUserManager();
+        var ts  = BuildTokenService();
+        var sut = BuildSut(um, ts, db);
+
+        await sut.LogoutAsync(raw);
+
+        var token = db.RefreshTokens.Single();
+        Assert.NotNull(token.RevokedAt);
+    }
+}