acinguiux-dnr-utils 0.0.1

package/CHANGELOG.md

@@ -0,0 +1,55 @@
+# acinguiux-dnr-utils
+
+## 1.1.1
+
+### Patch Changes
+
+- [#1688](https://github.com/sede-enterprise/dnr-ts-geneva-ui/pull/1688) [`427424e`](https://github.com/sede-enterprise/dnr-ts-geneva-ui/commit/427424ed9cf248f35a1861ed2d5203ff1b9253e2) Thanks [@Hasan-Haque_shell](https://github.com/Hasan-Haque_shell)! - nextjs version update
+
+## 1.1.0
+
+### Minor Changes
+
+- [#1297](https://github.com/sede-enterprise/dnr-ts-geneva-ui/pull/1297) [`4c2f21d`](https://github.com/sede-enterprise/dnr-ts-geneva-ui/commit/4c2f21d29ea86872f56544f93ecbacd844f200b5) Thanks [@Palash-Debnath_shell](https://github.com/Palash-Debnath_shell)! - Biome integration and eslint prettier deprecation
+
+## 1.0.6
+
+### Patch Changes
+
+- [#1529](https://github.com/sede-enterprise/dnr-ts-geneva-ui/pull/1529) [`66d3999`](https://github.com/sede-enterprise/dnr-ts-geneva-ui/commit/66d3999248f3adaa76b3d748bf29b6de60a954e5) Thanks [@Palash-Debnath_shell](https://github.com/Palash-Debnath_shell)! - Dependency upgrade
+
+## 1.0.5
+
+### Patch Changes
+
+- [#1394](https://github.com/sede-enterprise/dnr-ts-geneva-ui/pull/1394) [`baa69e3`](https://github.com/sede-enterprise/dnr-ts-geneva-ui/commit/baa69e3524f279871b5ebb299baa7dab3200b282) Thanks [@github-actions](https://github.com/apps/github-actions)! - Automated patch version bump for changed packages.
+
+## 1.0.4
+
+### Patch Changes
+
+- [#1204](https://github.com/sede-enterprise/dnr-ts-geneva-ui/pull/1204) [`105466e`](https://github.com/sede-enterprise/dnr-ts-geneva-ui/commit/105466ed9f62390f75460a6ab0f97caeb3842f1e) Thanks [@github-actions](https://github.com/apps/github-actions)! - Automated patch version bump for changed packages.
+
+## 1.0.3
+
+### Patch Changes
+
+- [#941](https://github.com/sede-enterprise/geneva-ui/pull/941) [`eeda330`](https://github.com/sede-enterprise/geneva-ui/commit/eeda330b4ef7823c517748fa3ee045d6f49f4da5) Thanks [@github-actions](https://github.com/apps/github-actions)! - Automated patch version bump for changed packages.
+
+## 1.0.2
+
+### Patch Changes
+
+- [#932](https://github.com/sede-enterprise/geneva-ui/pull/932) [`5524022`](https://github.com/sede-enterprise/geneva-ui/commit/55240229cb5e483683bf8569df56b9c48378c593) Thanks [@PalashDebnath](https://github.com/PalashDebnath)! - update package
+
+## 1.0.1
+
+### Patch Changes
+
+- [#801](https://github.com/sede-enterprise/geneva-ui/pull/801) [`1f81db1`](https://github.com/sede-enterprise/geneva-ui/commit/1f81db1ae464635954f5b548b18b6a4e31a87047) Thanks [@maslianok](https://github.com/maslianok)! - Update next.js to 14.2.25
+
+## 1.0.0
+
+### Major Changes
+
+- [#233](https://github.com/sede-enterprise/geneva-ui/pull/233) [`f694180`](https://github.com/sede-enterprise/geneva-ui/commit/f69418071be8840acaaf821cc351445cba755c14) Thanks [@billcreative](https://github.com/billcreative)! - geneva-ui/feat/update-next-auth

package/README.md

@@ -0,0 +1,43 @@
+## Geneva Utils
+
+### Overview
+
+The Geneva Utils package is designed to provide a collection of reusable functions that can be used across various Geneva Frontend applications. These functions aim to enhance the development process and improve code efficiency by offering commonly used functionalities in a modular and organized manner.
+
+### Integrate User Authorisation with monorepo App
+
+We get user authorisation from a different endpoint from authentication. PingID is used for authentication and for authorisation we use https://ted.shell.com/
+
+For a user getUserPermissions service can be used to fetch Authorisation from Ted
+
+The authorisation needs an environment variables to work with.
+
+AUTHORISATION_URL="https://ted-api-\*.shell.com"
+
+Without this variable it is assumed the application is not setup for user Authorisation and it will not fetch user permission from Ted endpoints.
+
+The getUserPermissions service is always cached and revalidate every 15 minutes. Even if the application requests for multiple fetch it will alway return from cahce until expires;
+
+From the application layout it can be integrated like
+
+```
+  const userRoles = await getUserPermissions('PLATO');
+
+  const hasAccess = !!(userRoles?.[0]?.items?.[0].item_name === 'ALL RESOURCES');
+
+  return (
+    <html lang="en">
+      <head>
+        <link rel="icon" href="favicon.ico" />
+        <link rel="stylesheet" href="https://shell-fonts.azureedge.net/index.css" />
+      </head>
+      <body>
+        <Application session={session} aiConnectionString={process.env.INSIGHTS_CONNECTION_STRING} sidebar={hasAccess}>
+          {hasAccess ? children : <UnauthorizedAppCard title="No permissions to view Plato" />}
+        </Application>
+      </body>
+    </html>
+  );
+};
+
+```

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "acinguiux-dnr-utils",
+  "version": "0.0.1",
+  "dependencies": {
+    "@auth/core": "^0.41.1",
+    "@grafana/faro-web-sdk": "^1.19.0",
+    "@microsoft/applicationinsights-clickanalytics-js": "^3.3.10",
+    "@microsoft/applicationinsights-react-js": "^17.3.6",
+    "@microsoft/applicationinsights-web": "^3.3.10",
+    "@opentelemetry/core": "^2.2.0",
+    "@opentelemetry/exporter-logs-otlp-http": "^0.204.0",
+    "@opentelemetry/exporter-metrics-otlp-http": "^0.202.0",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.202.0",
+    "@opentelemetry/instrumentation-http": "^0.203.0",
+    "@opentelemetry/instrumentation-undici": "^0.13.2",
+    "@opentelemetry/instrumentation-winston": "^0.50.2",
+    "@opentelemetry/resources": "^2.2.0",
+    "@opentelemetry/sdk-node": "^0.203.0",
+    "@opentelemetry/semantic-conventions": "^1.37.0",
+    "@opentelemetry/winston-transport": "^0.16.2",
+    "next": "14.2.35",
+    "winston": "^3.18.3"
+  },
+  "devDependencies": {
+    "acinguiux-dnr-typescript": "0.0.1",
+    "acinguiux-dnr-vitest": "0.0.1",
+    "@types/node": "^22.19.0",
+    "@types/react": "^18.0.0"
+  },
+  "exports": {
+    "./application-insights": "./src/application-insights/index.ts",
+    "./authentication": "./src/authentication/index.ts",
+    "./authentication/middleware": "./src/authentication/middleware.ts",
+    "./authentication/client-auth-guard": "./src/authentication/client-auth-guard.ts",
+    "./ms-graph": "./src/ms-graph/index.ts",
+    "./formatters": "./src/formatters/index.ts",
+    "./mappers": "./src/mappers/index.ts",
+    "./instrumentation/node": "./src/instrumentation/node.ts",
+    "./instrumentation/browser": "./src/instrumentation/browser.ts",
+    "./loggers": "./src/loggers/index.ts"
+  },
+  "peerDependencies": {
+    "next-auth": "5.0.0-beta.30",
+    "react": "^18.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "clean": "rm -rf node_modules && rm -rf .turbo",
+    "lint": "biome check --write",
+    "test": "vitest run --coverage",
+    "test:watch": "vitest",
+    "types": "tsc"
+  },
+  "type": "module"
+}

package/src/application-insights/index.ts

@@ -0,0 +1,37 @@
+import { ClickAnalyticsPlugin } from "@microsoft/applicationinsights-clickanalytics-js";
+import { ReactPlugin } from "@microsoft/applicationinsights-react-js";
+import { ApplicationInsights, type Snippet } from "@microsoft/applicationinsights-web";
+import type { Session } from "next-auth";
+
+export let applicationInsights: ApplicationInsights | undefined;
+
+export const initApplicationInsights = (connectionString?: string, user?: Session["user"]) => {
+  if (!connectionString) return;
+  if (applicationInsights) return;
+  if (typeof window === "undefined") return;
+
+  const reactPlugin = new ReactPlugin();
+  const clickAnalyticsPlugin = new ClickAnalyticsPlugin();
+  const config: Snippet["config"] = {
+    connectionString,
+    enableCorsCorrelation: true,
+    enableAjaxPerfTracking: true,
+    enableAutoRouteTracking: false,
+    enableRequestHeaderTracking: true,
+    enableResponseHeaderTracking: true,
+    isBrowserLinkTrackingEnabled: true,
+    extensions: [reactPlugin, clickAnalyticsPlugin] as Snippet["config"]["extensions"],
+    extensionConfig: {
+      [clickAnalyticsPlugin.identifier]: { autoCapture: true },
+    },
+  };
+
+  applicationInsights = new ApplicationInsights({ config });
+
+  applicationInsights.loadAppInsights();
+  applicationInsights.setAuthenticatedUserContext(
+    user?.email || "anonymous@shell.com",
+    undefined,
+    true,
+  );
+};

package/src/authentication/auth.ts

@@ -0,0 +1,59 @@
+import { NextResponse } from "next/server";
+import NextAuth, { type NextAuthResult } from "next-auth";
+import type { Session } from "next-auth";
+import { callbacks } from "./callbacks";
+import PingID from "./provider";
+
+const isAuthDisabled = ["true", "1", "yes"].includes(
+  (process.env.AUTH_DISABLED || "").toLowerCase(),
+);
+
+const mockSession: Session = {
+  user: {
+    name: "Local User",
+    email: "local.user@example.com",
+  },
+  access_token: "local-access-token",
+  expires_at: Math.floor(Date.now() / 1000) + 60 * 60,
+  expires: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+};
+
+const nextAuthResult: NextAuthResult | null = isAuthDisabled
+  ? null
+  : NextAuth({
+      providers: [
+        PingID({ clientId: process.env.CLIENT_ID, baseUrl: process.env.SSO_ISSUER_URL }),
+      ],
+      pages: {
+        signIn: "/auth/signin",
+        signOut: "/auth/signout",
+      },
+      session: {
+        maxAge: 60 * 14,
+      },
+      callbacks,
+      trustHost: true,
+    });
+
+export const auth = isAuthDisabled ? async () => mockSession : nextAuthResult!.auth;
+
+export const GET = isAuthDisabled
+  ? async (request: Request) => {
+      const pathname = new URL(request.url).pathname;
+
+      if (pathname.endsWith("/session")) {
+        return NextResponse.json(mockSession);
+      }
+
+      return new NextResponse(null, { status: 204 });
+    }
+  : nextAuthResult!.handlers.GET;
+
+export const POST = isAuthDisabled
+  ? async () => new NextResponse(null, { status: 204 })
+  : nextAuthResult!.handlers.POST;
+
+export const signOut = isAuthDisabled ? async () => undefined : nextAuthResult!.signOut;
+export const signIn = isAuthDisabled ? async () => undefined : nextAuthResult!.signIn;
+
+export { isAuthDisabled, mockSession };

package/src/authentication/callbacks.test.ts

@@ -0,0 +1,226 @@
+import type { NextRequest } from "next/server.js";
+import type { Account, Session } from "next-auth";
+import type { JWT } from "next-auth/jwt";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { callbacks } from "./callbacks";
+
+describe("callbacks", () => {
+  const mockJWT: JWT = {
+    access_token: "old_access_token",
+    refresh_token: "refresh_token",
+    expires_at: Math.floor(Date.now() / 1000) + 3600,
+  };
+
+  const mockAccount: Account = {
+    provider: "pingid",
+    type: "oidc",
+    providerAccountId: "user123",
+    access_token: "new_access_token",
+    refresh_token: "new_refresh_token",
+    expires_at: Math.floor(Date.now() / 1000) + 7200,
+  };
+
+  const mockSession: Session = {
+    user: { name: "John Doe", email: "john@example.com" },
+    expires: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.stubGlobal("fetch", vi.fn());
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe("jwt callback", () => {
+    it("should map account fields to token on initial sign-in", async () => {
+      const result = await callbacks.jwt({ token: mockJWT, account: mockAccount });
+
+      expect(result.access_token).toBe("new_access_token");
+      expect(result.refresh_token).toBe("new_refresh_token");
+      expect(result.expires_at).toBe(mockAccount.expires_at);
+    });
+
+    it("should return token unchanged when no account and token not expired", async () => {
+      const futureExpiry = Math.floor(Date.now() / 1000) + 3600;
+      const token = { ...mockJWT, expires_at: futureExpiry };
+
+      const result = await callbacks.jwt({ token });
+
+      expect(result).toEqual(token);
+    });
+
+    it("should attempt token refresh when token is expired and no account", async () => {
+      const pastExpiry = Math.floor(Date.now() / 1000) - 1000;
+      const token = { ...mockJWT, expires_at: pastExpiry };
+
+      const mockFetch = vi.fn().mockResolvedValue({
+        ok: true,
+        json: async () => ({
+          access_token: "refreshed_access_token",
+          refresh_token: "refreshed_refresh_token",
+          expires_in: 3600,
+        }),
+      });
+
+      vi.stubGlobal("fetch", mockFetch);
+      vi.stubEnv("SSO_TOKEN_ENDPOINT_URL", "https://sso.example.com/token");
+      vi.stubEnv("CLIENT_ID", "client123");
+
+      const result = await callbacks.jwt({ token });
+
+      expect(result.access_token).toBe("refreshed_access_token");
+      expect(result.refresh_token).toBe("refreshed_refresh_token");
+      expect(mockFetch).toHaveBeenCalledWith(
+        "https://sso.example.com/token",
+        expect.objectContaining({
+          method: "POST",
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        }),
+      );
+    });
+
+    it("should return error object when token refresh fails", async () => {
+      const pastExpiry = Math.floor(Date.now() / 1000) - 1000;
+      const token = { ...mockJWT, expires_at: pastExpiry };
+
+      const mockFetch = vi.fn().mockResolvedValue({
+        ok: false,
+        statusText: "Unauthorized",
+      });
+
+      vi.stubGlobal("fetch", mockFetch);
+      vi.stubEnv("SSO_TOKEN_ENDPOINT_URL", "https://sso.example.com/token");
+      vi.stubEnv("CLIENT_ID", "client123");
+
+      const result = await callbacks.jwt({ token });
+
+      expect(result).toEqual({ error: "RefreshAccessTokenError" });
+    });
+
+    it("should handle fetch exception during token refresh", async () => {
+      const pastExpiry = Math.floor(Date.now() / 1000) - 1000;
+      const token = { ...mockJWT, expires_at: pastExpiry };
+
+      const mockFetch = vi.fn().mockRejectedValue(new Error("Network error"));
+
+      vi.stubGlobal("fetch", mockFetch);
+      vi.stubEnv("SSO_TOKEN_ENDPOINT_URL", "https://sso.example.com/token");
+      vi.stubEnv("CLIENT_ID", "client123");
+
+      const result = await callbacks.jwt({ token });
+
+      expect(result).toEqual({ error: "RefreshAccessTokenError" });
+    });
+
+    it("should use zero for expires_in when not provided in response", async () => {
+      const pastExpiry = Math.floor(Date.now() / 1000) - 1000;
+      const token = { ...mockJWT, expires_at: pastExpiry };
+
+      const mockFetch = vi.fn().mockResolvedValue({
+        ok: true,
+        json: async () => ({
+          access_token: "refreshed_access_token",
+          refresh_token: "refreshed_refresh_token",
+        }),
+      });
+
+      vi.stubGlobal("fetch", mockFetch);
+      vi.stubEnv("SSO_TOKEN_ENDPOINT_URL", "https://sso.example.com/token");
+      vi.stubEnv("CLIENT_ID", "client123");
+
+      const timeBefore = Math.floor(Date.now() / 1000);
+      const result = await callbacks.jwt({ token });
+      const timeAfter = Math.floor(Date.now() / 1000);
+
+      expect(result.access_token).toBe("refreshed_access_token");
+      expect(result.expires_at).toBeGreaterThanOrEqual(timeBefore);
+      expect(result.expires_at).toBeLessThanOrEqual(timeAfter + 1);
+    });
+
+    it("should use URLSearchParams to build request body correctly", async () => {
+      const pastExpiry = Math.floor(Date.now() / 1000) - 1000;
+      const token = { ...mockJWT, expires_at: pastExpiry, refresh_token: "my-refresh-token" };
+
+      const mockFetch = vi.fn().mockResolvedValue({
+        ok: true,
+        json: async () => ({
+          access_token: "new_token",
+          refresh_token: "new_refresh_token",
+          expires_in: 3600,
+        }),
+      });
+
+      vi.stubGlobal("fetch", mockFetch);
+      vi.stubEnv("SSO_TOKEN_ENDPOINT_URL", "https://sso.example.com/token");
+      vi.stubEnv("CLIENT_ID", "client123");
+
+      await callbacks.jwt({ token });
+
+      const callArgs = mockFetch.mock.calls[0];
+      const body = callArgs[1].body as URLSearchParams;
+
+      expect(body.get("grant_type")).toBe("refresh_token");
+      expect(body.get("client_id")).toBe("client123");
+      expect(body.get("refresh_token")).toBe("my-refresh-token");
+    });
+  });
+
+  describe("session callback", () => {
+    it("should map token fields to session", async () => {
+      const token = {
+        access_token: "session_access_token",
+        expires_at: 1234567890,
+      };
+
+      const result = await callbacks.session({ session: mockSession, token });
+
+      expect(result.expires_at).toBe(1234567890);
+      expect(result.access_token).toBe("session_access_token");
+      expect(result.user).toBe(mockSession.user);
+    });
+
+    it("should preserve existing session user data", async () => {
+      const session: Session = {
+        ...mockSession,
+        user: { name: "Jane", email: "jane@example.com", image: "avatar.jpg" },
+      };
+      const token = { access_token: "token123", expires_at: 9999999999 };
+
+      const result = await callbacks.session({ session, token });
+
+      expect(result.user).toEqual(session.user);
+      expect(result.access_token).toBe("token123");
+    });
+  });
+
+  describe("authorized callback", () => {
+    it("should return true when session has access_token", async () => {
+      const request = {} as NextRequest;
+      const auth = { user: { email: "user@example.com" }, access_token: "token123" } as any;
+
+      const result = await callbacks.authorized({ request, auth });
+
+      expect(result).toBe(true);
+    });
+
+    it("should return false when session is null", async () => {
+      const request = {} as NextRequest;
+
+      const result = await callbacks.authorized({ request, auth: null });
+
+      expect(result).toBe(false);
+    });
+
+    it("should return false when session has no access_token", async () => {
+      const request = {} as NextRequest;
+      const auth = { user: { email: "user@example.com" } } as any;
+
+      const result = await callbacks.authorized({ request, auth });
+
+      expect(result).toBe(false);
+    });
+  });
+});

package/src/authentication/callbacks.ts

@@ -0,0 +1,68 @@
+import type { NextRequest } from "next/server.js";
+import type { Account, Session } from "next-auth";
+import type { JWT } from "next-auth/jwt";
+
+async function jwt({ token, account }: { token: JWT; account?: Account | null }) {
+  // The first time jwt is called, account exists. We map fields from account to token
+  // which is passed to the session callback. User is also available in this callback which
+  // comes from the profile function in the provider. We can use this in the future to surface
+  // more user details in session
+
+  if (account) {
+    token.expires_at = account.expires_at;
+    token.access_token = account.access_token;
+    token.refresh_token = account.refresh_token;
+  } else if (token.expires_at && Date.now() < token.expires_at * 1000) {
+    return token;
+  } else {
+    try {
+      const response = await fetch(`${process.env.SSO_TOKEN_ENDPOINT_URL}`, {
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          client_id: process.env.CLIENT_ID || "",
+          grant_type: "refresh_token",
+          refresh_token: token.refresh_token || "",
+        }),
+        method: "POST",
+      });
+
+      const tokens = await response.json();
+
+      if (!response.ok) throw tokens;
+
+      const newToken = {
+        ...token,
+        access_token: tokens.access_token,
+        expires_at: Math.floor(Date.now() / 1000 + (tokens.expires_in ? tokens.expires_in : 0)),
+        refresh_token: tokens.refresh_token ?? token.refresh_token,
+      };
+
+      return newToken;
+    } catch (_error) {
+      return { error: "RefreshAccessTokenError" as const };
+    }
+  }
+
+  return token;
+}
+
+async function session({ session, token }: { session: Session; token: JWT }) {
+  // We map fields from token to make them available in the session.
+  session.expires_at = token.expires_at;
+  session.access_token = token.access_token;
+
+  return session;
+}
+
+async function authorized({ auth }: { request: NextRequest; auth: Session | null }) {
+  // If there is no access token, the user is not authorized. Returning false from this
+  // callback will redirect the user to the sign in page.
+
+  return !!auth?.access_token;
+}
+
+export const callbacks = {
+  jwt,
+  session,
+  authorized,
+};

package/src/authentication/client-auth-guard.test.ts

@@ -0,0 +1,116 @@
+import { usePathname, useRouter, useSearchParams } from "next/navigation";
+import { useSession } from "next-auth/react";
+import { useEffect } from "react";
+import { beforeEach, describe, expect, it, type Mock, vi } from "vitest";
+import { ClientAuthGuard } from "./client-auth-guard";
+
+// Mock Next.js navigation hooks
+vi.mock("next/navigation", () => ({
+  usePathname: vi.fn(),
+  useRouter: vi.fn(),
+  useSearchParams: vi.fn(),
+}));
+
+// Mock next-auth
+vi.mock("next-auth/react", () => ({
+  useSession: vi.fn(),
+}));
+
+// Mock React hooks
+vi.mock("react", async () => {
+  const actual = await vi.importActual("react");
+  return {
+    ...actual,
+    useEffect: vi.fn((fn) => fn()),
+  };
+});
+
+describe("AuthGuard", () => {
+  const mockPush = vi.fn();
+  const mockSearchParams = {
+    toString: vi.fn(),
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    (useRouter as Mock).mockReturnValue({ push: mockPush });
+    (useSearchParams as Mock).mockReturnValue(mockSearchParams);
+  });
+
+  it("should render children when authenticated", () => {
+    (useSession as Mock).mockReturnValue({ status: "authenticated" });
+    (usePathname as Mock).mockReturnValue("/dashboard");
+    mockSearchParams.toString.mockReturnValue("");
+
+    const children = "Protected Content";
+    const result = ClientAuthGuard({ children });
+
+    expect(result).toBe(children);
+    expect(mockPush).not.toHaveBeenCalled();
+  });
+
+  it("should return null when loading", () => {
+    (useSession as Mock).mockReturnValue({ status: "loading" });
+    (usePathname as Mock).mockReturnValue("/dashboard");
+    mockSearchParams.toString.mockReturnValue("");
+
+    const result = ClientAuthGuard({ children: "Protected Content" });
+
+    expect(result).toBeNull();
+    expect(mockPush).not.toHaveBeenCalled();
+  });
+
+  it("should redirect to signin when unauthenticated", () => {
+    (useSession as Mock).mockReturnValue({ status: "unauthenticated" });
+    (usePathname as Mock).mockReturnValue("/dashboard");
+    mockSearchParams.toString.mockReturnValue("");
+
+    ClientAuthGuard({ children: "Protected Content" });
+
+    expect(mockPush).toHaveBeenCalledWith("/auth/signin?callbackUrl=%2Fdashboard");
+  });
+
+  it("should redirect to root when already on signin page", () => {
+    (useSession as Mock).mockReturnValue({ status: "unauthenticated" });
+    (usePathname as Mock).mockReturnValue("/auth/signin");
+    mockSearchParams.toString.mockReturnValue("");
+
+    ClientAuthGuard({ children: "Protected Content" });
+
+    expect(mockPush).toHaveBeenCalledWith("/auth/signin?callbackUrl=%2F");
+  });
+
+  it("should include search params in callback URL", () => {
+    (useSession as Mock).mockReturnValue({ status: "unauthenticated" });
+    (usePathname as Mock).mockReturnValue("/dashboard");
+    mockSearchParams.toString.mockReturnValue("tab=settings&view=list");
+
+    ClientAuthGuard({ children: "Protected Content" });
+
+    expect(mockPush).toHaveBeenCalledWith(
+      "/auth/signin?callbackUrl=%2Fdashboard%3Ftab%3Dsettings%26view%3Dlist",
+    );
+  });
+
+  it("should properly encode special characters in callback URL", () => {
+    (useSession as Mock).mockReturnValue({ status: "unauthenticated" });
+    (usePathname as Mock).mockReturnValue("/dashboard/item");
+    mockSearchParams.toString.mockReturnValue("name=John Doe&email=test@example.com");
+
+    ClientAuthGuard({ children: "Protected Content" });
+
+    expect(mockPush).toHaveBeenCalledWith(
+      "/auth/signin?callbackUrl=%2Fdashboard%2Fitem%3Fname%3DJohn%20Doe%26email%3Dtest%40example.com",
+    );
+  });
+
+  it("should call useEffect with correct dependencies", () => {
+    (useSession as Mock).mockReturnValue({ status: "authenticated" });
+    (usePathname as Mock).mockReturnValue("/dashboard");
+    mockSearchParams.toString.mockReturnValue("");
+
+    ClientAuthGuard({ children: "Protected Content" });
+
+    expect(useEffect).toHaveBeenCalled();
+  });
+});