@nauth-toolkit/core 0.1.0 → 0.1.3

package/src/services/auth.service.spec.ts

@@ -1,4195 +0,0 @@
-/**
- * AuthService Unit Tests - Comprehensive Coverage
- *
- * Platform-agnostic: Uses direct instantiation, no NestJS dependencies.
- *
- * This is the backbone test suite for the authentication system.
- * Covers all public methods, edge cases, security features, hooks, and error paths.
- *
- * Test Coverage:
- * - User signup (all verification methods, hooks, edge cases)
- * - User login (all scenarios, lockout, MFA, challenges, hooks)
- * - Token refresh (rotation, reuse detection, distributed locking)
- * - Logout operations (single, all, token family)
- * - Password management (change, reset, history, expiry)
- * - Account lockout (IP-based, account-based, unlock)
- * - MFA verification (all methods)
- * - Challenge completion (all challenge types)
- * - Trusted device management
- * - User profile updates
- * - Lifecycle hooks (all hooks)
- * - Optional dependencies handling
- * - Audit logging
- * - Security features (constant-time, token rotation, reuse detection)
- */
-
-import { Repository } from 'typeorm';
-import { AuthService } from './auth.service';
-import { NAuthException } from '../exceptions/nauth.exception';
-import { PasswordService } from './password.service';
-import { JwtService } from './jwt.service';
-import { SessionService } from './session.service';
-import { EmailVerificationService } from './email-verification.service';
-import { PhoneVerificationService } from './phone-verification.service';
-import { ClientInfoService } from './client-info.service';
-import { AccountLockoutStorageService } from '../storage/account-lockout-storage.service';
-import { ChallengeService } from './challenge.service';
-import { AuthChallengeHelperService } from './auth-challenge-helper.service';
-import { AuthAuditService } from './auth-audit.service';
-import { TrustedDeviceService } from './trusted-device.service';
-import { MFAService } from './mfa.service';
-import { SignupDTO } from '../dto/signup.dto';
-import { LoginDTO } from '../dto/login.dto';
-import { AuthChallenge } from '../dto/auth-challenge.dto';
-import { IUser, ISession } from '../interfaces/entities.interface';
-import { BaseUser, BaseLoginAttempt, BaseMFADevice } from '../entities';
-import { NAuthConfig } from '../interfaces/config.interface';
-import { NAuthLogger } from '../utils/nauth-logger';
-import { AuthErrorCode } from '../enums/error-codes.enum';
-import { AuthAuditEventType } from '../enums/auth-audit-event-type.enum';
-import { RiskFactor } from '../enums/risk-factor.enum';
-import {
-  VerifyEmailResponse,
-  VerifyPhoneResponse,
-  CollectPhoneResponse,
-  ForceChangePasswordResponse,
-  MFASetupResponse,
-  VerifyMFACodeResponse,
-  VerifyMFAPasskeyResponse,
-} from '../dto/challenge-response.dto';
-import { RespondChallengeDTO } from '../dto/respond-challenge.dto';
-import { MFAMethod } from '../enums/mfa-method.enum';
-
-const createRespondChallengeDto = (data: Partial<RespondChallengeDTO>): RespondChallengeDTO => {
-  return Object.assign(new RespondChallengeDTO(), data);
-};
-
-describe('AuthService', () => {
-  let service: AuthService;
-  let mockUserRepository: jest.Mocked<Repository<BaseUser>>;
-  let mockLoginAttemptRepository: jest.Mocked<Repository<BaseLoginAttempt>>;
-  let mockMfaDeviceRepository: jest.Mocked<Repository<BaseMFADevice>>;
-  let mockPasswordService: jest.Mocked<PasswordService>;
-  let mockJwtService: jest.Mocked<JwtService>;
-  let mockSessionService: jest.Mocked<SessionService>;
-  let mockEmailVerificationService: jest.Mocked<EmailVerificationService>;
-  let mockPhoneVerificationService: jest.Mocked<PhoneVerificationService>;
-  let mockClientInfoService: jest.Mocked<ClientInfoService>;
-  let mockAccountLockoutStorage: jest.Mocked<AccountLockoutStorageService>;
-  let mockChallengeService: jest.Mocked<ChallengeService>;
-  let mockChallengeHelper: jest.Mocked<AuthChallengeHelperService>;
-  let mockAuditService: jest.Mocked<AuthAuditService>;
-  let mockTrustedDeviceService: jest.Mocked<TrustedDeviceService>;
-  let mockMfaService: jest.Mocked<MFAService>;
-  let mockLogger: jest.Mocked<NAuthLogger>;
-  let mockConfig: NAuthConfig;
-
-  const mockUser: IUser = {
-    id: 1,
-    sub: 'user-123',
-    email: 'test@example.com',
-    username: 'testuser',
-    phone: null,
-    firstName: 'John',
-    lastName: 'Doe',
-    passwordHash: 'hashed-password',
-    passwordChangedAt: new Date(),
-    passwordHistory: [],
-    isEmailVerified: true,
-    isPhoneVerified: false,
-    isActive: true,
-    mustChangePassword: false,
-    isLocked: false,
-    lockReason: null,
-    lockedAt: null,
-    lockedUntil: null,
-    failedLoginAttempts: 0,
-    lastFailedLoginAt: null,
-    lastLoginAt: null,
-    lastLoginIp: null,
-    hasSocialAuth: false,
-    socialProviders: null,
-    mfaEnabled: false,
-    mfaMethods: null,
-    preferredMfaMethod: null,
-    backupCodes: null,
-    metadata: null,
-    createdAt: new Date(),
-    updatedAt: new Date(),
-    deletedAt: null,
-  };
-
-  const mockSession: ISession = {
-    id: 1,
-    userId: 1,
-    accessTokenHash: 'access-hash',
-    refreshTokenHash: 'refresh-hash',
-    tokenFamily: 'family-abc',
-    deviceId: 'device-123',
-    deviceName: 'Test Device',
-    deviceType: 'desktop',
-    deviceFingerprint: null,
-    ipAddress: '127.0.0.1',
-    ipCountry: null,
-    ipCity: null,
-    ipIsp: null,
-    userAgent: 'test-agent',
-    platform: 'web',
-    browser: 'chrome',
-    authMethod: 'password',
-    isRemembered: false,
-    isTrustedDevice: false,
-    expiresAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000),
-    lastActivityAt: new Date(),
-    isRevoked: false,
-    revokedAt: null,
-    revokeReason: null,
-    version: 1,
-    metadata: null,
-    createdAt: new Date(),
-  } as ISession;
-
-  const mockClientInfo: any = {
-    ipAddress: '127.0.0.1',
-    ipCountry: 'US',
-    ipCity: 'San Francisco',
-    deviceToken: null,
-    deviceName: 'Test Device',
-    deviceType: 'desktop',
-    userAgent: 'test-agent',
-    platform: 'web',
-    browser: 'chrome',
-  };
-
-  beforeEach(() => {
-    // Create mock repositories
-    // Create a fresh query builder mock for each test
-    const createMockQueryBuilder = () => ({
-      where: jest.fn().mockReturnThis(),
-      orWhere: jest.fn().mockReturnThis(),
-      select: jest.fn().mockReturnThis(),
-      getOne: jest.fn(),
-    });
-    mockUserRepository = {
-      findOne: jest.fn(),
-      save: jest.fn(),
-      create: jest.fn(),
-      update: jest.fn(),
-      createQueryBuilder: jest.fn(createMockQueryBuilder),
-    } as any;
-
-    mockLoginAttemptRepository = {
-      create: jest.fn(),
-      save: jest.fn(),
-    } as any;
-
-    mockMfaDeviceRepository = {
-      find: jest.fn(),
-      update: jest.fn(),
-    } as any;
-
-    // Create mock services
-    mockPasswordService = {
-      validatePassword: jest.fn(),
-      hashPassword: jest.fn(),
-      verifyPassword: jest.fn(),
-      isPasswordInHistory: jest.fn(),
-      addToHistory: jest.fn(),
-    } as any;
-
-    mockJwtService = {
-      generateTokenPair: jest.fn(),
-      hashToken: jest.fn(),
-      generateTokenFamily: jest.fn(),
-      validateAccessToken: jest.fn(),
-      validateRefreshToken: jest.fn(),
-      decodeToken: jest.fn(),
-      getRefreshTokenTTL: jest.fn().mockReturnValue(2592000), // 30 days
-    } as any;
-
-    mockSessionService = {
-      createSession: jest.fn(),
-      createSessionAtomic: jest.fn(),
-      findByRefreshToken: jest.fn(),
-      findByIdLight: jest.fn(),
-      updateTokens: jest.fn(),
-      revokeSession: jest.fn(),
-      revokeAllUserSessions: jest.fn(),
-      markRefreshTokenAsUsed: jest.fn(),
-      isRefreshTokenUsed: jest.fn().mockResolvedValue(false),
-      acquireRefreshLock: jest.fn().mockResolvedValue(true),
-      releaseRefreshLock: jest.fn(),
-      revokeTokenFamily: jest.fn(),
-      findById: jest.fn(),
-    } as any;
-
-    mockEmailVerificationService = {
-      sendVerificationEmail: jest.fn(),
-    } as any;
-
-    mockPhoneVerificationService = {
-      sendVerificationSMS: jest.fn(),
-      sendVerificationCode: jest.fn(),
-      verifyPhoneWithCode: jest.fn(),
-    } as any;
-
-    mockClientInfoService = {
-      get: jest.fn().mockReturnValue(mockClientInfo),
-    } as any;
-
-    mockAccountLockoutStorage = {
-      isAccountLocked: jest.fn().mockResolvedValue(false),
-      recordFailedAttempt: jest.fn().mockResolvedValue(1),
-      resetFailedAttempts: jest.fn().mockResolvedValue(undefined),
-      lockAccount: jest.fn().mockResolvedValue(undefined),
-    } as any;
-
-    mockChallengeService = {
-      createSession: jest.fn(),
-      createChallengeSession: jest.fn(),
-      validateSession: jest.fn(),
-      validateAndConsumeSession: jest.fn(),
-      incrementAttempts: jest.fn(),
-      cleanupExpiredSessions: jest.fn(),
-    } as any;
-
-    mockChallengeHelper = {
-      determineAuthResponse: jest.fn(),
-      createChallengeResponse: jest.fn(),
-      createSuccessResponse: jest.fn(),
-      createMFAChallengeResponse: jest.fn(),
-      createMFASetupChallengeResponse: jest.fn(),
-    } as any;
-
-    mockAuditService = {
-      recordEvent: jest.fn().mockResolvedValue(null),
-    } as any;
-
-    mockTrustedDeviceService = {
-      isDeviceTrusted: jest.fn().mockResolvedValue(false),
-      createTrustedDevice: jest.fn().mockResolvedValue('device-token-123'),
-      revokeTrustedDevice: jest.fn().mockResolvedValue(undefined),
-    } as any;
-
-    mockMfaService = {
-      verifyCode: jest.fn().mockResolvedValue(true),
-    } as any;
-
-    mockLogger = {
-      log: jest.fn(),
-      debug: jest.fn(),
-      warn: jest.fn(),
-      error: jest.fn(),
-      verbose: jest.fn(),
-    } as any;
-
-    // Default config
-    mockConfig = {
-      jwt: {
-        algorithm: 'HS256',
-        accessToken: {
-          secret: 'test-secret',
-          expiresIn: 900, // 15 minutes
-        },
-        refreshToken: {
-          secret: 'test-refresh-secret',
-          expiresIn: 2592000, // 30 days
-          rotation: true,
-          reuseDetection: true,
-        },
-      },
-      signup: {
-        enabled: true,
-        verificationMethod: 'none',
-      },
-      login: {},
-      lockout: {
-        enabled: true,
-        maxAttempts: 5,
-        duration: 900,
-        resetOnSuccess: true,
-      },
-      password: {
-        historyCount: 5,
-      },
-      session: {},
-    };
-
-    // Instantiate service directly
-    service = new AuthService(
-      mockUserRepository,
-      mockLoginAttemptRepository,
-      mockPasswordService,
-      mockJwtService,
-      mockSessionService,
-      mockChallengeService,
-      mockChallengeHelper,
-      mockEmailVerificationService,
-      mockClientInfoService,
-      mockAccountLockoutStorage,
-      mockConfig,
-      mockLogger,
-      mockAuditService,
-      mockPhoneVerificationService,
-      mockMfaService,
-      mockMfaDeviceRepository,
-      mockTrustedDeviceService,
-    );
-  });
-
-  afterEach(() => {
-    jest.clearAllMocks();
-  });
-
-  // ============================================================================
-  // Service Initialization
-  // ============================================================================
-
-  it('should be defined', () => {
-    expect(service).toBeDefined();
-  });
-
-  it('should log initialization', () => {
-    expect(mockLogger.log).toHaveBeenCalledWith('AuthService initialized');
-  });
-
-  // ============================================================================
-  // signup Tests
-  // ============================================================================
-
-  describe('signup()', () => {
-    const signupDto: SignupDTO = {
-      email: 'newuser@example.com',
-      password: 'SecurePassword123!',
-      username: 'newuser',
-    };
-
-    beforeEach(() => {
-      mockChallengeHelper.determineAuthResponse.mockResolvedValue({
-        accessToken: 'access-token',
-        refreshToken: 'refresh-token',
-        accessTokenExpiresAt: Math.floor(Date.now() / 1000) + 900,
-        refreshTokenExpiresAt: Math.floor(Date.now() / 1000) + 604800,
-        user: {
-          sub: 'user-123',
-          email: 'newuser@example.com',
-          isEmailVerified: true,
-          isPhoneVerified: false,
-        },
-      });
-    });
-
-    describe('Basic signup flow', () => {
-      it('should create a new user successfully with verificationMethod: none', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-
-        const result = await service.signup(signupDto);
-
-        expect(mockUserRepository.findOne).toHaveBeenCalledWith({ where: { email: signupDto.email } });
-        expect(mockPasswordService.validatePassword).toHaveBeenCalled();
-        expect(mockPasswordService.hashPassword).toHaveBeenCalledWith(signupDto.password);
-        expect(mockUserRepository.save).toHaveBeenCalled();
-        expect(mockChallengeHelper.determineAuthResponse).toHaveBeenCalled();
-        expect(result.user).toBeDefined();
-        expect(result.accessToken).toBe('access-token');
-        expect(result.refreshToken).toBe('refresh-token');
-        expect(result.challengeName).toBeUndefined();
-      });
-
-      it('should hash password with Argon2id', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-
-        await service.signup(signupDto);
-
-        expect(mockPasswordService.hashPassword).toHaveBeenCalledWith(signupDto.password);
-      });
-
-      it('should create user with isActive: true and isEmailVerified always false initially', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        const createdUser = { ...mockUser, email: signupDto.email };
-        mockUserRepository.create.mockReturnValue(createdUser as any);
-        mockUserRepository.save.mockResolvedValue(createdUser as any);
-
-        await service.signup(signupDto);
-
-        expect(mockUserRepository.create).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            email: signupDto.email,
-            passwordHash: 'hashed-password',
-            isActive: true,
-            isEmailVerified: false, // Always false initially - must be explicitly verified
-          }),
-        );
-      });
-    });
-
-    describe('Duplicate checks', () => {
-      it('should throw NAuthException if user with email already exists', async () => {
-        mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-
-        try {
-          await service.signup(signupDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.EMAIL_EXISTS);
-        }
-      });
-
-      it('should throw NAuthException if username already exists', async () => {
-        mockUserRepository.findOne.mockImplementation((options: any) => {
-          if (options.where?.email) return Promise.resolve(null);
-          if (options.where?.username) return Promise.resolve(mockUser as any);
-          return Promise.resolve(null);
-        });
-
-        try {
-          await service.signup(signupDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.USERNAME_EXISTS);
-        }
-      });
-
-      it('should throw NAuthException if phone already exists when allowDuplicatePhones is false', async () => {
-        const signupDtoWithPhone: SignupDTO = {
-          ...signupDto,
-          phone: '+1234567890',
-        };
-        mockConfig.signup!.allowDuplicatePhones = false;
-
-        mockUserRepository.findOne.mockImplementation((options: any) => {
-          if (options.where?.email) return Promise.resolve(null);
-          if (options.where?.username) return Promise.resolve(null);
-          if (options.where?.phone) return Promise.resolve(mockUser as any);
-          return Promise.resolve(null);
-        });
-
-        try {
-          await service.signup(signupDtoWithPhone);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.PHONE_EXISTS);
-        }
-      });
-
-      it('should allow duplicate phones when allowDuplicatePhones is true', async () => {
-        const signupDtoWithPhone: SignupDTO = {
-          ...signupDto,
-          phone: '+1234567890',
-        };
-        mockConfig.signup!.allowDuplicatePhones = true;
-
-        mockUserRepository.findOne.mockImplementation((options: any) => {
-          if (options.where?.email) return Promise.resolve(null);
-          if (options.where?.username) return Promise.resolve(null);
-          // Don't check phone when allowDuplicatePhones is true
-          return Promise.resolve(null);
-        });
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-
-        await service.signup(signupDtoWithPhone);
-
-        // Should not throw
-        expect(mockUserRepository.save).toHaveBeenCalled();
-      });
-    });
-
-    describe('Password validation', () => {
-      it('should throw NAuthException if password is invalid', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({
-          valid: false,
-          errors: ['Password is too weak', 'Password must contain uppercase'],
-        });
-
-        try {
-          await service.signup(signupDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          // Password validation happens in handleForceChangePassword, which throws WEAK_PASSWORD
-          // But validation might happen earlier in validateChallengeParams
-          expect([AuthErrorCode.WEAK_PASSWORD, AuthErrorCode.VALIDATION_FAILED]).toContain(error.code);
-          expect(error.message).toContain('Password is too weak');
-        }
-      });
-
-      it('should pass email and username to password validation', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-
-        await service.signup(signupDto);
-
-        expect(mockPasswordService.validatePassword).toHaveBeenCalledWith(signupDto.password, {
-          email: signupDto.email,
-          username: signupDto.username,
-        });
-      });
-    });
-
-    describe('Verification method: email', () => {
-      beforeEach(() => {
-        mockConfig.signup!.verificationMethod = 'email';
-        mockChallengeHelper.determineAuthResponse.mockResolvedValue({
-          challengeName: AuthChallenge.VERIFY_EMAIL,
-          session: 'session-token-123',
-          challengeParameters: {
-            email: signupDto.email,
-            instructions: 'Please verify your email address',
-          },
-        });
-      });
-
-      it('should return VERIFY_EMAIL challenge', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-        mockEmailVerificationService.sendVerificationEmail.mockResolvedValue(123);
-
-        const result = await service.signup(signupDto);
-
-        expect(result.challengeName).toBe(AuthChallenge.VERIFY_EMAIL);
-        expect(result.session).toBe('session-token-123');
-        expect(result.accessToken).toBeUndefined();
-        expect(result.refreshToken).toBeUndefined();
-        expect(mockEmailVerificationService.sendVerificationEmail).toHaveBeenCalled();
-      });
-
-      it('should create user with isEmailVerified: false', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        const createdUser = { ...mockUser, email: signupDto.email, isEmailVerified: false };
-        mockUserRepository.create.mockReturnValue(createdUser as any);
-        mockUserRepository.save.mockResolvedValue(createdUser as any);
-        mockEmailVerificationService.sendVerificationEmail.mockResolvedValue(123);
-
-        await service.signup(signupDto);
-
-        expect(mockUserRepository.create).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            isEmailVerified: false,
-          }),
-        );
-      });
-    });
-
-    describe('Verification method: phone', () => {
-      beforeEach(() => {
-        mockConfig.signup!.verificationMethod = 'phone';
-        mockChallengeHelper.determineAuthResponse.mockResolvedValue({
-          challengeName: AuthChallenge.VERIFY_PHONE,
-          session: 'session-token-123',
-          challengeParameters: {
-            phone: '+1234567890',
-            instructions: 'Please verify your phone number',
-          },
-        });
-      });
-
-      it('should throw NAuthException if phone is required but not provided', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-
-        try {
-          await service.signup(signupDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.PHONE_REQUIRED);
-        }
-      });
-
-      it('should return VERIFY_PHONE challenge when phone is provided', async () => {
-        const signupDtoWithPhone: SignupDTO = {
-          ...signupDto,
-          phone: '+1234567890',
-        };
-
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-
-        const result = await service.signup(signupDtoWithPhone);
-
-        expect(result.challengeName).toBe(AuthChallenge.VERIFY_PHONE);
-        // Phone verification SMS is sent during challenge completion, not during signup
-      });
-    });
-
-    describe('Verification method: both', () => {
-      beforeEach(() => {
-        mockConfig.signup!.verificationMethod = 'both';
-        // Sequential challenges: first VERIFY_EMAIL, then VERIFY_PHONE
-        mockChallengeHelper.determineAuthResponse.mockResolvedValue({
-          challengeName: AuthChallenge.VERIFY_EMAIL,
-          session: 'session-token-email',
-          challengeParameters: {
-            email: signupDto.email,
-            codeDeliveryDestination: 't***@example.com',
-          },
-        });
-      });
-
-      it('should throw NAuthException if phone is required but not provided', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-
-        try {
-          await service.signup(signupDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.PHONE_REQUIRED);
-        }
-      });
-
-      it('should return VERIFY_EMAIL challenge first when both are provided (sequential flow)', async () => {
-        const signupDtoWithPhone: SignupDTO = {
-          ...signupDto,
-          phone: '+1234567890',
-        };
-
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-        mockEmailVerificationService.sendVerificationEmail.mockResolvedValue(123);
-
-        const result = await service.signup(signupDtoWithPhone);
-
-        // Sequential challenges: first VERIFY_EMAIL, then VERIFY_PHONE after email is verified
-        expect(result.challengeName).toBe(AuthChallenge.VERIFY_EMAIL);
-        // When verificationMethod is 'both', email is sent by challenge system when VERIFY_EMAIL challenge is created
-        // Phone verification SMS is sent when VERIFY_PHONE challenge is created (after email is verified)
-      });
-    });
-
-    describe('Lifecycle hooks', () => {
-      it('should execute beforeSignup hook and reject if returns false', async () => {
-        mockConfig.hooks = {
-          beforeSignup: jest.fn().mockResolvedValue(false),
-        };
-        mockUserRepository.findOne.mockResolvedValue(null);
-
-        try {
-          await service.signup(signupDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.SIGNUP_NOT_ALLOWED);
-          expect(mockConfig.hooks!.beforeSignup).toHaveBeenCalledWith(signupDto);
-        }
-      });
-
-      it('should allow signup if beforeSignup hook returns true', async () => {
-        mockConfig.hooks = {
-          beforeSignup: jest.fn().mockResolvedValue(true),
-        };
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-
-        await service.signup(signupDto);
-
-        expect(mockConfig.hooks!.beforeSignup).toHaveBeenCalled();
-        expect(mockUserRepository.save).toHaveBeenCalled();
-      });
-
-      it('should execute afterSignup hook after successful signup', async () => {
-        mockConfig.hooks = {
-          afterSignup: jest.fn().mockResolvedValue(undefined),
-        };
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-
-        await service.signup(signupDto);
-
-        expect(mockConfig.hooks!.afterSignup).toHaveBeenCalled();
-      });
-    });
-
-    describe('Signup disabled', () => {
-      it('should throw NAuthException if signup is disabled', async () => {
-        mockConfig.signup!.enabled = false;
-
-        try {
-          await service.signup(signupDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.SIGNUP_DISABLED);
-        }
-      });
-    });
-
-    describe('Database constraint violations', () => {
-      it('should handle PostgreSQL unique constraint violation for email', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        const dbError = {
-          code: '23505',
-          detail: 'Key (email)=(newuser@example.com) already exists.',
-          message: 'duplicate key value violates unique constraint',
-        };
-        mockUserRepository.save.mockRejectedValue(dbError);
-
-        try {
-          await service.signup(signupDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.EMAIL_EXISTS);
-        }
-      });
-
-      it('should handle PostgreSQL unique constraint violation for username', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        const dbError = {
-          code: '23505',
-          detail: 'Key (username)=(newuser) already exists.',
-          message: 'duplicate key value violates unique constraint',
-        };
-        mockUserRepository.save.mockRejectedValue(dbError);
-
-        try {
-          await service.signup(signupDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.USERNAME_EXISTS);
-        }
-      });
-
-      it('should handle PostgreSQL unique constraint violation for phone', async () => {
-        const signupDtoWithPhone: SignupDTO = {
-          ...signupDto,
-          phone: '+1234567890',
-        };
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        const dbError = {
-          code: '23505',
-          detail: 'Key (phone)=(+1234567890) already exists.',
-          message: 'duplicate key value violates unique constraint',
-        };
-        mockUserRepository.save.mockRejectedValue(dbError);
-
-        try {
-          await service.signup(signupDtoWithPhone);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.PHONE_EXISTS);
-        }
-      });
-    });
-
-    describe('Audit logging', () => {
-      it('should record ACCOUNT_CREATED audit event on successful signup', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-
-        await service.signup(signupDto);
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            userId: mockUser.id,
-            eventType: AuthAuditEventType.ACCOUNT_CREATED,
-            eventStatus: 'INFO',
-            authMethod: 'password',
-          }),
-        );
-      });
-
-      it('should handle audit logging errors gracefully', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-        mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-        const result = await service.signup(signupDto);
-
-        // Should still succeed despite audit error
-        expect(result.user).toBeDefined();
-        expect(mockLogger.error).toHaveBeenCalled();
-      });
-    });
-
-    describe('Optional fields', () => {
-      it('should handle signup without username', async () => {
-        const signupDtoNoUsername: SignupDTO = {
-          email: 'newuser@example.com',
-          password: 'SecurePassword123!',
-        };
-
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-
-        await service.signup(signupDtoNoUsername);
-
-        expect(mockUserRepository.findOne).not.toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            where: (expect as any).objectContaining({ username: (expect as any).anything() }),
-          }),
-        );
-      });
-
-      it('should handle signup with firstName and lastName', async () => {
-        const signupDtoWithName: SignupDTO = {
-          ...signupDto,
-          firstName: 'John',
-          lastName: 'Doe',
-        };
-
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-
-        await service.signup(signupDtoWithName);
-
-        expect(mockUserRepository.create).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            firstName: 'John',
-            lastName: 'Doe',
-          }),
-        );
-      });
-
-      it('should handle signup with metadata', async () => {
-        const signupDtoWithMetadata: SignupDTO = {
-          ...signupDto,
-          metadata: { customField: 'value' },
-        };
-
-        mockUserRepository.findOne.mockResolvedValue(null);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('hashed-password');
-        mockUserRepository.create.mockReturnValue(mockUser as any);
-        mockUserRepository.save.mockResolvedValue(mockUser as any);
-
-        await service.signup(signupDtoWithMetadata);
-
-        expect(mockUserRepository.create).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            metadata: { customField: 'value' },
-          }),
-        );
-      });
-    });
-  });
-
-  // ============================================================================
-  // login Tests
-  // ============================================================================
-
-  describe('login()', () => {
-    const loginDto: LoginDTO = {
-      identifier: 'test@example.com',
-      password: 'SecurePassword123!',
-    };
-
-    beforeEach(() => {
-      mockChallengeHelper.determineAuthResponse.mockResolvedValue({
-        accessToken: 'access-token',
-        refreshToken: 'refresh-token',
-        accessTokenExpiresAt: Math.floor(Date.now() / 1000) + 900,
-        refreshTokenExpiresAt: Math.floor(Date.now() / 1000) + 604800,
-        user: {
-          sub: mockUser.sub,
-          email: mockUser.email,
-          isEmailVerified: true,
-          isPhoneVerified: false,
-        },
-      });
-    });
-
-    describe('Successful login', () => {
-      beforeEach(() => {
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockAccountLockoutStorage.resetFailedAttempts.mockResolvedValue(undefined);
-        mockJwtService.generateTokenFamily.mockReturnValue('family-abc');
-        mockJwtService.generateTokenPair.mockResolvedValue({
-          accessToken: 'access-token',
-          refreshToken: 'refresh-token',
-          expiresIn: 900,
-        });
-        mockJwtService.hashToken.mockReturnValue('token-hash');
-        mockJwtService.validateAccessToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 900 },
-        } as any);
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 604800 },
-        } as any);
-        mockSessionService.createSessionAtomic.mockResolvedValue({
-          session: mockSession,
-          extra: {
-            accessToken: 'access-token',
-            refreshToken: 'refresh-token',
-          },
-        } as any);
-        mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-      });
-
-      it('should login user successfully and return tokens', async () => {
-        const result = await service.login(loginDto);
-
-        expect(result.user).toBeDefined();
-        expect(result.accessToken).toBe('access-token');
-        expect(result.refreshToken).toBe('refresh-token');
-        expect(mockPasswordService.verifyPassword).toHaveBeenCalledWith(loginDto.password, mockUser.passwordHash!);
-        expect(mockSessionService.createSessionAtomic).toHaveBeenCalled();
-        expect(mockAccountLockoutStorage.resetFailedAttempts).toHaveBeenCalled();
-      });
-
-      it('should update user lastLoginAt and lastLoginIp on successful login', async () => {
-        await service.login(loginDto);
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            lastLoginAt: (expect as any).any(Date),
-            lastLoginIp: mockClientInfo.ipAddress!,
-            failedLoginAttempts: 0,
-          }),
-        );
-      });
-
-      it('should record successful login attempt', async () => {
-        await service.login(loginDto);
-
-        expect(mockLoginAttemptRepository.create).toHaveBeenCalled();
-        expect(mockLoginAttemptRepository.save).toHaveBeenCalled();
-      });
-
-      it('should reset failed login attempts on successful login', async () => {
-        await service.login(loginDto);
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            failedLoginAttempts: 0,
-          }),
-        );
-      });
-
-      it('should record LOGIN_SUCCESS audit event', async () => {
-        await service.login(loginDto);
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            userId: mockUser.id,
-            eventType: AuthAuditEventType.LOGIN_SUCCESS,
-            eventStatus: 'SUCCESS',
-            authMethod: 'password',
-          }),
-        );
-      });
-
-      it('should execute afterLogin hook on successful login', async () => {
-        mockConfig.hooks = {
-          afterLogin: jest.fn().mockResolvedValue(undefined),
-        };
-
-        await service.login(loginDto);
-
-        expect(mockConfig.hooks!.afterLogin).toHaveBeenCalledWith(mockUser, mockSession);
-      });
-    });
-
-    describe('User lookup by identifier', () => {
-      it('should find user by email', async () => {
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockAccountLockoutStorage.resetFailedAttempts.mockResolvedValue(undefined);
-        mockJwtService.generateTokenFamily.mockReturnValue('family-abc');
-        mockJwtService.generateTokenPair.mockResolvedValue({
-          accessToken: 'access-token',
-          refreshToken: 'refresh-token',
-          expiresIn: 900,
-        });
-        mockJwtService.hashToken.mockReturnValue('token-hash');
-        mockJwtService.validateAccessToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 900 },
-        } as any);
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 604800 },
-        } as any);
-        mockSessionService.createSessionAtomic.mockResolvedValue({
-          session: mockSession,
-          extra: {
-            accessToken: 'access-token',
-            refreshToken: 'refresh-token',
-          },
-        } as any);
-        mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        await service.login({ identifier: 'test@example.com', password: 'password' });
-
-        expect(queryBuilder.where).toHaveBeenCalledWith('user.email = :identifier', { identifier: 'test@example.com' });
-      });
-
-      it('should find user by username when identifierType is email_or_username', async () => {
-        mockConfig.login!.identifierType = 'email_or_username';
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockAccountLockoutStorage.resetFailedAttempts.mockResolvedValue(undefined);
-        mockJwtService.generateTokenFamily.mockReturnValue('family-abc');
-        mockJwtService.generateTokenPair.mockResolvedValue({
-          accessToken: 'access-token',
-          refreshToken: 'refresh-token',
-          expiresIn: 900,
-        });
-        mockJwtService.hashToken.mockReturnValue('token-hash');
-        mockJwtService.validateAccessToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 900 },
-        } as any);
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 604800 },
-        } as any);
-        mockSessionService.createSessionAtomic.mockResolvedValue({
-          session: mockSession,
-          extra: {
-            accessToken: 'access-token',
-            refreshToken: 'refresh-token',
-          },
-        } as any);
-        mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        await service.login({ identifier: 'testuser', password: 'password' });
-
-        expect(queryBuilder.where).toHaveBeenCalled();
-        expect(queryBuilder.orWhere).toHaveBeenCalled();
-      });
-
-      it('should throw NAuthException when identifierType is email but username provided', async () => {
-        mockConfig.login!.identifierType = 'email';
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(null),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockAccountLockoutStorage.recordFailedAttempt.mockResolvedValue(1);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login({ identifier: 'testuser', password: 'password' });
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.INVALID_CREDENTIALS);
-        }
-      });
-    });
-
-    describe('IP-based lockout', () => {
-      it('should throw NAuthException if IP address is locked', async () => {
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(true);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login(loginDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.RATE_LIMIT_LOGIN);
-        }
-      });
-
-      it('should record LOGIN_BLOCKED audit event when IP is locked', async () => {
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(true);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login(loginDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          // Expected to throw
-        }
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            eventType: AuthAuditEventType.LOGIN_BLOCKED,
-            eventStatus: 'FAILURE',
-            reason: 'ip_locked',
-          }),
-        );
-      });
-
-      it('should reset IP-based failed attempts on successful login when resetOnSuccess is true', async () => {
-        mockConfig.lockout!.resetOnSuccess = true;
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockAccountLockoutStorage.resetFailedAttempts.mockResolvedValue(undefined);
-        mockJwtService.generateTokenFamily.mockReturnValue('family-abc');
-        mockJwtService.generateTokenPair.mockResolvedValue({
-          accessToken: 'access-token',
-          refreshToken: 'refresh-token',
-          expiresIn: 900,
-        });
-        mockJwtService.hashToken.mockReturnValue('token-hash');
-        mockJwtService.validateAccessToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 900 },
-        } as any);
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 604800 },
-        } as any);
-        mockSessionService.createSessionAtomic.mockResolvedValue({
-          session: mockSession,
-          extra: {
-            accessToken: 'access-token',
-            refreshToken: 'refresh-token',
-          },
-        } as any);
-        mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        await service.login(loginDto);
-
-        expect(mockAccountLockoutStorage.resetFailedAttempts).toHaveBeenCalledWith(mockClientInfo.ipAddress);
-      });
-    });
-
-    describe('Invalid credentials', () => {
-      it('should throw NAuthException if user not found (constant-time response)', async () => {
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(null),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        // Password verification still called with dummy hash (constant-time)
-        mockPasswordService.verifyPassword.mockResolvedValue(false);
-        mockAccountLockoutStorage.recordFailedAttempt.mockResolvedValue(1);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login(loginDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.INVALID_CREDENTIALS);
-        }
-        // Verify password was still called (constant-time protection)
-        expect(mockPasswordService.verifyPassword).toHaveBeenCalled();
-      });
-
-      it('should throw NAuthException if password is invalid', async () => {
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(false);
-        mockAccountLockoutStorage.recordFailedAttempt.mockResolvedValue(1);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login(loginDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.INVALID_CREDENTIALS);
-        }
-        expect(mockAccountLockoutStorage.recordFailedAttempt).toHaveBeenCalled();
-      });
-
-      it('should record failed login attempt for invalid credentials', async () => {
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(false);
-        mockAccountLockoutStorage.recordFailedAttempt.mockResolvedValue(1);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login(loginDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          // Expected
-        }
-
-        expect(mockLoginAttemptRepository.create).toHaveBeenCalled();
-        expect(mockLoginAttemptRepository.save).toHaveBeenCalled();
-      });
-
-      it('should record LOGIN_FAILED audit event for invalid credentials', async () => {
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(false);
-        mockAccountLockoutStorage.recordFailedAttempt.mockResolvedValue(1);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login(loginDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          // Expected
-        }
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            userId: mockUser.id,
-            eventType: AuthAuditEventType.LOGIN_FAILED,
-            eventStatus: 'FAILURE',
-            reason: 'invalid_credentials',
-          }),
-        );
-      });
-
-      it('should provide helpful error for social-only users', async () => {
-        const socialUser = { ...mockUser, passwordHash: null, socialProviders: ['google'] };
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(socialUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(false);
-        mockAccountLockoutStorage.recordFailedAttempt.mockResolvedValue(1);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login(loginDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.INVALID_CREDENTIALS);
-          expect(error.message).toContain('Google');
-        }
-      });
-
-      it('should execute afterLoginFailed hook on failed login', async () => {
-        mockConfig.hooks = {
-          afterLoginFailed: jest.fn().mockResolvedValue(undefined),
-        };
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(false);
-        mockAccountLockoutStorage.recordFailedAttempt.mockResolvedValue(1);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login(loginDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          // Expected
-        }
-
-        expect(mockConfig.hooks!.afterLoginFailed).toHaveBeenCalledWith(loginDto.identifier, 'invalid_credentials');
-      });
-    });
-
-    describe('Account status checks', () => {
-      it('should throw NAuthException if account is inactive', async () => {
-        const inactiveUser = { ...mockUser, isActive: false };
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(inactiveUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login(loginDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.ACCOUNT_INACTIVE);
-        }
-      });
-
-      it('should record LOGIN_BLOCKED audit event when account is inactive', async () => {
-        const inactiveUser = { ...mockUser, isActive: false };
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(inactiveUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login(loginDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          // Expected
-        }
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            eventType: AuthAuditEventType.LOGIN_BLOCKED,
-            eventStatus: 'FAILURE',
-            reason: 'account_inactive',
-          }),
-        );
-      });
-    });
-
-    describe('Lifecycle hooks', () => {
-      it('should execute beforeLogin hook and reject if returns false', async () => {
-        mockConfig.hooks = {
-          beforeLogin: jest.fn().mockResolvedValue(false),
-        };
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        try {
-          await service.login(loginDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.FORBIDDEN);
-          expect(mockConfig.hooks!.beforeLogin).toHaveBeenCalledWith(loginDto.identifier);
-        }
-      });
-
-      it('should allow login if beforeLogin hook returns true', async () => {
-        mockConfig.hooks = {
-          beforeLogin: jest.fn().mockResolvedValue(true),
-        };
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockAccountLockoutStorage.resetFailedAttempts.mockResolvedValue(undefined);
-        mockJwtService.generateTokenFamily.mockReturnValue('family-abc');
-        mockJwtService.generateTokenPair.mockResolvedValue({
-          accessToken: 'access-token',
-          refreshToken: 'refresh-token',
-          expiresIn: 900,
-        });
-        mockJwtService.hashToken.mockReturnValue('token-hash');
-        mockJwtService.validateAccessToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 900 },
-        } as any);
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 604800 },
-        } as any);
-        mockSessionService.createSessionAtomic.mockResolvedValue({
-          session: mockSession,
-          extra: {
-            accessToken: 'access-token',
-            refreshToken: 'refresh-token',
-          },
-        } as any);
-        mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        await service.login(loginDto);
-
-        expect(mockConfig.hooks!.beforeLogin).toHaveBeenCalled();
-        expect(mockSessionService.createSessionAtomic).toHaveBeenCalled();
-      });
-    });
-
-    describe('Challenge system', () => {
-      it('should return VERIFY_EMAIL challenge when email not verified', async () => {
-        const unverifiedUser = { ...mockUser, isEmailVerified: false };
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(unverifiedUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockChallengeHelper.determineAuthResponse.mockResolvedValue({
-          challengeName: AuthChallenge.VERIFY_EMAIL,
-          session: 'challenge-session',
-          challengeParameters: {
-            email: unverifiedUser.email,
-          },
-        });
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        const result = await service.login(loginDto);
-
-        expect(result.challengeName).toBe(AuthChallenge.VERIFY_EMAIL);
-        expect(result.accessToken).toBeUndefined();
-      });
-
-      it('should return FORCE_CHANGE_PASSWORD challenge when mustChangePassword is true', async () => {
-        const userWithMustChange = { ...mockUser, mustChangePassword: true };
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(userWithMustChange),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockChallengeHelper.determineAuthResponse.mockResolvedValue({
-          challengeName: AuthChallenge.FORCE_CHANGE_PASSWORD,
-          session: 'challenge-session',
-          challengeParameters: {
-            instructions: 'You must change your password',
-          },
-        });
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        const result = await service.login(loginDto);
-
-        expect(result.challengeName).toBe(AuthChallenge.FORCE_CHANGE_PASSWORD);
-      });
-
-      it('should return MFA_REQUIRED challenge when MFA is required', async () => {
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockChallengeHelper.determineAuthResponse.mockResolvedValue({
-          challengeName: AuthChallenge.MFA_REQUIRED,
-          session: 'mfa-session',
-          challengeParameters: {},
-        });
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        const result = await service.login(loginDto);
-
-        expect(result.challengeName).toBe(AuthChallenge.MFA_REQUIRED);
-      });
-
-      it('should handle password expiry and force password change', async () => {
-        mockConfig.password!.expiryDays = 90;
-        const userWithExpiredPassword = {
-          ...mockUser,
-          passwordChangedAt: new Date(Date.now() - 91 * 24 * 60 * 60 * 1000), // 91 days ago
-        };
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(userWithExpiredPassword),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-        mockChallengeHelper.determineAuthResponse.mockResolvedValue({
-          challengeName: AuthChallenge.FORCE_CHANGE_PASSWORD,
-          session: 'challenge-session',
-          challengeParameters: {},
-        });
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        const result = await service.login(loginDto);
-
-        expect(result.challengeName).toBe(AuthChallenge.FORCE_CHANGE_PASSWORD);
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          userWithExpiredPassword.id,
-          (expect as any).objectContaining({
-            mustChangePassword: true,
-          }),
-        );
-      });
-    });
-
-    describe('Single session mode', () => {
-      it('should revoke other sessions when disallowMultipleSessions is enabled', async () => {
-        mockConfig.session!.disallowMultipleSessions = true;
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockAccountLockoutStorage.resetFailedAttempts.mockResolvedValue(undefined);
-        mockSessionService.revokeAllUserSessions.mockResolvedValue(2);
-        mockJwtService.generateTokenFamily.mockReturnValue('family-abc');
-        mockJwtService.generateTokenPair.mockResolvedValue({
-          accessToken: 'access-token',
-          refreshToken: 'refresh-token',
-          expiresIn: 900,
-        });
-        mockJwtService.hashToken.mockReturnValue('token-hash');
-        mockJwtService.validateAccessToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 900 },
-        } as any);
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 604800 },
-        } as any);
-        mockSessionService.createSessionAtomic.mockResolvedValue({
-          session: mockSession,
-          extra: {
-            accessToken: 'access-token',
-            refreshToken: 'refresh-token',
-          },
-        } as any);
-        mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        await service.login(loginDto);
-
-        expect(mockSessionService.revokeAllUserSessions).toHaveBeenCalledWith(mockUser.id, 'Login from new session');
-      });
-    });
-
-    describe('Trusted device management', () => {
-      it('should check if device is already trusted', async () => {
-        mockConfig.mfa = {
-          rememberDevices: 'always',
-          rememberDeviceDays: 30,
-        };
-        mockClientInfo.deviceToken = 'existing-device-token';
-        mockTrustedDeviceService.isDeviceTrusted.mockResolvedValue(true);
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockAccountLockoutStorage.resetFailedAttempts.mockResolvedValue(undefined);
-        mockJwtService.generateTokenFamily.mockReturnValue('family-abc');
-        mockJwtService.generateTokenPair.mockResolvedValue({
-          accessToken: 'access-token',
-          refreshToken: 'refresh-token',
-          expiresIn: 900,
-        });
-        mockJwtService.hashToken.mockReturnValue('token-hash');
-        mockJwtService.validateAccessToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 900 },
-        } as any);
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 604800 },
-        } as any);
-        mockSessionService.createSessionAtomic.mockResolvedValue({
-          session: mockSession,
-          extra: {
-            accessToken: 'access-token',
-            refreshToken: 'refresh-token',
-          },
-        } as any);
-        mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        const result = await service.login(loginDto);
-
-        expect(mockTrustedDeviceService.isDeviceTrusted).toHaveBeenCalledWith('existing-device-token', mockUser.id);
-        expect(result.trusted).toBe(true);
-      });
-
-      it('should auto-create trusted device when rememberDevices is always', async () => {
-        mockConfig.mfa = {
-          rememberDevices: 'always',
-          rememberDeviceDays: 30,
-        };
-        mockTrustedDeviceService.isDeviceTrusted.mockResolvedValue(false);
-        mockTrustedDeviceService.createTrustedDevice.mockResolvedValue('new-device-token');
-        const queryBuilder = {
-          where: jest.fn().mockReturnThis(),
-          orWhere: jest.fn().mockReturnThis(),
-          select: jest.fn().mockReturnThis(),
-          getOne: jest.fn().mockResolvedValue(mockUser),
-        };
-        mockUserRepository.createQueryBuilder.mockReturnValue(queryBuilder as any);
-        mockAccountLockoutStorage.isAccountLocked.mockResolvedValue(false);
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockAccountLockoutStorage.resetFailedAttempts.mockResolvedValue(undefined);
-        mockJwtService.generateTokenFamily.mockReturnValue('family-abc');
-        mockJwtService.generateTokenPair.mockResolvedValue({
-          accessToken: 'access-token',
-          refreshToken: 'refresh-token',
-          expiresIn: 900,
-        });
-        mockJwtService.hashToken.mockReturnValue('token-hash');
-        mockJwtService.validateAccessToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 900 },
-        } as any);
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: Math.floor(Date.now() / 1000) + 604800 },
-        } as any);
-        mockSessionService.createSessionAtomic.mockResolvedValue({
-          session: mockSession,
-          extra: {
-            accessToken: 'access-token',
-            refreshToken: 'refresh-token',
-          },
-        } as any);
-        mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-        mockLoginAttemptRepository.create.mockReturnValue({} as any);
-        mockLoginAttemptRepository.save.mockResolvedValue({} as any);
-
-        const result = await service.login(loginDto);
-
-        expect(mockTrustedDeviceService.createTrustedDevice).toHaveBeenCalled();
-        expect(result.deviceToken).toBe('new-device-token');
-        expect(result.trusted).toBe(true);
-      });
-    });
-  });
-
-  // ============================================================================
-  // refreshToken Tests
-  // ============================================================================
-
-  describe('refreshToken()', () => {
-    const mockRefreshToken = 'refresh-token-123';
-    const mockTokenHash = 'token-hash-123';
-    const mockPayload = {
-      sub: mockUser.sub,
-      email: mockUser.email,
-      type: 'refresh' as const,
-      sessionId: '1',
-      tokenFamily: 'family-abc',
-      iat: Math.floor(Date.now() / 1000),
-      exp: Math.floor(Date.now() / 1000) + 3600,
-    };
-
-    beforeEach(() => {
-      mockJwtService.hashToken.mockReturnValue(mockTokenHash);
-      mockJwtService.validateRefreshToken.mockResolvedValue({
-        valid: true,
-        payload: mockPayload,
-      } as any);
-      mockJwtService.validateAccessToken.mockResolvedValue({
-        valid: true,
-        payload: { exp: Math.floor(Date.now() / 1000) + 900 },
-      } as any);
-      mockSessionService.findByRefreshToken.mockResolvedValue(mockSession);
-      mockSessionService.findByIdLight.mockResolvedValue(mockSession);
-      mockSessionService.acquireRefreshLock.mockResolvedValue(true);
-      mockSessionService.isRefreshTokenUsed.mockResolvedValue(false);
-      mockSessionService.markRefreshTokenAsUsed.mockResolvedValue(true);
-      mockJwtService.generateTokenPair.mockResolvedValue({
-        accessToken: 'new-access-token',
-        refreshToken: 'new-refresh-token',
-        expiresIn: 900,
-      });
-      mockJwtService.decodeToken.mockReturnValue(mockPayload as any);
-      mockSessionService.updateTokens.mockResolvedValue(undefined);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-    });
-
-    describe('Successful token refresh', () => {
-      it('should refresh tokens successfully', async () => {
-        const result = await service.refreshToken(mockRefreshToken);
-
-        expect(result.accessToken).toBe('new-access-token');
-        expect(result.refreshToken).toBe('new-refresh-token');
-        expect(mockJwtService.hashToken).toHaveBeenCalledWith(mockRefreshToken);
-        expect(mockSessionService.findByRefreshToken).toHaveBeenCalledWith(mockTokenHash);
-        expect(mockSessionService.acquireRefreshLock).toHaveBeenCalled();
-        expect(mockJwtService.validateRefreshToken).toHaveBeenCalledWith(mockRefreshToken);
-        expect(mockSessionService.updateTokens).toHaveBeenCalled();
-      });
-
-      it('should acquire distributed lock before validation', async () => {
-        await service.refreshToken(mockRefreshToken);
-
-        const lockCall = mockSessionService.acquireRefreshLock.mock.calls[0];
-        expect(lockCall[0]).toContain('session-refresh:');
-        expect(lockCall[0]).toContain(mockSession.id.toString());
-      });
-
-      it('should mark refresh token as used when reuseDetection is enabled', async () => {
-        mockConfig.jwt.refreshToken.reuseDetection = true;
-
-        await service.refreshToken(mockRefreshToken);
-
-        expect(mockSessionService.markRefreshTokenAsUsed).toHaveBeenCalledWith(
-          mockTokenHash,
-          mockJwtService.getRefreshTokenTTL(),
-        );
-      });
-
-      it('should not mark token as used when reuseDetection is disabled', async () => {
-        mockConfig.jwt.refreshToken.reuseDetection = false;
-
-        await service.refreshToken(mockRefreshToken);
-
-        expect(mockSessionService.markRefreshTokenAsUsed).not.toHaveBeenCalled();
-      });
-
-      it('should rotate refresh token (generate new token pair)', async () => {
-        await service.refreshToken(mockRefreshToken);
-
-        expect(mockJwtService.generateTokenPair).toHaveBeenCalledWith({
-          userId: mockUser.sub,
-          email: mockUser.email,
-          sessionId: mockSession.id.toString(),
-          tokenFamily: mockSession.tokenFamily,
-        });
-      });
-
-      it('should update session with new token hashes', async () => {
-        mockJwtService.hashToken
-          .mockReturnValueOnce(mockTokenHash) // For initial hash
-          .mockReturnValueOnce('new-access-hash')
-          .mockReturnValueOnce('new-refresh-hash');
-
-        await service.refreshToken(mockRefreshToken);
-
-        expect(mockSessionService.updateTokens).toHaveBeenCalledWith(
-          mockSession.id,
-          'new-access-hash',
-          'new-refresh-hash',
-        );
-      });
-
-      it('should return token expiry times', async () => {
-        const accessExp = Math.floor(Date.now() / 1000) + 900;
-        const refreshExp = Math.floor(Date.now() / 1000) + 604800;
-        mockJwtService.validateAccessToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: accessExp },
-        } as any);
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: true,
-          payload: { exp: refreshExp },
-        } as any);
-
-        const result = await service.refreshToken(mockRefreshToken);
-
-        expect(result.accessTokenExpiresAt).toBe(accessExp);
-        expect(result.refreshTokenExpiresAt).toBe(refreshExp);
-      });
-
-      it('should release lock after successful refresh', async () => {
-        await service.refreshToken(mockRefreshToken);
-
-        expect(mockSessionService.releaseRefreshLock).toHaveBeenCalled();
-      });
-    });
-
-    describe('Invalid token handling', () => {
-      it('should throw NAuthException if refresh token is invalid', async () => {
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: false,
-          payload: undefined,
-        } as any);
-
-        try {
-          await service.refreshToken('invalid-token');
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.TOKEN_INVALID);
-        }
-      });
-
-      it('should throw NAuthException if session not found', async () => {
-        mockSessionService.findByRefreshToken.mockResolvedValue(null);
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.SESSION_NOT_FOUND);
-        }
-      });
-
-      it('should throw NAuthException if session is revoked', async () => {
-        const revokedSession = { ...mockSession, isRevoked: true };
-        mockSessionService.findByRefreshToken.mockResolvedValue(revokedSession);
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.SESSION_NOT_FOUND);
-        }
-      });
-
-      it('should throw NAuthException if session changed after lock acquisition', async () => {
-        mockSessionService.findByIdLight.mockResolvedValue(null);
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.SESSION_NOT_FOUND);
-        }
-      });
-    });
-
-    describe('Distributed locking', () => {
-      it('should throw NAuthException if lock cannot be acquired', async () => {
-        mockSessionService.acquireRefreshLock.mockResolvedValue(false);
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.RATE_LIMIT_LOGIN);
-        }
-      });
-
-      it('should release lock even if validation fails', async () => {
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: false,
-          payload: undefined,
-        } as any);
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          // Expected
-        }
-
-        expect(mockSessionService.releaseRefreshLock).toHaveBeenCalled();
-      });
-
-      it('should release lock even if token generation fails', async () => {
-        mockJwtService.generateTokenPair.mockRejectedValue(new Error('Token generation failed'));
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown Error');
-        } catch (error: any) {
-          // Expected
-        }
-
-        expect(mockSessionService.releaseRefreshLock).toHaveBeenCalled();
-      });
-    });
-
-    describe('Token reuse detection', () => {
-      it('should detect token reuse via atomic mark failure and audit the event', async () => {
-        mockConfig.jwt.refreshToken.reuseDetection = true;
-        // First check passes (token not yet marked)
-        mockSessionService.isRefreshTokenUsed.mockResolvedValue(false);
-        // But atomic mark fails (token was already used by another request)
-        mockSessionService.markRefreshTokenAsUsed.mockResolvedValue(false);
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.TOKEN_INVALID);
-        }
-
-        // Should audit the reuse attempt
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            eventType: AuthAuditEventType.SUSPICIOUS_ACTIVITY,
-            riskFactors: (expect as any).arrayContaining([RiskFactor.TOKEN_REUSE_ATTEMPT]),
-          }),
-        );
-      });
-
-      it('should handle cookie race condition (same session, token already used)', async () => {
-        mockConfig.jwt.refreshToken.reuseDetection = true;
-        mockSessionService.isRefreshTokenUsed.mockResolvedValue(true);
-        // Token's sessionId matches the session we found (cookie race)
-        mockJwtService.decodeToken.mockReturnValue({
-          ...mockPayload,
-          sessionId: mockSession.id.toString(),
-        } as any);
-
-        const result = await service.refreshToken(mockRefreshToken);
-
-        // Should return current tokens (not throw error)
-        expect(result.accessToken).toBeDefined();
-        expect(result.refreshToken).toBeDefined();
-      });
-
-      it('should detect attack when token reused from different session', async () => {
-        mockConfig.jwt.refreshToken.reuseDetection = true;
-        mockSessionService.isRefreshTokenUsed.mockResolvedValue(true);
-        // Token's sessionId doesn't match the session we found (attack!)
-        mockJwtService.decodeToken.mockReturnValue({
-          ...mockPayload,
-          sessionId: '999', // Different session ID
-        } as any);
-        mockSessionService.revokeSession.mockResolvedValue(undefined);
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.TOKEN_INVALID);
-        }
-
-        expect(mockSessionService.revokeSession).toHaveBeenCalledWith(
-          mockSession.id,
-          'Token reuse detected - possible token theft',
-        );
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            eventType: AuthAuditEventType.SUSPICIOUS_ACTIVITY,
-            eventStatus: 'SUSPICIOUS',
-            riskFactors: (expect as any).arrayContaining([RiskFactor.TOKEN_THEFT_ATTEMPT]),
-          }),
-        );
-      });
-
-      it('should throw NAuthException if atomic mark fails (reuse detected)', async () => {
-        mockConfig.jwt.refreshToken.reuseDetection = true;
-        mockSessionService.markRefreshTokenAsUsed.mockResolvedValue(false);
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.TOKEN_INVALID);
-        }
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            eventType: AuthAuditEventType.SUSPICIOUS_ACTIVITY,
-            riskFactors: (expect as any).arrayContaining([RiskFactor.TOKEN_REUSE_ATTEMPT]),
-          }),
-        );
-      });
-    });
-
-    describe('Token family management', () => {
-      it('should use same token family for rotated tokens', async () => {
-        await service.refreshToken(mockRefreshToken);
-
-        expect(mockJwtService.generateTokenPair).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            tokenFamily: mockSession.tokenFamily,
-          }),
-        );
-      });
-
-      it('should audit token reuse attempt when atomic mark fails', async () => {
-        mockConfig.jwt.refreshToken.reuseDetection = true;
-        mockSessionService.isRefreshTokenUsed.mockResolvedValue(false);
-        mockSessionService.markRefreshTokenAsUsed.mockResolvedValue(false);
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          // Expected
-        }
-
-        // Should audit the reuse attempt
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            eventType: AuthAuditEventType.SUSPICIOUS_ACTIVITY,
-            riskFactors: (expect as any).arrayContaining([RiskFactor.TOKEN_REUSE_ATTEMPT]),
-          }),
-        );
-      });
-    });
-
-    describe('Error handling', () => {
-      it('should handle user not found in cookie race scenario', async () => {
-        // Cookie race scenario - token already used for same session
-        mockConfig.jwt.refreshToken.reuseDetection = true;
-        mockSessionService.isRefreshTokenUsed.mockResolvedValue(true);
-        mockJwtService.decodeToken.mockReturnValue({
-          ...mockPayload,
-          sessionId: mockSession.id.toString(),
-        } as any);
-        mockUserRepository.findOne.mockResolvedValue(null);
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.NOT_FOUND);
-        }
-      });
-
-      it('should handle audit logging errors gracefully in cookie race scenario', async () => {
-        // Cookie race scenario where audit fails
-        mockConfig.jwt.refreshToken.reuseDetection = true;
-        mockSessionService.isRefreshTokenUsed.mockResolvedValue(true);
-        mockJwtService.decodeToken.mockReturnValue({
-          ...mockPayload,
-          sessionId: mockSession.id.toString(),
-        } as any);
-        mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-        const result = await service.refreshToken(mockRefreshToken);
-
-        // Should still succeed despite audit error
-        expect(result.accessToken).toBeDefined();
-      });
-    });
-
-    describe('Edge cases', () => {
-      it('should handle missing expiry in token payload', async () => {
-        mockJwtService.validateAccessToken.mockResolvedValue({
-          valid: true,
-          payload: {},
-        } as any);
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: true,
-          payload: {},
-        } as any);
-
-        const result = await service.refreshToken(mockRefreshToken);
-
-        expect(result.accessTokenExpiresAt).toBe(0);
-        expect(result.refreshTokenExpiresAt).toBe(0);
-      });
-
-      it('should handle token validation returning undefined payload', async () => {
-        mockJwtService.validateRefreshToken.mockResolvedValue({
-          valid: false,
-          payload: undefined,
-        } as any);
-
-        try {
-          await service.refreshToken(mockRefreshToken);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-        }
-      });
-    });
-  });
-
-  // ============================================================================
-  // logout Tests
-  // ============================================================================
-
-  describe('logout()', () => {
-    const mockSub = 'user-123';
-    const mockSessionId = '1';
-
-    beforeEach(() => {
-      mockSessionService.revokeSession.mockResolvedValue(undefined);
-      mockSessionService.findById.mockResolvedValue(mockSession);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-    });
-
-    describe('Successful logout', () => {
-      it('should revoke session on logout', async () => {
-        await service.logout(mockSub, mockSessionId);
-
-        expect(mockSessionService.revokeSession).toHaveBeenCalledWith(mockSessionId, 'User logout', undefined);
-      });
-
-      it('should revoke session with audit metadata', async () => {
-        await service.logout(mockSub, mockSessionId, false);
-
-        expect(mockSessionService.revokeSession).toHaveBeenCalledWith(mockSessionId, 'User logout', undefined);
-      });
-
-      it('should complete logout successfully', async () => {
-        await service.logout(mockSub, mockSessionId);
-
-        expect(mockSessionService.revokeSession).toHaveBeenCalled();
-      });
-    });
-
-    describe('Forget device (forgetMe)', () => {
-      it('should revoke trusted device when forgetMe is true', async () => {
-        mockConfig.mfa = {
-          rememberDevices: 'always',
-          rememberDeviceDays: 30,
-        };
-        mockClientInfo.deviceToken = 'device-token-123';
-
-        await service.logout(mockSub, mockSessionId, true);
-
-        expect(mockSessionService.revokeSession).toHaveBeenCalledWith(
-          mockSessionId,
-          'User logout',
-          (expect as any).objectContaining({
-            deviceForgotten: true,
-            reason: 'User requested device to be forgotten on logout',
-          }),
-        );
-        expect(mockSessionService.findById).toHaveBeenCalledWith(parseInt(mockSessionId, 10));
-        expect(mockTrustedDeviceService.revokeTrustedDevice).toHaveBeenCalledWith(
-          mockClientInfo.deviceToken,
-          mockSession.userId,
-        );
-      });
-
-      it('should not revoke trusted device when forgetMe is false', async () => {
-        await service.logout(mockSub, mockSessionId, false);
-
-        expect(mockTrustedDeviceService.revokeTrustedDevice).not.toHaveBeenCalled();
-      });
-
-      it('should handle missing deviceToken gracefully when forgetMe is true', async () => {
-        mockConfig.mfa = {
-          rememberDevices: 'always',
-          rememberDeviceDays: 30,
-        };
-        mockClientInfo.deviceToken = undefined;
-
-        await service.logout(mockSub, mockSessionId, true);
-
-        // Should still revoke session, but not call revokeTrustedDevice
-        expect(mockSessionService.revokeSession).toHaveBeenCalled();
-        expect(mockTrustedDeviceService.revokeTrustedDevice).not.toHaveBeenCalled();
-      });
-
-      it('should record DEVICE_UNTRUSTED audit event when forgetMe is true', async () => {
-        mockConfig.mfa = {
-          rememberDevices: 'always',
-          rememberDeviceDays: 30,
-        };
-        mockClientInfo.deviceToken = 'device-token-123';
-
-        await service.logout(mockSub, mockSessionId, true);
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            eventType: AuthAuditEventType.DEVICE_UNTRUSTED,
-            eventStatus: 'SUCCESS',
-          }),
-        );
-      });
-    });
-
-    describe('Error handling', () => {
-      it('should handle session revocation errors gracefully', async () => {
-        mockSessionService.revokeSession.mockRejectedValue(new Error('Session not found'));
-
-        try {
-          await service.logout(mockSub, mockSessionId);
-          fail('Should have thrown Error');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(Error);
-        }
-      });
-
-      it('should handle trusted device removal errors gracefully', async () => {
-        mockConfig.mfa = {
-          rememberDevices: 'always',
-          rememberDeviceDays: 30,
-        };
-        mockClientInfo.deviceToken = 'device-token-123';
-        (mockTrustedDeviceService.revokeTrustedDevice as jest.Mock).mockRejectedValue(new Error('Device not found'));
-
-        // Should still complete logout even if device removal fails
-        await service.logout(mockSub, mockSessionId, true);
-
-        expect(mockSessionService.revokeSession).toHaveBeenCalled();
-        expect(mockLogger.debug).toHaveBeenCalled();
-      });
-
-      it('should handle audit logging errors gracefully when forgetMe is true', async () => {
-        mockConfig.mfa = {
-          rememberDevices: 'always',
-          rememberDeviceDays: 30,
-        };
-        mockClientInfo.deviceToken = 'device-token-123';
-        mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-        await service.logout(mockSub, mockSessionId, true);
-
-        // Should still complete logout despite audit error
-        expect(mockSessionService.revokeSession).toHaveBeenCalled();
-        expect(mockLogger.error).toHaveBeenCalled();
-      });
-    });
-  });
-
-  // ============================================================================
-  // logoutAll Tests
-  // ============================================================================
-
-  describe('logoutAll()', () => {
-    const mockSub = 'user-123';
-    const mockUserId = 1;
-
-    beforeEach(() => {
-      mockUserRepository.findOne.mockResolvedValue({ ...mockUser, id: mockUserId } as any);
-      mockSessionService.revokeAllUserSessions.mockResolvedValue(5);
-    });
-
-    describe('Successful logout all', () => {
-      it('should revoke all user sessions', async () => {
-        await service.logoutAll(mockSub);
-
-        expect(mockUserRepository.findOne).toHaveBeenCalledWith({
-          where: { sub: mockSub } as any,
-        });
-        expect(mockSessionService.revokeAllUserSessions).toHaveBeenCalledWith(mockUserId, 'Global signout');
-      });
-
-      it('should return number of revoked sessions', async () => {
-        const result = await service.logoutAll(mockSub);
-
-        expect(result).toBe(5);
-      });
-
-      it('should complete logoutAll successfully', async () => {
-        const result = await service.logoutAll(mockSub);
-
-        expect(result).toBe(5);
-        expect(mockSessionService.revokeAllUserSessions).toHaveBeenCalled();
-      });
-    });
-
-    describe('User not found', () => {
-      it('should throw NAuthException if user not found', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-
-        try {
-          await service.logoutAll(mockSub);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.NOT_FOUND);
-        }
-      });
-    });
-
-    describe('Error handling', () => {
-      it('should handle session revocation errors gracefully', async () => {
-        mockSessionService.revokeAllUserSessions.mockRejectedValue(new Error('Database error'));
-
-        try {
-          await service.logoutAll(mockSub);
-          fail('Should have thrown Error');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(Error);
-        }
-      });
-
-      it('should complete logoutAll even if errors occur', async () => {
-        // logoutAll doesn't directly record audit events, so this test just verifies it completes
-        const result = await service.logoutAll(mockSub);
-
-        expect(result).toBe(5);
-      });
-    });
-  });
-
-  // ============================================================================
-  // changePassword Tests
-  // ============================================================================
-
-  describe('changePassword()', () => {
-    const changePasswordDto = {
-      oldPassword: 'OldPassword123!',
-      newPassword: 'NewPassword456!',
-    };
-
-    beforeEach(() => {
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockPasswordService.verifyPassword.mockResolvedValue(true);
-      mockPasswordService.validatePassword.mockResolvedValue({ valid: true } as any);
-      mockPasswordService.isPasswordInHistory.mockResolvedValue(false);
-      mockPasswordService.hashPassword.mockResolvedValue('new-hashed-password');
-      mockPasswordService.addToHistory.mockReturnValue([]);
-      mockUserRepository.save.mockResolvedValue(mockUser as any);
-    });
-
-    describe('Successful password change', () => {
-      it('should change password successfully', async () => {
-        await service.changePassword(mockUser.sub, changePasswordDto);
-
-        expect(mockPasswordService.verifyPassword).toHaveBeenCalledWith(
-          changePasswordDto.oldPassword,
-          mockUser.passwordHash!,
-        );
-        expect(mockPasswordService.validatePassword).toHaveBeenCalledWith(changePasswordDto.newPassword, {
-          email: mockUser.email,
-          username: mockUser.username || undefined,
-        });
-        expect(mockPasswordService.hashPassword).toHaveBeenCalledWith(changePasswordDto.newPassword);
-        expect(mockUserRepository.save).toHaveBeenCalled();
-      });
-
-      it('should update password hash in database', async () => {
-        await service.changePassword(mockUser.sub, changePasswordDto);
-
-        expect(mockUserRepository.save).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            passwordHash: 'new-hashed-password',
-            passwordChangedAt: (expect as any).any(Date),
-            passwordHistory: (expect as any).any(Array),
-          }),
-        );
-      });
-
-      it('should add old password to history', async () => {
-        await service.changePassword(mockUser.sub, changePasswordDto);
-
-        expect(mockPasswordService.addToHistory).toHaveBeenCalledWith(
-          mockUser.passwordHistory || [],
-          mockUser.passwordHash!,
-        );
-        expect(mockSessionService.revokeAllUserSessions).toHaveBeenCalledWith(mockUser.id, 'Password changed');
-      });
-
-      it('should revoke all sessions after password change', async () => {
-        await service.changePassword(mockUser.sub, changePasswordDto);
-
-        expect(mockSessionService.revokeAllUserSessions).toHaveBeenCalledWith(mockUser.id, 'Password changed');
-      });
-
-      it('should record PASSWORD_CHANGED audit event', async () => {
-        await service.changePassword(mockUser.sub, changePasswordDto);
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            userId: mockUser.id,
-            eventType: AuthAuditEventType.PASSWORD_CHANGED,
-            eventStatus: 'SUCCESS',
-          }),
-        );
-      });
-    });
-
-    describe('Password validation', () => {
-      it('should throw NAuthException if current password is incorrect', async () => {
-        mockPasswordService.verifyPassword.mockResolvedValue(false);
-
-        try {
-          await service.changePassword(mockUser.sub, changePasswordDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.PASSWORD_INCORRECT);
-        }
-      });
-
-      it('should throw NAuthException if new password is invalid', async () => {
-        mockPasswordService.validatePassword.mockResolvedValue({
-          valid: false,
-          errors: ['Password too weak'],
-        } as any);
-
-        try {
-          await service.changePassword(mockUser.sub, changePasswordDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          // Password validation happens in handleForceChangePassword, which throws WEAK_PASSWORD
-          // But validation might happen earlier in validateChallengeParams
-          expect([AuthErrorCode.WEAK_PASSWORD, AuthErrorCode.VALIDATION_FAILED]).toContain(error.code);
-        }
-      });
-
-      it('should allow password change even if hash matches (service does not prevent same password)', async () => {
-        mockPasswordService.verifyPassword.mockResolvedValue(true);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true } as any);
-        // Simulate same password by making hash match - service doesn't prevent this
-        mockPasswordService.hashPassword.mockResolvedValue(mockUser.passwordHash!);
-
-        // Service doesn't check if new hash equals old hash, so this should succeed
-        await service.changePassword(mockUser.sub, changePasswordDto);
-
-        expect(mockUserRepository.update).toHaveBeenCalled();
-      });
-
-      it('should throw NAuthException if new password is in history', async () => {
-        mockPasswordService.isPasswordInHistory.mockResolvedValue(true);
-
-        try {
-          await service.changePassword(mockUser.sub, changePasswordDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.PASSWORD_REUSED);
-        }
-      });
-    });
-
-    describe('User not found', () => {
-      it('should throw NAuthException if user not found', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-
-        try {
-          await service.changePassword(mockUser.sub, changePasswordDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.NOT_FOUND);
-        }
-      });
-    });
-
-    describe('Social-only users', () => {
-      it('should throw NAuthException if user has no password (social-only)', async () => {
-        const socialUser = { ...mockUser, passwordHash: null };
-        mockUserRepository.findOne.mockResolvedValue(socialUser as any);
-
-        try {
-          await service.changePassword(mockUser.sub, changePasswordDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.NOT_FOUND);
-        }
-      });
-    });
-
-    describe('Password history management', () => {
-      it('should check password history when historyCount is configured', async () => {
-        mockConfig.password!.historyCount = 10;
-        const userWithHistory = { ...mockUser, passwordHistory: ['hash1', 'hash2'] };
-        mockUserRepository.findOne.mockResolvedValue(userWithHistory as any);
-
-        await service.changePassword(mockUser.sub, changePasswordDto);
-
-        expect(mockPasswordService.isPasswordInHistory).toHaveBeenCalledWith(
-          changePasswordDto.newPassword,
-          userWithHistory.passwordHistory,
-        );
-      });
-
-      it('should handle empty password history', async () => {
-        const userWithNoHistory = { ...mockUser, passwordHistory: [] };
-        mockUserRepository.findOne.mockResolvedValue(userWithNoHistory as any);
-
-        await service.changePassword(mockUser.sub, changePasswordDto);
-
-        expect(mockPasswordService.addToHistory).toHaveBeenCalledWith([], mockUser.passwordHash!);
-      });
-    });
-
-    describe('Error handling', () => {
-      it('should handle database update errors gracefully', async () => {
-        mockUserRepository.update.mockRejectedValue(new Error('Database error'));
-
-        try {
-          await service.changePassword(mockUser.sub, changePasswordDto);
-          fail('Should have thrown Error');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(Error);
-        }
-      });
-
-      it('should handle audit logging errors gracefully', async () => {
-        mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-        await service.changePassword(mockUser.sub, changePasswordDto);
-
-        // Should still complete password change despite audit error
-        expect(mockUserRepository.update).toHaveBeenCalled();
-        expect(mockLogger.error).toHaveBeenCalled();
-      });
-    });
-
-    describe('Edge cases', () => {
-      it('should handle null passwordHash gracefully', async () => {
-        const userWithNullHash = { ...mockUser, passwordHash: null };
-        mockUserRepository.findOne.mockResolvedValue(userWithNullHash as any);
-
-        try {
-          await service.changePassword(mockUser.sub, changePasswordDto);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-        }
-      });
-
-      it('should handle missing password history gracefully', async () => {
-        const userWithNoHistory = { ...mockUser, passwordHistory: null };
-        mockUserRepository.findOne.mockResolvedValue(userWithNoHistory as any);
-
-        await service.changePassword(mockUser.sub, changePasswordDto);
-
-        expect(mockPasswordService.addToHistory).toHaveBeenCalledWith([], mockUser.passwordHash!);
-      });
-    });
-  });
-
-  // ============================================================================
-  // updateUserAttributes Tests
-  // ============================================================================
-
-  describe('updateUserAttributes()', () => {
-    const updateData = {
-      firstName: 'Updated',
-      lastName: 'Name',
-      email: 'updated@example.com',
-    };
-
-    beforeEach(() => {
-      // Setup default mock chain: initial lookup, uniqueness checks, final fetch
-      mockUserRepository.findOne
-        .mockResolvedValueOnce(mockUser as any) // Initial user lookup
-        .mockResolvedValueOnce(null) // Email uniqueness check (if email in updateData)
-        .mockResolvedValueOnce(null) // Phone uniqueness check (if phone in updateData)
-        .mockResolvedValueOnce(null) // Username uniqueness check (if username in updateData)
-        .mockResolvedValueOnce({ ...mockUser, ...updateData } as any); // Final fetch after update (by id)
-      mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-    });
-
-    describe('Successful updates', () => {
-      it('should update user attributes successfully', async () => {
-        // Reset and setup mocks for this test
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any) // Initial lookup by sub
-          .mockResolvedValueOnce(null) // Email uniqueness check
-          .mockResolvedValueOnce({ ...mockUser, ...updateData } as any); // Final fetch by id
-
-        const result = await service.updateUserAttributes(mockUser.sub, updateData);
-
-        expect(mockUserRepository.findOne).toHaveBeenCalledWith({
-          where: { sub: mockUser.sub } as any,
-        });
-        expect(mockUserRepository.update).toHaveBeenCalled();
-        expect(result).toBeDefined();
-      });
-
-      it('should update firstName and lastName', async () => {
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any)
-          .mockResolvedValueOnce({ ...mockUser, firstName: 'John', lastName: 'Doe' } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          firstName: 'John',
-          lastName: 'Doe',
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            firstName: 'John',
-            lastName: 'Doe',
-          }),
-        );
-      });
-
-      it('should update username', async () => {
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any)
-          .mockResolvedValueOnce(null) // Username uniqueness check
-          .mockResolvedValueOnce({ ...mockUser, username: 'newusername' } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          username: 'newusername',
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            username: 'newusername',
-          }),
-        );
-      });
-
-      it('should update email and reset verification status', async () => {
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any)
-          .mockResolvedValueOnce(null) // Email uniqueness check
-          .mockResolvedValueOnce({ ...mockUser, email: 'newemail@example.com', isEmailVerified: false } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          email: 'newemail@example.com',
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            email: 'newemail@example.com',
-            isEmailVerified: false,
-          }),
-        );
-      });
-
-      it('should update phone and reset verification status', async () => {
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any)
-          .mockResolvedValueOnce(null) // Phone uniqueness check
-          .mockResolvedValueOnce({ ...mockUser, phone: '+1987654321', isPhoneVerified: false } as any);
-        mockMfaDeviceRepository.find.mockResolvedValue([]);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          phone: '+1987654321',
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            phone: '+1987654321',
-            isPhoneVerified: false,
-          }),
-        );
-      });
-
-      it('should retain verification status when retainVerification is true', async () => {
-        const verifiedUser = { ...mockUser, isEmailVerified: true, isPhoneVerified: true };
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(verifiedUser as any) // Initial lookup by sub
-          .mockResolvedValueOnce(null) // Email uniqueness check
-          .mockResolvedValueOnce(null) // Phone uniqueness check
-          .mockResolvedValueOnce({ ...verifiedUser, email: 'newemail@example.com', phone: '+1987654321' } as any); // Final fetch by id
-        mockMfaDeviceRepository.find.mockResolvedValue([]);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          email: 'newemail@example.com',
-          phone: '+1987654321',
-          retainVerification: true,
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            email: 'newemail@example.com',
-            phone: '+1987654321',
-            isEmailVerified: true,
-            isPhoneVerified: true,
-          }),
-        );
-      });
-
-      it('should preserve unverified status when retainVerification is true', async () => {
-        const unverifiedUser = { ...mockUser, isEmailVerified: false, isPhoneVerified: false };
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(unverifiedUser as any) // Initial lookup by sub
-          .mockResolvedValueOnce(null) // Email uniqueness check
-          .mockResolvedValueOnce(null) // Phone uniqueness check
-          .mockResolvedValueOnce({ ...unverifiedUser, email: 'newemail@example.com', phone: '+1987654321' } as any); // Final fetch by id
-        mockMfaDeviceRepository.find.mockResolvedValue([]);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          email: 'newemail@example.com',
-          phone: '+1987654321',
-          retainVerification: true,
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            email: 'newemail@example.com',
-            phone: '+1987654321',
-            isEmailVerified: false,
-            isPhoneVerified: false,
-          }),
-        );
-      });
-
-      it('should merge metadata when updating', async () => {
-        const userWithMetadata = { ...mockUser, metadata: { key1: 'value1' } };
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithMetadata as any) // Initial lookup by sub
-          .mockResolvedValueOnce({ ...userWithMetadata, metadata: { key1: 'value1', key2: 'value2' } } as any); // Final fetch by id
-
-        await service.updateUserAttributes(mockUser.sub, {
-          metadata: { key2: 'value2' },
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            metadata: (expect as any).objectContaining({
-              key1: 'value1',
-              key2: 'value2',
-            }),
-          }),
-        );
-      });
-
-      it('should record PROFILE_UPDATED audit event', async () => {
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any)
-          .mockResolvedValueOnce(null) // Email uniqueness check
-          .mockResolvedValueOnce({ ...mockUser, ...updateData } as any);
-
-        await service.updateUserAttributes(mockUser.sub, updateData);
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            userId: mockUser.id,
-            eventType: AuthAuditEventType.PROFILE_UPDATED,
-            eventStatus: 'INFO',
-          }),
-        );
-      });
-    });
-
-    describe('MFA device management', () => {
-      it('should delete Email MFA devices when email changes', async () => {
-        const userWithEmail = { ...mockUser, email: 'old@example.com' };
-        const emailDevice = {
-          id: 1,
-          userId: mockUser.id,
-          type: MFAMethod.EMAIL,
-          isActive: true,
-        };
-
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithEmail as any) // Initial lookup
-          .mockResolvedValueOnce(null) // Email uniqueness check
-          .mockResolvedValueOnce({ ...userWithEmail, email: 'new@example.com' } as any); // Final fetch
-
-        mockMfaDeviceRepository.find
-          .mockResolvedValueOnce([emailDevice] as any) // Find Email devices
-          .mockResolvedValueOnce([emailDevice] as any); // Check remaining devices
-
-        mockMfaDeviceRepository.delete.mockResolvedValue({ affected: 1 } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          email: 'new@example.com',
-        });
-
-        expect(mockMfaDeviceRepository.delete).toHaveBeenCalledWith(1);
-      });
-
-      it('should record audit event when Email MFA devices are deleted', async () => {
-        const userWithEmail = { ...mockUser, email: 'old@example.com' };
-        const emailDevice = {
-          id: 1,
-          userId: mockUser.id,
-          type: MFAMethod.EMAIL,
-          isActive: true,
-        };
-
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithEmail as any)
-          .mockResolvedValueOnce(null)
-          .mockResolvedValueOnce({ ...userWithEmail, email: 'new@example.com' } as any);
-
-        mockMfaDeviceRepository.find
-          .mockResolvedValueOnce([emailDevice] as any)
-          .mockResolvedValueOnce([emailDevice] as any);
-
-        mockMfaDeviceRepository.delete.mockResolvedValue({ affected: 1 } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          email: 'new@example.com',
-        });
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            userId: mockUser.id,
-            eventType: AuthAuditEventType.MFA_DEVICE_REMOVED,
-            eventStatus: 'INFO',
-            reason: 'email_changed',
-            metadata: (expect as any).objectContaining({
-              method: MFAMethod.EMAIL,
-              deletedCount: 1,
-              oldEmail: 'old@example.com',
-              newEmail: 'new@example.com',
-            }),
-          }),
-        );
-      });
-
-      it('should delete SMS MFA devices when phone changes', async () => {
-        const userWithPhone = { ...mockUser, phone: '+1234567890' };
-        const smsDevice = {
-          id: 1,
-          userId: mockUser.id,
-          type: MFAMethod.SMS,
-          phoneNumber: '+1234567890',
-          isActive: true,
-        };
-
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithPhone as any) // Initial lookup
-          .mockResolvedValueOnce(null) // Phone uniqueness check
-          .mockResolvedValueOnce({ ...userWithPhone, phone: '+1987654321' } as any); // Final fetch
-
-        mockMfaDeviceRepository.find
-          .mockResolvedValueOnce([smsDevice] as any) // Find SMS devices
-          .mockResolvedValueOnce([smsDevice] as any); // Check remaining devices
-
-        mockMfaDeviceRepository.delete.mockResolvedValue({ affected: 1 } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          phone: '+1987654321',
-        });
-
-        expect(mockMfaDeviceRepository.delete).toHaveBeenCalledWith(1);
-      });
-
-      it('should record audit event when SMS MFA devices are deleted', async () => {
-        const userWithPhone = { ...mockUser, phone: '+1234567890' };
-        const smsDevice = {
-          id: 1,
-          userId: mockUser.id,
-          type: MFAMethod.SMS,
-          phoneNumber: '+1234567890',
-          isActive: true,
-        };
-
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithPhone as any)
-          .mockResolvedValueOnce(null)
-          .mockResolvedValueOnce({ ...userWithPhone, phone: '+1987654321' } as any);
-
-        mockMfaDeviceRepository.find
-          .mockResolvedValueOnce([smsDevice] as any)
-          .mockResolvedValueOnce([smsDevice] as any);
-
-        mockMfaDeviceRepository.delete.mockResolvedValue({ affected: 1 } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          phone: '+1987654321',
-        });
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            userId: mockUser.id,
-            eventType: AuthAuditEventType.MFA_DEVICE_REMOVED,
-            eventStatus: 'INFO',
-            reason: 'phone_changed',
-            metadata: (expect as any).objectContaining({
-              method: MFAMethod.SMS,
-              deletedCount: 1,
-              oldPhone: '+1234567890',
-              newPhone: '+1987654321',
-            }),
-          }),
-        );
-      });
-
-      it('should disable MFA when all devices are removed after email change', async () => {
-        const userWithMfa = { ...mockUser, email: 'old@example.com', mfaEnabled: true };
-        const emailDevice = {
-          id: 1,
-          userId: mockUser.id,
-          type: MFAMethod.EMAIL,
-          isActive: true,
-        };
-
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithMfa as any)
-          .mockResolvedValueOnce(null)
-          .mockResolvedValueOnce({ ...userWithMfa, email: 'new@example.com', mfaEnabled: false } as any);
-
-        mockMfaDeviceRepository.find
-          .mockResolvedValueOnce([emailDevice] as any) // Find Email devices
-          .mockResolvedValueOnce([] as any); // No remaining devices
-
-        mockMfaDeviceRepository.delete.mockResolvedValue({ affected: 1 } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          email: 'new@example.com',
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            email: 'new@example.com',
-            mfaEnabled: false,
-            mfaMethods: [],
-            preferredMfaMethod: null,
-          }),
-        );
-      });
-
-      it('should disable MFA when all devices are removed after phone change', async () => {
-        const userWithMfa = { ...mockUser, phone: '+1234567890', mfaEnabled: true };
-        const smsDevice = {
-          id: 1,
-          userId: mockUser.id,
-          type: MFAMethod.SMS,
-          phoneNumber: '+1234567890',
-          isActive: true,
-        };
-
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithMfa as any)
-          .mockResolvedValueOnce(null)
-          .mockResolvedValueOnce({ ...userWithMfa, phone: '+1987654321', mfaEnabled: false } as any);
-
-        mockMfaDeviceRepository.find
-          .mockResolvedValueOnce([smsDevice] as any) // Find SMS devices
-          .mockResolvedValueOnce([] as any); // No remaining devices
-
-        mockMfaDeviceRepository.delete.mockResolvedValue({ affected: 1 } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          phone: '+1987654321',
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            phone: '+1987654321',
-            mfaEnabled: false,
-            mfaMethods: [],
-            preferredMfaMethod: null,
-          }),
-        );
-      });
-    });
-
-    describe('Uniqueness constraints', () => {
-      it('should throw NAuthException if email already exists', async () => {
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any) // First call for user lookup by sub
-          .mockResolvedValueOnce({ id: 999 } as any); // Second call for email uniqueness check
-
-        try {
-          await service.updateUserAttributes(mockUser.sub, {
-            email: 'existing@example.com',
-          });
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.VALIDATION_FAILED);
-        }
-      });
-
-      it('should throw NAuthException if phone already exists', async () => {
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any) // First call for user lookup by sub
-          .mockResolvedValueOnce({ id: 999 } as any); // Second call for phone uniqueness check
-
-        try {
-          await service.updateUserAttributes(mockUser.sub, {
-            phone: '+1234567890',
-          });
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.VALIDATION_FAILED);
-        }
-      });
-
-      it('should throw NAuthException if username already exists', async () => {
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any) // First call for user lookup by sub
-          .mockResolvedValueOnce({ id: 999 } as any); // Second call for username uniqueness check
-
-        try {
-          await service.updateUserAttributes(mockUser.sub, {
-            username: 'existinguser',
-          });
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.VALIDATION_FAILED);
-        }
-      });
-
-      it('should allow updating to same email', async () => {
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any) // First call for user lookup by sub
-          .mockResolvedValueOnce(null) // Email uniqueness check (not found = OK, because it's the same user)
-          .mockResolvedValueOnce(mockUser as any); // Final fetch by id
-
-        await service.updateUserAttributes(mockUser.sub, {
-          email: mockUser.email,
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalled();
-      });
-    });
-
-    describe('User not found', () => {
-      it('should throw NAuthException if user not found', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-
-        try {
-          await service.updateUserAttributes(mockUser.sub, updateData);
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.NOT_FOUND);
-        }
-      });
-    });
-
-    describe('MFA device management', () => {
-      it('should deactivate SMS MFA devices when phone changes', async () => {
-        const oldPhone = '+1234567890';
-        const userWithPhone = { ...mockUser, phone: oldPhone };
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithPhone as any) // Initial lookup by sub
-          .mockResolvedValueOnce(null) // Phone uniqueness check
-          .mockResolvedValueOnce({ ...userWithPhone, phone: '+1987654321' } as any); // Final fetch by id
-        mockMfaDeviceRepository.find.mockResolvedValue([
-          { id: 1, type: MFAMethod.SMS, phoneNumber: oldPhone, isActive: true },
-        ] as any);
-        mockMfaDeviceRepository.find
-          .mockResolvedValueOnce([{ id: 1, type: MFAMethod.SMS, phoneNumber: oldPhone, isActive: true }] as any)
-          .mockResolvedValueOnce([] as any); // Check for remaining active devices
-        mockMfaDeviceRepository.update.mockResolvedValue({ affected: 1 } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          phone: '+1987654321',
-        });
-
-        expect(mockMfaDeviceRepository.find).toHaveBeenCalled();
-        expect(mockMfaDeviceRepository.update).toHaveBeenCalled();
-      });
-
-      it('should not deactivate SMS devices if phone unchanged', async () => {
-        const userWithPhone = { ...mockUser, phone: '+1234567890' };
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithPhone as any) // Initial lookup
-          .mockResolvedValueOnce(userWithPhone as any); // Final fetch
-
-        await service.updateUserAttributes(mockUser.sub, {
-          firstName: 'New',
-        });
-
-        expect(mockMfaDeviceRepository.find).not.toHaveBeenCalled();
-      });
-
-      it('should deactivate SMS MFA devices when phone changes even if retainVerification is true', async () => {
-        const oldPhone = '+1234567890';
-        const userWithPhone = { ...mockUser, phone: oldPhone, isPhoneVerified: true };
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithPhone as any) // Initial lookup
-          .mockResolvedValueOnce(null) // Phone uniqueness check
-          .mockResolvedValueOnce({ ...userWithPhone, phone: '+1987654321' } as any); // Final fetch
-        mockMfaDeviceRepository.find
-          .mockResolvedValueOnce([{ id: 1, type: MFAMethod.SMS, phoneNumber: oldPhone, isActive: true }] as any) // Find SMS devices with old phone
-          .mockResolvedValueOnce([] as any); // Check for remaining active devices
-        mockMfaDeviceRepository.update.mockResolvedValue({ affected: 1 } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          phone: '+1987654321',
-          retainVerification: true,
-        });
-
-        // Should preserve verification status
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            phone: '+1987654321',
-            isPhoneVerified: true, // Preserved because retainVerification is true
-          }),
-        );
-
-        // Should still deactivate MFA devices regardless of retainVerification
-        expect(mockMfaDeviceRepository.find).toHaveBeenCalled();
-        expect(mockMfaDeviceRepository.update).toHaveBeenCalled();
-      });
-    });
-
-    describe('Error handling', () => {
-      it('should handle database update errors gracefully', async () => {
-        mockUserRepository.update.mockRejectedValue(new Error('Database error'));
-
-        try {
-          await service.updateUserAttributes(mockUser.sub, updateData);
-          fail('Should have thrown Error');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(Error);
-        }
-      });
-
-      it('should handle audit logging errors gracefully', async () => {
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any) // Initial lookup by sub
-          .mockResolvedValueOnce(null) // Uniqueness checks
-          .mockResolvedValueOnce({ ...mockUser, ...updateData } as any); // Final fetch by id
-        mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-        await service.updateUserAttributes(mockUser.sub, updateData);
-
-        // Should still complete update despite audit error
-        expect(mockUserRepository.update).toHaveBeenCalled();
-        expect(mockLogger.error).toHaveBeenCalled();
-      });
-
-      it('should handle MFA device deactivation errors gracefully', async () => {
-        const userWithPhone = { ...mockUser, phone: '+1234567890' };
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithPhone as any) // Initial lookup by sub
-          .mockResolvedValueOnce(null) // Phone uniqueness check
-          .mockResolvedValueOnce({ ...userWithPhone, phone: '+1987654321' } as any); // Final fetch by id
-        mockMfaDeviceRepository.find.mockRejectedValue(new Error('Database error'));
-
-        // Should still complete update despite MFA device error
-        await service.updateUserAttributes(mockUser.sub, {
-          phone: '+1987654321',
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalled();
-        expect(mockLogger.warn).toHaveBeenCalled();
-      });
-    });
-
-    describe('Edge cases', () => {
-      it('should handle partial updates (only some fields)', async () => {
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(mockUser as any)
-          .mockResolvedValueOnce({ ...mockUser, firstName: 'NewFirst' } as any);
-
-        await service.updateUserAttributes(mockUser.sub, {
-          firstName: 'NewFirst',
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            firstName: 'NewFirst',
-          }),
-        );
-      });
-
-      it('should handle empty metadata', async () => {
-        const userWithMetadata = { ...mockUser, metadata: { key1: 'value1' } };
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithMetadata as any) // Initial lookup by sub
-          .mockResolvedValueOnce(userWithMetadata as any); // Final fetch by id
-
-        await service.updateUserAttributes(mockUser.sub, {
-          metadata: {},
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalled();
-      });
-
-      it('should handle null metadata', async () => {
-        const userWithNullMetadata = { ...mockUser, metadata: null };
-        mockUserRepository.findOne.mockReset();
-        mockUserRepository.findOne
-          .mockResolvedValueOnce(userWithNullMetadata as any) // Initial lookup by sub
-          .mockResolvedValueOnce({ ...userWithNullMetadata, metadata: { key: 'value' } } as any); // Final fetch by id
-
-        await service.updateUserAttributes(mockUser.sub, {
-          metadata: { key: 'value' },
-        });
-
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          mockUser.id,
-          (expect as any).objectContaining({
-            metadata: (expect as any).objectContaining({
-              key: 'value',
-            }),
-          }),
-        );
-      });
-    });
-  });
-
-  // ============================================================================
-  // respondToChallenge - MFA_REQUIRED Tests (formerly verifyMFA)
-  // ============================================================================
-
-  describe('respondToChallenge() - MFA_REQUIRED', () => {
-    const mockChallengeSession = {
-      id: 'challenge-session-123',
-      sessionToken: 'challenge-session-123',
-      user: mockUser,
-      challengeName: AuthChallenge.MFA_REQUIRED,
-      metadata: {},
-    };
-
-    beforeEach(() => {
-      mockChallengeService.validateSession.mockResolvedValue(mockChallengeSession as any);
-      mockChallengeService.validateAndConsumeSession.mockResolvedValue(mockChallengeSession as any);
-      mockMfaService.verifyCode.mockResolvedValue(true);
-      mockJwtService.generateTokenFamily.mockReturnValue('token-family-123');
-      mockJwtService.generateTokenPair.mockResolvedValue({
-        accessToken: 'access-token',
-        refreshToken: 'refresh-token',
-        expiresIn: 3600,
-      });
-      mockJwtService.hashToken.mockReturnValue('hashed-token');
-      mockJwtService.validateAccessToken.mockResolvedValue({
-        valid: true,
-        payload: { exp: Math.floor(Date.now() / 1000) + 3600 },
-      } as any);
-      mockJwtService.validateRefreshToken.mockResolvedValue({
-        valid: true,
-        payload: { exp: Math.floor(Date.now() / 1000) + 86400 },
-      } as any);
-      mockSessionService.createSessionAtomic.mockResolvedValue({
-        session: mockSession,
-        extra: {
-          accessToken: 'access-token',
-          refreshToken: 'refresh-token',
-        },
-      } as any);
-      mockAccountLockoutStorage.resetFailedAttempts.mockResolvedValue(undefined);
-    });
-
-    describe('Successful MFA verification', () => {
-      it('should verify TOTP code successfully', async () => {
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'totp',
-          code: '123456',
-        };
-        const result = await service.respondToChallenge(createRespondChallengeDto(response));
-
-        expect(mockChallengeService.validateSession).toHaveBeenCalledWith('challenge-session-123');
-        expect(mockMfaService.verifyCode).toHaveBeenCalledWith(mockUser, 'totp', '123456');
-        expect(mockChallengeService.validateAndConsumeSession).toHaveBeenCalledWith(
-          'challenge-session-123',
-          AuthChallenge.MFA_REQUIRED,
-        );
-        expect(result).toBeDefined();
-        if ('accessToken' in result) {
-          expect(result.accessToken).toBe('access-token');
-          expect(result.refreshToken).toBe('refresh-token');
-        }
-      });
-
-      it('should verify SMS code successfully', async () => {
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'sms',
-          code: '123456',
-        };
-        await service.respondToChallenge(createRespondChallengeDto(response));
-
-        expect(mockMfaService.verifyCode).toHaveBeenCalledWith(mockUser, 'sms', '123456');
-      });
-
-      it('should verify backup code successfully', async () => {
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'backup',
-          code: 'backup123',
-        };
-        await service.respondToChallenge(createRespondChallengeDto(response));
-
-        expect(mockMfaService.verifyCode).toHaveBeenCalledWith(mockUser, 'backup', 'backup123');
-      });
-
-      it('should verify passkey credential successfully', async () => {
-        const credential = { id: 'passkey-id', response: {} };
-        const sessionWithPasskey = {
-          ...mockChallengeSession,
-          metadata: { passkeyChallenge: 'expected-challenge' },
-        };
-        mockChallengeService.validateSession.mockResolvedValue(sessionWithPasskey as any);
-        mockMfaService.verifyCode.mockResolvedValue(true);
-
-        const response: VerifyMFAPasskeyResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'passkey',
-          credential,
-        };
-        await service.respondToChallenge(createRespondChallengeDto(response));
-
-        expect(mockMfaService.verifyCode).toHaveBeenCalledWith(mockUser, 'passkey', {
-          credential,
-          expectedChallenge: 'expected-challenge',
-        });
-      });
-
-      it('should record MFA_VERIFICATION_SUCCESS audit event', async () => {
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'totp',
-          code: '123456',
-        };
-        await service.respondToChallenge(createRespondChallengeDto(response));
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            userId: mockUser.id,
-            eventType: AuthAuditEventType.MFA_VERIFICATION_SUCCESS,
-            eventStatus: 'SUCCESS',
-            challengeSessionId: 'challenge-session-123',
-            authMethod: 'totp',
-          }),
-        );
-      });
-
-      it('should update user last login after successful verification', async () => {
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'totp',
-          code: '123456',
-        };
-        await service.respondToChallenge(createRespondChallengeDto(response));
-
-        // Note: User update happens in determineAuthResponse, not directly in MFA verification
-        // This test may need adjustment based on actual implementation
-        expect(mockChallengeHelper.determineAuthResponse).toHaveBeenCalled();
-      });
-    });
-
-    describe('Invalid MFA verification', () => {
-      it('should throw NAuthException for invalid TOTP code', async () => {
-        mockMfaService.verifyCode.mockResolvedValue(false);
-
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'totp',
-          code: '123456',
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.VERIFICATION_CODE_INVALID);
-        }
-      });
-
-      it('should record MFA_VERIFICATION_FAILED audit event', async () => {
-        mockMfaService.verifyCode.mockResolvedValue(false);
-
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'totp',
-          code: '123456',
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-        } catch {
-          // Expected to throw
-        }
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            userId: mockUser.id,
-            eventType: AuthAuditEventType.MFA_VERIFICATION_FAILED,
-            eventStatus: 'FAILURE',
-            challengeSessionId: 'challenge-session-123',
-            authMethod: 'totp',
-          }),
-        );
-      });
-
-      it('should increment challenge attempts on failure', async () => {
-        mockMfaService.verifyCode.mockResolvedValue(false);
-
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'totp',
-          code: '123456',
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-        } catch {
-          // Expected to throw
-        }
-
-        expect(mockChallengeService.incrementAttempts).toHaveBeenCalled();
-      });
-
-      it('should throw NAuthException if code is missing for non-passkey methods', async () => {
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'totp',
-          code: '', // Empty code
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.VALIDATION_FAILED);
-        }
-      });
-
-      it('should throw NAuthException if credential is missing for passkey', async () => {
-        const response: VerifyMFAPasskeyResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'passkey',
-          credential: {} as any, // Empty credential - validation will fail
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          // Validation happens in validateChallengeParams which throws VALIDATION_FAILED
-          // but empty object might pass validation, so it could throw CHALLENGE_INVALID
-          expect([AuthErrorCode.VALIDATION_FAILED, AuthErrorCode.CHALLENGE_INVALID]).toContain(error.code);
-        }
-      });
-
-      it('should throw NAuthException if passkey challenge is missing in session', async () => {
-        const response: VerifyMFAPasskeyResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'passkey',
-          credential: { id: 'passkey' },
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.CHALLENGE_INVALID);
-        }
-      });
-    });
-
-    describe('Error handling', () => {
-      it('should throw NAuthException if challenge session is invalid', async () => {
-        mockChallengeService.validateSession.mockRejectedValue(
-          new NAuthException(AuthErrorCode.CHALLENGE_INVALID, 'Invalid session'),
-        );
-
-        const response: VerifyMFACodeResponse = {
-          session: 'invalid-session',
-          type: 'MFA_REQUIRED',
-          method: 'totp',
-          code: '123456',
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.CHALLENGE_INVALID);
-        }
-      });
-
-      it('should throw NAuthException if user not found in challenge session', async () => {
-        const sessionWithoutUser = { ...mockChallengeSession, user: null };
-        mockChallengeService.validateSession.mockResolvedValue(sessionWithoutUser as any);
-
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'totp',
-          code: '123456',
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.CHALLENGE_INVALID);
-        }
-      });
-
-      it('should throw NAuthException if MFA service is not available', async () => {
-        const serviceWithoutMfa = new AuthService(
-          mockUserRepository,
-          mockLoginAttemptRepository,
-          mockPasswordService,
-          mockJwtService,
-          mockSessionService,
-          mockChallengeService,
-          mockChallengeHelper,
-          mockEmailVerificationService,
-          mockClientInfoService,
-          mockAccountLockoutStorage,
-          mockConfig,
-          mockLogger,
-          mockAuditService,
-          mockPhoneVerificationService,
-          undefined, // No MFA service
-          mockMfaDeviceRepository,
-          mockTrustedDeviceService,
-        );
-
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'totp',
-          code: '123456',
-        };
-
-        try {
-          await serviceWithoutMfa.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.INTERNAL_ERROR);
-        }
-      });
-
-      it('should handle audit logging errors gracefully', async () => {
-        mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-        const response: VerifyMFACodeResponse = {
-          session: 'challenge-session-123',
-          type: 'MFA_REQUIRED',
-          method: 'totp',
-          code: '123456',
-        };
-        const result = await service.respondToChallenge(createRespondChallengeDto(response));
-
-        // Should still complete verification despite audit error
-        expect(result).toBeDefined();
-        expect(mockLogger.error).toHaveBeenCalled();
-      });
-    });
-  });
-
-  // ============================================================================
-  // trustDevice Tests
-  // ============================================================================
-
-  describe('trustDevice()', () => {
-    beforeEach(() => {
-      mockConfig.mfa = {
-        enabled: true,
-        enforcement: 'OPTIONAL',
-        rememberDevices: 'user_opt_in',
-        rememberDeviceDays: 30,
-      };
-      mockSessionService.findById.mockResolvedValue(mockSession as any);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockTrustedDeviceService.isDeviceTrusted.mockResolvedValue(false);
-      mockTrustedDeviceService.createTrustedDevice.mockResolvedValue('device-token-123');
-    });
-
-    describe('Successful device trust', () => {
-      it('should create trusted device token successfully', async () => {
-        const result = await service.trustDevice('1');
-
-        expect(mockSessionService.findById).toHaveBeenCalledWith(1);
-        expect(mockTrustedDeviceService.createTrustedDevice).toHaveBeenCalled();
-        expect(result.deviceToken).toBe('device-token-123');
-      });
-
-      it('should return existing device token if device already trusted', async () => {
-        mockTrustedDeviceService.isDeviceTrusted.mockResolvedValue(true);
-        mockClientInfo.deviceToken = 'existing-token';
-
-        const result = await service.trustDevice('1');
-
-        expect(result.deviceToken).toBe('existing-token');
-        expect(mockTrustedDeviceService.createTrustedDevice).not.toHaveBeenCalled();
-      });
-
-      it('should revoke existing untrusted device token before creating new one', async () => {
-        mockClientInfo.deviceToken = 'existing-untrusted-token';
-        mockTrustedDeviceService.isDeviceTrusted.mockResolvedValue(false);
-
-        await service.trustDevice('1');
-
-        expect(mockTrustedDeviceService.revokeTrustedDevice).toHaveBeenCalled();
-        expect(mockTrustedDeviceService.createTrustedDevice).toHaveBeenCalled();
-      });
-
-      it('should record DEVICE_TRUSTED audit event', async () => {
-        await service.trustDevice('1');
-
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            userId: mockUser.id,
-            eventType: AuthAuditEventType.DEVICE_TRUSTED,
-            eventStatus: 'SUCCESS',
-            deviceId: 'device-token-123',
-            sessionId: mockSession.id,
-          }),
-        );
-      });
-    });
-
-    describe('Error handling', () => {
-      it('should throw NAuthException if rememberDevices is not user_opt_in', async () => {
-        mockConfig.mfa = {
-          enabled: true,
-          enforcement: 'OPTIONAL',
-          rememberDevices: 'always',
-          rememberDeviceDays: 30,
-        };
-
-        try {
-          await service.trustDevice('1');
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.FORBIDDEN);
-        }
-      });
-
-      it('should throw NAuthException if trusted device service is not available', async () => {
-        const serviceWithoutTrustedDevice = new AuthService(
-          mockUserRepository,
-          mockLoginAttemptRepository,
-          mockPasswordService,
-          mockJwtService,
-          mockSessionService,
-          mockChallengeService,
-          mockChallengeHelper,
-          mockEmailVerificationService,
-          mockClientInfoService,
-          mockAccountLockoutStorage,
-          mockConfig,
-          mockLogger,
-          mockAuditService,
-          mockPhoneVerificationService,
-          mockMfaService,
-          mockMfaDeviceRepository,
-          undefined, // No trusted device service
-        );
-
-        try {
-          await serviceWithoutTrustedDevice.trustDevice('1');
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.INTERNAL_ERROR);
-        }
-      });
-
-      it('should throw NAuthException if session not found', async () => {
-        mockSessionService.findById.mockResolvedValue(null);
-
-        try {
-          await service.trustDevice('1');
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.SESSION_NOT_FOUND);
-        }
-      });
-
-      it('should throw NAuthException if session is revoked', async () => {
-        const revokedSession = { ...mockSession, isRevoked: true };
-        mockSessionService.findById.mockResolvedValue(revokedSession as any);
-
-        try {
-          await service.trustDevice('1');
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.SESSION_NOT_FOUND);
-        }
-      });
-
-      it('should throw NAuthException if user not found', async () => {
-        mockUserRepository.findOne.mockResolvedValue(null);
-
-        try {
-          await service.trustDevice('1');
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.NOT_FOUND);
-        }
-      });
-
-      it('should handle audit logging errors gracefully', async () => {
-        mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-        const result = await service.trustDevice('1');
-
-        // Should still complete trust operation despite audit error
-        expect(result.deviceToken).toBe('device-token-123');
-        expect(mockLogger.error).toHaveBeenCalled();
-      });
-    });
-  });
-
-  // ============================================================================
-  // respondToChallenge Tests (formerly completeChallenge)
-  // ============================================================================
-
-  describe('respondToChallenge()', () => {
-    const mockChallengeSession = {
-      id: 'challenge-session-123',
-      sessionToken: 'session-token',
-      user: mockUser,
-      challengeName: AuthChallenge.VERIFY_EMAIL,
-      metadata: {},
-    };
-
-    beforeEach(() => {
-      mockChallengeService.validateSession.mockResolvedValue(mockChallengeSession as any);
-      mockChallengeService.validateAndConsumeSession.mockResolvedValue(mockChallengeSession as any);
-      // Query builder will be set up in individual tests as needed
-      mockChallengeHelper.determineAuthResponse.mockResolvedValue({
-        accessToken: 'access-token',
-        refreshToken: 'refresh-token',
-        accessTokenExpiresAt: Math.floor(Date.now() / 1000) + 3600,
-        refreshTokenExpiresAt: Math.floor(Date.now() / 1000) + 86400,
-        user: {
-          sub: 'user-123',
-          email: 'test@example.com',
-          isEmailVerified: true,
-          isPhoneVerified: false,
-        },
-      });
-    });
-
-    describe('VERIFY_EMAIL challenge', () => {
-      it('should complete email verification challenge successfully', async () => {
-        // Mock findOne to return updated user after verification
-        const updatedUser = {
-          ...mockUser,
-          isEmailVerified: true,
-          isPhoneVerified: false,
-        };
-        mockUserRepository.findOne.mockResolvedValue(updatedUser as any);
-        mockEmailVerificationService.verifyEmailWithCode.mockResolvedValue({ message: 'Email verified' });
-
-        const response: VerifyEmailResponse = {
-          session: 'session-token',
-          type: 'VERIFY_EMAIL',
-          code: '123456',
-        };
-        const result = await service.respondToChallenge(createRespondChallengeDto(response));
-
-        expect(mockChallengeService.validateSession).toHaveBeenCalledWith('session-token');
-        // Note: verifyEmailWithCode is called with user.sub in the implementation
-        expect(mockEmailVerificationService.verifyEmailWithCode).toHaveBeenCalledWith(mockUser.sub, '123456');
-        expect(mockChallengeService.validateAndConsumeSession).toHaveBeenCalledWith(
-          'session-token',
-          AuthChallenge.VERIFY_EMAIL,
-        );
-        expect(mockChallengeHelper.determineAuthResponse).toHaveBeenCalled();
-        expect(result).toBeDefined();
-      });
-    });
-
-    describe('VERIFY_PHONE challenge', () => {
-      it('should complete phone verification challenge successfully', async () => {
-        const phoneVerifySession = {
-          ...mockChallengeSession,
-          challengeName: AuthChallenge.VERIFY_PHONE,
-        };
-        mockChallengeService.validateSession.mockResolvedValue(phoneVerifySession as any);
-        // Mock findOne to return updated user after verification
-        const updatedUser = {
-          ...mockUser,
-          isEmailVerified: true,
-          isPhoneVerified: true,
-        };
-        mockUserRepository.findOne.mockResolvedValue(updatedUser as any);
-        mockPhoneVerificationService.verifyPhoneWithCodeBySub.mockResolvedValue({
-          message: 'Phone verified',
-        });
-
-        const response: VerifyPhoneResponse = {
-          session: 'session-token',
-          type: 'VERIFY_PHONE',
-          code: '123456',
-        };
-        const result = await service.respondToChallenge(createRespondChallengeDto(response));
-
-        expect(mockChallengeService.validateSession).toHaveBeenCalledWith('session-token');
-        expect(mockPhoneVerificationService.verifyPhoneWithCodeBySub).toHaveBeenCalledWith(mockUser.sub, '123456');
-        expect(mockChallengeService.validateAndConsumeSession).toHaveBeenCalledWith(
-          'session-token',
-          AuthChallenge.VERIFY_PHONE,
-        );
-        expect(result).toBeDefined();
-      });
-
-      it('should handle phone collection before verification', async () => {
-        const phoneCollectSession = {
-          ...mockChallengeSession,
-          challengeName: AuthChallenge.VERIFY_PHONE,
-          user: mockUser,
-        };
-        mockChallengeService.validateSession.mockResolvedValue(phoneCollectSession as any);
-        mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-        mockPhoneVerificationService.sendVerificationSMS.mockResolvedValue(undefined as any);
-        mockChallengeHelper.createChallengeResponse.mockResolvedValue({
-          challengeName: AuthChallenge.VERIFY_PHONE,
-          session: 'challenge-session-token',
-          challengeParameters: {},
-        } as any);
-
-        const response: CollectPhoneResponse = {
-          session: 'session-token',
-          type: 'VERIFY_PHONE',
-          phone: '+1234567890',
-        };
-        const result = await service.respondToChallenge(createRespondChallengeDto(response));
-
-        expect(mockChallengeService.validateSession).toHaveBeenCalledWith('session-token');
-        expect(mockUserRepository.update).toHaveBeenCalledWith({ sub: mockUser.sub }, { phone: '+1234567890' });
-        expect(mockPhoneVerificationService.sendVerificationSMS).toHaveBeenCalledWith(mockUser.sub);
-        expect(result.challengeName).toBeDefined();
-        expect(result.challengeName).toBe(AuthChallenge.VERIFY_PHONE);
-      });
-
-      it('should throw NAuthException for invalid phone format', async () => {
-        const phoneCollectSession = {
-          ...mockChallengeSession,
-          challengeName: AuthChallenge.VERIFY_PHONE,
-          user: mockUser,
-        };
-        mockChallengeService.validateSession.mockResolvedValue(phoneCollectSession as any);
-
-        const response: CollectPhoneResponse = {
-          session: 'session-token',
-          type: 'VERIFY_PHONE',
-          phone: 'invalid-phone',
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          // Phone format validation happens in handleVerifyPhone, which throws INVALID_PHONE_FORMAT
-          // But validation might happen earlier in validateChallengeParams
-          expect([AuthErrorCode.INVALID_PHONE_FORMAT, AuthErrorCode.VALIDATION_FAILED]).toContain(error.code);
-        }
-      });
-    });
-
-    describe('FORCE_CHANGE_PASSWORD challenge', () => {
-      it('should complete password change challenge successfully', async () => {
-        const passwordChangeSession = {
-          ...mockChallengeSession,
-          challengeName: AuthChallenge.FORCE_CHANGE_PASSWORD,
-        };
-        mockChallengeService.validateSession.mockResolvedValue(passwordChangeSession as any);
-        mockPasswordService.validatePassword.mockResolvedValue({ valid: true, errors: [] });
-        mockPasswordService.hashPassword.mockResolvedValue('new-hashed-password');
-        mockUserRepository.findOne.mockResolvedValue({ ...mockUser, mustChangePassword: false } as any);
-
-        const response: ForceChangePasswordResponse = {
-          session: 'session-token',
-          type: 'FORCE_CHANGE_PASSWORD',
-          newPassword: 'NewPassword123!',
-        };
-        const result = await service.respondToChallenge(createRespondChallengeDto(response));
-
-        expect(mockChallengeService.validateSession).toHaveBeenCalledWith('session-token');
-        expect(mockPasswordService.validatePassword).toHaveBeenCalled();
-        expect(mockPasswordService.hashPassword).toHaveBeenCalledWith('NewPassword123!');
-        expect(mockUserRepository.update).toHaveBeenCalledWith(
-          { sub: mockUser.sub },
-          (expect as any).objectContaining({
-            passwordHash: 'new-hashed-password',
-            mustChangePassword: false,
-          }),
-        );
-        expect(result).toBeDefined();
-      });
-
-      it('should throw NAuthException if new password is missing', async () => {
-        const passwordChangeSession = {
-          ...mockChallengeSession,
-          challengeName: AuthChallenge.FORCE_CHANGE_PASSWORD,
-        };
-        mockChallengeService.validateSession.mockResolvedValue(passwordChangeSession as any);
-
-        const response: ForceChangePasswordResponse = {
-          session: 'session-token',
-          type: 'FORCE_CHANGE_PASSWORD',
-          newPassword: '', // Empty password
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.VALIDATION_FAILED);
-        }
-      });
-
-      it('should throw NAuthException if new password is weak', async () => {
-        const passwordChangeSession = {
-          ...mockChallengeSession,
-          challengeName: AuthChallenge.FORCE_CHANGE_PASSWORD,
-        };
-        mockChallengeService.validateSession.mockResolvedValue(passwordChangeSession as any);
-        mockPasswordService.validatePassword.mockResolvedValue({
-          valid: false,
-          errors: ['Password too weak'],
-        });
-
-        const response: ForceChangePasswordResponse = {
-          session: 'session-token',
-          type: 'FORCE_CHANGE_PASSWORD',
-          newPassword: 'weak',
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          // Password validation happens in handleForceChangePassword, which throws WEAK_PASSWORD
-          // But validation might happen earlier in validateChallengeParams
-          expect([AuthErrorCode.WEAK_PASSWORD, AuthErrorCode.VALIDATION_FAILED]).toContain(error.code);
-        }
-      });
-    });
-
-    describe('MFA_SETUP_REQUIRED challenge', () => {
-      it('should complete MFA setup challenge successfully', async () => {
-        const mfaSetupSession = {
-          ...mockChallengeSession,
-          challengeName: AuthChallenge.MFA_SETUP_REQUIRED,
-        };
-        mockChallengeService.validateSession.mockResolvedValue(mfaSetupSession as any);
-        const updatedUser = { ...mockUser, mfaEnabled: true };
-        mockUserRepository.findOne.mockResolvedValue(updatedUser as any);
-
-        const response: MFASetupResponse = {
-          session: 'session-token',
-          type: 'MFA_SETUP_REQUIRED',
-          method: 'totp',
-          setupData: { code: '123456' },
-        };
-        const result = await service.respondToChallenge(createRespondChallengeDto(response));
-
-        expect(mockChallengeService.validateSession).toHaveBeenCalledWith('session-token');
-        expect(mockUserRepository.findOne).toHaveBeenCalledWith({ where: { sub: mockUser.sub } });
-        expect(mockChallengeHelper.determineAuthResponse).toHaveBeenCalledWith({
-          user: updatedUser,
-          config: mockConfig,
-          deviceToken: mockClientInfo.deviceToken,
-          isSocialLogin: false,
-          skipMFAVerification: true,
-        });
-        expect(result).toBeDefined();
-      });
-
-      it('should throw NAuthException if user not found after MFA setup', async () => {
-        const mfaSetupSession = {
-          ...mockChallengeSession,
-          challengeName: AuthChallenge.MFA_SETUP_REQUIRED,
-        };
-        mockChallengeService.validateSession.mockResolvedValue(mfaSetupSession as any);
-        mockUserRepository.findOne.mockResolvedValue(null);
-
-        const response: MFASetupResponse = {
-          session: 'session-token',
-          type: 'MFA_SETUP_REQUIRED',
-          method: 'totp',
-          setupData: { code: '123456' },
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.NOT_FOUND);
-        }
-      });
-    });
-
-    describe('Error handling', () => {
-      it('should throw NAuthException if challenge session is invalid', async () => {
-        mockChallengeService.validateSession.mockRejectedValue(
-          new NAuthException(AuthErrorCode.CHALLENGE_INVALID, 'Invalid session'),
-        );
-
-        const response: VerifyEmailResponse = {
-          session: 'invalid-session',
-          type: 'VERIFY_EMAIL',
-          code: '123456',
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.CHALLENGE_INVALID);
-        }
-      });
-
-      it('should throw NAuthException if user not found in challenge session', async () => {
-        const sessionWithoutUser = { ...mockChallengeSession, user: null };
-        mockChallengeService.validateSession.mockResolvedValue(sessionWithoutUser as any);
-
-        const response: VerifyEmailResponse = {
-          session: 'session-token',
-          type: 'VERIFY_EMAIL',
-          code: '123456',
-        };
-
-        try {
-          await service.respondToChallenge(createRespondChallengeDto(response));
-          fail('Should have thrown NAuthException');
-        } catch (error: any) {
-          expect(error).toBeInstanceOf(NAuthException);
-          expect(error.code).toBe(AuthErrorCode.CHALLENGE_INVALID);
-        }
-      });
-    });
-  });
-});