propel_authentication 0.1.3 → 0.2.0

data/lib/generators/propel_authentication/templates/propel_authentication.rb.tt

@@ -0,0 +1,218 @@
+# frozen_string_literal: true
+
+# PropelAuthentication Runtime and Configuration
+# This file was generated by: rails generate propel_auth:install
+# 
+# This contains ALL PropelAuthentication runtime functionality - no gem dependency required!
+# This module provides JWT-based authentication for Rails applications
+# with features like account lockout, password reset, and email confirmation.
+
+require "rails"
+
+module PropelAuthentication
+  class Error < StandardError; end
+
+  class << self
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def configure
+      yield(configuration)
+    end
+
+    def reset_configuration!
+      @configuration = Configuration.new
+    end
+  end
+
+  class Configuration
+    attr_accessor :jwt_secret,
+                  :jwt_expiration,
+                  :jwt_algorithm,
+                  :password_length,
+                  :allow_registration,
+                  :require_email_confirmation,
+                  :confirmation_period,
+                  :confirmation_resend_interval,
+                  :max_failed_attempts,
+                  :lockout_duration,
+                  :password_reset_expiration,
+                  :password_reset_rate_limit,
+                  :frontend_url,
+                  :email_from_address,
+                  :support_email,
+                  :enable_email_notifications,
+                  :enable_sms_notifications,
+                  :agency_tenancy,
+                  :require_organization_id,
+                  :require_user_id,
+                  :namespace,
+                  :version,
+                  :auth_scope
+
+    def initialize
+      # JWT Configuration defaults
+      @jwt_secret = nil # Will be set in configuration block
+      @jwt_expiration = 24.hours
+      @jwt_algorithm = 'HS256'
+      
+      # Password requirements
+      @password_length = 8..128
+      
+      # User registration settings
+      @allow_registration = true
+      
+      # Email confirmation settings
+      @require_email_confirmation = false
+      @confirmation_period = 24.hours       # How long confirmation tokens are valid
+      @confirmation_resend_interval = 1.minute # Minimum time between resend attempts
+      
+      # Account lockout settings
+      @max_failed_attempts = 10
+      @lockout_duration = 30.minutes
+      
+      # Password reset settings
+      @password_reset_expiration = 15.minutes
+      @password_reset_rate_limit = 1.minute
+      
+      # Frontend URL for email links (configure for your frontend application)
+      # Priority: Rails credentials -> ENV variables -> environment-specific fallbacks
+      @frontend_url = Rails.application.credentials.frontend_url ||
+                      ENV['FRONTEND_URL'] ||
+                      case Rails.env
+                      when 'development', 'test'
+                        'http://localhost:3000'
+                      when 'staging'
+                        'https://staging.yourapp.com'  # Replace with your staging URL
+                      when 'production'
+                        'https://yourapp.com'  # Replace with your production URL
+                      else
+                        'http://localhost:3000'  # Safe fallback for any other environment
+                      end
+      
+      # Email configuration
+      # Priority: Rails credentials -> ENV variables -> sensible defaults
+      @email_from_address = Rails.application.credentials.email_from_address ||
+                            ENV['EMAIL_FROM_ADDRESS'] ||
+                            "noreply@#{Rails.application.class.module_parent.name.downcase}.com"
+                            
+      @support_email = Rails.application.credentials.support_email ||
+                       ENV['SUPPORT_EMAIL'] ||
+                       "support@#{Rails.application.class.module_parent.name.downcase}.com"
+      
+      # Notification preferences
+      @enable_email_notifications = true
+      @enable_sms_notifications = false # Requires SMS provider configuration
+      
+      # Tenancy configuration
+      # Controls whether multi-agency tenancy is enabled within organizations
+      @agency_tenancy = true  # Enable agency-level tenancy by default
+      
+      # API tenancy requirements (for PropelApi integration)
+      # Controls whether APIs require explicit tenancy context in requests
+      @require_organization_id = false  # Auto-assign organization when missing (developer-friendly default)
+      @require_user_id = false          # Auto-assign current user when missing (common workflow default)
+      
+      # API namespace and versioning configuration  
+      # Default to no namespace/version/auth_scope for clean URLs like /login, /me, /signup
+      @namespace = nil
+      @version = nil
+      @auth_scope = nil
+    end
+  end
+end
+
+# Configure PropelAuthentication with secure defaults
+PropelAuthentication.configure do |config|
+  # JWT Configuration for API authentication
+  # Priority: Rails credentials -> ENV variables -> fallback (development/test only)
+  config.jwt_secret = Rails.application.credentials.jwt_secret ||
+                      ENV['JWT_SECRET'] ||
+                      Rails.application.credentials.secret_key_base ||
+                      ENV['SECRET_KEY_BASE'] ||
+                      (Rails.env.development? || Rails.env.test? ? 'development-secret-key' : 
+                       raise('JWT_SECRET must be set in production'))
+  config.jwt_expiration = 24.hours
+  
+  # Password requirements
+  config.password_length = 8..128
+  
+  # User registration settings
+  config.allow_registration = true
+  
+  # Multi-tenancy settings  
+  # Controls whether agency-level tenancy is enabled within organizations
+  # When true: Organization -> Agency -> Resources structure
+  # When false: Organization -> Resources structure (simpler)
+  config.agency_tenancy = true
+  
+  # API tenancy requirements (for PropelApi integration)
+  # Controls whether clients must provide explicit tenancy context in API requests
+  
+  # Require explicit organization_id in API requests?
+  # false (recommended): Auto-assigns current user's organization_id when missing
+  # true (strict): Returns 422 error if organization_id not provided by client
+  config.require_organization_id = false
+  
+  # Require explicit user_id in API requests?  
+  # false (recommended): Auto-assigns current user as creator when missing
+  # true (admin mode): Returns 422 error if user_id not provided (for delegation scenarios)
+  config.require_user_id = false
+  
+  # Email confirmation (for future use)
+  config.require_email_confirmation = false
+  
+  # Account lockout settings
+  config.max_failed_attempts = 10
+  config.lockout_duration = 30.minutes
+  
+  # Password reset settings
+  config.password_reset_expiration = 15.minutes
+  config.password_reset_rate_limit = 1.minute
+  
+  # Environment-specific settings
+  if Rails.env.development?
+    # Development-specific settings
+    config.jwt_expiration = 24.hours
+  elsif Rails.env.production?
+    # Production-specific settings - shorter token expiration for security
+    config.jwt_expiration = 2.hours
+  end
+  
+  # URL structure configuration (set by generator based on your choices)
+  # - Default: Clean URLs like /login, /me, /signup (no additional namespacing)  
+  # - With PropelApi: Automatically adopts API namespace for consistency
+  # - Override: Set explicit values to customize URL structure
+  #
+  # Current configuration:
+  config.namespace = <%= @auth_namespace ? "'#{@auth_namespace}'" : 'nil' %>
+  config.version = <%= @auth_version ? "'#{@auth_version}'" : 'nil' %>
+  config.auth_scope = <%= @auth_scope ? "'#{@auth_scope}'" : 'nil' %>
+  
+  # Examples for customization:
+  # For clean URLs (default):
+  #   config.namespace = nil
+  #   config.version = nil  
+  #   config.auth_scope = nil        # → /login, /me → TokensController
+  #
+  # For organized URLs with auth scope:
+  #   config.namespace = nil
+  #   config.version = nil
+  #   config.auth_scope = 'auth'     # → /auth/login, /auth/me → Auth::TokensController
+  #
+  # For API-style URLs:
+  #   config.namespace = 'api'  
+  #   config.version = 'v1'
+  #   config.auth_scope = nil        # → /api/v1/login, /api/v1/me → Api::V1::TokensController
+  #
+  # For API-style URLs with auth scope:
+  #   config.namespace = 'api'
+  #   config.version = 'v1'
+  #   config.auth_scope = 'auth'     # → /api/v1/auth/login → Api::V1::Auth::TokensController
+end
+
+# PropelAuthentication is now fully extracted to your application!
+# - All runtime code is in this file
+# - Generator logic can be extracted with: rails generate propel_auth:unpack
+# - You can remove 'propel_auth' from your Gemfile after installation 

data/lib/generators/propel_authentication/templates/routes/auth_routes.rb.tt

@@ -0,0 +1,55 @@
+# JWT Authentication routes for <%= auth_route_prefix %>
+<%- if @auth_namespace.present? || @auth_version.present? || @auth_scope.present? -%>
+<%- namespace_parts = [] -%>
+<%- namespace_parts << @auth_namespace if @auth_namespace.present? -%>
+<%- namespace_parts << @auth_version if @auth_version.present? -%>
+<%- namespace_parts.each_with_index do |part, index| -%>
+<%= "  " * index %>namespace :<%= part %> do
+<%- end -%>
+  <%- if @auth_scope.present? -%>
+<%= "  " * namespace_parts.length %>namespace :<%= @auth_scope %> do
+<%= "  " * (namespace_parts.length + 1) %>post 'signup', to: 'signup#create', as: :signup
+<%= "  " * (namespace_parts.length + 1) %>post 'login', to: 'tokens#create', as: :login
+<%= "  " * (namespace_parts.length + 1) %>get 'me', to: 'tokens#show', as: :me
+<%= "  " * (namespace_parts.length + 1) %>delete 'logout', to: 'tokens#destroy', as: :logout
+<%= "  " * (namespace_parts.length + 1) %>post 'unlock', to: 'tokens#unlock', as: :unlock
+<%= "  " * (namespace_parts.length + 1) %>post 'reset', to: 'passwords#create', as: :reset
+<%= "  " * (namespace_parts.length + 1) %>get 'reset', to: 'passwords#show', as: :verify_reset
+<%= "  " * (namespace_parts.length + 1) %>patch 'reset', to: 'passwords#update', as: :update_reset
+<%= "  " * namespace_parts.length %>end
+  <%- else -%>
+<%= "  " * namespace_parts.length %>post 'signup', to: 'signup#create', as: :signup
+<%= "  " * namespace_parts.length %>post 'login', to: 'tokens#create', as: :login
+<%= "  " * namespace_parts.length %>get 'me', to: 'tokens#show', as: :me
+<%= "  " * namespace_parts.length %>delete 'logout', to: 'tokens#destroy', as: :logout
+<%= "  " * namespace_parts.length %>post 'unlock', to: 'tokens#unlock', as: :unlock
+<%= "  " * namespace_parts.length %>post 'reset', to: 'passwords#create', as: :reset
+<%= "  " * namespace_parts.length %>get 'reset', to: 'passwords#show', as: :verify_reset
+<%= "  " * namespace_parts.length %>patch 'reset', to: 'passwords#update', as: :update_reset
+  <%- end -%>
+<%- namespace_parts.length.times do |index| -%>
+<%= "  " * (namespace_parts.length - 1 - index) %>end
+<%- end -%>
+<%- else -%>
+  <%- if @auth_scope.present? -%>
+namespace :<%= @auth_scope %> do
+  post 'signup', to: 'signup#create', as: :signup
+  post 'login', to: 'tokens#create', as: :login
+  get 'me', to: 'tokens#show', as: :me
+  delete 'logout', to: 'tokens#destroy', as: :logout
+  post 'unlock', to: 'tokens#unlock', as: :unlock
+  post 'reset', to: 'passwords#create', as: :reset
+  get 'reset', to: 'passwords#show', as: :verify_reset
+  patch 'reset', to: 'passwords#update', as: :update_reset
+end
+  <%- else -%>
+post 'signup', to: 'signup#create', as: :signup
+post 'login', to: 'tokens#create', as: :login
+get 'me', to: 'tokens#show', as: :me
+delete 'logout', to: 'tokens#destroy', as: :logout
+post 'unlock', to: 'tokens#unlock', as: :unlock
+post 'reset', to: 'passwords#create', as: :reset
+get 'reset', to: 'passwords#show', as: :verify_reset  
+patch 'reset', to: 'passwords#update', as: :update_reset
+  <%- end -%>
+<%- end -%>

data/lib/generators/{propel_auth → propel_authentication}/templates/services/auth_notification_service.rb

@@ -64,17 +64,17 @@ class AuthNotificationService
     private
 
     def build_password_reset_url(token)
-      base_url = PropelAuth.configuration.frontend_url || default_frontend_url
+      base_url = PropelAuthentication.configuration.frontend_url || default_frontend_url
       "#{base_url}/reset-password?token=#{token}"
     end
 
     def build_account_unlock_url(token)
-      base_url = PropelAuth.configuration.frontend_url || default_frontend_url
+      base_url = PropelAuthentication.configuration.frontend_url || default_frontend_url
       "#{base_url}/unlock-account?token=#{token}"
     end
 
     def build_invitation_url(token)
-      base_url = PropelAuth.configuration.frontend_url || default_frontend_url
+      base_url = PropelAuthentication.configuration.frontend_url || default_frontend_url
       "#{base_url}/accept-invitation?token=#{token}"
     end
 

data/lib/generators/{propel_auth → propel_authentication}/templates/test/concerns/confirmable_test.rb.tt

@@ -10,8 +10,8 @@ class ConfirmableTest < ActiveSupport::TestCase
 
   test "should generate confirmation token on user creation" do
     user = User.new(
-      email_address: 'jane@example.com',
-      username: 'jane_doe',
+      email_address: 'test_token@example.com',
+      username: 'test_token_user',
       password: 'securepassword123',
       password_confirmation: 'securepassword123',
       organization: @organization
@@ -23,7 +23,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     user.save!
     
     assert_not_nil user.confirmation_token, "Confirmation token should be generated on save"
-    assert_not_nil user.confirmation_sent_at, "Confirmation sent at should be set on save"
+    assert_not_nil user.confirmation_sent_at, "Confirmation sent at should be set after save due to after_create callback"
     assert user.confirmation_token.length >= 32, "Confirmation token should be at least 32 characters"
   end
 
@@ -114,8 +114,8 @@ class ConfirmableTest < ActiveSupport::TestCase
   test "should send confirmation email on user creation" do
     assert_emails 1 do
       User.create!(
-        email_address: 'newuser@example.com',
-        username: 'newuser',
+        email_address: 'test_email_creation@example.com',
+        username: 'test_email_creation_user',
         password: 'securepassword123',
         password_confirmation: 'securepassword123',
         organization: @organization
@@ -123,9 +123,21 @@ class ConfirmableTest < ActiveSupport::TestCase
     end
     
     email = ActionMailer::Base.deliveries.last
-    assert_equal 'newuser@example.com', email.to.first, "Email should be sent to user's email address"
+    assert_equal 'test_email_creation@example.com', email.to.first, "Email should be sent to user's email address"
     assert_match(/confirm/i, email.subject, "Email subject should mention confirmation")
-    assert_match(/confirm/i, email.body.to_s, "Email body should contain confirmation instructions")
+    
+    # Test multipart email content properly  
+    if email.multipart?
+      text_part = email.body.parts.find { |part| part.content_type.include?('text/plain') }
+      html_part = email.body.parts.find { |part| part.content_type.include?('text/html') }
+      
+      assert_not_nil text_part, "Email should have text part"
+      assert_not_nil html_part, "Email should have HTML part" 
+      assert_match(/confirm/i, text_part.body.to_s, "Text part should contain confirmation instructions")
+      assert_match(/confirm/i, html_part.body.to_s, "HTML part should contain confirmation instructions")
+    else
+      assert_match(/confirm/i, email.body.to_s, "Email body should contain confirmation instructions")
+    end
   end
 
   test "should send confirmation email when resending instructions" do
@@ -137,7 +149,18 @@ class ConfirmableTest < ActiveSupport::TestCase
     
     email = ActionMailer::Base.deliveries.last
     assert_equal @user.email_address, email.to.first, "Email should be sent to user's email address"
-    assert_match(@user.confirmation_token, email.body.to_s, "Email should contain confirmation token")
+    
+    # Test multipart email content properly for confirmation token
+    if email.multipart?
+      text_part = email.body.parts.find { |part| part.content_type.include?('text/plain') }
+      html_part = email.body.parts.find { |part| part.content_type.include?('text/html') }
+      
+      assert_not_nil text_part, "Email should have text part"
+      assert_match(@user.confirmation_token, text_part.body.to_s, "Text part should contain confirmation token")
+      assert_match(@user.confirmation_token, html_part.body.to_s, "HTML part should contain confirmation token")
+    else
+      assert_match(@user.confirmation_token, email.body.to_s, "Email should contain confirmation token")
+    end
   end
 
   test "should not send confirmation email to already confirmed users" do
@@ -177,12 +200,13 @@ class ConfirmableTest < ActiveSupport::TestCase
     original_email = @user.email_address
     
     assert_emails 1 do
-      @user.update!(email_address: 'newemail@example.com')
+      @user.update!(email_address: 'test_email_change@example.com')
     end
     
     @user.reload
     assert_not @user.confirmed?, "Should require reconfirmation after email change"
-    assert_equal 'newemail@example.com', @user.email_address, "Email should be updated"
+    assert_equal original_email, @user.email_address, "Email should remain original until confirmed"
+    assert_equal 'test_email_change@example.com', @user.unconfirmed_email_address, "New email should be stored for confirmation"
     assert_not_nil @user.confirmation_token, "Should generate new confirmation token"
   end
 

data/lib/generators/{propel_auth → propel_authentication}/templates/test/concerns/lockable_test.rb.tt

@@ -21,13 +21,13 @@ class LockableTest < ActiveSupport::TestCase
 
   test "should lock account after max failed attempts" do
     # Simulate 10 failed attempts
-    PropelAuth.configuration.max_failed_attempts.times do
+    PropelAuthentication.configuration.max_failed_attempts.times do
       @user.increment_failed_attempts
     end
     
-    assert @user.locked?, "User should be locked after #{PropelAuth.configuration.max_failed_attempts} failed attempts"
+    assert @user.locked?, "User should be locked after #{PropelAuthentication.configuration.max_failed_attempts} failed attempts"
     assert @user.locked_at.present?, "Locked at timestamp should be set"
-    assert_equal PropelAuth.configuration.max_failed_attempts, @user.failed_login_attempts, "Failed attempts should equal max"
+    assert_equal PropelAuthentication.configuration.max_failed_attempts, @user.failed_login_attempts, "Failed attempts should equal max"
   end
 
   test "should reset failed attempts on successful login" do
@@ -54,10 +54,10 @@ class LockableTest < ActiveSupport::TestCase
 
   test "should automatically unlock after lockout duration" do
     # Lock the account with a past timestamp
-    past_time = (PropelAuth.configuration.lockout_duration + 1.minute).ago
+    past_time = (PropelAuthentication.configuration.lockout_duration + 1.minute).ago
     @user.update!(
       locked_at: past_time,
-      failed_login_attempts: PropelAuth.configuration.max_failed_attempts
+      failed_login_attempts: PropelAuthentication.configuration.max_failed_attempts
     )
     
     # Check if automatically unlocked
@@ -69,7 +69,7 @@ class LockableTest < ActiveSupport::TestCase
     recent_time = 5.minutes.ago
     @user.update!(
       locked_at: recent_time,
-      failed_login_attempts: PropelAuth.configuration.max_failed_attempts
+      failed_login_attempts: PropelAuthentication.configuration.max_failed_attempts
     )
     
     # Should still be locked
@@ -130,15 +130,15 @@ class LockableTest < ActiveSupport::TestCase
 
   test "should integrate with failed login attempt configuration" do
     # Test with different configuration
-    original_max = PropelAuth.configuration.max_failed_attempts
-    PropelAuth.configuration.max_failed_attempts = 3
+    original_max = PropelAuthentication.configuration.max_failed_attempts
+    PropelAuthentication.configuration.max_failed_attempts = 3
     
     # Should lock after 3 attempts with new config
     3.times { @user.increment_failed_attempts }
     assert @user.locked?, "Should respect updated configuration"
     
     # Restore original config
-    PropelAuth.configuration.max_failed_attempts = original_max
+    PropelAuthentication.configuration.max_failed_attempts = original_max
   end
 
   # CRITICAL EDGE CASE TESTS - Missing from initial implementation
@@ -164,7 +164,7 @@ class LockableTest < ActiveSupport::TestCase
       iat: Time.now.to_i,
       exp: 1.second.ago.to_i 
     }
-    expired_token = JWT.encode(expired_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    expired_token = JWT.encode(expired_payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
     
     assert_not @user.unlock_with_token!(expired_token), "Should reject expired unlock token"
     assert @user.locked?, "Should remain locked with expired token"
@@ -256,7 +256,7 @@ class LockableTest < ActiveSupport::TestCase
     @user.lock_account!
     
     unlock_token = @user.generate_unlock_token
-    decoded = JWT.decode(unlock_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    decoded = JWT.decode(unlock_token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
     payload = decoded.first
     
     assert_equal @user.id, payload['user_id'], "Token should contain correct user ID"
@@ -272,7 +272,7 @@ class LockableTest < ActiveSupport::TestCase
     @user.lock_account!
     
     unlock_token = @user.generate_unlock_token
-    decoded = JWT.decode(unlock_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    decoded = JWT.decode(unlock_token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
     payload = decoded.first
     
     token_lifetime = payload['exp'] - payload['iat']

data/lib/generators/{propel_auth → propel_authentication}/templates/test/concerns/propel_authentication_test.rb.tt

@@ -2,7 +2,7 @@ require 'test_helper'
 
 # A dummy controller to test the concern
 class PropelAuthenticationTestController < ActionController::Base
-  include PropelAuthentication
+  include PropelAuthenticationConcern
   before_action :authenticate_user
 
   def index
@@ -48,7 +48,7 @@ class PropelAuthenticationTest < ActionDispatch::IntegrationTest
       user_id: @user.id,
       exp: 1.hour.ago.to_i
     }
-    expired_token = JWT.encode(payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    expired_token = JWT.encode(payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
 
     with_test_routes do
       get '/test_auth', headers: { 'Authorization' => "Bearer #{expired_token}" }

data/lib/generators/{propel_auth → propel_authentication}/templates/test/concerns/recoverable_test.rb.tt

@@ -2,7 +2,7 @@ require 'test_helper'
 
 class RecoverableTest < ActiveSupport::TestCase
   def setup
-    @user = users(:john_user)
+    @user = users(:confirmed_user)
     @organization = @user.organization
   end
 
@@ -17,7 +17,7 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_equal 3, reset_token.split('.').length, "JWT should have 3 parts separated by dots"
     
     # VERIFY TOKEN CONTENT: Decode and validate payload
-    decoded = JWT.decode(reset_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    decoded = JWT.decode(reset_token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
     payload = decoded.first
     
     assert_equal @user.id, payload['user_id'], "Token should contain correct user ID"
@@ -50,7 +50,7 @@ class RecoverableTest < ActiveSupport::TestCase
     assert @user.valid_password_reset_token?(reset_token), "Valid token should pass validation"
     
     # VERIFY TOKEN BINDING: Token should be bound to specific user
-    decoded = JWT.decode(reset_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    decoded = JWT.decode(reset_token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
     payload = decoded.first
     assert_equal @user.id, payload['user_id'], "Token should be bound to correct user"
   end
@@ -67,7 +67,7 @@ class RecoverableTest < ActiveSupport::TestCase
       exp: 1.second.ago.to_i,  # Already expired
       password_hash: @user.password_digest[0..10]
     }
-    expired_token = JWT.encode(expired_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    expired_token = JWT.encode(expired_payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
     
     # VERIFY EXPIRATION: Expired token should be rejected
     assert_not @user.valid_password_reset_token?(expired_token), "Expired token should be rejected"
@@ -234,7 +234,7 @@ class RecoverableTest < ActiveSupport::TestCase
     reset_token = @user.generate_password_reset_token
     
     # EXECUTE LOOKUP: Find user by reset token
-    found_user = User.find_user_by_password_reset_token(reset_token)
+    found_user = User.find_by_jwt_password_reset_token(reset_token)
     
     # VERIFY LOOKUP: Should find correct user
     assert_equal @user.id, found_user.id, "Should find user by valid reset token"
@@ -247,7 +247,7 @@ class RecoverableTest < ActiveSupport::TestCase
     invalid_token = "invalid.jwt.token"
     
     # EXECUTE LOOKUP: Try to find user with invalid token
-    found_user = User.find_user_by_password_reset_token(invalid_token)
+    found_user = User.find_by_jwt_password_reset_token(invalid_token)
     
     # VERIFY REJECTION: Should return nil
     assert_nil found_user, "Should return nil for invalid token"
@@ -264,10 +264,10 @@ class RecoverableTest < ActiveSupport::TestCase
       exp: 1.second.ago.to_i,  # Already expired
       password_hash: @user.password_digest[0..10]
     }
-    expired_token = JWT.encode(expired_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    expired_token = JWT.encode(expired_payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
     
     # EXECUTE LOOKUP: Try to find user with expired token
-    found_user = User.find_user_by_password_reset_token(expired_token)
+    found_user = User.find_by_jwt_password_reset_token(expired_token)
     
     # VERIFY EXPIRATION: Should return nil
     assert_nil found_user, "Should return nil for expired token"
@@ -277,7 +277,7 @@ class RecoverableTest < ActiveSupport::TestCase
     # SECURITY: Verify token expiration is reasonable (not too long)
     
     reset_token = @user.generate_password_reset_token
-    decoded = JWT.decode(reset_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    decoded = JWT.decode(reset_token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
     payload = decoded.first
     
     token_lifetime = payload['exp'] - payload['iat']
@@ -299,7 +299,7 @@ class RecoverableTest < ActiveSupport::TestCase
       exp: 1.hour.from_now.to_i,
       password_hash: @user.password_digest[0..10]
     }
-    unlock_token = JWT.encode(unlock_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    unlock_token = JWT.encode(unlock_payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
     
     # VERIFY TYPE VALIDATION: Unlock token should not work for password reset
     assert_not @user.valid_password_reset_token?(unlock_token), "Should reject wrong token type"
@@ -313,7 +313,7 @@ class RecoverableTest < ActiveSupport::TestCase
     # SECURITY: Verify token includes password hash binding
     
     reset_token = @user.generate_password_reset_token
-    decoded = JWT.decode(reset_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    decoded = JWT.decode(reset_token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
     payload = decoded.first
     
     # VERIFY BINDING: Token should contain password hash fragment