@brika/auth 0.1.1

package/src/__tests__/AuthService.test.ts

@@ -0,0 +1,140 @@
+/**
+ * @brika/auth - AuthService Tests
+ */
+
+import { beforeEach, describe, expect, it, vi } from 'bun:test';
+import { provide, useTestBed } from '@brika/di/testing';
+import { AuthService } from '../services/AuthService';
+import { ScopeService } from '../services/ScopeService';
+import { SessionService } from '../services/SessionService';
+import { UserService } from '../services/UserService';
+import { Role, Scope } from '../types';
+
+describe('AuthService', () => {
+  let authService: AuthService;
+  let mockUserService: {
+    createUser: ReturnType<typeof vi.fn>;
+    getUser: ReturnType<typeof vi.fn>;
+    getUserByEmail: ReturnType<typeof vi.fn>;
+    listUsers: ReturnType<typeof vi.fn>;
+    deleteUser: ReturnType<typeof vi.fn>;
+    setPassword: ReturnType<typeof vi.fn>;
+    verifyPassword: ReturnType<typeof vi.fn>;
+    hasAdmin: ReturnType<typeof vi.fn>;
+  };
+  let mockSessionService: {
+    createSession: ReturnType<typeof vi.fn>;
+    validateSession: ReturnType<typeof vi.fn>;
+    revokeSession: ReturnType<typeof vi.fn>;
+    revokeAllUserSessions: ReturnType<typeof vi.fn>;
+    listUserSessions: ReturnType<typeof vi.fn>;
+    cleanExpiredSessions: ReturnType<typeof vi.fn>;
+    getSessionTTL: ReturnType<typeof vi.fn>;
+  };
+
+  useTestBed(() => {
+    mockUserService = {
+      createUser: vi.fn(),
+      getUser: vi.fn(),
+      getUserByEmail: vi.fn(),
+      listUsers: vi.fn().mockReturnValue([]),
+      deleteUser: vi.fn(),
+      setPassword: vi.fn(),
+      verifyPassword: vi.fn(),
+      hasAdmin: vi.fn(),
+    };
+
+    mockSessionService = {
+      createSession: vi.fn().mockReturnValue('test-session-token'),
+      validateSession: vi.fn(),
+      revokeSession: vi.fn(),
+      revokeAllUserSessions: vi.fn(),
+      listUserSessions: vi.fn().mockReturnValue([]),
+      cleanExpiredSessions: vi.fn().mockReturnValue(0),
+      getSessionTTL: vi.fn().mockReturnValue(604800),
+    };
+
+    provide(SessionService, mockSessionService);
+    provide(ScopeService, new ScopeService());
+    provide(UserService, mockUserService);
+
+    authService = new AuthService();
+  });
+
+  describe('login', () => {
+    it('should login with valid credentials and return session token', async () => {
+      mockUserService.getUserByEmail.mockReturnValueOnce({
+        id: '1',
+        email: 'test@example.com',
+        name: 'Test User',
+        role: Role.USER,
+        isActive: true,
+      });
+
+      mockUserService.verifyPassword.mockResolvedValueOnce(true);
+
+      const result = await authService.login(
+        'test@example.com',
+        'password123',
+        '127.0.0.1',
+        'TestAgent'
+      );
+
+      expect(result).toBeDefined();
+      expect(result.token).toBe('test-session-token');
+      expect(result.user.email).toBe('test@example.com');
+      expect(result.expiresIn).toBe(604800);
+      expect(mockSessionService.createSession).toHaveBeenCalledWith('1', '127.0.0.1', 'TestAgent');
+    });
+
+    it('should reject invalid email', async () => {
+      mockUserService.getUserByEmail.mockReturnValueOnce(null);
+
+      await expect(authService.login('nonexistent@example.com', 'password')).rejects.toThrow(
+        'Invalid credentials'
+      );
+    });
+
+    it('should reject invalid password', async () => {
+      mockUserService.getUserByEmail.mockReturnValueOnce({
+        id: '1',
+        email: 'test@example.com',
+      });
+
+      mockUserService.verifyPassword.mockResolvedValueOnce(false);
+
+      await expect(authService.login('test@example.com', 'wrongpassword')).rejects.toThrow(
+        'Invalid credentials'
+      );
+    });
+  });
+
+  describe('logout', () => {
+    it('should revoke session by ID', () => {
+      authService.logout('session-123');
+      expect(mockSessionService.revokeSession).toHaveBeenCalledWith('session-123');
+    });
+  });
+
+  describe('getCurrentUser', () => {
+    it('should get user by ID', () => {
+      mockUserService.getUser.mockReturnValueOnce({
+        id: '1',
+        email: 'test@example.com',
+        name: 'Test User',
+        role: Role.USER,
+      });
+
+      const user = authService.getCurrentUser('1');
+      expect(user?.email).toBe('test@example.com');
+      expect(mockUserService.getUser).toHaveBeenCalledWith('1');
+    });
+
+    it('should return null for unknown user', () => {
+      mockUserService.getUser.mockReturnValueOnce(null);
+
+      const user = authService.getCurrentUser('unknown');
+      expect(user).toBeNull();
+    });
+  });
+});

package/src/__tests__/ScopeService.test.ts

@@ -0,0 +1,156 @@
+/**
+ * @brika/auth - ScopeService Tests
+ */
+
+import { beforeEach, describe, expect, it } from 'bun:test';
+import { ScopeService } from '../services/ScopeService';
+import { Role, Scope } from '../types';
+
+describe('ScopeService', () => {
+  let service: ScopeService;
+
+  beforeEach(() => {
+    service = new ScopeService();
+  });
+
+  describe('isValidScope', () => {
+    it('should validate known scopes', () => {
+      expect(service.isValidScope(Scope.ADMIN_ALL)).toBe(true);
+      expect(service.isValidScope(Scope.WORKFLOW_READ)).toBe(true);
+      expect(service.isValidScope(Scope.SETTINGS_WRITE)).toBe(true);
+    });
+
+    it('should reject unknown scopes', () => {
+      expect(service.isValidScope('unknown:scope')).toBe(false);
+      expect(service.isValidScope('admin')).toBe(false);
+    });
+  });
+
+  describe('validateScopes', () => {
+    it('should filter valid scopes', () => {
+      const mixed = [Scope.WORKFLOW_READ, 'invalid', Scope.WORKFLOW_WRITE];
+      const valid = service.validateScopes(mixed);
+
+      expect(valid).toHaveLength(2);
+      expect(valid).toContain(Scope.WORKFLOW_READ);
+      expect(valid).toContain(Scope.WORKFLOW_WRITE);
+    });
+
+    it('should return empty array for invalid scope strings', () => {
+      const result = service.validateScopes(['not-a-scope', 'also-invalid']);
+      expect(result).toEqual([]);
+    });
+  });
+
+  describe('getScopesForRole', () => {
+    it('should return admin scopes for admin role', () => {
+      const scopes = service.getScopesForRole(Role.ADMIN);
+      expect(scopes).toContain(Scope.ADMIN_ALL);
+    });
+
+    it('should return user scopes for user role', () => {
+      const scopes = service.getScopesForRole(Role.USER);
+      expect(scopes).toContain(Scope.WORKFLOW_READ);
+      expect(scopes).toContain(Scope.WORKFLOW_WRITE);
+      expect(scopes).not.toContain(Scope.ADMIN_ALL);
+    });
+
+    it('should return guest scopes for guest role', () => {
+      const scopes = service.getScopesForRole(Role.GUEST);
+      expect(scopes).toContain(Scope.WORKFLOW_READ);
+      expect(scopes).not.toContain(Scope.WORKFLOW_WRITE);
+    });
+
+    it('should return empty array for service role', () => {
+      const scopes = service.getScopesForRole(Role.SERVICE);
+      expect(scopes).toEqual([]);
+    });
+  });
+
+  describe('hasScope', () => {
+    it('should check if scope is present', () => {
+      const scopes = [Scope.WORKFLOW_READ, Scope.WORKFLOW_WRITE];
+      expect(service.hasScope(scopes, Scope.WORKFLOW_READ)).toBe(true);
+      expect(service.hasScope(scopes, Scope.WORKFLOW_EXECUTE)).toBe(false);
+    });
+
+    it('should grant all scopes to admin', () => {
+      const adminScopes = [Scope.ADMIN_ALL];
+      expect(service.hasScope(adminScopes, Scope.WORKFLOW_READ)).toBe(true);
+      expect(service.hasScope(adminScopes, Scope.SETTINGS_WRITE)).toBe(true);
+      expect(service.hasScope(adminScopes, Scope.PLUGIN_MANAGE)).toBe(true);
+    });
+  });
+
+  describe('hasScopeAny', () => {
+    it('should check if any required scope is present', () => {
+      const scopes = [Scope.WORKFLOW_READ];
+      const required = [Scope.WORKFLOW_WRITE, Scope.WORKFLOW_READ];
+
+      expect(service.hasScopeAny(scopes, required)).toBe(true);
+    });
+
+    it('should return false if none present', () => {
+      const scopes = [Scope.BOARD_READ];
+      const required = [Scope.WORKFLOW_READ, Scope.WORKFLOW_WRITE];
+
+      expect(service.hasScopeAny(scopes, required)).toBe(false);
+    });
+  });
+
+  describe('hasScopeAll', () => {
+    it('should check if all required scopes are present', () => {
+      const scopes = [Scope.WORKFLOW_READ, Scope.WORKFLOW_WRITE];
+      const required = [Scope.WORKFLOW_READ, Scope.WORKFLOW_WRITE];
+
+      expect(service.hasScopeAll(scopes, required)).toBe(true);
+    });
+
+    it('should return false if any missing', () => {
+      const scopes = [Scope.WORKFLOW_READ];
+      const required = [Scope.WORKFLOW_READ, Scope.WORKFLOW_WRITE];
+
+      expect(service.hasScopeAll(scopes, required)).toBe(false);
+    });
+  });
+
+  describe('getAllScopes', () => {
+    it('should return all available scopes', () => {
+      const all = service.getAllScopes();
+      expect(all.length).toBeGreaterThan(0);
+      expect(all).toContain(Scope.ADMIN_ALL);
+      expect(all).toContain(Scope.WORKFLOW_READ);
+    });
+  });
+
+  describe('getScopesByCategory', () => {
+    it('should filter scopes by category', () => {
+      const workflow = service.getScopesByCategory('workflow');
+      expect(workflow).toContain(Scope.WORKFLOW_READ);
+      expect(workflow).toContain(Scope.WORKFLOW_WRITE);
+      expect(workflow).not.toContain(Scope.BOARD_READ);
+    });
+
+    it('should return admin category', () => {
+      const admin = service.getScopesByCategory('admin');
+      expect(admin).toContain(Scope.ADMIN_ALL);
+    });
+  });
+
+  describe('getScopeDescription', () => {
+    it('should return scope description', () => {
+      const desc = service.getScopeDescription(Scope.WORKFLOW_READ);
+      expect(typeof desc).toBe('string');
+      expect(desc.length).toBeGreaterThan(0);
+    });
+  });
+
+  describe('getRegistry', () => {
+    it('should return scope registry', () => {
+      const registry = service.getRegistry();
+      expect(registry).toBeDefined();
+      expect(registry[Scope.ADMIN_ALL]).toBeDefined();
+      expect(registry[Scope.ADMIN_ALL].category).toBe('admin');
+    });
+  });
+});

package/src/__tests__/SessionService.test.ts

@@ -0,0 +1,311 @@
+/**
+ * @brika/auth - SessionService Unit Tests
+ * Direct service tests against an in-memory SQLite database.
+ */
+
+import type { Database } from 'bun:sqlite';
+import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
+import { SessionService } from '../services/SessionService';
+import { UserService } from '../services/UserService';
+import { openAuthDatabase } from '../setup';
+import { Role } from '../types';
+
+let db: Database;
+let sessionService: SessionService;
+let userService: UserService;
+let userId: string;
+
+beforeEach(() => {
+  db = openAuthDatabase(':memory:');
+  sessionService = new SessionService(db, 3600);
+  userService = new UserService(db);
+  const user = userService.createUser('test@test.com', 'Test', Role.USER);
+  userId = user.id;
+});
+
+afterEach(() => {
+  db.close();
+});
+
+// ─── revokeSession ───────────────────────────────────────────────────────────
+
+describe('revokeSession', () => {
+  it('sets revoked_at so the session no longer validates', async () => {
+    const token = sessionService.createSession(userId);
+    const session = sessionService.validateSession(token);
+    expect(session).not.toBeNull();
+    if (session === null) {
+      return;
+    }
+
+    sessionService.revokeSession(session.id);
+
+    const result = sessionService.validateSession(token);
+    expect(result).toBeNull();
+  });
+
+  it('does not throw when revoking a non-existent session id', () => {
+    expect(() => {
+      sessionService.revokeSession('does-not-exist');
+    }).not.toThrow();
+  });
+
+  it('does not affect other sessions belonging to the same user', () => {
+    const token1 = sessionService.createSession(userId);
+    const token2 = sessionService.createSession(userId);
+
+    const session1 = sessionService.validateSession(token1);
+    expect(session1).not.toBeNull();
+    if (session1 === null) {
+      return;
+    }
+
+    sessionService.revokeSession(session1.id);
+
+    expect(sessionService.validateSession(token1)).toBeNull();
+    expect(sessionService.validateSession(token2)).not.toBeNull();
+  });
+
+  it('is idempotent — revoking an already-revoked session does not throw', () => {
+    const token = sessionService.createSession(userId);
+    const session = sessionService.validateSession(token);
+    expect(session).not.toBeNull();
+    if (session === null) {
+      return;
+    }
+
+    expect(() => {
+      sessionService.revokeSession(session.id);
+      sessionService.revokeSession(session.id);
+    }).not.toThrow();
+  });
+});
+
+// ─── revokeAllUserSessions ───────────────────────────────────────────────────
+
+describe('revokeAllUserSessions', () => {
+  it('revokes all active sessions for the user', () => {
+    const token1 = sessionService.createSession(userId);
+    const token2 = sessionService.createSession(userId);
+    const token3 = sessionService.createSession(userId);
+
+    sessionService.revokeAllUserSessions(userId);
+
+    expect(sessionService.validateSession(token1)).toBeNull();
+    expect(sessionService.validateSession(token2)).toBeNull();
+    expect(sessionService.validateSession(token3)).toBeNull();
+  });
+
+  it('does not affect sessions belonging to other users', () => {
+    const otherUser = userService.createUser('other@test.com', 'Other', Role.USER);
+    const otherToken = sessionService.createSession(otherUser.id);
+
+    sessionService.createSession(userId);
+    sessionService.revokeAllUserSessions(userId);
+
+    expect(sessionService.validateSession(otherToken)).not.toBeNull();
+  });
+
+  it('does not throw when the user has no sessions', () => {
+    expect(() => {
+      sessionService.revokeAllUserSessions(userId);
+    }).not.toThrow();
+  });
+
+  it('does not throw for a non-existent user id', () => {
+    expect(() => {
+      sessionService.revokeAllUserSessions('no-such-user');
+    }).not.toThrow();
+  });
+});
+
+// ─── listUserSessions ────────────────────────────────────────────────────────
+
+describe('listUserSessions', () => {
+  it('returns an empty array when the user has no sessions', () => {
+    const sessions = sessionService.listUserSessions(userId);
+    expect(sessions).toEqual([]);
+  });
+
+  it('returns active sessions for the user', () => {
+    sessionService.createSession(userId);
+    sessionService.createSession(userId);
+
+    const sessions = sessionService.listUserSessions(userId);
+    expect(sessions).toHaveLength(2);
+  });
+
+  it('excludes revoked sessions', () => {
+    const token1 = sessionService.createSession(userId);
+    sessionService.createSession(userId);
+
+    const session1 = sessionService.validateSession(token1);
+    expect(session1).not.toBeNull();
+    if (session1 === null) {
+      return;
+    }
+
+    sessionService.revokeSession(session1.id);
+
+    const sessions = sessionService.listUserSessions(userId);
+    expect(sessions).toHaveLength(1);
+
+    const remaining = sessions[0];
+    expect(remaining).toBeDefined();
+    if (remaining === undefined) {
+      return;
+    }
+    expect(remaining.id).not.toBe(session1.id);
+  });
+
+  it('orders results by last_seen_at DESC', () => {
+    // Create sessions with a small gap so last_seen_at timestamps differ.
+    // validateSession updates last_seen_at, so validate in reverse desired order.
+    const token1 = sessionService.createSession(userId);
+    const token2 = sessionService.createSession(userId);
+    const token3 = sessionService.createSession(userId);
+
+    // Touch them in ascending order — token3 will be most-recently seen.
+    sessionService.validateSession(token1);
+    sessionService.validateSession(token2);
+    sessionService.validateSession(token3);
+
+    const sessions = sessionService.listUserSessions(userId);
+    expect(sessions).toHaveLength(3);
+
+    // Verify DESC ordering by comparing consecutive lastSeenAt values.
+    for (let i = 0; i < sessions.length - 1; i++) {
+      const current = sessions[i];
+      const next = sessions[i + 1];
+      if (current === undefined || next === undefined) {
+        continue;
+      }
+      expect(current.lastSeenAt).toBeGreaterThanOrEqual(next.lastSeenAt);
+    }
+  });
+
+  it('does not include sessions belonging to other users', () => {
+    const otherUser = userService.createUser('other@test.com', 'Other', Role.USER);
+    sessionService.createSession(otherUser.id);
+    sessionService.createSession(userId);
+
+    const sessions = sessionService.listUserSessions(userId);
+    expect(sessions).toHaveLength(1);
+
+    const onlySession = sessions[0];
+    expect(onlySession).toBeDefined();
+    if (onlySession === undefined) {
+      return;
+    }
+    expect(onlySession.userId).toBe(userId);
+  });
+
+  it('returns SessionRecord objects with the expected shape', () => {
+    const token = sessionService.createSession(userId, '127.0.0.1', 'TestAgent/1.0');
+    // Validate so we get the session id back.
+    const session = sessionService.validateSession(token, '127.0.0.1');
+    expect(session).not.toBeNull();
+    if (session === null) {
+      return;
+    }
+
+    const records = sessionService.listUserSessions(userId);
+    expect(records).toHaveLength(1);
+
+    const record = records[0];
+    expect(record).toBeDefined();
+    if (record === undefined) {
+      return;
+    }
+    expect(record.id).toBe(session.id);
+    expect(record.userId).toBe(userId);
+    expect(typeof record.tokenHash).toBe('string');
+    expect(record.ip).toBe('127.0.0.1');
+    expect(record.userAgent).toBe('TestAgent/1.0');
+    expect(typeof record.createdAt).toBe('number');
+    expect(typeof record.lastSeenAt).toBe('number');
+    expect(typeof record.expiresAt).toBe('number');
+    expect(record.revokedAt).toBeNull();
+  });
+});
+
+// ─── cleanExpiredSessions ────────────────────────────────────────────────────
+
+describe('cleanExpiredSessions', () => {
+  it('returns 0 when there are no sessions to clean', () => {
+    const count = sessionService.cleanExpiredSessions();
+    expect(count).toBe(0);
+  });
+
+  it('returns 0 for active, non-expired sessions', () => {
+    // sessionService has TTL of 3600s — sessions are far from expired.
+    sessionService.createSession(userId);
+    sessionService.createSession(userId);
+
+    const count = sessionService.cleanExpiredSessions();
+    expect(count).toBe(0);
+  });
+
+  it('deletes expired sessions whose created_at is older than 30 days', () => {
+    // Insert a session directly with timestamps that fall outside the 30-day window.
+    const thirtyOneDaysAgo = Date.now() - 31 * 24 * 60 * 60 * 1000;
+
+    db.query(
+      `INSERT INTO sessions (id, user_id, token_hash, ip, user_agent, created_at, last_seen_at, expires_at)
+       VALUES ('old-sess', ?, 'oldhash', NULL, NULL, ?, ?, ?)`
+    ).run(userId, thirtyOneDaysAgo, thirtyOneDaysAgo, thirtyOneDaysAgo - 1);
+    // expires_at < now and created_at < cutoff => eligible for deletion.
+
+    const count = sessionService.cleanExpiredSessions();
+    expect(count).toBe(1);
+  });
+
+  it('deletes revoked sessions whose created_at is older than 30 days', () => {
+    const thirtyOneDaysAgo = Date.now() - 31 * 24 * 60 * 60 * 1000;
+    const futureExpiry = Date.now() + 3600 * 1000;
+
+    db.query(
+      `INSERT INTO sessions (id, user_id, token_hash, ip, user_agent, created_at, last_seen_at, expires_at, revoked_at)
+       VALUES ('revoked-old', ?, 'revokedhash', NULL, NULL, ?, ?, ?, ?)`
+    ).run(userId, thirtyOneDaysAgo, thirtyOneDaysAgo, futureExpiry, thirtyOneDaysAgo + 1);
+
+    const count = sessionService.cleanExpiredSessions();
+    expect(count).toBe(1);
+  });
+
+  it('does not delete recently-revoked sessions (created within 30 days)', () => {
+    // Create and immediately revoke — created_at is now, so it should not be cleaned.
+    const token = sessionService.createSession(userId);
+    const session = sessionService.validateSession(token);
+    expect(session).not.toBeNull();
+    if (session === null) {
+      return;
+    }
+
+    sessionService.revokeSession(session.id);
+
+    const count = sessionService.cleanExpiredSessions();
+    expect(count).toBe(0);
+  });
+
+  it('returns the correct count when multiple old sessions are cleaned', () => {
+    const thirtyOneDaysAgo = Date.now() - 31 * 24 * 60 * 60 * 1000;
+
+    for (let i = 0; i < 3; i++) {
+      db.query(
+        `INSERT INTO sessions (id, user_id, token_hash, ip, user_agent, created_at, last_seen_at, expires_at)
+         VALUES (?, ?, ?, NULL, NULL, ?, ?, ?)`
+      ).run(
+        `old-${i}`,
+        userId,
+        `hash-${i}`,
+        thirtyOneDaysAgo,
+        thirtyOneDaysAgo,
+        thirtyOneDaysAgo - 1
+      );
+    }
+
+    const count = sessionService.cleanExpiredSessions();
+    expect(count).toBe(3);
+  });
+});