RubyGems - propel_authentication - Versions diffs - 0.1.3 → 0.2.0 - Mend

propel_authentication 0.1.3 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

data/lib/generators/{propel_auth → propel_authentication}/templates/test/controllers/auth/lockable_integration_test.rb.tt RENAMED Viewed

@@ -1,14 +1,17 @@
 require 'test_helper'
-class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::IntegrationTest
+class <%= controller_namespace('tokens') %>LockableIntegrationTest < ActionDispatch::IntegrationTest
   def setup
     @organization = Organization.create!(name: "Test Organization")
+    @agency = Agency.create!(name: "Test Agency", organization: @organization)
     @user = User.create!(
       email_address: "lockable-integration@example.com",
       username: "lockableintegration",
       password: "correctpassword123",
       organization: @organization
     )
+    # Create agent association for agency access (required for real-time agency lookup)
+    Agent.create!(user: @user, agency: @agency, role: "member")
   end
   # CRITICAL: Real API integration with lockable functionality
@@ -16,7 +19,7 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
   test "should track failed attempts during actual login API calls" do
     # BEHAVIOR: Verify failed login attempts are tracked through real API
     9.times do |i|
-      post <%= login_path_helper %>, params: {
+      post '<%= auth_route_prefix %>/login', params: {
         user: { email_address: @user.email_address, password: "wrongpassword" }
       }
@@ -32,14 +35,14 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
     # First 9 attempts should not lock
     9.times do
-      post <%= login_path_helper %>, params: {
+      post '<%= auth_route_prefix %>/login', params: {
         user: { email_address: @user.email_address, password: "wrongpassword" }
       }
       assert_response :unauthorized
     end
     # 10th attempt should lock the account
-    post <%= login_path_helper %>, params: {
+    post '<%= auth_route_prefix %>/login', params: {
       user: { email_address: @user.email_address, password: "wrongpassword" }
     }
@@ -52,14 +55,14 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
     # BEHAVIOR: Verify locked accounts return proper HTTP status and error
     @user.lock_account!
-    post <%= login_path_helper %>, params: {
+    post '<%= auth_route_prefix %>/login', params: {
       user: { email_address: @user.email_address, password: "correctpassword123" }
     }
     assert_response :locked, "Should return 423 locked status"
     json = JSON.parse(response.body)
-    assert_match(/locked.*too many failed attempts/i, json['error'], "Should return descriptive error message")
+    assert_match(/locked.*too many.*failed.*attempts/i, json['error'], "Should return descriptive error message")
     assert_nil json['token'], "Should not return authentication token"
     assert_nil json['user'], "Should not return user data"
   end
@@ -69,7 +72,7 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
     @user.lock_account!
     # Try with correct password
-    post <%= login_path_helper %>, params: {
+    post '<%= auth_route_prefix %>/login', params: {
       user: { email_address: @user.email_address, password: "correctpassword123" }
     }
@@ -85,7 +88,7 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
     # Build up some failed attempts
     5.times do
-      post <%= login_path_helper %>, params: {
+      post '<%= auth_route_prefix %>/login', params: {
         user: { email_address: @user.email_address, password: "wrongpassword" }
       }
     end
@@ -94,7 +97,7 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
     assert_equal 5, @user.failed_login_attempts, "Should have 5 failed attempts"
     # Successful login should reset counter
-    post <%= login_path_helper %>, params: {
+    post '<%= auth_route_prefix %>/login', params: {
       user: { email_address: @user.email_address, password: "correctpassword123" }
     }
@@ -111,7 +114,7 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
     @user.lock_account!
     unlock_token = @user.generate_unlock_token
-    post <%= unlock_path_helper %>, params: { token: unlock_token }
+    post '<%= auth_route_prefix %>/unlock', params: { token: unlock_token }
     assert_response :ok, "Valid unlock token should return 200"
@@ -128,7 +131,7 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
     # API INTEGRATION: Verify unlock endpoint properly validates tokens
     @user.lock_account!
-    post <%= unlock_path_helper %>, params: { token: "invalid_token_12345" }
+    post '<%= auth_route_prefix %>/unlock', params: { token: "invalid_token_12345" }
     assert_response :unauthorized, "Invalid token should return 401"
@@ -143,7 +146,7 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
     # API VALIDATION: Verify unlock endpoint validates required parameters
     @user.lock_account!
-    post <%= unlock_path_helper %>, params: {}
+    post '<%= auth_route_prefix %>/unlock', params: {}
     assert_response :unprocessable_entity, "Missing token should return 422"
@@ -153,7 +156,7 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
   test "should not increment attempts when user does not exist" do
     # SECURITY: Verify failed attempts are not tracked for nonexistent users
-    post <%= login_path_helper %>, params: {
+    post '<%= auth_route_prefix %>/login', params: {
       user: { email_address: "nonexistent@example.com", password: "anypassword" }
     }
@@ -166,7 +169,7 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
   test "should handle graceful error responses for authentication failures" do
     # ERROR HANDLING: Verify system handles authentication failures gracefully
-    post <%= login_path_helper %>, params: {
+    post '<%= auth_route_prefix %>/login', params: {
       user: { email_address: "nonexistent@example.com", password: "wrongpassword" }
     }
@@ -182,7 +185,7 @@ class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::Int
     # BEHAVIOR: Verify login timestamp tracking
     start_time = Time.current
-    post <%= login_path_helper %>, params: {
+    post '<%= auth_route_prefix %>/login', params: {
       user: { email_address: @user.email_address, password: "correctpassword123" }
     }

data/lib/generators/{propel_auth → propel_authentication}/templates/test/controllers/auth/password_reset_integration_test.rb.tt RENAMED Viewed

@@ -1,8 +1,9 @@
 require 'test_helper'
-class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch::IntegrationTest
+class <%= controller_namespace('passwords') %>PasswordResetIntegrationTest < ActionDispatch::IntegrationTest
   def setup
     @organization = Organization.create!(name: "Test Organization")
+    @agency = Agency.create!(name: "Test Agency", organization: @organization)
     @user = User.create!(
       email_address: "password-reset@example.com",
       username: "passwordresetuser",
@@ -11,18 +12,15 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
       first_name: "Password",
       last_name: "User"
     )
+    # Create agent association for agency access (required for real-time agency lookup)
+    Agent.create!(user: @user, agency: @agency, role: "member")
   end
-  def teardown
-    User.destroy_all
-    Organization.destroy_all
-  end
-  # POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/reset - Request Password Reset Tests
+  # POST <%= auth_route_prefix %>/reset - Request Password Reset Tests
   test "should initiate password reset with valid email_address" do
     # BEHAVIOR: Verify password reset request works with valid email_address
-    post <%= reset_path_helper %>, params: { email_address: @user.email_address }
+    post '<%= auth_route_prefix %>/reset', params: { email_address: @user.email_address }
     # VERIFY API RESPONSE: Should return success status
     assert_response :ok, "Valid email_address should initiate password reset"
@@ -38,7 +36,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
   test "should reject password reset with invalid email_address format" do
     # VALIDATION: Verify email_address format validation
-    post <%= reset_path_helper %>, params: { email_address: "invalid-email-format" }
+    post '<%= auth_route_prefix %>/reset', params: { email_address: "invalid-email-format" }
     # VERIFY VALIDATION ERROR: Should return validation error
     assert_response :unprocessable_entity, "Invalid email_address format should be rejected"
@@ -50,7 +48,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
   test "should handle password reset for nonexistent email_address safely" do
     # SECURITY: Verify nonexistent email_addresses don't reveal user information
-    post <%= reset_path_helper %>, params: { email_address: "nonexistent@example.com" }
+    post '<%= auth_route_prefix %>/reset', params: { email_address: "nonexistent@example.com" }
     # VERIFY SECURITY RESPONSE: Should return same response as valid email_address (prevent enumeration)
     assert_response :ok, "Nonexistent email_address should return same response as valid email_address"
@@ -64,7 +62,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
   test "should require email_address parameter for password reset request" do
     # VALIDATION: Verify email_address parameter is required
-    post <%= reset_path_helper %>, params: {}
+    post '<%= auth_route_prefix %>/reset', params: {}
     # VERIFY PARAMETER VALIDATION: Should return parameter error
     assert_response :unprocessable_entity, "Missing email_address should return validation error"
@@ -78,18 +76,18 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     # EXECUTE MULTIPLE REQUESTS: Send multiple reset requests rapidly
     5.times do
-      post <%= reset_path_helper %>, params: { email_address: @user.email_address }
+      post '<%= auth_route_prefix %>/reset', params: { email_address: @user.email_address }
     end
     # Make one more request that should be rate limited
-    post <%= reset_path_helper %>, params: { email_address: @user.email_address }
+    post '<%= auth_route_prefix %>/reset', params: { email_address: @user.email_address }
     # VERIFY RATE LIMITING: Should eventually rate limit (implementation dependent)
     # For now, verify the endpoint is accessible (rate limiting will be added later)
     assert_response :ok, "Rate limiting test - endpoint should be accessible"
   end
-  # PUT <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/reset - Confirm Password Reset Tests
+  # PUT <%= auth_route_prefix %>/reset - Confirm Password Reset Tests
   test "should reset password with valid token and new password" do
     # BEHAVIOR: Verify password reset confirmation works end-to-end
@@ -98,7 +96,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     new_password = "newpassword456"
     # EXECUTE RESET: Confirm password reset with token
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: reset_token,
       password: new_password,
       password_confirmation: new_password
@@ -125,7 +123,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     new_password = "attemptedpassword"
     # EXECUTE WITH INVALID TOKEN: Try to reset with invalid token
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: invalid_token,
       password: new_password,
       password_confirmation: new_password
@@ -154,10 +152,10 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
       exp: 1.second.ago.to_i,  # Already expired
       password_hash: @user.password_digest[0..10]
     }
-    expired_token = JWT.encode(expired_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    expired_token = JWT.encode(expired_payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
     # EXECUTE WITH EXPIRED TOKEN: Try to reset with expired token
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: expired_token,
       password: "newpassword",
       password_confirmation: "newpassword"
@@ -176,7 +174,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     reset_token = @user.generate_password_reset_token
     # EXECUTE WITH MISMATCHED PASSWORDS: Password and confirmation don't match
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: reset_token,
       password: "newpassword123",
       password_confirmation: "differentpassword456"
@@ -200,7 +198,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     weak_password = "123"  # Too short
     # EXECUTE WITH WEAK PASSWORD: Try to set weak password
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: reset_token,
       password: weak_password,
       password_confirmation: weak_password
@@ -223,7 +221,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     reset_token = @user.generate_password_reset_token
     # TEST MISSING TOKEN
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       password: "newpassword123",
       password_confirmation: "newpassword123"
     }
@@ -231,7 +229,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     assert_response :unprocessable_entity, "Missing token should be rejected"
     # TEST MISSING PASSWORD
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: reset_token,
       password_confirmation: "newpassword123"
     }
@@ -239,7 +237,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     assert_response :unprocessable_entity, "Missing password should be rejected"
     # TEST MISSING CONFIRMATION
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: reset_token,
       password: "newpassword123"
     }
@@ -256,7 +254,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     # EXECUTE RESET: Reset password successfully
     reset_token = @user.generate_password_reset_token
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: reset_token,
       password: "newpassword123",
       password_confirmation: "newpassword123"
@@ -279,7 +277,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     # EXECUTE RESET: Reset password while locked
     reset_token = @user.generate_password_reset_token
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: reset_token,
       password: "newpassword123",
       password_confirmation: "newpassword123"
@@ -294,14 +292,14 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     assert @user.authenticate("newpassword123"), "Should authenticate with new password"
   end
-  # GET <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/reset/verify - Token Verification Tests
+  # GET <%= auth_route_prefix %>/reset/verify - Token Verification Tests
   test "should verify valid password reset token" do
     # BEHAVIOR: Verify token verification endpoint works
     reset_token = @user.generate_password_reset_token
     # EXECUTE VERIFICATION: Verify token is valid
-    get <%= reset_path_helper %>, params: { token: reset_token }
+    get '<%= auth_route_prefix %>/reset', params: { token: reset_token }
     # VERIFY API RESPONSE: Should confirm token validity
     assert_response :ok, "Valid token should pass verification"
@@ -319,7 +317,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     invalid_token = "invalid.jwt.token"
     # EXECUTE VERIFICATION: Verify invalid token
-    get <%= reset_path_helper %>, params: { token: invalid_token }
+    get '<%= auth_route_prefix %>/reset', params: { token: invalid_token }
     # VERIFY REJECTION: Should indicate token is invalid
     assert_response :unauthorized, "Invalid token should be rejected"
@@ -340,10 +338,10 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
       exp: 1.second.ago.to_i,  # Already expired
       password_hash: @user.password_digest[0..10]
     }
-    expired_token = JWT.encode(expired_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    expired_token = JWT.encode(expired_payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
     # EXECUTE VERIFICATION: Verify expired token
-    get <%= reset_path_helper %>, params: { token: expired_token }
+    get '<%= auth_route_prefix %>/reset', params: { token: expired_token }
     # VERIFY EXPIRATION: Should indicate token is expired
     assert_response :unauthorized, "Expired token should be rejected"
@@ -355,7 +353,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
   test "should require token parameter for verification" do
     # VALIDATION: Verify token parameter is required for verification
-    get <%= reset_path_helper %>, params: {}
+    get '<%= auth_route_prefix %>/reset', params: {}
     # VERIFY PARAMETER VALIDATION: Should return parameter error
     assert_response :unprocessable_entity, "Missing token should return validation error"
@@ -369,12 +367,12 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     # INTEGRATION: Test complete password reset workflow from start to finish
     # STEP 1: REQUEST RESET - Send password reset request
-    post <%= reset_path_helper %>, params: { email_address: @user.email_address }
+    post '<%= auth_route_prefix %>/reset', params: { email_address: @user.email_address }
     assert_response :ok, "Reset request should succeed"
     # STEP 2: VERIFY TOKEN - Check that we can verify tokens (simulate email link click)
     reset_token = @user.generate_password_reset_token  # Simulate token from email
-    get <%= reset_path_helper %>, params: { token: reset_token }
+    get '<%= auth_route_prefix %>/reset', params: { token: reset_token }
     assert_response :ok, "Token verification should succeed"
     verification_json = JSON.parse(response.body)
@@ -382,7 +380,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     # STEP 3: RESET PASSWORD - Complete password reset
     new_password = "completeworkflow123"
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: reset_token,
       password: new_password,
       password_confirmation: new_password
@@ -390,7 +388,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     assert_response :ok, "Password reset should succeed"
     # STEP 4: VERIFY NEW PASSWORD - Test login with new password
-    post <%= login_path_helper %>, params: {
+    post '<%= auth_route_prefix %>/login', params: {
       user: { email_address: @user.email_address, password: new_password }
     }
     assert_response :ok, "Should login with new password"
@@ -399,7 +397,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     assert login_json['token'].present?, "Should receive JWT token"
     # STEP 5: VERIFY OLD PASSWORD INVALID - Test old password doesn't work
-    post <%= login_path_helper %>, params: {
+    post '<%= auth_route_prefix %>/login', params: {
       user: { email_address: @user.email_address, password: "originalpassword123" }
     }
     assert_response :unauthorized, "Should not login with old password"
@@ -411,7 +409,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     reset_token = @user.generate_password_reset_token
     # FIRST RESET: Use token successfully
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: reset_token,
       password: "firstnewpassword123",
       password_confirmation: "firstnewpassword123"
@@ -419,7 +417,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     assert_response :ok, "First password reset should succeed"
     # ATTEMPTED REUSE: Try to use same token again
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: reset_token,
       password: "secondnewpassword456",
       password_confirmation: "secondnewpassword456"
@@ -447,7 +445,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     assert @user.valid_password_reset_token?(token2), "Second token should be valid"
     # USE FIRST TOKEN: Reset password with first token
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: token1,
       password: "concurrentpassword1",
       password_confirmation: "concurrentpassword1"
@@ -455,7 +453,7 @@ class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch
     assert_response :ok, "First reset should succeed"
     # TRY SECOND TOKEN: Attempt reset with second token (should fail due to password change)
-    put <%= reset_path_helper %>, params: {
+    patch '<%= auth_route_prefix %>/reset', params: {
       token: token2,
       password: "concurrentpassword2",
       password_confirmation: "concurrentpassword2"

data/lib/generators/propel_authentication/templates/test/controllers/auth/signup_controller_test.rb.tt ADDED Viewed

@@ -0,0 +1,201 @@
+require "test_helper"
+class <%= controller_namespace('signup') %>SignupControllerTest < ActionDispatch::IntegrationTest
+  def setup
+    @valid_signup_params = {
+      user: {
+        email_address: "newuser@example.com",
+        username: "newuser",
+        password: "password123",
+        password_confirmation: "password123",
+        first_name: "New",
+        last_name: "User"
+      },
+      organization: {
+        name: "New Company Inc",
+        website: "https://newcompany.com",
+        time_zone: "UTC"
+      }
+    }
+    @valid_signup_params_with_agency = @valid_signup_params.merge(
+      agency: {
+        name: "Primary Agency",
+        description: "Main operations agency"
+      },
+      agent: {
+        role: "owner"
+      }
+    )
+  end
+  test "should create user and organization successfully" do
+    assert_difference ['User.count', 'Organization.count'], 1 do
+      post '<%= auth_route_prefix %>/signup',
+           params: @valid_signup_params_with_agency,
+           as: :json
+    end
+    assert_response :created
+    response_body = JSON.parse(response.body)
+    # Verify response structure
+    assert_includes response_body.keys, 'token'
+    assert_includes response_body.keys, 'user'
+    assert_includes response_body.keys, 'organization'
+    assert_includes response_body.keys, 'message'
+    assert_includes response_body.keys, 'next_steps'
+    # Verify user data
+    user_data = response_body['user']
+    assert_equal @valid_signup_params[:user][:email_address], user_data['email_address']
+    assert_equal @valid_signup_params[:user][:username], user_data['username']
+    assert_equal @valid_signup_params[:user][:first_name], user_data['first_name']
+    # Verify organization data
+    org_data = response_body['organization']
+    assert_equal @valid_signup_params[:organization][:name], org_data['name']
+    assert_equal @valid_signup_params[:organization][:website], org_data['website']
+    # Verify JWT token is valid
+    token = response_body['token']
+    assert_not_nil token
+    # Verify the token can be used for authenticated requests
+    get '<%= auth_route_prefix %>/me',
+        headers: { 'Authorization' => "Bearer #{token}" }
+    assert_response :success
+  end
+  test "should create user, organization, agency, and agent when agency tenancy enabled" do
+    skip "Agency tenancy test - enable when PropelApi.configuration.agency_tenancy = true" unless agency_tenancy_enabled?
+    assert_difference ['User.count', 'Organization.count', 'Agency.count', 'Agent.count'], 1 do
+      post '<%= auth_route_prefix %>/signup',
+           params: @valid_signup_params_with_agency,
+           as: :json
+    end
+    assert_response :created
+    response_body = JSON.parse(response.body)
+    # Verify user, agency, and agent were created
+    assert_includes response_body.keys, 'user'
+    assert_includes response_body.keys, 'agency'
+    assert_includes response_body.keys, 'agent'
+    user_data = response_body['user']
+    agency_data = response_body['agency']
+    assert_equal @valid_signup_params_with_agency[:agency][:name], agency_data['name']
+    agent_data = response_body['agent']
+    assert_equal @valid_signup_params_with_agency[:agent][:role], agent_data['role']
+    # Verify JWT contains minimal secure claims (agency access is now real-time lookup)
+    token = response_body['token']
+    payload = JWT.decode(token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })[0]
+    assert_includes payload.keys, 'user_id'
+    assert_includes payload.keys, 'organization_id'
+    assert_not_includes payload.keys, 'agency_ids', "agency_ids removed for security - now real-time lookup"
+    # Verify user has real-time agency access via agents association
+    created_user = User.find(user_data['id'])
+    assert_includes created_user.agency_ids, agency_data['id']
+  end
+  test "should reject signup with missing user data" do
+    invalid_params = @valid_signup_params.except(:user)
+    post '<%= auth_route_prefix %>/signup',
+         params: invalid_params,
+         as: :json
+    assert_response :unprocessable_entity
+    response_body = JSON.parse(response.body)
+    assert_includes response_body.keys, 'error'
+  end
+  test "should reject signup with missing organization data" do
+    invalid_params = @valid_signup_params.except(:organization)
+    post '<%= auth_route_prefix %>/signup',
+         params: invalid_params,
+         as: :json
+    assert_response :unprocessable_entity
+    response_body = JSON.parse(response.body)
+    assert_includes response_body.keys, 'error'
+  end
+  test "should reject signup with invalid email format" do
+    invalid_params = @valid_signup_params_with_agency.dup
+    invalid_params[:user][:email_address] = "invalid-email"
+    post '<%= auth_route_prefix %>/signup',
+         params: invalid_params,
+         as: :json
+    assert_response :unprocessable_entity
+    response_body = JSON.parse(response.body)
+    assert_includes response_body.keys, 'details'
+    assert_includes response_body['details'].keys, 'email_address'
+  end
+  test "should reject signup with password confirmation mismatch" do
+    invalid_params = @valid_signup_params_with_agency.dup
+    invalid_params[:user][:password_confirmation] = "different_password"
+    post '<%= auth_route_prefix %>/signup',
+         params: invalid_params,
+         as: :json
+    assert_response :unprocessable_entity
+    response_body = JSON.parse(response.body)
+    assert_includes response_body.keys, 'details'
+  end
+  test "should reject duplicate email address" do
+    # Create first user
+    post '<%= auth_route_prefix %>/signup',
+         params: @valid_signup_params_with_agency,
+         as: :json
+    assert_response :created
+    # Try to create second user with same email
+    duplicate_params = @valid_signup_params_with_agency.dup
+    duplicate_params[:user][:username] = "different_username"
+    duplicate_params[:organization][:name] = "Different Company"
+    duplicate_params[:agency][:name] = "Different Agency"
+    post '<%= auth_route_prefix %>/signup',
+         params: duplicate_params,
+         as: :json
+    assert_response :unprocessable_entity
+    response_body = JSON.parse(response.body)
+    assert_includes response_body.keys, 'details'
+    assert_includes response_body['details'].keys, 'email_address'
+  end
+  test "should require agency data when agency tenancy is enabled" do
+    skip "Agency tenancy test - enable when PropelApi.configuration.agency_tenancy = true" unless agency_tenancy_enabled?
+    # Try signup without agency data when agency tenancy is enabled
+    post '<%= auth_route_prefix %>/signup',
+         params: @valid_signup_params,
+         as: :json
+    assert_response :unprocessable_entity
+    response_body = JSON.parse(response.body)
+    assert_equal 'MISSING_AGENCY_DATA', response_body['code']
+  end
+  private
+  def agency_tenancy_enabled?
+    defined?(PropelApi) && PropelApi.configuration.agency_tenancy
+  rescue
+    false
+  end
+end