@authms/core 0.1.0

package/src/__tests__/auth-client.test.ts

@@ -0,0 +1,412 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { TokenManager } from '../token-manager';
+import { AuthClient } from '../auth-client';
+import { AuthmsAuthError } from '../errors';
+import type { StorageAdapter } from '../platform/types';
+
+class MockStorage implements StorageAdapter {
+  private store = new Map<string, string>();
+  getItem(k: string) { return this.store.get(k) ?? null; }
+  setItem(k: string, v: string) { this.store.set(k, v); }
+  removeItem(k: string) { this.store.delete(k); }
+}
+
+function createMockHttp(responses: Record<string, unknown>) {
+  let lastRequest: { url: string; method: string; body: string; headers?: Record<string, string> } | null = null;
+  return {
+    request: async (url: string, init?: RequestInit) => {
+      const method = init?.method || 'GET';
+      lastRequest = { url, method, body: (init?.body as string) || '', headers: (init?.headers as Record<string, string>) || {} };
+      const key = `${method} ${url}`;
+      const res = responses[key];
+      if (!res) {
+        return new Response(JSON.stringify({ code: 404, message: `Unexpected: ${key}` }), { status: 404 });
+      }
+      const status = (res as any).__status || 200;
+      return new Response(JSON.stringify(res), { status, headers: { 'Content-Type': 'application/json' } });
+    },
+    getLastRequest: () => lastRequest,
+  };
+}
+
+function createToken(expInSeconds = 900): string {
+  const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+  const payload = btoa(JSON.stringify({ sub: 'user-1', user_id: 'user-1', tenant_id: 'tenant-1', exp: Math.floor(Date.now() / 1000) + expInSeconds }));
+  return `${header}.${payload}.sig`;
+}
+
+const BASE_URL = 'https://api.example.com';
+
+const AUTH_CONFIG_KEY = `GET ${BASE_URL}/identity/api/v1/public/auth-config`;
+const AUTH_CONFIG_TENANT_KEY = `GET ${BASE_URL}/identity/api/v1/public/auth-config/t1`;
+const LOGIN_KEY = `POST ${BASE_URL}/identity/api/v1/auth/login`;
+const REGISTER_KEY = `POST ${BASE_URL}/identity/api/v1/auth/register`;
+const LOGOUT_KEY = `POST ${BASE_URL}/identity/api/v1/auth/logout`;
+const REFRESH_KEY = `POST ${BASE_URL}/identity/api/v1/auth/refresh`;
+
+function plainAuthConfig() {
+  return {
+    data: {
+      tenant_id: 't1',
+      login_methods: ['password'],
+      password_policy: { password_transmission: 'plain', min_length: 8 },
+      captcha_enabled: false,
+    },
+  };
+}
+
+function hashAuthConfig() {
+  return {
+    data: {
+      tenant_id: 't1',
+      login_methods: ['password'],
+      password_policy: { password_transmission: 'hash', min_length: 8 },
+      captcha_enabled: false,
+    },
+  };
+}
+
+const LOGIN_SUCCESS_RESPONSE = {
+  data: { access_token: 'at', refresh_token: 'rt', expires_in: 900, user: { id: 'user-1' } },
+};
+
+const REGISTER_SUCCESS_RESPONSE = {
+  data: { access_token: 'at', refresh_token: 'rt', user: { id: 'user-1' } },
+};
+
+const REFRESH_TOKEN_REUSE_RESPONSE = {
+  code: '40000201',
+  message: 'Token reused',
+  __status: 401,
+};
+
+describe('AuthClient', () => {
+  let storage: MockStorage;
+  let tokenManager: TokenManager;
+  let mockHttp: ReturnType<typeof createMockHttp>;
+  let client: AuthClient;
+
+  function setupClient(responses: Record<string, unknown>) {
+    mockHttp = createMockHttp(responses);
+    storage = new MockStorage();
+    tokenManager = new TokenManager(storage);
+    client = new AuthClient({
+      tokenManager,
+      http: mockHttp,
+      baseUrl: BASE_URL,
+    });
+  }
+
+  function parseBody(body: string): Record<string, unknown> {
+    return JSON.parse(body) as Record<string, unknown>;
+  }
+
+  describe('login', () => {
+    it('sends password as-is in plain mode', async () => {
+      setupClient({
+        [AUTH_CONFIG_KEY]: plainAuthConfig(),
+        [LOGIN_KEY]: LOGIN_SUCCESS_RESPONSE,
+      });
+
+      const result = await client.login({ email: 'test@example.com', password: 'testpass' });
+
+      expect(result.accessToken).toBe('at');
+      expect(result.refreshToken).toBe('rt');
+      expect(result.expiresIn).toBe(900);
+      expect(result.user.id).toBe('user-1');
+
+      const lastReq = mockHttp.getLastRequest()!;
+      const body = parseBody(lastReq.body);
+      expect(body.password).toBe('testpass');
+      expect(body.password_transmission).toBe('plain');
+      expect(body.identity).toBe('test@example.com');
+    });
+
+    it('sends SHA-256 hashed password in hash mode', async () => {
+      setupClient({
+        [AUTH_CONFIG_KEY]: plainAuthConfig(),
+        [AUTH_CONFIG_TENANT_KEY]: hashAuthConfig(),
+        [LOGIN_KEY]: LOGIN_SUCCESS_RESPONSE,
+      });
+
+      await client.login({ email: 'test@example.com', password: 'testpass', tenantId: 't1' });
+
+      const lastReq = mockHttp.getLastRequest()!;
+      const body = parseBody(lastReq.body);
+      expect(body.password).not.toBe('testpass');
+      expect(body.password).toMatch(/^[0-9a-f]{64}$/);
+      expect(body.password_transmission).toBe('hash');
+    });
+
+    it('throws AuthmsAuthError on 401', async () => {
+      setupClient({
+        [AUTH_CONFIG_KEY]: plainAuthConfig(),
+        [LOGIN_KEY]: { code: '40100001', message: 'Invalid credentials', __status: 401 },
+      });
+
+      await expect(
+        client.login({ email: 'bad@example.com', password: 'wrong' }),
+      ).rejects.toThrow(AuthmsAuthError);
+
+      await expect(
+        client.login({ email: 'bad@example.com', password: 'wrong' }),
+      ).rejects.toMatchObject({
+        name: 'AuthmsAuthError',
+        code: '40100001',
+        status: 401,
+      });
+    });
+  });
+
+  describe('register', () => {
+    it('registers with password preprocessing', async () => {
+      setupClient({
+        [AUTH_CONFIG_KEY]: plainAuthConfig(),
+        [REGISTER_KEY]: REGISTER_SUCCESS_RESPONSE,
+      });
+
+      const result = await client.register({
+        email: 'new@example.com',
+        password: 'newpass',
+        username: 'newuser',
+      });
+
+      expect(result.accessToken).toBe('at');
+      expect(result.refreshToken).toBe('rt');
+      expect(result.user.id).toBe('user-1');
+
+      const lastReq = mockHttp.getLastRequest()!;
+      const body = parseBody(lastReq.body);
+      expect(body.email).toBe('new@example.com');
+      expect(body.password).toBe('newpass');
+      expect(body.password_transmission).toBe('plain');
+    });
+  });
+
+  describe('logout', () => {
+    it('clears tokens', async () => {
+      setupClient({
+        [AUTH_CONFIG_KEY]: plainAuthConfig(),
+        [LOGIN_KEY]: LOGIN_SUCCESS_RESPONSE,
+        [LOGOUT_KEY]: { data: {} },
+      });
+
+      await client.login({ email: 'test@example.com', password: 'testpass' });
+      expect(tokenManager.getRefreshToken()).toBe('rt');
+
+      await client.logout();
+      expect(tokenManager.getRefreshToken()).toBeNull();
+      expect(tokenManager.getAccessToken()).toBeNull();
+    });
+
+    it('sends Authorization header on logout', async () => {
+      const validToken = createToken(900);
+      tokenManager.setTokens(validToken, 'rt', 900);
+      const capturedHeaders: Record<string, string> = {};
+      
+      const http = {
+        request: async (url: string, init?: RequestInit) => {
+          Object.assign(capturedHeaders, init?.headers || {});
+          return new Response(JSON.stringify({ data: {} }), { status: 200 });
+        },
+      };
+
+      const testClient = new AuthClient({ tokenManager, http, baseUrl: BASE_URL });
+      await testClient.logout();
+      expect(capturedHeaders['Authorization']).toBe(`Bearer ${validToken}`);
+    });
+  });
+
+  describe('refreshToken', () => {
+    it('refreshes tokens on success', async () => {
+      const newAt = createToken(900);
+      setupClient({
+        [REFRESH_KEY]: {
+          data: { access_token: newAt, refresh_token: 'new_rt', expires_in: 900 },
+        },
+      });
+
+      tokenManager.setTokens(createToken(), 'old_rt', 900);
+
+      await client.refreshToken();
+
+      expect(tokenManager.getRefreshToken()).toBe('new_rt');
+      expect(tokenManager.getAccessToken()).toBe(newAt);
+    });
+
+    it('throws TOKEN_REUSE on 400002xx code', async () => {
+      setupClient({
+        [REFRESH_KEY]: REFRESH_TOKEN_REUSE_RESPONSE,
+      });
+
+      tokenManager.setTokens(createToken(), 'old_rt', 900);
+
+      await expect(client.refreshToken()).rejects.toMatchObject({
+        name: 'AuthmsAuthError',
+        code: 'TOKEN_REUSE',
+        status: 401,
+      });
+
+      expect(tokenManager.getRefreshToken()).toBeNull();
+    });
+  });
+
+  describe('fetchAuthConfig', () => {
+    it('fetches and returns auth config', async () => {
+      setupClient({
+        [AUTH_CONFIG_KEY]: plainAuthConfig(),
+      });
+
+      const config = await client.fetchAuthConfig();
+
+      expect(config.tenantId).toBe('t1');
+      expect(config.loginMethods).toEqual(['password']);
+      expect(config.passwordPolicy.mode).toBe('plain');
+      expect(config.passwordPolicy.minLength).toBe(8);
+      expect(config.captchaEnabled).toBe(false);
+    });
+
+    it('second call returns cached data', async () => {
+      let callCount = 0;
+      const trackingHttp = {
+        request: async (url: string, init?: RequestInit) => {
+          callCount++;
+          const key = (init?.method || 'GET') + ' ' + url;
+          const res = ({ [AUTH_CONFIG_KEY]: plainAuthConfig() } as Record<string, unknown>)[key];
+          return new Response(JSON.stringify(res), { status: 200, headers: { 'Content-Type': 'application/json' } });
+        },
+      };
+
+      storage = new MockStorage();
+      tokenManager = new TokenManager(storage);
+      client = new AuthClient({ tokenManager, http: trackingHttp, baseUrl: BASE_URL });
+
+      await client.fetchAuthConfig();
+      expect(callCount).toBe(1);
+
+      await client.fetchAuthConfig();
+      expect(callCount).toBe(1);
+    });
+
+    it('clearConfigCache invalidates cache', async () => {
+      let callCount = 0;
+      const trackingHttp = {
+        request: async (url: string, init?: RequestInit) => {
+          callCount++;
+          const key = (init?.method || 'GET') + ' ' + url;
+          const res = ({ [AUTH_CONFIG_KEY]: plainAuthConfig() } as Record<string, unknown>)[key];
+          return new Response(JSON.stringify(res), { status: 200, headers: { 'Content-Type': 'application/json' } });
+        },
+      };
+
+      storage = new MockStorage();
+      tokenManager = new TokenManager(storage);
+      client = new AuthClient({ tokenManager, http: trackingHttp, baseUrl: BASE_URL });
+
+      await client.fetchAuthConfig();
+      expect(callCount).toBe(1);
+
+      await client.fetchAuthConfig();
+      expect(callCount).toBe(1);
+
+      client.clearConfigCache();
+
+      await client.fetchAuthConfig();
+      expect(callCount).toBe(2);
+    });
+  });
+
+  describe('changePassword', () => {
+    const CHANGE_PASSWORD_KEY = `PUT ${BASE_URL}/identity/api/v1/auth/me/password`;
+
+    it('sends processed password with transmission', async () => {
+      setupClient({
+        [AUTH_CONFIG_KEY]: plainAuthConfig(),
+        [CHANGE_PASSWORD_KEY]: { data: {} },
+      });
+
+      await client.changePassword('oldpass', 'newpass123');
+
+      const lastReq = mockHttp.getLastRequest()!;
+      const body = parseBody(lastReq.body);
+      expect(body.current_password).toBe('oldpass');
+      expect(body.password_transmission).toBe('plain');
+    });
+
+    it('throws AuthmsAuthError on 4xx', async () => {
+      setupClient({
+        [AUTH_CONFIG_KEY]: plainAuthConfig(),
+        [CHANGE_PASSWORD_KEY]: { code: '40000001', message: 'Invalid current password', __status: 400 },
+      });
+
+      await expect(
+        client.changePassword('wrongold', 'newpass123'),
+      ).rejects.toThrow(AuthmsAuthError);
+    });
+  });
+
+  describe('loginWithOAuth', () => {
+    it('throws NOT_BROWSER when window is undefined', async () => {
+      setupClient({});
+
+      await expect(
+        client.loginWithOAuth({ provider: 'google' }),
+      ).rejects.toThrow(AuthmsAuthError);
+
+      await expect(
+        client.loginWithOAuth({ provider: 'google' }),
+      ).rejects.toMatchObject({
+        name: 'AuthmsAuthError',
+        code: 'NOT_BROWSER',
+      });
+    });
+  });
+
+  describe('login with captcha', () => {
+    it('includes captcha fields in body', async () => {
+      setupClient({
+        [AUTH_CONFIG_KEY]: plainAuthConfig(),
+        [LOGIN_KEY]: LOGIN_SUCCESS_RESPONSE,
+      });
+
+      await client.login({
+        email: 'test@example.com',
+        password: 'testpass',
+        captchaToken: 'captcha-abc',
+        captchaProvider: 'turnstile',
+        captchaChallengeId: 'challenge-123',
+      });
+
+      const lastReq = mockHttp.getLastRequest()!;
+      const body = parseBody(lastReq.body);
+      expect(body.captcha_token).toBe('captcha-abc');
+      expect(body.captcha_provider).toBe('turnstile');
+      expect(body.captcha_challenge_id).toBe('challenge-123');
+    });
+  });
+
+  describe('getProfile', () => {
+    const PROFILE_KEY = `GET ${BASE_URL}/identity/api/v1/auth/me`;
+
+    it('fetches and returns user data, caches in tokenManager', async () => {
+      setupClient({
+        [AUTH_CONFIG_KEY]: plainAuthConfig(),
+        [LOGIN_KEY]: LOGIN_SUCCESS_RESPONSE,
+        [PROFILE_KEY]: {
+          data: { id: 'user-1', email: 'test@example.com', username: 'testuser' },
+        },
+      });
+
+      await client.login({ email: 'test@example.com', password: 'testpass' });
+
+      const profile = await client.getProfile();
+
+      expect(profile).not.toBeNull();
+      expect(profile!.id).toBe('user-1');
+      expect(profile!.email).toBe('test@example.com');
+      expect(profile!.username).toBe('testuser');
+      expect(tokenManager.getUser()).not.toBeNull();
+      expect(tokenManager.getUser()!.email).toBe('test@example.com');
+    });
+  });
+});

package/src/__tests__/discovery.test.ts

@@ -0,0 +1,129 @@
+import { describe, it, expect, vi } from 'vitest';
+import { Discovery } from '../discovery';
+
+const VALID_METADATA = {
+  issuer: 'https://auth.example.com',
+  authorization_endpoint: 'https://auth.example.com/oauth/authorize',
+  token_endpoint: 'https://auth.example.com/oauth/token',
+  userinfo_endpoint: 'https://auth.example.com/oauth/userinfo',
+  jwks_uri: 'https://auth.example.com/oauth/jwks',
+  end_session_endpoint: 'https://auth.example.com/oauth/logout',
+  scopes_supported: ['openid', 'profile', 'email'],
+  response_types_supported: ['code'],
+  grant_types_supported: ['authorization_code', 'refresh_token'],
+};
+
+class MockHttp {
+  calls = 0;
+  responses: Map<string, any> = new Map();
+
+  request = async (url: string) => {
+    this.calls++;
+    const res = this.responses.get(url);
+    if (!res) return new Response('{}', { status: 404 });
+    return new Response(JSON.stringify(res), { status: res.__status || 200 });
+  };
+}
+
+const ISSUER = 'https://auth.example.com';
+const WELL_KNOWN_URL = `${ISSUER}/.well-known/openid-configuration`;
+
+describe('Discovery', () => {
+  it('should discover with valid OIDC metadata', async () => {
+    const mockHttp = new MockHttp();
+    mockHttp.responses.set(WELL_KNOWN_URL, VALID_METADATA);
+
+    const discovery = new Discovery(mockHttp);
+    const metadata = await discovery.discover(ISSUER);
+
+    expect(metadata.issuer).toBe(VALID_METADATA.issuer);
+    expect(metadata.authorization_endpoint).toBe(VALID_METADATA.authorization_endpoint);
+    expect(metadata.token_endpoint).toBe(VALID_METADATA.token_endpoint);
+    expect(metadata.jwks_uri).toBe(VALID_METADATA.jwks_uri);
+    expect(metadata.end_session_endpoint).toBe(VALID_METADATA.end_session_endpoint);
+  });
+
+  it('should unwrap DataResponse-wrapped metadata', async () => {
+    const mockHttp = new MockHttp();
+    mockHttp.responses.set(WELL_KNOWN_URL, {
+      code: 0,
+      message: 'success',
+      data: VALID_METADATA,
+    });
+
+    const discovery = new Discovery(mockHttp);
+    const metadata = await discovery.discover(ISSUER);
+
+    expect(metadata.issuer).toBe(VALID_METADATA.issuer);
+    expect(metadata.token_endpoint).toBe(VALID_METADATA.token_endpoint);
+    expect(metadata.jwks_uri).toBe(VALID_METADATA.jwks_uri);
+  });
+
+  it('should throw on HTTP error', async () => {
+    const mockHttp = new MockHttp();
+    mockHttp.responses.set(WELL_KNOWN_URL, { __status: 500 });
+
+    const discovery = new Discovery(mockHttp);
+    await expect(discovery.discover(ISSUER)).rejects.toThrow(
+      'OIDC Discovery failed: HTTP 500',
+    );
+  });
+
+  it('should throw when metadata is missing required fields', async () => {
+    const mockHttp = new MockHttp();
+    mockHttp.responses.set(WELL_KNOWN_URL, { issuer: 'https://foo' });
+
+    const discovery = new Discovery(mockHttp);
+    await expect(discovery.discover(ISSUER)).rejects.toThrow(
+      'OIDC Discovery response missing required fields',
+    );
+  });
+
+  it('should cache metadata — second discover() returns cached without HTTP request', async () => {
+    const mockHttp = new MockHttp();
+    mockHttp.responses.set(WELL_KNOWN_URL, VALID_METADATA);
+
+    const discovery = new Discovery(mockHttp);
+
+    const first = await discovery.discover(ISSUER);
+    expect(first.issuer).toBe(VALID_METADATA.issuer);
+    expect(mockHttp.calls).toBe(1);
+
+    const second = await discovery.discover(ISSUER);
+    expect(second.issuer).toBe(VALID_METADATA.issuer);
+    expect(mockHttp.calls).toBe(1);
+  });
+
+  it('should return the end_session_endpoint from discovered metadata', async () => {
+    const mockHttp = new MockHttp();
+    mockHttp.responses.set(WELL_KNOWN_URL, VALID_METADATA);
+
+    const discovery = new Discovery(mockHttp);
+    await discovery.discover(ISSUER);
+
+    expect(discovery.getEndSessionEndpoint()).toBe('https://auth.example.com/oauth/logout');
+  });
+
+  it('should return the jwks_uri from discovered metadata', async () => {
+    const mockHttp = new MockHttp();
+    mockHttp.responses.set(WELL_KNOWN_URL, VALID_METADATA);
+
+    const discovery = new Discovery(mockHttp);
+    await discovery.discover(ISSUER);
+
+    expect(discovery.getJWKSUri()).toBe('https://auth.example.com/oauth/jwks');
+  });
+
+  it('should call discover only once when cached', async () => {
+    const mockHttp = new MockHttp();
+    mockHttp.responses.set(WELL_KNOWN_URL, VALID_METADATA);
+
+    const discovery = new Discovery(mockHttp);
+
+    await discovery.discover(ISSUER);
+    await discovery.discover(ISSUER);
+    await discovery.discover(ISSUER);
+
+    expect(mockHttp.calls).toBe(1);
+  });
+});

package/src/__tests__/password-transmission.test.ts

@@ -0,0 +1,131 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { processPasswordForTransmission } from '../crypto/password-transmission';
+import type { KeyExchangeFn } from '../crypto/password-transmission';
+import type { PasswordPolicyConfig } from '../types';
+
+const mockKeyExchange: KeyExchangeFn = async () => {
+  const kp = await crypto.subtle.generateKey({ name: 'ECDH', namedCurve: 'P-256' }, true, ['deriveBits']);
+  const pubRaw = await crypto.subtle.exportKey('raw', kp.publicKey);
+  return { serverPubKey: btoa(String.fromCharCode(...new Uint8Array(pubRaw))), keyExchangeId: 'ke_123' };
+};
+
+async function generateRsaPublicKeyPEM(): Promise<string> {
+  const kp = await crypto.subtle.generateKey(
+    { name: 'RSA-OAEP', modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
+    true,
+    ['encrypt', 'decrypt'],
+  );
+  const spki = await crypto.subtle.exportKey('spki', kp.publicKey);
+  const b64 = btoa(String.fromCharCode(...new Uint8Array(spki)));
+  const lines = b64.match(/.{1,64}/g) ?? [];
+  return `-----BEGIN PUBLIC KEY-----\n${lines.join('\n')}\n-----END PUBLIC KEY-----`;
+}
+
+function createPolicy(overrides: Partial<PasswordPolicyConfig> = {}): PasswordPolicyConfig {
+  return {
+    mode: 'plain',
+    minLength: 8,
+    requireUpper: true,
+    tenantId: 'tenant-1',
+    publicKey: '',
+    ...overrides,
+  };
+}
+
+describe('processPasswordForTransmission', () => {
+  let rawPassword: string;
+
+  beforeEach(() => {
+    rawPassword = 'MySecurePass123!';
+  });
+
+  it('plain mode - returns password unchanged with transmission plain', async () => {
+    const policy = createPolicy({ mode: 'plain' });
+    const result = await processPasswordForTransmission(rawPassword, policy);
+
+    expect(result.password).toBe(rawPassword);
+    expect(result.passwordTransmission).toBe('plain');
+  });
+
+  it('hash mode - returns SHA-256(password|tenantId) in hex with transmission hash', async () => {
+    const policy = createPolicy({ mode: 'hash' });
+    const result = await processPasswordForTransmission(rawPassword, policy);
+
+    expect(result.password).not.toBe(rawPassword);
+    expect(result.password.length).toBe(64);
+    expect(/^[0-9a-f]{64}$/.test(result.password)).toBe(true);
+    expect(result.passwordTransmission).toBe('hash');
+  });
+
+  it('hash mode with missing crypto.subtle - falls back to pure JS SHA-256', async () => {
+    const originalDigest = crypto.subtle.digest;
+    // Simulate missing Web Crypto API by making digest throw
+    (crypto.subtle as { digest: typeof crypto.subtle.digest }).digest = () => {
+      throw new Error('Not available');
+    };
+
+    const policy = createPolicy({ mode: 'hash' });
+    const result = await processPasswordForTransmission(rawPassword, policy);
+
+    crypto.subtle.digest = originalDigest;
+
+    expect(result.password).not.toBe(rawPassword);
+    expect(result.password.length).toBe(64);
+    expect(/^[0-9a-f]{64}$/.test(result.password)).toBe(true);
+    expect(result.passwordTransmission).toBe('hash');
+  });
+
+  it('symmetric mode - requires keyExchangeFn, throws if missing', async () => {
+    const policy = createPolicy({ mode: 'symmetric' });
+
+    await expect(
+      processPasswordForTransmission(rawPassword, policy),
+    ).rejects.toThrow('keyExchangeFn is required for symmetric mode');
+  });
+
+  it('symmetric mode with mock keyExchangeFn - returns encrypted result with correct transmission', async () => {
+    const policy = createPolicy({ mode: 'symmetric' });
+    const result = await processPasswordForTransmission(rawPassword, policy, mockKeyExchange);
+
+    expect(result.password).not.toBe(rawPassword);
+    expect(result.passwordTransmission).toBe('symmetric');
+    expect(result.keyExchangeId).toBe('ke_123');
+    expect(typeof result.password).toBe('string');
+    expect(result.password.length).toBeGreaterThan(0);
+  });
+
+  it('asymmetric mode - requires publicKey in policy, throws if missing or too short', async () => {
+    const policyMissing = createPolicy({ mode: 'asymmetric', publicKey: '' });
+    await expect(
+      processPasswordForTransmission(rawPassword, policyMissing),
+    ).rejects.toThrow('public_key is required for asymmetric mode');
+
+    const policyShort = createPolicy({ mode: 'asymmetric', publicKey: 'short' });
+    await expect(
+      processPasswordForTransmission(rawPassword, policyShort),
+    ).rejects.toThrow('public_key is required for asymmetric mode');
+  });
+
+  it('asymmetric mode with valid publicKey - returns encrypted result with transmission asymmetric', async () => {
+    const validPEM = await generateRsaPublicKeyPEM();
+    const policy = createPolicy({ mode: 'asymmetric', publicKey: validPEM });
+    const result = await processPasswordForTransmission(rawPassword, policy);
+
+    expect(result.password).not.toBe(rawPassword);
+    expect(result.passwordTransmission).toBe('asymmetric');
+    expect(typeof result.password).toBe('string');
+    expect(result.password.length).toBeGreaterThan(0);
+  });
+
+  it('undefined/empty mode - defaults to plain', async () => {
+    const policyUndefined = createPolicy({ mode: undefined as unknown as string });
+    const result1 = await processPasswordForTransmission(rawPassword, policyUndefined);
+    expect(result1.password).toBe(rawPassword);
+    expect(result1.passwordTransmission).toBe('plain');
+
+    const policyEmpty = createPolicy({ mode: '' });
+    const result2 = await processPasswordForTransmission(rawPassword, policyEmpty);
+    expect(result2.password).toBe(rawPassword);
+    expect(result2.passwordTransmission).toBe('plain');
+  });
+});