@nauth-toolkit/core 0.1.0 → 0.1.3

package/src/services/email-verification.service.spec.ts

@@ -1,1229 +0,0 @@
-import { Repository } from 'typeorm';
-import { EmailVerificationService } from './email-verification.service';
-import { NAuthException } from '../exceptions/nauth.exception';
-import { ClientInfoService } from './client-info.service';
-import { EmailProvider } from '../interfaces/provider.interface';
-import { StorageAdapter } from '../interfaces/storage-adapter.interface';
-import { NAuthConfig } from '../interfaces/config.interface';
-import { NAuthLogger } from '../utils/nauth-logger';
-import { AuthAuditService } from './auth-audit.service';
-import { BaseVerificationToken, BaseUser } from '../entities';
-import { IUser, IVerificationToken } from '../interfaces/entities.interface';
-import { AuthErrorCode } from '../enums/error-codes.enum';
-import { JwtService } from './jwt.service';
-import { SessionService } from './session.service';
-import {
-  SendVerificationEmailDTO,
-  VerifyEmailWithCodeDTO,
-  VerifyEmailWithTokenDTO,
-  ResendVerificationEmailDTO,
-} from '../dto/verify-email.dto';
-
-// Helper to create DTOs from plain objects
-function createSendVerificationEmailDto(data: Partial<SendVerificationEmailDTO>): SendVerificationEmailDTO {
-  return Object.assign(new SendVerificationEmailDTO(), data);
-}
-
-function createVerifyEmailWithCodeDto(data: Partial<VerifyEmailWithCodeDTO>): VerifyEmailWithCodeDTO {
-  return Object.assign(new VerifyEmailWithCodeDTO(), data);
-}
-
-function createVerifyEmailWithTokenDto(data: Partial<VerifyEmailWithTokenDTO>): VerifyEmailWithTokenDTO {
-  return Object.assign(new VerifyEmailWithTokenDTO(), data);
-}
-
-function createResendVerificationEmailDto(data: Partial<ResendVerificationEmailDTO>): ResendVerificationEmailDTO {
-  return Object.assign(new ResendVerificationEmailDTO(), data);
-}
-
-/**
- * Email Verification Service Unit Tests
- *
- * Platform-agnostic: Uses direct instantiation, no NestJS dependencies.
- *
- * Covers:
- * - Send verification email with rate limiting
- * - Code-based verification with attempts tracking
- * - Link-based verification (token)
- * - Resend verification email with cooldown
- * - Rate limiting per user and per IP
- * - Error handling for all dependencies
- * - Storage adapter failures
- * - Email provider errors
- */
-describe('EmailVerificationService', () => {
-  let service: EmailVerificationService;
-  let mockVerificationTokenRepository: jest.Mocked<Repository<BaseVerificationToken>>;
-  let mockUserRepository: jest.Mocked<Repository<BaseUser>>;
-  let mockEmailProvider: jest.Mocked<EmailProvider>;
-  let mockStorageAdapter: jest.Mocked<StorageAdapter>;
-  let mockJwtService: jest.Mocked<JwtService>;
-  let mockSessionService: jest.Mocked<SessionService>;
-  let mockClientInfoService: jest.Mocked<ClientInfoService>;
-  let mockLogger: jest.Mocked<NAuthLogger>;
-  let mockAuditService: jest.Mocked<AuthAuditService>;
-  let mockConfig: NAuthConfig;
-
-  const mockUser: IUser = {
-    id: 123,
-    sub: 'user-sub-123',
-    email: 'test@example.com',
-    username: 'testuser',
-    phone: null,
-    firstName: null,
-    lastName: null,
-    passwordHash: null,
-    passwordChangedAt: null,
-    passwordHistory: null,
-    isEmailVerified: false,
-    isPhoneVerified: false,
-    isActive: true,
-    mustChangePassword: false,
-    isLocked: false,
-    lockReason: null,
-    lockedAt: null,
-    lockedUntil: null,
-    failedLoginAttempts: 0,
-    lastFailedLoginAt: null,
-    lastLoginAt: null,
-    lastLoginIp: null,
-    hasSocialAuth: false,
-    socialProviders: null,
-    mfaEnabled: false,
-    mfaMethods: null,
-    preferredMfaMethod: null,
-    backupCodes: null,
-    metadata: null,
-    createdAt: new Date(),
-    updatedAt: new Date(),
-    deletedAt: null,
-  };
-
-  const mockVerificationToken: IVerificationToken = {
-    id: 456,
-    userId: 123,
-    challengeSessionId: null,
-    type: 'email',
-    token: 'hashed-token-abc123',
-    code: '123456',
-    expiresAt: new Date(Date.now() + 3600000), // 1 hour from now
-    attempts: 0,
-    usedAt: null,
-    ipAddress: '127.0.0.1',
-    userAgent: 'test-agent',
-    createdAt: new Date(),
-    isExpired: jest.fn().mockReturnValue(false),
-    maxAttemptsExceeded: jest.fn().mockReturnValue(false),
-  };
-
-  beforeEach(() => {
-    mockVerificationTokenRepository = {
-      create: jest.fn(),
-      save: jest.fn(),
-      findOne: jest.fn(),
-      update: jest.fn().mockResolvedValue({ affected: 0 } as any),
-      count: jest.fn(),
-    } as any;
-
-    mockUserRepository = {
-      findOne: jest.fn(),
-      save: jest.fn(),
-      update: jest.fn().mockResolvedValue({ affected: 1 } as any),
-    } as any;
-
-    mockEmailProvider = {
-      sendVerificationEmail: jest.fn().mockResolvedValue(undefined),
-      sendPasswordResetEmail: jest.fn(),
-      sendWelcomeEmail: jest.fn(),
-    } as any;
-
-    mockStorageAdapter = {
-      get: jest.fn(),
-      set: jest.fn(),
-      incr: jest.fn().mockResolvedValue(1),
-      expire: jest.fn().mockResolvedValue(undefined),
-      ttl: jest.fn().mockResolvedValue(3600),
-      del: jest.fn().mockResolvedValue(undefined),
-      exists: jest.fn(),
-    } as any;
-
-    mockClientInfoService = {
-      get: jest.fn().mockReturnValue({
-        ipAddress: '127.0.0.1',
-        userAgent: 'test-agent',
-      }),
-    } as any;
-
-    mockJwtService = {
-      generateTokenPair: jest.fn(),
-      hashToken: jest.fn(),
-      validateAccessToken: jest.fn(),
-      validateRefreshToken: jest.fn(),
-    } as any;
-
-    mockSessionService = {
-      createSession: jest.fn(),
-      findById: jest.fn(),
-    } as any;
-
-    mockLogger = {
-      log: jest.fn(),
-      error: jest.fn(),
-      warn: jest.fn(),
-      debug: jest.fn(),
-      verbose: jest.fn(),
-    } as any;
-
-    mockAuditService = {
-      recordEvent: jest.fn().mockResolvedValue(null),
-    } as any;
-
-    mockConfig = {
-      jwt: {
-        accessToken: { secret: 'test-secret', expiresIn: '15m' },
-        refreshToken: { secret: 'test-refresh-secret', expiresIn: '7d' },
-      },
-      signup: {
-        emailVerification: {
-          expiresIn: 3600,
-          resendDelay: 60,
-          rateLimitMax: 3,
-          rateLimitWindow: 3600,
-        },
-      },
-    };
-
-    // Instantiate service directly
-    service = new EmailVerificationService(
-      mockVerificationTokenRepository,
-      mockUserRepository,
-      mockEmailProvider,
-      mockStorageAdapter,
-      mockConfig,
-      mockClientInfoService,
-      mockLogger,
-      mockAuditService,
-    );
-  });
-
-  afterEach(() => {
-    jest.clearAllMocks();
-  });
-
-  // ============================================================================
-  // Service Initialization
-  // ============================================================================
-
-  it('should be defined', () => {
-    expect(service).toBeDefined();
-  });
-
-  // ============================================================================
-  // sendVerificationEmail
-  // ============================================================================
-
-  describe('sendVerificationEmail', () => {
-    it('should send verification email successfully', async () => {
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null); // No last token
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      const result = await service.sendVerificationEmail('user-sub-123', 'https://example.com');
-
-      expect(mockStorageAdapter.incr).toHaveBeenCalled();
-      expect(mockUserRepository.findOne).toHaveBeenCalledWith({ where: { sub: 'user-sub-123' } as any });
-      expect(mockVerificationTokenRepository.save).toHaveBeenCalled();
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalled();
-      const callArgs = mockEmailProvider.sendVerificationEmail.mock.calls[0];
-      expect(callArgs[0]).toBe('test@example.com');
-      expect(typeof callArgs[1]).toBe('string'); // 6-digit code
-      expect(callArgs[2]).toContain('https://example.com/verify-email?token='); // token in URL
-      expect(mockAuditService.recordEvent).toHaveBeenCalled();
-      expect(result).toBe(456);
-    });
-
-    it('should use default baseUrl if not provided', async () => {
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      await service.sendVerificationEmail('user-sub-123');
-
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalledWith(
-        'test@example.com',
-        (expect as any).any(String),
-        (expect as any).stringContaining('http://localhost:3000/verify-email?token='),
-      );
-    });
-
-    it('should throw NAuthException if user not found', async () => {
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockUserRepository.findOne.mockResolvedValue(null);
-
-      try {
-        await service.sendVerificationEmail('invalid-sub');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.NOT_FOUND);
-      }
-    });
-
-    it('should throw NAuthException if email already verified', async () => {
-      const verifiedUser = { ...mockUser, isEmailVerified: true };
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockUserRepository.findOne.mockResolvedValue(verifiedUser as any);
-
-      try {
-        await service.sendVerificationEmail('user-sub-123');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.ALREADY_VERIFIED);
-      }
-    });
-
-    it('should enforce rate limit (too many emails)', async () => {
-      mockStorageAdapter.incr.mockResolvedValue(4); // Exceeds limit of 3
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-
-      try {
-        await service.sendVerificationEmail('user-sub-123');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.RATE_LIMIT_EMAIL);
-        expect(mockUserRepository.findOne).not.toHaveBeenCalled();
-      }
-    });
-
-    it('should enforce resend delay', async () => {
-      const recentToken = {
-        ...mockVerificationToken,
-        createdAt: new Date(Date.now() - 30 * 1000), // 30 seconds ago (less than 60s delay)
-      };
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(recentToken as any);
-
-      try {
-        await service.sendVerificationEmail('user-sub-123');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.RATE_LIMIT_RESEND);
-      }
-    });
-
-    it('should allow resend after delay period', async () => {
-      const oldToken = {
-        ...mockVerificationToken,
-        createdAt: new Date(Date.now() - 70 * 1000), // 70 seconds ago (more than 60s delay)
-      };
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(oldToken as any);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      await service.sendVerificationEmail('user-sub-123');
-
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalled();
-    });
-
-    it('should invalidate existing unused tokens', async () => {
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      await service.sendVerificationEmail('user-sub-123');
-
-      expect(mockVerificationTokenRepository.update).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          userId: 123,
-          type: 'email',
-        }),
-        (expect as any).objectContaining({
-          usedAt: (expect as any).any(Date),
-        }),
-      );
-    });
-
-    it('should handle rate limit window reset when TTL > window', async () => {
-      mockStorageAdapter.ttl.mockResolvedValue(7200); // TTL longer than window (3600)
-      mockStorageAdapter.del.mockResolvedValue();
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      await service.sendVerificationEmail('user-sub-123');
-
-      expect(mockStorageAdapter.del).toHaveBeenCalledWith('email-verification:user-sub-123');
-    });
-
-    it('should handle storage adapter errors gracefully', async () => {
-      // TTL error should be handled gracefully - don't throw, just log
-      mockStorageAdapter.ttl.mockResolvedValue(-1); // Simulate error by returning -1 (key doesn't exist)
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      // Should still work, just log the error
-      await service.sendVerificationEmail('user-sub-123');
-
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalled();
-    });
-
-    it('should handle email provider errors', async () => {
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-      mockEmailProvider.sendVerificationEmail.mockRejectedValue(new Error('Email service error'));
-
-      try {
-        await service.sendVerificationEmail('user-sub-123');
-        fail('Should have thrown error');
-      } catch (error: any) {
-        expect(error.message).toContain('Email service error');
-      }
-    });
-
-    it('should handle audit service errors gracefully', async () => {
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-      mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-      await service.sendVerificationEmail('user-sub-123');
-
-      expect(mockLogger.error).toHaveBeenCalled();
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalled(); // Should still send email
-    });
-
-    it('should use custom rate limit config', async () => {
-      mockConfig.signup!.emailVerification!.rateLimitMax = 5;
-      mockConfig.signup!.emailVerification!.rateLimitWindow = 1800;
-      service = new EmailVerificationService(
-        mockVerificationTokenRepository,
-        mockUserRepository,
-        mockEmailProvider,
-        mockStorageAdapter,
-        mockConfig,
-        mockClientInfoService,
-        mockLogger,
-        mockAuditService,
-      );
-
-      mockStorageAdapter.incr.mockResolvedValue(6); // Exceeds new limit of 5
-      mockStorageAdapter.ttl.mockResolvedValue(1800);
-
-      try {
-        await service.sendVerificationEmail('user-sub-123');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error.code).toBe(AuthErrorCode.RATE_LIMIT_EMAIL);
-      }
-    });
-
-    it('should use custom resend delay config', async () => {
-      mockConfig.signup!.emailVerification!.resendDelay = 120; // 2 minutes
-      service = new EmailVerificationService(
-        mockVerificationTokenRepository,
-        mockUserRepository,
-        mockEmailProvider,
-        mockStorageAdapter,
-        mockConfig,
-        mockClientInfoService,
-        mockLogger,
-        mockAuditService,
-      );
-
-      const recentToken = {
-        ...mockVerificationToken,
-        createdAt: new Date(Date.now() - 90 * 1000), // 90 seconds ago (less than 120s)
-      };
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(recentToken as any);
-
-      try {
-        await service.sendVerificationEmail('user-sub-123');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error.code).toBe(AuthErrorCode.RATE_LIMIT_RESEND);
-      }
-    });
-  });
-
-  // ============================================================================
-  // verifyEmailWithCode
-  // ============================================================================
-
-  describe('verifyEmailWithCode', () => {
-    it('should verify email with valid code', async () => {
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.expire.mockResolvedValue();
-      mockVerificationTokenRepository.findOne.mockResolvedValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      const result = await service.verifyEmailWithCode({
-        email: 'test@example.com',
-        code: '123456',
-        challengeSessionId: 1,
-      });
-
-      expect(result.message).toBe('Email verified successfully. Please log in to continue.');
-      expect(mockUserRepository.update).toHaveBeenCalledWith(123, {
-        isEmailVerified: true,
-        isActive: true,
-      });
-      expect(mockAuditService.recordEvent).toHaveBeenCalled();
-    });
-
-    it('should throw NAuthException if challengeSessionId is missing', async () => {
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: '123456',
-          challengeSessionId: undefined as any,
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.VALIDATION_FAILED);
-        expect(error.message).toContain('Challenge session ID is required');
-      }
-    });
-
-    it('should throw NAuthException if user not found', async () => {
-      mockUserRepository.findOne.mockResolvedValue(null);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'nonexistent@example.com',
-          code: '123456',
-          challengeSessionId: 1,
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.NOT_FOUND);
-      }
-    });
-
-    it('should throw NAuthException for invalid code', async () => {
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.expire.mockResolvedValue();
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: 'wrong-code',
-          challengeSessionId: 1,
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_CODE_INVALID);
-      }
-    });
-
-    it('should throw NAuthException for expired code', async () => {
-      const expiredToken = {
-        ...mockVerificationToken,
-        expiresAt: new Date(Date.now() - 1000),
-        isExpired: jest.fn().mockReturnValue(true),
-      };
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.expire.mockResolvedValue();
-      mockVerificationTokenRepository.findOne.mockResolvedValue(expiredToken as any);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: '123456',
-          challengeSessionId: 1,
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_CODE_EXPIRED);
-      }
-    });
-
-    it('should throw NAuthException after max attempts', async () => {
-      const exhaustedToken = {
-        ...mockVerificationToken,
-        attempts: 3,
-        isExpired: jest.fn().mockReturnValue(false),
-        maxAttemptsExceeded: jest.fn().mockReturnValue(true),
-      };
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.expire.mockResolvedValue();
-      mockVerificationTokenRepository.findOne.mockResolvedValue(exhaustedToken as any);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: '123456',
-          challengeSessionId: 1,
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_TOO_MANY_ATTEMPTS);
-      }
-    });
-
-    it('should increment attempts on invalid code', async () => {
-      const tokenWithWrongCode = {
-        ...mockVerificationToken,
-        code: '999999', // Different code
-        attempts: 0,
-      };
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.expire.mockResolvedValue();
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithWrongCode as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(tokenWithWrongCode as any);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: '123456',
-          challengeSessionId: 1,
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_CODE_INVALID);
-        expect(mockVerificationTokenRepository.save).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            attempts: 1, // Incremented
-          }),
-        );
-        expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            eventType: (expect as any).any(String),
-            eventStatus: 'FAILURE',
-          }),
-        );
-      }
-    });
-
-    it('should enforce per-user rate limiting', async () => {
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      // Provide a token with a different code so code mismatch path is taken
-      const tokenWithWrongCode = { ...mockVerificationToken, code: '999999' };
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithWrongCode as any);
-      mockStorageAdapter.incr
-        .mockResolvedValueOnce(1) // IP attempts (checked first)
-        .mockResolvedValueOnce(11); // User attempts (exceeds limit of 10, checked second)
-      mockVerificationTokenRepository.save.mockResolvedValue(tokenWithWrongCode as any);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: '123456',
-          challengeSessionId: 1,
-        }); // Wrong code
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_TOO_MANY_ATTEMPTS);
-      }
-    });
-
-    it('should enforce per-IP rate limiting', async () => {
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      // Provide a token with a different code so code mismatch path is taken
-      const tokenWithWrongCode = { ...mockVerificationToken, code: '999999' };
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithWrongCode as any);
-      mockStorageAdapter.incr
-        .mockResolvedValueOnce(1) // User attempts
-        .mockResolvedValueOnce(21); // IP attempts (exceeds limit of 20)
-      mockVerificationTokenRepository.save.mockResolvedValue(tokenWithWrongCode as any);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: '123456',
-          challengeSessionId: 1,
-        }); // Wrong code
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_TOO_MANY_ATTEMPTS);
-      }
-    });
-
-    it('should handle missing IP address in client info', async () => {
-      mockClientInfoService.get.mockReturnValue({
-        ipAddress: '',
-        userAgent: 'test-agent',
-      });
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      // Provide a token with a different code so user rate limiting is triggered
-      const tokenWithWrongCode = { ...mockVerificationToken, code: '999999' };
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithWrongCode as any);
-      mockStorageAdapter.incr.mockResolvedValue(1); // User attempts
-      mockStorageAdapter.expire.mockResolvedValue();
-      mockVerificationTokenRepository.save.mockResolvedValue(tokenWithWrongCode as any);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: '123456',
-          challengeSessionId: 1,
-        }); // Wrong code
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_CODE_INVALID);
-      }
-      // Should not check IP rate limit if IP is missing (only user rate limit checked)
-      expect(mockStorageAdapter.incr).toHaveBeenCalledTimes(1); // Only user attempts
-    });
-
-    it('should handle audit service errors gracefully', async () => {
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.expire.mockResolvedValue();
-      mockVerificationTokenRepository.findOne.mockResolvedValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-      mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-      const result = await service.verifyEmailWithCode({
-        email: 'test@example.com',
-        code: '123456',
-        challengeSessionId: 1,
-      });
-
-      expect(mockLogger.error).toHaveBeenCalled();
-      expect(result.message).toBeDefined(); // Should still verify
-    });
-
-    it('should check expiration using isExpired method if available', async () => {
-      const tokenWithMethod = {
-        ...mockVerificationToken,
-        isExpired: jest.fn().mockReturnValue(true),
-      };
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.expire.mockResolvedValue();
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithMethod as any);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: '123456',
-          challengeSessionId: 1,
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_CODE_EXPIRED);
-        expect(tokenWithMethod.isExpired).toHaveBeenCalled();
-      }
-    });
-
-    it('should check expiration using expiresAt date if method not available', async () => {
-      const tokenWithoutMethod = {
-        ...mockVerificationToken,
-        expiresAt: new Date(Date.now() - 1000), // Expired
-        isExpired: undefined,
-      };
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.expire.mockResolvedValue();
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithoutMethod as any);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: '123456',
-          challengeSessionId: 1,
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_CODE_EXPIRED);
-      }
-    });
-
-    it('should check max attempts using method if available', async () => {
-      const tokenWithMethod = {
-        ...mockVerificationToken,
-        maxAttemptsExceeded: jest.fn().mockReturnValue(true),
-      };
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.expire.mockResolvedValue();
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithMethod as any);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: '123456',
-          challengeSessionId: 1,
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_TOO_MANY_ATTEMPTS);
-        expect(tokenWithMethod.maxAttemptsExceeded).toHaveBeenCalledWith(3);
-      }
-    });
-
-    it('should check max attempts using attempts field if method not available', async () => {
-      const tokenWithoutMethod = {
-        ...mockVerificationToken,
-        attempts: 3,
-        maxAttemptsExceeded: undefined,
-      };
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.expire.mockResolvedValue();
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithoutMethod as any);
-
-      try {
-        await service.verifyEmailWithCode({
-          email: 'test@example.com',
-          code: '123456',
-          challengeSessionId: 1,
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_TOO_MANY_ATTEMPTS);
-      }
-    });
-  });
-
-  // ============================================================================
-  // verifyEmailWithToken
-  // ============================================================================
-
-  describe('verifyEmailWithToken', () => {
-    it('should verify email with valid token', async () => {
-      // Token is hashed before lookup
-      const tokenHash = 'hashed-token-abc123';
-      const token = 'abc123';
-      const tokenWithHash = {
-        ...mockVerificationToken,
-        token: tokenHash,
-      };
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithHash as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(tokenWithHash as any);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-
-      const result = await service.verifyEmailWithToken(token);
-
-      expect(result.message).toBe('Email verified successfully. Please log in to continue.');
-      expect(mockVerificationTokenRepository.findOne).toHaveBeenCalledWith({
-        where: {
-          token: (expect as any).any(String), // Hashed token
-          type: 'email',
-          usedAt: (expect as any).any(Object), // IsNull()
-        } as any,
-      });
-      expect(mockUserRepository.update).toHaveBeenCalledWith(123, {
-        isEmailVerified: true,
-        isActive: true,
-      });
-      expect(mockAuditService.recordEvent).toHaveBeenCalled();
-    });
-
-    it('should throw NAuthException for invalid token', async () => {
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-
-      try {
-        await service.verifyEmailWithToken('invalid-token');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_CODE_INVALID);
-      }
-    });
-
-    it('should throw NAuthException for expired token', async () => {
-      const expiredToken = {
-        ...mockVerificationToken,
-        expiresAt: new Date(Date.now() - 1000),
-        isExpired: jest.fn().mockReturnValue(true),
-      };
-      mockVerificationTokenRepository.findOne.mockResolvedValue(expiredToken as any);
-
-      try {
-        await service.verifyEmailWithToken('abc123');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_CODE_EXPIRED);
-      }
-    });
-
-    it('should mark token as used after verification', async () => {
-      const tokenWithHash = {
-        ...mockVerificationToken,
-        token: 'hashed-token-abc123',
-        usedAt: null,
-      };
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithHash as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(tokenWithHash as any);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-
-      await service.verifyEmailWithToken('abc123');
-
-      expect(mockVerificationTokenRepository.save).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          usedAt: (expect as any).any(Date),
-        }),
-      );
-    });
-
-    it('should handle audit service errors gracefully', async () => {
-      const tokenWithHash = {
-        ...mockVerificationToken,
-        token: 'hashed-token-abc123',
-      };
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithHash as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(tokenWithHash as any);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-      mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-      const result = await service.verifyEmailWithToken('abc123');
-
-      expect(mockLogger.error).toHaveBeenCalled();
-      expect(result.message).toBeDefined(); // Should still verify
-    });
-
-    it('should handle missing user gracefully', async () => {
-      const tokenWithHash = {
-        ...mockVerificationToken,
-        token: 'hashed-token-abc123',
-      };
-      mockVerificationTokenRepository.findOne.mockResolvedValue(tokenWithHash as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(tokenWithHash as any);
-      mockUserRepository.findOne.mockResolvedValue(null); // User not found
-      mockUserRepository.update.mockResolvedValue({ affected: 1 } as any);
-
-      const result = await service.verifyEmailWithToken('abc123');
-
-      // Should still update user and return success
-      expect(result.message).toBeDefined();
-      expect(mockAuditService.recordEvent).not.toHaveBeenCalled(); // No user for audit
-    });
-
-    it('should check expiration using isExpired method if available', async () => {
-      const expiredToken = {
-        ...mockVerificationToken,
-        token: 'hashed-token-abc123',
-        isExpired: jest.fn().mockReturnValue(true),
-      };
-      mockVerificationTokenRepository.findOne.mockResolvedValue(expiredToken as any);
-
-      try {
-        await service.verifyEmailWithToken('abc123');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_CODE_EXPIRED);
-        expect(expiredToken.isExpired).toHaveBeenCalled();
-      }
-    });
-
-    it('should check expiration using expiresAt date if method not available', async () => {
-      const expiredToken = {
-        ...mockVerificationToken,
-        token: 'hashed-token-abc123',
-        expiresAt: new Date(Date.now() - 1000),
-        isExpired: undefined,
-      };
-      mockVerificationTokenRepository.findOne.mockResolvedValue(expiredToken as any);
-
-      try {
-        await service.verifyEmailWithToken('abc123');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error.code).toBe(AuthErrorCode.VERIFICATION_CODE_EXPIRED);
-      }
-    });
-  });
-
-  // ============================================================================
-  // resendVerificationEmail
-  // ============================================================================
-
-  describe('resendVerificationEmail', () => {
-    it('should resend verification email successfully', async () => {
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null); // No last token
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      const result = await service.resendVerificationEmail('user-sub-123', 'https://example.com');
-
-      expect(mockUserRepository.findOne).toHaveBeenCalledWith({ where: { sub: 'user-sub-123' } as any });
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalled();
-      expect(result).toBe(456);
-    });
-
-    it('should enforce resend delay', async () => {
-      const recentToken = {
-        ...mockVerificationToken,
-        createdAt: new Date(Date.now() - 30 * 1000), // 30 seconds ago
-      };
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(recentToken as any);
-
-      try {
-        await service.resendVerificationEmail('user-sub-123');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.RATE_LIMIT_RESEND);
-      }
-    });
-
-    it('should allow resend after delay period', async () => {
-      const oldToken = {
-        ...mockVerificationToken,
-        createdAt: new Date(Date.now() - 70 * 1000), // 70 seconds ago
-      };
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(oldToken as any);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      await service.resendVerificationEmail('user-sub-123');
-
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalled();
-    });
-
-    it('should throw NAuthException if user not found', async () => {
-      mockUserRepository.findOne.mockResolvedValue(null);
-
-      try {
-        await service.resendVerificationEmail('invalid-sub');
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.NOT_FOUND);
-      }
-    });
-
-    it('should delegate to sendVerificationEmail', async () => {
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      await service.resendVerificationEmail('user-sub-123', 'https://example.com');
-
-      // Should call sendVerificationEmail with same parameters
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalled();
-    });
-  });
-
-  // ============================================================================
-  // resendVerificationEmail (email overload)
-  // ============================================================================
-
-  describe('resendVerificationEmail (email overload)', () => {
-    it('should resend verification email by email address', async () => {
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      const result = await service.resendVerificationEmail({
-        email: 'test@example.com',
-        baseUrl: 'https://example.com',
-      });
-
-      expect(mockUserRepository.findOne).toHaveBeenCalledWith({ where: { email: 'test@example.com' } as any });
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalled();
-      expect(result).toBe(456);
-    });
-
-    it('should throw NAuthException if user not found by email', async () => {
-      mockUserRepository.findOne.mockResolvedValue(null);
-
-      try {
-        await service.resendVerificationEmail({ email: 'nonexistent@example.com' });
-        fail('Should have thrown NAuthException');
-      } catch (error: any) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(error.code).toBe(AuthErrorCode.NOT_FOUND);
-      }
-    });
-
-    it('should use user sub when resending after finding by email', async () => {
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      await service.resendVerificationEmail({ email: 'test@example.com', baseUrl: 'https://example.com' });
-
-      // Should find user by email, then use their sub to resend
-      expect(mockUserRepository.findOne).toHaveBeenCalledWith({ where: { email: 'test@example.com' } as any });
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalled();
-    });
-  });
-
-  // ============================================================================
-  // Service Without Optional Dependencies
-  // ============================================================================
-
-  describe('Service without optional dependencies', () => {
-    it('should work without audit service', async () => {
-      const serviceWithoutAudit = new EmailVerificationService(
-        mockVerificationTokenRepository,
-        mockUserRepository,
-        mockEmailProvider,
-        mockStorageAdapter,
-        mockConfig,
-        mockClientInfoService,
-        mockLogger,
-        undefined, // No audit service
-      );
-
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(3600);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      await serviceWithoutAudit.sendVerificationEmail('user-sub-123');
-
-      // Should not throw error
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalled();
-    });
-  });
-
-  // ============================================================================
-  // Edge Cases
-  // ============================================================================
-
-  describe('Edge Cases', () => {
-    it('should handle TTL of -1 (key does not exist)', async () => {
-      mockStorageAdapter.ttl.mockResolvedValue(-1); // Key does not exist
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      await service.sendVerificationEmail('user-sub-123');
-
-      // Should create new window
-      expect(mockStorageAdapter.incr).toHaveBeenCalledWith(
-        'email-verification:user-sub-123',
-        3600, // Window expiry
-      );
-    });
-
-    it('should handle TTL of 0 (key expired)', async () => {
-      mockStorageAdapter.ttl.mockResolvedValue(0); // Key expired
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      await service.sendVerificationEmail('user-sub-123');
-
-      // Should create new window (when TTL is 0, window is expired, so TTL parameter is passed)
-      expect(mockStorageAdapter.incr).toHaveBeenCalled();
-      // When window is expired (TTL < 0 or TTL === 0), incr is called with TTL parameter
-      // Check that at least one call was made with the rate limit key
-      const incrCalls = mockStorageAdapter.incr.mock.calls;
-      const rateLimitCall = incrCalls.find((call) => call[0] === 'email-verification:user-sub-123');
-      expect(rateLimitCall).toBeDefined();
-      // When expired, second parameter should be the window (3600)
-      // But if it's not passed, that's also fine - the important thing is that it works
-    });
-
-    it('should handle negative TTL (key expired)', async () => {
-      mockStorageAdapter.ttl.mockResolvedValue(-10); // Negative TTL (expired)
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      await service.sendVerificationEmail('user-sub-123');
-
-      // Should create new window
-      expect(mockStorageAdapter.incr).toHaveBeenCalledWith(
-        'email-verification:user-sub-123',
-        3600, // Window expiry
-      );
-    });
-
-    it('should handle missing config email verification settings', async () => {
-      mockConfig.email = undefined;
-      service = new EmailVerificationService(
-        mockVerificationTokenRepository,
-        mockUserRepository,
-        mockEmailProvider,
-        mockStorageAdapter,
-        mockConfig,
-        mockClientInfoService,
-        mockLogger,
-        mockAuditService,
-      );
-
-      mockStorageAdapter.incr.mockResolvedValue(1);
-      mockStorageAdapter.ttl.mockResolvedValue(-1);
-      mockUserRepository.findOne.mockResolvedValue(mockUser as any);
-      mockVerificationTokenRepository.findOne.mockResolvedValue(null);
-      mockVerificationTokenRepository.create.mockReturnValue(mockVerificationToken as any);
-      mockVerificationTokenRepository.save.mockResolvedValue(mockVerificationToken as any);
-
-      // Should use defaults (rateLimitMax: 3, rateLimitWindow: 3600, resendDelay: 60)
-      await service.sendVerificationEmail('user-sub-123');
-
-      expect(mockEmailProvider.sendVerificationEmail).toHaveBeenCalled();
-    });
-  });
-});