@nauth-toolkit/core 0.1.0 → 0.1.5

package/src/services/challenge.service.spec.ts

@@ -1,1363 +0,0 @@
-import { Repository, SelectQueryBuilder } from 'typeorm';
-import { ChallengeService } from './challenge.service';
-import { NAuthException } from '../exceptions/nauth.exception';
-import { IUser, IChallengeSession } from '../interfaces/entities.interface';
-import { AuthChallenge } from '../dto/auth-challenge.dto';
-import { NAuthLogger } from '../utils/nauth-logger';
-import { AuthAuditService } from './auth-audit.service';
-import { AuthAuditEventType } from '../enums/auth-audit-event-type.enum';
-import { AuthErrorCode } from '../enums/error-codes.enum';
-import { BaseChallengeSession } from '../entities';
-import { ClientInfoService } from './client-info.service';
-
-/**
- * Challenge Service Unit Tests
- *
- * Tests challenge session creation, validation, consumption, and cleanup.
- * Covers all challenge types, expiration, max attempts, and edge cases.
- *
- * Platform-agnostic: Uses direct instantiation, no NestJS dependencies.
- */
-describe('ChallengeService', () => {
-  let service: ChallengeService;
-  let mockChallengeSessionRepository: jest.Mocked<Repository<BaseChallengeSession>>;
-  let mockClientInfoService: jest.Mocked<ClientInfoService>;
-  let mockAuditService: jest.Mocked<AuthAuditService>;
-  let mockLogger: jest.Mocked<NAuthLogger>;
-  let mockQueryBuilder: jest.Mocked<SelectQueryBuilder<BaseChallengeSession>>;
-
-  const mockUser: Partial<IUser> = {
-    id: 1,
-    sub: 'user-uuid-123',
-    email: 'test@example.com',
-    phone: '+1234567890',
-    isEmailVerified: false,
-    isPhoneVerified: false,
-  };
-
-  const mockChallengeSession: Partial<IChallengeSession> = {
-    id: 1,
-    userId: 1,
-    user: mockUser as IUser,
-    challengeName: AuthChallenge.VERIFY_EMAIL,
-    sessionToken: 'session-token-123',
-    expiresAt: new Date(Date.now() + 15 * 60 * 1000), // 15 minutes from now
-    isCompleted: false,
-    completedAt: null,
-    attempts: 0,
-    maxAttempts: 3,
-    ipAddress: '1.2.3.4',
-    userAgent: 'test-user-agent',
-    createdAt: new Date(),
-  };
-
-  beforeEach(() => {
-    // Create mock query builder
-    mockQueryBuilder = {
-      leftJoinAndSelect: jest.fn().mockReturnThis(),
-      where: jest.fn().mockReturnThis(),
-      select: jest.fn().mockReturnThis(),
-      getOne: jest.fn(),
-    } as any;
-
-    // Create mock repository
-    mockChallengeSessionRepository = {
-      create: jest.fn(),
-      save: jest.fn(),
-      delete: jest.fn(),
-      findOne: jest.fn(),
-      createQueryBuilder: jest.fn(() => mockQueryBuilder),
-    } as any;
-
-    // Create mock services
-
-    mockAuditService = {
-      recordEvent: jest.fn(),
-    } as any;
-
-    mockLogger = {
-      log: jest.fn(),
-      error: jest.fn(),
-      warn: jest.fn(),
-      debug: jest.fn(),
-    } as any;
-
-    mockClientInfoService = {
-      get: jest.fn().mockReturnValue({
-        ipAddress: '1.2.3.4',
-        userAgent: 'test-user-agent',
-      }),
-    } as any;
-
-    // Instantiate service directly
-    service = new ChallengeService(mockChallengeSessionRepository, mockClientInfoService, mockLogger, mockAuditService);
-  });
-
-  afterEach(() => {
-    jest.clearAllMocks();
-  });
-
-  // ============================================================================
-  // Service Initialization
-  // ============================================================================
-
-  it('should be defined', () => {
-    expect(service).toBeDefined();
-  });
-
-  // ============================================================================
-  // createChallengeSession() Method
-  // ============================================================================
-
-  describe('createChallengeSession', () => {
-    it('should create a challenge session successfully', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue(mockChallengeSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      const result = await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL, {
-        email: mockUser.email,
-      });
-
-      expect(result).toBeDefined();
-      expect(result.challengeName).toBe(AuthChallenge.VERIFY_EMAIL);
-      expect(mockChallengeSessionRepository.create).toHaveBeenCalled();
-      expect(mockChallengeSessionRepository.save).toHaveBeenCalled();
-      expect(mockLogger.log).toHaveBeenCalled();
-    });
-
-    it('should cleanup expired sessions before creating new one', async () => {
-      const deleteSpy = mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 2 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue(mockChallengeSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL);
-
-      expect(deleteSpy).toHaveBeenCalledTimes(2); // Once for expired, once for completed
-    });
-
-    it('should throttle cleanup to once per 5 minutes per user', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue(mockChallengeSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      // Create first session
-      await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL);
-      const firstDeleteCount = mockChallengeSessionRepository.delete.mock.calls.length;
-
-      // Create second session immediately (should not trigger cleanup again)
-      await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_PHONE);
-      const secondDeleteCount = mockChallengeSessionRepository.delete.mock.calls.length;
-
-      // Cleanup should only run once (first call)
-      expect(secondDeleteCount).toBe(firstDeleteCount);
-    });
-
-    it('should create session with default expiration (15 minutes)', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      const createdSession = { ...mockChallengeSession, expiresAt: new Date() } as any;
-      mockChallengeSessionRepository.create.mockReturnValue(createdSession);
-      mockChallengeSessionRepository.save.mockResolvedValue(createdSession);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      jest.useFakeTimers();
-      const now = Date.now();
-      jest.setSystemTime(now);
-
-      await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL);
-
-      expect(mockChallengeSessionRepository.create).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          expiresAt: (expect as any).any(Date),
-        }),
-      );
-
-      const createdCall = mockChallengeSessionRepository.create.mock.calls[0][0] as any;
-      const expectedExpiry = new Date(now + 15 * 60 * 1000);
-      if (createdCall?.expiresAt) {
-        expect(createdCall.expiresAt.getTime()).toBeCloseTo(expectedExpiry.getTime(), -2); // Within 100ms
-      }
-
-      jest.useRealTimers();
-    });
-
-    it('should create session with provided metadata', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue(mockChallengeSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      const metadata = { email: 'test@example.com', verificationTokenId: 123 };
-
-      await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL, metadata);
-
-      expect(mockChallengeSessionRepository.create).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          metadata,
-        }),
-      );
-    });
-
-    it('should create session with provided IP and user agent', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue(mockChallengeSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      mockClientInfoService.get.mockReturnValue({
-        ipAddress: '192.168.1.1',
-        userAgent: 'Custom-Agent',
-      });
-
-      await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL, undefined);
-
-      expect(mockChallengeSessionRepository.create).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          ipAddress: '192.168.1.1',
-          userAgent: 'Custom-Agent',
-        }),
-      );
-    });
-
-    it('should record audit event on session creation', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      const sessionWithId = { ...mockChallengeSession, id: 1 } as any;
-      mockChallengeSessionRepository.create.mockReturnValue(sessionWithId);
-      mockChallengeSessionRepository.save.mockResolvedValue(sessionWithId);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL);
-
-      expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          eventType: AuthAuditEventType.CHALLENGE_CREATED,
-          eventStatus: 'INFO',
-          userId: mockUser.id,
-        }),
-      );
-    });
-
-    it('should handle audit service errors gracefully', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue(mockChallengeSession as any);
-      mockAuditService.recordEvent.mockRejectedValue(new Error('Audit service error'));
-
-      const result = await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL);
-
-      expect(result).toBeDefined();
-      expect(mockLogger.error).toHaveBeenCalled();
-    });
-
-    it('should handle non-Error audit exceptions', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue(mockChallengeSession as any);
-      mockAuditService.recordEvent.mockRejectedValue('String error' as any);
-
-      const result = await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL);
-
-      expect(result).toBeDefined();
-      expect(mockLogger.error).toHaveBeenCalledWith(
-        (expect as any).stringContaining('Failed to record CHALLENGE_CREATED audit event: Unknown error'),
-        (expect as any).any(Object),
-      );
-    });
-
-    it('should reuse existing active challenge session (deduplication)', async () => {
-      const existingSession = {
-        ...mockChallengeSession,
-        id: 123,
-        sessionToken: 'existing-token-456',
-        expiresAt: new Date(Date.now() + 10 * 60 * 1000), // 10 minutes from now (not expired)
-        isCompleted: false,
-        user: mockUser,
-      };
-
-      // Mock finding an existing active session
-      mockChallengeSessionRepository.findOne.mockResolvedValue(existingSession as any);
-
-      const result = await service.createChallengeSession(mockUser as IUser, AuthChallenge.MFA_SETUP_REQUIRED);
-
-      // Should return existing session
-      expect(result.sessionToken).toBe('existing-token-456');
-      expect(result.id).toBe(123);
-
-      // Should NOT create a new session
-      expect(mockChallengeSessionRepository.create).not.toHaveBeenCalled();
-      expect(mockChallengeSessionRepository.save).not.toHaveBeenCalled();
-
-      // Should NOT record a duplicate CHALLENGE_CREATED audit event
-      expect(mockAuditService.recordEvent).not.toHaveBeenCalled();
-    });
-
-    it('should create new session if existing session is expired', async () => {
-      const expiredSession = {
-        ...mockChallengeSession,
-        id: 123,
-        sessionToken: 'expired-token',
-        expiresAt: new Date(Date.now() - 1000), // Expired 1 second ago
-        isCompleted: false,
-        user: mockUser,
-      };
-
-      // Mock finding an expired session
-      mockChallengeSessionRepository.findOne.mockResolvedValue(expiredSession as any);
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 1 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue({ ...mockChallengeSession, id: 124 } as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      const result = await service.createChallengeSession(mockUser as IUser, AuthChallenge.MFA_SETUP_REQUIRED);
-
-      // Should delete expired session
-      expect(mockChallengeSessionRepository.delete).toHaveBeenCalledWith({ id: 123 });
-
-      // Should create a new session
-      expect(mockChallengeSessionRepository.create).toHaveBeenCalled();
-      expect(mockChallengeSessionRepository.save).toHaveBeenCalled();
-
-      // Should record new CHALLENGE_CREATED audit event
-      expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          eventType: AuthAuditEventType.CHALLENGE_CREATED,
-        }),
-      );
-    });
-
-    it('should create new session if no existing session found', async () => {
-      // Mock no existing session
-      mockChallengeSessionRepository.findOne.mockResolvedValue(null);
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue({ ...mockChallengeSession, id: 125 } as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      const result = await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL);
-
-      // Should create a new session
-      expect(mockChallengeSessionRepository.create).toHaveBeenCalled();
-      expect(mockChallengeSessionRepository.save).toHaveBeenCalled();
-
-      // Should record CHALLENGE_CREATED audit event
-      expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          eventType: AuthAuditEventType.CHALLENGE_CREATED,
-        }),
-      );
-    });
-
-    it('should use client info from ClientInfoService in audit event', async () => {
-      mockChallengeSessionRepository.findOne.mockResolvedValue(null);
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      const sessionWithId = { ...mockChallengeSession, id: 1 } as any;
-      mockChallengeSessionRepository.create.mockReturnValue(sessionWithId);
-      mockChallengeSessionRepository.save.mockResolvedValue(sessionWithId);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      mockClientInfoService.get.mockReturnValue({
-        ipAddress: '192.168.1.100',
-        userAgent: 'Custom-Agent-String',
-      });
-
-      await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL, undefined);
-
-      // Audit service now gets IP and userAgent from ClientInfoService automatically
-      // Verify that recordEvent was called (the audit service will extract client info from context)
-      expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          userId: mockUser.id,
-          eventType: AuthAuditEventType.CHALLENGE_CREATED,
-          eventStatus: 'INFO',
-        }),
-      );
-      // Verify that ClientInfoService was called to get client info
-      expect(mockClientInfoService.get).toHaveBeenCalled();
-    });
-
-    it('should create MFA challenge sessions with metadata', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      const mfaSession = {
-        ...mockChallengeSession,
-        challengeName: AuthChallenge.MFA_REQUIRED,
-      } as any;
-      mockChallengeSessionRepository.create.mockReturnValue(mfaSession);
-      mockChallengeSessionRepository.save.mockResolvedValue(mfaSession);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      const mfaMetadata = {
-        deviceId: 'device-123',
-        method: 'TOTP',
-        availableMethods: ['TOTP', 'SMS'],
-      };
-
-      const result = await service.createChallengeSession(mockUser as IUser, AuthChallenge.MFA_REQUIRED, mfaMetadata);
-
-      expect(result.challengeName).toBe(AuthChallenge.MFA_REQUIRED);
-      expect(mockChallengeSessionRepository.create).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          challengeName: AuthChallenge.MFA_REQUIRED,
-          metadata: mfaMetadata,
-        }),
-      );
-    });
-
-    it('should create MFA_SETUP_REQUIRED challenge sessions', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      const mfaSetupSession = {
-        ...mockChallengeSession,
-        challengeName: AuthChallenge.MFA_SETUP_REQUIRED,
-      } as any;
-      mockChallengeSessionRepository.create.mockReturnValue(mfaSetupSession);
-      mockChallengeSessionRepository.save.mockResolvedValue(mfaSetupSession);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      const setupMetadata = {
-        allowedMethods: ['TOTP', 'SMS', 'EMAIL'],
-        gracePeriodExpired: true,
-      };
-
-      const result = await service.createChallengeSession(
-        mockUser as IUser,
-        AuthChallenge.MFA_SETUP_REQUIRED,
-        setupMetadata,
-      );
-
-      expect(result.challengeName).toBe(AuthChallenge.MFA_SETUP_REQUIRED);
-      expect(mockChallengeSessionRepository.create).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          challengeName: AuthChallenge.MFA_SETUP_REQUIRED,
-          metadata: setupMetadata,
-        }),
-      );
-    });
-
-    it('should create FORCE_CHANGE_PASSWORD challenge sessions', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      const passwordChangeSession = {
-        ...mockChallengeSession,
-        challengeName: AuthChallenge.FORCE_CHANGE_PASSWORD,
-      } as any;
-      mockChallengeSessionRepository.create.mockReturnValue(passwordChangeSession);
-      mockChallengeSessionRepository.save.mockResolvedValue(passwordChangeSession);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      const passwordChangeMetadata = {
-        reason: 'admin_forced',
-        passwordExpired: true,
-        instructions: 'You must change your password before continuing',
-      };
-
-      const result = await service.createChallengeSession(
-        mockUser as IUser,
-        AuthChallenge.FORCE_CHANGE_PASSWORD,
-        passwordChangeMetadata,
-      );
-
-      expect(result.challengeName).toBe(AuthChallenge.FORCE_CHANGE_PASSWORD);
-      expect(mockChallengeSessionRepository.create).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          challengeName: AuthChallenge.FORCE_CHANGE_PASSWORD,
-          metadata: passwordChangeMetadata,
-        }),
-      );
-    });
-
-    // VERIFY_EMAIL_AND_PHONE removed - challenges are sequential (VERIFY_EMAIL first, then VERIFY_PHONE)
-    // This test is no longer needed as the challenge system works sequentially
-
-    it('should trigger cleanup after 5 minutes have passed', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue(mockChallengeSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      jest.useFakeTimers();
-      const now = Date.now();
-      jest.setSystemTime(now);
-
-      // Create first session
-      await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL);
-      const firstDeleteCount = mockChallengeSessionRepository.delete.mock.calls.length;
-
-      // Advance time by 5 minutes and 1 second
-      jest.setSystemTime(now + 5 * 60 * 1000 + 1000);
-
-      // Create second session (should trigger cleanup again)
-      await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_PHONE);
-      const secondDeleteCount = mockChallengeSessionRepository.delete.mock.calls.length;
-
-      // Cleanup should run again after 5 minutes
-      expect(secondDeleteCount).toBeGreaterThan(firstDeleteCount);
-
-      jest.useRealTimers();
-    });
-
-    it('should create session for all challenge types', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue(mockChallengeSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      const challengeTypes = [
-        AuthChallenge.VERIFY_EMAIL,
-        AuthChallenge.VERIFY_PHONE,
-        AuthChallenge.MFA_REQUIRED,
-        AuthChallenge.MFA_SETUP_REQUIRED,
-        AuthChallenge.FORCE_CHANGE_PASSWORD,
-      ];
-
-      for (const challengeType of challengeTypes) {
-        await service.createChallengeSession(mockUser as IUser, challengeType);
-        expect(mockChallengeSessionRepository.create).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            challengeName: challengeType,
-          }),
-        );
-        jest.clearAllMocks();
-      }
-    });
-  });
-
-  // ============================================================================
-  // validateSession() Method
-  // ============================================================================
-
-  describe('validateSession', () => {
-    it('should validate a valid session', async () => {
-      const validSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() + 60000), // 1 minute from now
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(validSession as any);
-
-      const result = await service.validateSession('session-token-123', AuthChallenge.VERIFY_EMAIL);
-
-      expect(result).toBeDefined();
-      expect(result.sessionToken).toBe('session-token-123');
-      expect(mockChallengeSessionRepository.findOne).toHaveBeenCalledWith({
-        where: { sessionToken: 'session-token-123' },
-        relations: ['user'],
-      });
-    });
-
-    it('should throw NAuthException if session not found', async () => {
-      mockChallengeSessionRepository.findOne.mockResolvedValue(null);
-
-      try {
-        await service.validateSession('invalid-token');
-        fail('Should have thrown NAuthException');
-      } catch (error) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect((error as NAuthException).code).toBe(AuthErrorCode.CHALLENGE_INVALID);
-        expect(mockLogger.warn).toHaveBeenCalled();
-      }
-    });
-
-    it('should throw NAuthException if session expired', async () => {
-      const expiredSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() - 1000), // 1 second ago
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(expiredSession as any);
-
-      try {
-        await service.validateSession('session-token-123');
-        fail('Should have thrown NAuthException');
-      } catch (error) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect((error as NAuthException).code).toBe(AuthErrorCode.CHALLENGE_EXPIRED);
-        expect((error as NAuthException).message).toContain('expired');
-        expect(mockLogger.warn).toHaveBeenCalled();
-      }
-    });
-
-    it('should throw NAuthException if session expires exactly at current time', async () => {
-      jest.useFakeTimers();
-      const now = new Date();
-      jest.setSystemTime(now);
-
-      const exactlyExpiredSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(now.getTime() - 1), // 1ms ago
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(exactlyExpiredSession as any);
-
-      try {
-        await service.validateSession('session-token-123');
-        fail('Should have thrown NAuthException');
-      } catch (error) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect((error as NAuthException).code).toBe(AuthErrorCode.CHALLENGE_EXPIRED);
-      }
-
-      jest.useRealTimers();
-    });
-
-    it('should throw NAuthException if session already completed', async () => {
-      const completedSession = {
-        ...mockChallengeSession,
-        isCompleted: true,
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(completedSession as any);
-
-      try {
-        await service.validateSession('session-token-123');
-        fail('Should have thrown NAuthException');
-      } catch (error) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect((error as NAuthException).code).toBe(AuthErrorCode.CHALLENGE_ALREADY_COMPLETED);
-        expect((error as NAuthException).message).toContain('already been completed');
-        expect(mockLogger.warn).toHaveBeenCalled();
-      }
-    });
-
-    it('should throw NAuthException if max attempts exceeded', async () => {
-      const maxAttemptsSession = {
-        ...mockChallengeSession,
-        attempts: 3,
-        maxAttempts: 3,
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(maxAttemptsSession as any);
-
-      try {
-        await service.validateSession('session-token-123');
-        fail('Should have thrown NAuthException');
-      } catch (error) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect((error as NAuthException).code).toBe(AuthErrorCode.CHALLENGE_MAX_ATTEMPTS);
-        expect((error as NAuthException).message).toContain('Maximum challenge attempts exceeded');
-        expect(mockLogger.warn).toHaveBeenCalled();
-      }
-    });
-
-    it('should throw NAuthException if attempts exceed max attempts', async () => {
-      const overMaxAttemptsSession = {
-        ...mockChallengeSession,
-        attempts: 4,
-        maxAttempts: 3,
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(overMaxAttemptsSession as any);
-
-      try {
-        await service.validateSession('session-token-123');
-        fail('Should have thrown NAuthException');
-      } catch (error) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect((error as NAuthException).code).toBe(AuthErrorCode.CHALLENGE_MAX_ATTEMPTS);
-      }
-    });
-
-    it('should validate session when attempts are just below max', async () => {
-      const validSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() + 60000),
-        attempts: 2,
-        maxAttempts: 3,
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(validSession as any);
-
-      const result = await service.validateSession('session-token-123');
-
-      expect(result).toBeDefined();
-      expect(result.attempts).toBe(2);
-    });
-
-    it('should throw NAuthException if challenge type mismatch', async () => {
-      mockChallengeSessionRepository.findOne.mockResolvedValue(mockChallengeSession as any);
-
-      try {
-        await service.validateSession('session-token-123', AuthChallenge.VERIFY_PHONE);
-        fail('Should have thrown NAuthException');
-      } catch (error) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect((error as NAuthException).code).toBe(AuthErrorCode.CHALLENGE_TYPE_MISMATCH);
-        expect((error as NAuthException).message).toContain('Invalid challenge type');
-        expect(mockLogger.warn).toHaveBeenCalled();
-      }
-    });
-
-    it('should validate session without expected challenge type', async () => {
-      const validSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() + 60000),
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(validSession as any);
-
-      const result = await service.validateSession('session-token-123');
-
-      expect(result).toBeDefined();
-      expect(result.sessionToken).toBe('session-token-123');
-    });
-
-    it('should load session with user relation', async () => {
-      const validSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() + 60000),
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(validSession as any);
-
-      await service.validateSession('session-token-123');
-
-      // Verify findOne is called with relations to load user
-      expect(mockChallengeSessionRepository.findOne).toHaveBeenCalledWith({
-        where: { sessionToken: 'session-token-123' },
-        relations: ['user'],
-      });
-    });
-  });
-
-  // ============================================================================
-  // incrementAttempts() Method
-  // ============================================================================
-
-  describe('incrementAttempts', () => {
-    it('should increment attempt counter', async () => {
-      const session = { ...mockChallengeSession, attempts: 1 } as IChallengeSession;
-      const updatedSession = { ...session, attempts: 2 };
-      mockChallengeSessionRepository.save.mockResolvedValue(updatedSession as any);
-
-      const result = await service.incrementAttempts(session);
-
-      expect(result.attempts).toBe(2);
-      expect(mockChallengeSessionRepository.save).toHaveBeenCalledWith(session);
-    });
-
-    it('should record audit event when max attempts exceeded', async () => {
-      const session = {
-        ...mockChallengeSession,
-        attempts: 2,
-        maxAttempts: 3,
-      } as IChallengeSession;
-      const updatedSession = { ...session, attempts: 3 };
-      mockChallengeSessionRepository.save.mockResolvedValue(updatedSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      await service.incrementAttempts(session);
-
-      expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          eventType: AuthAuditEventType.CHALLENGE_ATTEMPT_FAILED,
-          eventStatus: 'FAILURE',
-          reason: 'max_attempts_exceeded',
-        }),
-      );
-    });
-
-    it('should not record audit event when max attempts not exceeded', async () => {
-      const session = {
-        ...mockChallengeSession,
-        attempts: 1,
-        maxAttempts: 3,
-      } as IChallengeSession;
-      const updatedSession = { ...session, attempts: 2 };
-      mockChallengeSessionRepository.save.mockResolvedValue(updatedSession as any);
-
-      await service.incrementAttempts(session);
-
-      expect(mockAuditService.recordEvent).not.toHaveBeenCalled();
-    });
-
-    it('should handle audit service errors gracefully', async () => {
-      const session = {
-        ...mockChallengeSession,
-        attempts: 2,
-        maxAttempts: 3,
-      } as IChallengeSession;
-      const updatedSession = { ...session, attempts: 3 };
-      mockChallengeSessionRepository.save.mockResolvedValue(updatedSession as any);
-      mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-      const result = await service.incrementAttempts(session);
-
-      expect(result.attempts).toBe(3);
-      expect(mockLogger.error).toHaveBeenCalled();
-    });
-
-    it('should handle non-Error audit exceptions in incrementAttempts', async () => {
-      const session = {
-        ...mockChallengeSession,
-        attempts: 2,
-        maxAttempts: 3,
-      } as IChallengeSession;
-      const updatedSession = { ...session, attempts: 3 };
-      mockChallengeSessionRepository.save.mockResolvedValue(updatedSession as any);
-      mockAuditService.recordEvent.mockRejectedValue('String error' as any);
-
-      const result = await service.incrementAttempts(session);
-
-      expect(result.attempts).toBe(3);
-      expect(mockLogger.error).toHaveBeenCalledWith(
-        (expect as any).stringContaining('Failed to record CHALLENGE_ATTEMPT_FAILED audit event: Unknown error'),
-        (expect as any).any(Object),
-      );
-    });
-
-    it('should record audit event with session IP and userAgent when available', async () => {
-      const session = {
-        ...mockChallengeSession,
-        attempts: 2,
-        maxAttempts: 3,
-        ipAddress: '10.20.30.40',
-        userAgent: 'custom-browser-agent',
-      } as IChallengeSession;
-      const updatedSession = { ...session, attempts: 3 };
-      mockChallengeSessionRepository.save.mockResolvedValue(updatedSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      await service.incrementAttempts(session);
-
-      expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          ipAddress: '10.20.30.40',
-          userAgent: 'custom-browser-agent',
-        }),
-      );
-    });
-
-    it('should record audit event with undefined IP/userAgent when session values are null', async () => {
-      const session = {
-        ...mockChallengeSession,
-        attempts: 2,
-        maxAttempts: 3,
-        ipAddress: null,
-        userAgent: null,
-      } as IChallengeSession;
-      const updatedSession = { ...session, attempts: 3 };
-      mockChallengeSessionRepository.save.mockResolvedValue(updatedSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      await service.incrementAttempts(session);
-
-      expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          ipAddress: undefined,
-          userAgent: undefined,
-        }),
-      );
-    });
-
-    it('should handle audit logging when incrementAttempts reaches exactly max attempts', async () => {
-      const session = {
-        ...mockChallengeSession,
-        attempts: 2,
-        maxAttempts: 3,
-      } as IChallengeSession;
-      const updatedSession = { ...session, attempts: 3 };
-      mockChallengeSessionRepository.save.mockResolvedValue(updatedSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      await service.incrementAttempts(session);
-
-      expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          eventType: AuthAuditEventType.CHALLENGE_ATTEMPT_FAILED,
-          description: (expect as any).stringContaining('maximum attempts (3) exceeded'),
-        }),
-      );
-    });
-
-    it('should handle session without user gracefully', async () => {
-      const sessionWithoutUser = {
-        ...mockChallengeSession,
-        attempts: 2,
-        maxAttempts: 3,
-        user: undefined,
-      } as any;
-      const updatedSession = { ...sessionWithoutUser, attempts: 3 };
-      mockChallengeSessionRepository.save.mockResolvedValue(updatedSession);
-
-      await service.incrementAttempts(sessionWithoutUser);
-
-      // Should not throw, but audit may not be recorded
-      expect(mockChallengeSessionRepository.save).toHaveBeenCalled();
-    });
-  });
-
-  // ============================================================================
-  // validateAndConsumeSession() Method
-  // ============================================================================
-
-  describe('validateAndConsumeSession', () => {
-    it('should validate and mark session as completed', async () => {
-      const validSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() + 60000),
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(validSession as any);
-      const completedSession = { ...validSession, isCompleted: true, completedAt: new Date() };
-      mockChallengeSessionRepository.save.mockResolvedValue(completedSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      const result = await service.validateAndConsumeSession('session-token-123', AuthChallenge.VERIFY_EMAIL);
-
-      expect(result.isCompleted).toBe(true);
-      expect(result.completedAt).toBeDefined();
-      expect(mockChallengeSessionRepository.save).toHaveBeenCalled();
-      expect(mockLogger.log).toHaveBeenCalled();
-    });
-
-    it('should record audit event on session completion', async () => {
-      const validSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() + 60000),
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(validSession as any);
-      const completedSession = { ...validSession, isCompleted: true };
-      mockChallengeSessionRepository.save.mockResolvedValue(completedSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      await service.validateAndConsumeSession('session-token-123', AuthChallenge.VERIFY_EMAIL);
-
-      expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          eventType: AuthAuditEventType.CHALLENGE_COMPLETED,
-          eventStatus: 'SUCCESS',
-          userId: mockUser.id,
-        }),
-      );
-    });
-
-    it('should handle audit service errors gracefully', async () => {
-      const validSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() + 60000),
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(validSession as any);
-      const completedSession = { ...validSession, isCompleted: true };
-      mockChallengeSessionRepository.save.mockResolvedValue(completedSession as any);
-      mockAuditService.recordEvent.mockRejectedValue(new Error('Audit error'));
-
-      const result = await service.validateAndConsumeSession('session-token-123', AuthChallenge.VERIFY_EMAIL);
-
-      expect(result.isCompleted).toBe(true);
-      expect(mockLogger.error).toHaveBeenCalled();
-    });
-
-    it('should handle non-Error audit exceptions in validateAndConsumeSession', async () => {
-      const validSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() + 60000),
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(validSession as any);
-      const completedSession = { ...validSession, isCompleted: true };
-      mockChallengeSessionRepository.save.mockResolvedValue(completedSession as any);
-      mockAuditService.recordEvent.mockRejectedValue('String error' as any);
-
-      const result = await service.validateAndConsumeSession('session-token-123', AuthChallenge.VERIFY_EMAIL);
-
-      expect(result.isCompleted).toBe(true);
-      expect(mockLogger.error).toHaveBeenCalledWith(
-        (expect as any).stringContaining('Failed to record CHALLENGE_COMPLETED audit event: Unknown error'),
-        (expect as any).any(Object),
-      );
-    });
-
-    it('should handle validateAndConsumeSession with null session IP and userAgent', async () => {
-      const validSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() + 60000),
-        ipAddress: null,
-        userAgent: null,
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(validSession as any);
-      const completedSession = { ...validSession, isCompleted: true };
-      mockChallengeSessionRepository.save.mockResolvedValue(completedSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      await service.validateAndConsumeSession('session-token-123', AuthChallenge.VERIFY_EMAIL);
-
-      expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          ipAddress: undefined,
-          userAgent: undefined,
-        }),
-      );
-    });
-
-    it('should throw if validation fails', async () => {
-      mockChallengeSessionRepository.findOne.mockResolvedValue(null);
-
-      try {
-        await service.validateAndConsumeSession('invalid-token', AuthChallenge.VERIFY_EMAIL);
-        fail('Should have thrown NAuthException');
-      } catch (error) {
-        expect(error).toBeInstanceOf(NAuthException);
-        expect(mockChallengeSessionRepository.save).not.toHaveBeenCalled();
-      }
-    });
-
-    it('should use session IP and user agent in audit event', async () => {
-      const validSession = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() + 60000),
-        ipAddress: '5.6.7.8',
-        userAgent: 'session-agent',
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(validSession as any);
-      const completedSession = { ...validSession, isCompleted: true };
-      mockChallengeSessionRepository.save.mockResolvedValue(completedSession as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      await service.validateAndConsumeSession('session-token-123', AuthChallenge.VERIFY_EMAIL);
-
-      expect(mockAuditService.recordEvent).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          ipAddress: '5.6.7.8',
-          userAgent: 'session-agent',
-        }),
-      );
-    });
-  });
-
-  // ============================================================================
-  // cleanupExpiredSessions() Method
-  // ============================================================================
-
-  describe('cleanupExpiredSessions', () => {
-    it('should delete expired and completed sessions', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 5 } as any);
-
-      await service.cleanupExpiredSessions(1);
-
-      expect(mockChallengeSessionRepository.delete).toHaveBeenCalledTimes(2); // Once for expired, once for completed
-      expect(mockChallengeSessionRepository.delete).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          userId: 1,
-        }),
-      );
-      expect(mockChallengeSessionRepository.delete).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          userId: 1,
-          isCompleted: true,
-        }),
-      );
-    });
-
-    it('should handle cleanup with no sessions to delete', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-
-      await service.cleanupExpiredSessions(1);
-
-      expect(mockChallengeSessionRepository.delete).toHaveBeenCalledTimes(2);
-    });
-
-    it('should use LessThan for expiration check', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-
-      await service.cleanupExpiredSessions(1);
-
-      // LessThan is a TypeORM operator - we can't easily test it, but we verify the call was made
-      expect(mockChallengeSessionRepository.delete).toHaveBeenCalled();
-    });
-  });
-
-  // ============================================================================
-  // cleanupAllExpiredSessions() Method
-  // ============================================================================
-
-  describe('cleanupAllExpiredSessions', () => {
-    it('should delete all expired sessions and return count', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 10 } as any);
-
-      const result = await service.cleanupAllExpiredSessions();
-
-      expect(result).toBe(10);
-      expect(mockChallengeSessionRepository.delete).toHaveBeenCalledWith((expect as any).objectContaining({}));
-      expect(mockLogger.log).toHaveBeenCalledWith(
-        (expect as any).stringContaining('Cleaned up 10 expired challenge sessions'),
-      );
-    });
-
-    it('should return 0 when no sessions deleted', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-
-      const result = await service.cleanupAllExpiredSessions();
-
-      expect(result).toBe(0);
-      expect(mockLogger.log).toHaveBeenCalledWith(
-        (expect as any).stringContaining('Cleaned up 0 expired challenge sessions'),
-      );
-    });
-
-    it('should handle delete result without affected property', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({} as any);
-
-      const result = await service.cleanupAllExpiredSessions();
-
-      expect(result).toBe(0);
-    });
-  });
-
-  // ============================================================================
-  // deleteUserChallengeSessions() Method
-  // ============================================================================
-
-  describe('deleteUserChallengeSessions', () => {
-    it('should delete active challenge sessions by type', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 2 } as any);
-
-      const result = await service.deleteUserChallengeSessions(1, AuthChallenge.MFA_SETUP_REQUIRED);
-
-      expect(result).toBe(2);
-      expect(mockChallengeSessionRepository.delete).toHaveBeenCalledWith({
-        userId: 1,
-        challengeName: AuthChallenge.MFA_SETUP_REQUIRED,
-        isCompleted: false,
-      });
-      expect(mockLogger.log).toHaveBeenCalledWith(
-        (expect as any).stringContaining('Deleted 2 MFA_SETUP_REQUIRED challenge session(s)'),
-      );
-    });
-
-    it('should return 0 when no sessions deleted', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-
-      const result = await service.deleteUserChallengeSessions(1, AuthChallenge.VERIFY_EMAIL);
-
-      expect(result).toBe(0);
-      expect(mockLogger.log).not.toHaveBeenCalled();
-    });
-
-    it('should delete sessions for all challenge types', async () => {
-      const challengeTypes = [
-        AuthChallenge.VERIFY_EMAIL,
-        AuthChallenge.VERIFY_PHONE,
-        AuthChallenge.MFA_REQUIRED,
-        AuthChallenge.MFA_SETUP_REQUIRED,
-        AuthChallenge.FORCE_CHANGE_PASSWORD,
-      ];
-
-      for (const challengeType of challengeTypes) {
-        mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 1 } as any);
-        const result = await service.deleteUserChallengeSessions(1, challengeType);
-        expect(result).toBe(1);
-        expect(mockChallengeSessionRepository.delete).toHaveBeenCalledWith(
-          (expect as any).objectContaining({
-            challengeName: challengeType,
-          }),
-        );
-      }
-    });
-  });
-
-  // ============================================================================
-  // Helper Methods
-  // ============================================================================
-
-  describe('maskEmail', () => {
-    it('should mask email address correctly', () => {
-      const masked = service.maskEmail('john.doe@example.com');
-      expect(masked).toBe('j***@example.com');
-    });
-
-    it('should handle single character local part', () => {
-      const masked = service.maskEmail('j@example.com');
-      expect(masked).toBe('j***@example.com');
-    });
-
-    it('should handle invalid email gracefully', () => {
-      const masked = service.maskEmail('invalid-email');
-      expect(masked).toBe('invalid-email');
-    });
-
-    it('should handle email without @ symbol', () => {
-      const masked = service.maskEmail('noatdomain');
-      expect(masked).toBe('noatdomain');
-    });
-
-    it('should handle empty email', () => {
-      const masked = service.maskEmail('');
-      expect(masked).toBe('');
-    });
-
-    it('should mask long email addresses', () => {
-      const masked = service.maskEmail('verylongemailaddress@example.com');
-      expect(masked).toBe('v***@example.com');
-    });
-
-    it('should handle email with empty local part', () => {
-      const masked = service.maskEmail('@example.com');
-      // When split('@'), first part is empty string, so localPart[0] is undefined
-      // Implementation concatenates undefined with '***@' resulting in 'undefined***@example.com'
-      expect(masked).toBe('undefined***@example.com');
-    });
-
-    it('should handle email with multiple @ symbols', () => {
-      // split('@') on 'invalid@email@example.com' creates ['invalid', 'email', 'example.com']
-      // Takes first element as localPart and second as domain
-      const masked = service.maskEmail('invalid@email@example.com');
-      expect(masked).toBe('i***@email');
-    });
-
-    it('should handle email with special characters in local part', () => {
-      const masked = service.maskEmail('user+tag@example.com');
-      expect(masked).toBe('u***@example.com');
-    });
-  });
-
-  describe('maskPhone', () => {
-    it('should mask phone number correctly', () => {
-      const masked = service.maskPhone('+1234567890');
-      expect(masked).toBe('***-***-7890');
-    });
-
-    it('should handle phone with formatting', () => {
-      const masked = service.maskPhone('+1 (234) 567-8901');
-      expect(masked).toBe('***-***-8901');
-    });
-
-    it('should handle short phone numbers', () => {
-      const masked = service.maskPhone('123');
-      expect(masked).toBe('123');
-    });
-
-    it('should handle phone with exactly 4 digits', () => {
-      const masked = service.maskPhone('1234');
-      expect(masked).toBe('***-***-1234');
-    });
-
-    it('should handle phone with less than 4 digits', () => {
-      const masked = service.maskPhone('12');
-      expect(masked).toBe('12');
-    });
-
-    it('should handle phone with only special characters', () => {
-      const masked = service.maskPhone('+--()');
-      expect(masked).toBe('+--()');
-    });
-
-    it('should handle international phone numbers', () => {
-      const masked = service.maskPhone('+441234567890');
-      expect(masked).toBe('***-***-7890');
-    });
-
-    it('should handle empty phone', () => {
-      const masked = service.maskPhone('');
-      expect(masked).toBe('');
-    });
-
-    it('should handle phone with only letters', () => {
-      const masked = service.maskPhone('abc');
-      expect(masked).toBe('abc');
-    });
-
-    it('should handle phone with mixed characters', () => {
-      // maskPhone extracts digits only: '+1-800-CALL-NOW' -> '1800' -> last 4 = '1800'
-      const masked = service.maskPhone('+1-800-CALL-NOW');
-      expect(masked).toBe('***-***-1800');
-    });
-
-    it('should handle phone with exactly 3 digits', () => {
-      const masked = service.maskPhone('123');
-      expect(masked).toBe('123');
-    });
-  });
-
-  // ============================================================================
-  // Edge Cases and Error Handling
-  // ============================================================================
-
-  describe('Edge Cases', () => {
-    it('should handle service without audit service', async () => {
-      const serviceWithoutAudit = new ChallengeService(
-        mockChallengeSessionRepository,
-        mockClientInfoService,
-        mockLogger,
-        undefined, // No audit service
-      );
-
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockResolvedValue(mockChallengeSession as any);
-
-      const result = await serviceWithoutAudit.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL);
-
-      expect(result).toBeDefined();
-      // Should not throw
-    });
-
-    it('should handle repository save errors', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create.mockReturnValue(mockChallengeSession as any);
-      mockChallengeSessionRepository.save.mockRejectedValue(new Error('Database error'));
-
-      try {
-        await service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL);
-        fail('Should have thrown error');
-      } catch (error) {
-        expect((error as Error).message).toContain('Database error');
-      }
-    });
-
-    it('should handle concurrent session creation', async () => {
-      mockChallengeSessionRepository.delete.mockResolvedValue({ affected: 0 } as any);
-      mockChallengeSessionRepository.create
-        .mockReturnValueOnce({ ...mockChallengeSession, challengeName: AuthChallenge.VERIFY_EMAIL } as any)
-        .mockReturnValueOnce({ ...mockChallengeSession, challengeName: AuthChallenge.VERIFY_PHONE } as any);
-      mockChallengeSessionRepository.save
-        .mockResolvedValueOnce({ ...mockChallengeSession, challengeName: AuthChallenge.VERIFY_EMAIL } as any)
-        .mockResolvedValueOnce({ ...mockChallengeSession, challengeName: AuthChallenge.VERIFY_PHONE } as any);
-      mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-      const promises = [
-        service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_EMAIL),
-        service.createChallengeSession(mockUser as IUser, AuthChallenge.VERIFY_PHONE),
-      ];
-
-      const results = await Promise.all(promises);
-
-      expect(results.length).toBe(2);
-      expect(results[0].challengeName).toBe(AuthChallenge.VERIFY_EMAIL);
-      expect(results[1].challengeName).toBe(AuthChallenge.VERIFY_PHONE);
-    });
-
-    it('should handle validateAndConsumeSession for all challenge types', async () => {
-      const challengeTypes = [
-        AuthChallenge.VERIFY_EMAIL,
-        AuthChallenge.VERIFY_PHONE,
-        AuthChallenge.MFA_REQUIRED,
-        AuthChallenge.MFA_SETUP_REQUIRED,
-        AuthChallenge.FORCE_CHANGE_PASSWORD,
-      ];
-
-      for (const challengeType of challengeTypes) {
-        const validSession = {
-          ...mockChallengeSession,
-          challengeName: challengeType,
-          expiresAt: new Date(Date.now() + 60000),
-        };
-        mockChallengeSessionRepository.findOne.mockResolvedValue(validSession as any);
-        const completedSession = { ...validSession, isCompleted: true };
-        mockChallengeSessionRepository.save.mockResolvedValue(completedSession as any);
-        mockAuditService.recordEvent.mockResolvedValue({} as any);
-
-        const result = await service.validateAndConsumeSession('session-token-123', challengeType);
-
-        expect(result.isCompleted).toBe(true);
-        expect(result.challengeName).toBe(challengeType);
-        jest.clearAllMocks();
-      }
-    });
-
-    it('should handle session validation with null user gracefully', async () => {
-      const sessionWithoutUser = {
-        ...mockChallengeSession,
-        expiresAt: new Date(Date.now() + 60000),
-        user: null,
-      };
-      mockChallengeSessionRepository.findOne.mockResolvedValue(sessionWithoutUser as any);
-
-      try {
-        await service.validateSession('session-token-123');
-        // Should not throw if user is null but session is valid
-      } catch (error) {
-        // Only expiresAt check might fail if user is needed for logging
-        // But validation should still work
-      }
-    });
-  });
-});