create-tigra 2.7.2 → 3.0.0

package/template/server/src/libs/auth.ts

@@ -3,8 +3,15 @@ import { v4 as uuidv4 } from 'uuid';
 import { env } from '@config/env.js';
 import { prisma } from '@libs/prisma.js';
 import { UnauthorizedError, ForbiddenError, BadRequestError } from '@shared/errors/errors.js';
+import { clearAuthCookies } from '@libs/cookies.js';
+import { parseDurationMs } from '@libs/duration.js';
 import type { JwtPayload, UserRole } from '@shared/types/index.js';
 
+// Re-export so existing consumers of `parseDurationMs` from '@libs/auth.js'
+// keep working. The implementation lives in the import-free leaf module
+// duration.ts to avoid the cookies.ts ↔ auth.ts circular import (TDZ crash).
+export { parseDurationMs } from '@libs/duration.js';
+
 let app: FastifyInstance | null = null;
 
 export function initAuth(fastify: FastifyInstance): void {
@@ -29,22 +36,6 @@ export function generateRefreshToken(): string {
   return uuidv4();
 }
 
-export function parseDurationMs(duration: string, fallbackMs: number): number {
-  const match = duration.match(/^(\d+)([smhd])$/);
-  if (!match) return fallbackMs;
-
-  const value = parseInt(match[1], 10);
-  const unit = match[2];
-  const multipliers: Record<string, number> = {
-    s: 1000,
-    m: 60 * 1000,
-    h: 60 * 60 * 1000,
-    d: 24 * 60 * 60 * 1000,
-  };
-
-  return value * multipliers[unit];
-}
-
 export function getRefreshTokenExpiresAt(): Date {
   const ms = parseDurationMs(env.JWT_REFRESH_EXPIRY, 7 * 24 * 60 * 60 * 1000);
   return new Date(Date.now() + ms);
@@ -52,7 +43,7 @@ export function getRefreshTokenExpiresAt(): Date {
 
 export async function authenticate(
   request: FastifyRequest,
-  _reply: FastifyReply,
+  reply: FastifyReply,
 ): Promise<void> {
   try {
     await request.jwtVerify();
@@ -60,16 +51,22 @@ export async function authenticate(
     throw new UnauthorizedError('Invalid or expired token');
   }
 
-  // Verify user still exists, is active, and not soft-deleted
+  // Verify user still exists, is active, and not soft-deleted.
+  // When the session is definitively dead (user gone/deleted/inactive), clear auth
+  // cookies on the response so the browser stops replaying stale credentials.
+  // Without this, middleware keeps seeing the (still-unexpired) JWT cookie and
+  // bounces /login → /dashboard → 401 → /login in an infinite loop.
   const user = await prisma.user.findUnique({
     where: { id: request.user.userId },
     select: { isActive: true, deletedAt: true },
   });
 
   if (!user || user.deletedAt) {
+    clearAuthCookies(reply);
     throw new UnauthorizedError('Account is deactivated or deleted');
   }
   if (!user.isActive) {
+    clearAuthCookies(reply);
     throw new ForbiddenError('Account is not activated. Please verify your account.', 'ACCOUNT_NOT_ACTIVE');
   }
 }

package/template/server/src/libs/cookies.ts

@@ -1,6 +1,6 @@
 import type { FastifyReply } from 'fastify';
 import { env } from '@config/env.js';
-import { parseDurationMs } from '@libs/auth.js';
+import { parseDurationMs } from '@libs/duration.js';
 
 const isProduction = env.NODE_ENV === 'production';
 

package/template/server/src/libs/duration.ts

@@ -0,0 +1,30 @@
+/**
+ * Duration parsing — LEAF MODULE.
+ *
+ * This file must have ZERO imports. It exists to break the circular import
+ * between cookies.ts and auth.ts: cookies.ts calls parseDurationMs at module
+ * top-level, so if it imported the function from auth.ts (which imports
+ * clearAuthCookies from cookies.ts), the cycle left auth.ts partially
+ * initialized and crashed module evaluation with
+ * "parseDurationMs is not a function" (TDZ). Keep this module dependency-free.
+ */
+
+/**
+ * Parse a duration string like "15m", "7d", "30s", "12h" into milliseconds.
+ * Returns `fallbackMs` when the string doesn't match the expected format.
+ */
+export function parseDurationMs(duration: string, fallbackMs: number): number {
+  const match = duration.match(/^(\d+)([smhd])$/);
+  if (!match) return fallbackMs;
+
+  const value = parseInt(match[1], 10);
+  const unit = match[2];
+  const multipliers: Record<string, number> = {
+    s: 1000,
+    m: 60 * 1000,
+    h: 60 * 60 * 1000,
+    d: 24 * 60 * 60 * 1000,
+  };
+
+  return value * multipliers[unit];
+}

package/template/server/src/libs/ip-block.ts

@@ -13,6 +13,7 @@
  * - Lazy cleanup: expired auto-blocks are removed on check, no separate cleanup job needed
  */
 
+import { env } from '@config/env.js';
 import { prisma } from '@libs/prisma.js';
 import { getRedis } from '@libs/redis.js';
 import { logger } from '@libs/logger.js';
@@ -23,10 +24,15 @@ const BLOCKED_IPS_KEY = 'blocked_ips';
 const AUTO_BLOCKED_KEY = 'auto_blocked_ips';
 const VIOLATION_PREFIX = 'rl_violations:';
 
-// Auto-block thresholds
-const AUTO_BLOCK_THRESHOLD = 10;         // violations before auto-block
-const AUTO_BLOCK_WINDOW_SECONDS = 300;   // 5-minute sliding window
-const AUTO_BLOCK_DURATION_SECONDS = 3600; // block for 1 hour
+// Auto-block thresholds — env-configurable (see .env.example).
+// The threshold default is deliberately high (20): auto-block must catch
+// SUSTAINED abuse, not a single burst. Rate-limit counting happens before
+// validation, so a retry-looping but legitimate client (or a NAT'd office
+// sharing one egress IP) can rack up violations quickly — see the self-ban
+// interaction note in src/config/rate-limit.config.ts before lowering it.
+const AUTO_BLOCK_THRESHOLD = env.IP_AUTO_BLOCK_THRESHOLD;                 // violations before auto-block (default 20)
+const AUTO_BLOCK_WINDOW_SECONDS = env.IP_AUTO_BLOCK_WINDOW_SECONDS;       // sliding window (default 300 = 5 min)
+const AUTO_BLOCK_DURATION_SECONDS = env.IP_AUTO_BLOCK_DURATION_SECONDS;   // block duration (default 3600 = 1 hour)
 
 /**
  * Sync all permanent blocked IPs from DB to Redis.

package/template/server/src/libs/origin-check.ts

@@ -0,0 +1,38 @@
+/**
+ * CSRF defense-in-depth — Origin verification for state-changing requests.
+ *
+ * With cross-origin cookie deployments (sameSite=none), browsers attach auth
+ * cookies to cross-site requests. CORS only protects *reading* responses — it
+ * does not stop the side effects of a forged POST/PUT/PATCH/DELETE. This check
+ * rejects browser-originated state-changing requests whose Origin header is
+ * neither the API itself (same-origin) nor a configured CORS origin.
+ *
+ * Deliberately conservative:
+ * - No Origin header → ALLOWED. Non-browser clients (curl, Postman,
+ *   server-to-server) omit it, and they carry no ambient cookies, so they are
+ *   not CSRF vectors. Browsers always send Origin on cross-site state-changing
+ *   requests, which is the only case this defends against.
+ * - allowAllOrigins (development CORS) → ALLOWED.
+ */
+export function isOriginAllowed(
+  origin: string | undefined,
+  requestHost: string | undefined,
+  allowedOrigins: ReadonlySet<string>,
+  allowAllOrigins: boolean,
+): boolean {
+  if (!origin) return true; // non-browser client — not a CSRF vector
+  if (allowAllOrigins) return true; // development: CORS allows all origins
+  if (allowedOrigins.has(origin)) return true; // configured cross-origin client
+
+  // Same-origin request: the Origin's host matches the request's Host header.
+  // Compared scheme-insensitively — TLS usually terminates at the reverse
+  // proxy, so the API may see the request as http while Origin says https.
+  // The Host header is lowercased before comparing: `new URL()` normalizes the
+  // Origin's host to lowercase, but the raw Host header arrives as-sent and
+  // host names are case-insensitive (RFC 9110).
+  try {
+    return requestHost !== undefined && new URL(origin).host === requestHost.toLowerCase();
+  } catch {
+    return false; // malformed Origin header — reject
+  }
+}

package/template/server/src/libs/redis.ts

@@ -10,7 +10,7 @@ export function getRedis(): Redis {
       maxRetriesPerRequest: env.REDIS_MAX_RETRIES,
       connectTimeout: env.REDIS_CONNECT_TIMEOUT,
       lazyConnect: true,
-      retryStrategy: (times: number) => {
+      retryStrategy: (times: number): number | null => {
         // Exponential backoff with max delay of 3 seconds
         if (times > env.REDIS_MAX_RETRIES) {
           // Stop retrying after max retries

package/template/server/src/modules/auth/__tests__/auth.service.test.ts

@@ -3,8 +3,8 @@ import * as authService from '../auth.service.js';
 import * as authRepo from '../auth.repo.js';
 import * as authLib from '@libs/auth.js';
 import { hashPassword, verifyPassword } from '@libs/password.js';
-import { ConflictError, UnauthorizedError, NotFoundError } from '@shared/errors/errors.js';
-import { testUsers, testRefreshToken, resetMocks } from '@/test/setup.js';
+import { ConflictError, UnauthorizedError, ForbiddenError, NotFoundError } from '@shared/errors/errors.js';
+import { testUsers, testRefreshToken, testSession, resetMocks } from '@/test/setup.js';
 import { sessionRepository } from '../session.repo.js';
 
 // Mock dependencies
@@ -13,10 +13,31 @@ vi.mock('@libs/auth.js');
 vi.mock('@libs/password.js');
 vi.mock('../session.repo.js');
 
+// In-memory Redis stub — account lockout (email+IP) uses Redis. Tests must
+// never require a live Redis instance.
+const mockRedis = vi.hoisted(() => ({
+  exists: vi.fn(),
+  incr: vi.fn(),
+  expire: vi.fn(),
+  set: vi.fn(),
+  get: vi.fn(),
+  del: vi.fn(),
+}));
+
+vi.mock('@libs/redis.js', () => ({
+  getRedis: (): typeof mockRedis => mockRedis,
+}));
+
 describe('Auth Service', () => {
   beforeEach(() => {
     resetMocks();
     vi.clearAllMocks();
+    // Default Redis behavior: nothing locked, first failure
+    mockRedis.exists.mockResolvedValue(0);
+    mockRedis.incr.mockResolvedValue(1);
+    mockRedis.expire.mockResolvedValue(1);
+    mockRedis.set.mockResolvedValue('OK');
+    mockRedis.del.mockResolvedValue(1);
   });
 
   describe('register', () => {
@@ -28,7 +49,8 @@ describe('Auth Service', () => {
     };
 
     it('should successfully register a new user', async () => {
-      // Arrange
+      // Arrange — REQUIRE_USER_VERIFICATION=false in tests, so the user is
+      // active immediately and tokens are issued.
       const hashedPassword = '$2a$12$hashedpassword';
       const createdUser = {
         ...testUsers.validUser,
@@ -40,11 +62,13 @@ describe('Auth Service', () => {
       const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
 
       vi.mocked(authRepo.findUserByEmail).mockResolvedValue(null);
+      vi.mocked(authRepo.findDeletedUserByEmail).mockResolvedValue(null);
       vi.mocked(hashPassword).mockResolvedValue(hashedPassword);
       vi.mocked(authRepo.createUser).mockResolvedValue(createdUser);
       vi.mocked(authLib.signAccessToken).mockReturnValue(accessToken);
       vi.mocked(authLib.generateRefreshToken).mockReturnValue(refreshToken);
       vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(expiresAt);
+      vi.mocked(sessionRepository.createSession).mockResolvedValue(testSession);
       vi.mocked(authRepo.createRefreshToken).mockResolvedValue(testRefreshToken);
 
       // Act
@@ -58,15 +82,23 @@ describe('Auth Service', () => {
         password: hashedPassword,
         firstName: validRegisterInput.firstName,
         lastName: validRegisterInput.lastName,
+        isActive: true,
       });
       expect(authLib.signAccessToken).toHaveBeenCalledWith({
         userId: createdUser.id,
         role: createdUser.role,
       });
       expect(authLib.generateRefreshToken).toHaveBeenCalled();
+      expect(sessionRepository.createSession).toHaveBeenCalledWith({
+        userId: createdUser.id,
+        deviceInfo: undefined,
+        ipAddress: undefined,
+        expiresAt,
+      });
       expect(authRepo.createRefreshToken).toHaveBeenCalledWith({
         token: refreshToken,
         userId: createdUser.id,
+        sessionId: testSession.id,
         expiresAt,
       });
       expect(result).toEqual({
@@ -79,6 +111,7 @@ describe('Auth Service', () => {
         }),
         accessToken,
         refreshToken,
+        requiresVerification: false,
       });
       expect(result.user).not.toHaveProperty('password');
     });
@@ -93,6 +126,19 @@ describe('Auth Service', () => {
       expect(hashPassword).not.toHaveBeenCalled();
       expect(authRepo.createUser).not.toHaveBeenCalled();
     });
+
+    it('should throw ConflictError if a soft-deleted account exists with this email', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(null);
+      vi.mocked(authRepo.findDeletedUserByEmail).mockResolvedValue({
+        ...testUsers.validUser,
+        deletedAt: new Date(),
+      });
+
+      // Act & Assert
+      await expect(authService.register(validRegisterInput)).rejects.toThrow(ConflictError);
+      expect(authRepo.createUser).not.toHaveBeenCalled();
+    });
   });
 
   describe('login', () => {
@@ -112,6 +158,7 @@ describe('Auth Service', () => {
       vi.mocked(authLib.signAccessToken).mockReturnValue(accessToken);
       vi.mocked(authLib.generateRefreshToken).mockReturnValue(refreshToken);
       vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(expiresAt);
+      vi.mocked(sessionRepository.createSession).mockResolvedValue(testSession);
       vi.mocked(authRepo.createRefreshToken).mockResolvedValue(testRefreshToken);
 
       // Act
@@ -120,6 +167,18 @@ describe('Auth Service', () => {
       // Assert
       expect(authRepo.findUserByEmail).toHaveBeenCalledWith(validLoginInput.email);
       expect(verifyPassword).toHaveBeenCalledWith(validLoginInput.password, testUsers.validUser.password);
+      expect(sessionRepository.createSession).toHaveBeenCalledWith({
+        userId: testUsers.validUser.id,
+        deviceInfo: undefined,
+        ipAddress: undefined,
+        expiresAt,
+      });
+      expect(authRepo.createRefreshToken).toHaveBeenCalledWith({
+        token: refreshToken,
+        userId: testUsers.validUser.id,
+        sessionId: testSession.id,
+        expiresAt,
+      });
       expect(result).toEqual({
         user: expect.objectContaining({
           id: testUsers.validUser.id,
@@ -134,6 +193,7 @@ describe('Auth Service', () => {
     it('should throw UnauthorizedError if user not found', async () => {
       // Arrange
       vi.mocked(authRepo.findUserByEmail).mockResolvedValue(null);
+      vi.mocked(authRepo.findDeletedUserByEmail).mockResolvedValue(null);
 
       // Act & Assert
       await expect(authService.login(validLoginInput)).rejects.toThrow(UnauthorizedError);
@@ -141,13 +201,15 @@ describe('Auth Service', () => {
       expect(verifyPassword).not.toHaveBeenCalled();
     });
 
-    it('should throw UnauthorizedError if account is disabled', async () => {
+    it('should throw ForbiddenError if account is not activated', async () => {
       // Arrange
       vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.inactiveUser);
 
       // Act & Assert
-      await expect(authService.login(validLoginInput)).rejects.toThrow(UnauthorizedError);
-      await expect(authService.login(validLoginInput)).rejects.toThrow('Invalid email or password');
+      await expect(authService.login(validLoginInput)).rejects.toThrow(ForbiddenError);
+      await expect(authService.login(validLoginInput)).rejects.toThrow(
+        'Account is not activated. Please verify your account.',
+      );
       expect(verifyPassword).not.toHaveBeenCalled();
     });
 
@@ -162,6 +224,147 @@ describe('Auth Service', () => {
     });
   });
 
+  describe('login — account lockout (email+IP scoped)', () => {
+    const loginInput = { email: 'test@example.com', password: 'WrongPassword!' };
+    const attackerIp = '203.0.113.7';
+
+    it('should reject login when the email+IP pair is locked, without verifying the password', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.validUser);
+      mockRedis.exists.mockResolvedValue(1); // lock key present for this pair
+
+      // Act & Assert
+      await expect(
+        authService.login(loginInput, 'test-agent', attackerIp),
+      ).rejects.toThrow('Invalid email or password');
+      expect(mockRedis.exists).toHaveBeenCalledWith(`login-lock:test@example.com:${attackerIp}`);
+      expect(verifyPassword).not.toHaveBeenCalled();
+    });
+
+    it('should NOT lock out the same email from a different IP (no remote lockout DoS)', async () => {
+      // Arrange — lock exists only for the attacker's IP; victim logs in from
+      // their own IP and Redis reports no lock for that pair.
+      const victimIp = '198.51.100.42';
+      const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
+
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.validUser);
+      mockRedis.exists.mockResolvedValue(0);
+      vi.mocked(verifyPassword).mockResolvedValue(true);
+      vi.mocked(authLib.signAccessToken).mockReturnValue('access');
+      vi.mocked(authLib.generateRefreshToken).mockReturnValue('refresh');
+      vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(expiresAt);
+      vi.mocked(sessionRepository.createSession).mockResolvedValue(testSession);
+      vi.mocked(authRepo.createRefreshToken).mockResolvedValue(testRefreshToken);
+
+      // Act
+      const result = await authService.login(
+        { ...loginInput, password: 'Password123!' },
+        'test-agent',
+        victimIp,
+      );
+
+      // Assert — lock was checked for the VICTIM's pair only, and login succeeded
+      expect(mockRedis.exists).toHaveBeenCalledWith(`login-lock:test@example.com:${victimIp}`);
+      expect(result.accessToken).toBe('access');
+    });
+
+    it('should record a failed attempt against the email+IP pair on bad password', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.validUser);
+      vi.mocked(verifyPassword).mockResolvedValue(false);
+      mockRedis.incr.mockResolvedValue(3); // below the first lockout threshold
+
+      // Act & Assert
+      await expect(authService.login(loginInput, 'test-agent', attackerIp)).rejects.toThrow(
+        UnauthorizedError,
+      );
+      expect(mockRedis.incr).toHaveBeenCalledWith(`login-fail:test@example.com:${attackerIp}`);
+      expect(mockRedis.set).not.toHaveBeenCalled(); // no lock yet
+    });
+
+    it('should set a lock for the email+IP pair after 5 failures (15 min)', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.validUser);
+      vi.mocked(verifyPassword).mockResolvedValue(false);
+      mockRedis.incr.mockResolvedValue(5); // hits the first threshold
+
+      // Act & Assert
+      await expect(authService.login(loginInput, 'test-agent', attackerIp)).rejects.toThrow(
+        UnauthorizedError,
+      );
+      expect(mockRedis.set).toHaveBeenCalledWith(
+        `login-lock:test@example.com:${attackerIp}`,
+        '1',
+        'EX',
+        15 * 60,
+      );
+    });
+
+    it('should fail open and allow login when Redis is unavailable', async () => {
+      // Arrange — Redis down: lockout checks must not block all logins
+      const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.validUser);
+      mockRedis.exists.mockRejectedValue(new Error('Redis down'));
+      mockRedis.del.mockRejectedValue(new Error('Redis down'));
+      vi.mocked(verifyPassword).mockResolvedValue(true);
+      vi.mocked(authLib.signAccessToken).mockReturnValue('access');
+      vi.mocked(authLib.generateRefreshToken).mockReturnValue('refresh');
+      vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(expiresAt);
+      vi.mocked(sessionRepository.createSession).mockResolvedValue(testSession);
+      vi.mocked(authRepo.createRefreshToken).mockResolvedValue(testRefreshToken);
+
+      // Act
+      const result = await authService.login(
+        { ...loginInput, password: 'Password123!' },
+        'test-agent',
+        attackerIp,
+      );
+
+      // Assert
+      expect(result.accessToken).toBe('access');
+    });
+  });
+
+  describe('login — soft-deleted account restore path (lockout)', () => {
+    const loginInput = { email: 'test@example.com', password: 'WrongPassword!' };
+    const attackerIp = '203.0.113.7';
+    const softDeletedUser = {
+      ...testUsers.validUser,
+      deletedAt: new Date('2024-02-01T00:00:00Z'),
+      isActive: false,
+    };
+
+    it('should record a failed attempt against the email+IP pair on wrong password for a soft-deleted account', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(null);
+      vi.mocked(authRepo.findDeletedUserByEmail).mockResolvedValue(softDeletedUser);
+      vi.mocked(verifyPassword).mockResolvedValue(false);
+      mockRedis.incr.mockResolvedValue(3); // below the first lockout threshold
+
+      // Act & Assert
+      await expect(authService.login(loginInput, 'test-agent', attackerIp)).rejects.toThrow(
+        'Invalid email or password',
+      );
+      expect(mockRedis.incr).toHaveBeenCalledWith(`login-fail:test@example.com:${attackerIp}`);
+      expect(authRepo.restoreUser).not.toHaveBeenCalled();
+    });
+
+    it('should reject a locked email+IP pair on the soft-delete path before verifying the password', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(null);
+      vi.mocked(authRepo.findDeletedUserByEmail).mockResolvedValue(softDeletedUser);
+      mockRedis.exists.mockResolvedValue(1); // lock key present for this pair
+
+      // Act & Assert
+      await expect(authService.login(loginInput, 'test-agent', attackerIp)).rejects.toThrow(
+        'Invalid email or password',
+      );
+      expect(mockRedis.exists).toHaveBeenCalledWith(`login-lock:test@example.com:${attackerIp}`);
+      expect(verifyPassword).not.toHaveBeenCalled();
+      expect(authRepo.restoreUser).not.toHaveBeenCalled();
+    });
+  });
+
   describe('refresh', () => {
     const validRefreshToken = 'valid-refresh-token';
 
@@ -196,6 +399,7 @@ describe('Auth Service', () => {
       expect(authRepo.rotateRefreshToken).toHaveBeenCalledWith(validRefreshToken, {
         token: newRefreshToken,
         userId: testUsers.validUser.id,
+        sessionId: undefined, // fixture sessionId is null → normalized to undefined
         expiresAt,
       });
       expect(result).toEqual({
@@ -242,7 +446,7 @@ describe('Auth Service', () => {
       await expect(authService.refresh(validRefreshToken)).rejects.toThrow('User not found or disabled');
     });
 
-    it('should throw UnauthorizedError if user is disabled', async () => {
+    it('should throw ForbiddenError if user is not activated', async () => {
       // Arrange
       const storedToken = {
         ...testRefreshToken,
@@ -251,35 +455,73 @@ describe('Auth Service', () => {
       vi.mocked(authRepo.findRefreshToken).mockResolvedValue(storedToken);
       vi.mocked(authRepo.findUserById).mockResolvedValue(testUsers.inactiveUser);
 
+      // Act & Assert
+      await expect(authService.refresh(validRefreshToken)).rejects.toThrow(ForbiddenError);
+      await expect(authService.refresh(validRefreshToken)).rejects.toThrow(
+        'Account is not activated. Please verify your account.',
+      );
+    });
+
+    it('should revoke ALL refresh tokens and sessions when token reuse is detected', async () => {
+      // Regression test for refresh-token-reuse family revocation:
+      // the token was found, but the atomic rotation reports it was already
+      // consumed by a concurrent request — two parties presented the same
+      // single-use token. The whole family must be revoked, because whichever
+      // party redeemed it first (possibly an attacker) holds a valid token.
+      const storedToken = {
+        ...testRefreshToken,
+        expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000),
+      };
+      vi.mocked(authRepo.findRefreshToken).mockResolvedValue(storedToken);
+      vi.mocked(authRepo.findUserById).mockResolvedValue(testUsers.validUser);
+      vi.mocked(authLib.signAccessToken).mockReturnValue('access');
+      vi.mocked(authLib.generateRefreshToken).mockReturnValue('refresh');
+      vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(new Date());
+      vi.mocked(authRepo.rotateRefreshToken).mockResolvedValue(false); // already consumed
+      vi.mocked(authRepo.deleteRefreshTokensByUserId).mockResolvedValue(undefined);
+      vi.mocked(sessionRepository.deleteAllUserSessions).mockResolvedValue(1);
+
       // Act & Assert
       await expect(authService.refresh(validRefreshToken)).rejects.toThrow(UnauthorizedError);
-      await expect(authService.refresh(validRefreshToken)).rejects.toThrow('User not found or disabled');
+      expect(authRepo.deleteRefreshTokensByUserId).toHaveBeenCalledWith(testUsers.validUser.id);
+      expect(sessionRepository.deleteAllUserSessions).toHaveBeenCalledWith(testUsers.validUser.id);
+    });
+
+    it('should NOT revoke the token family on a successful rotation', async () => {
+      // Companion to the reuse test — the revocation path must not fire on
+      // the happy path.
+      const storedToken = {
+        ...testRefreshToken,
+        expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000),
+      };
+      vi.mocked(authRepo.findRefreshToken).mockResolvedValue(storedToken);
+      vi.mocked(authRepo.findUserById).mockResolvedValue(testUsers.validUser);
+      vi.mocked(authLib.signAccessToken).mockReturnValue('access');
+      vi.mocked(authLib.generateRefreshToken).mockReturnValue('refresh');
+      vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(new Date());
+      vi.mocked(authRepo.rotateRefreshToken).mockResolvedValue(true);
+
+      // Act
+      await authService.refresh(validRefreshToken);
+
+      // Assert
+      expect(authRepo.deleteRefreshTokensByUserId).not.toHaveBeenCalled();
+      expect(sessionRepository.deleteAllUserSessions).not.toHaveBeenCalled();
     });
   });
 
   describe('logout', () => {
-    it('should delete refresh token and matching session', async () => {
+    it('should delete refresh token and its linked session', async () => {
       // Arrange
       const refreshToken = 'valid-refresh-token';
-      const tokenCreatedAt = new Date('2024-06-01T12:00:00Z');
       const storedToken = {
         ...testRefreshToken,
         token: refreshToken,
-        createdAt: tokenCreatedAt,
-      };
-      const matchingSession = {
-        id: 'session-1',
-        userId: testUsers.validUser.id,
-        deviceInfo: 'test-agent',
-        ipAddress: '127.0.0.1',
-        lastActiveAt: new Date(),
-        expiresAt: new Date(Date.now() + 86400000),
-        createdAt: new Date('2024-06-01T12:00:00.100Z'), // within 5s of token
+        sessionId: 'session-1',
       };
 
       vi.mocked(authRepo.findRefreshToken).mockResolvedValue(storedToken);
       vi.mocked(authRepo.deleteRefreshToken).mockResolvedValue(undefined);
-      vi.mocked(sessionRepository.getUserSessions).mockResolvedValue([matchingSession]);
       vi.mocked(sessionRepository.deleteSession).mockResolvedValue(undefined as never);
 
       // Act
@@ -288,46 +530,34 @@ describe('Auth Service', () => {
       // Assert
       expect(authRepo.findRefreshToken).toHaveBeenCalledWith(refreshToken);
       expect(authRepo.deleteRefreshToken).toHaveBeenCalledWith(refreshToken);
-      expect(sessionRepository.getUserSessions).toHaveBeenCalledWith(storedToken.userId);
-      expect(sessionRepository.deleteSession).toHaveBeenCalledWith(matchingSession.id);
+      expect(sessionRepository.deleteSession).toHaveBeenCalledWith('session-1');
     });
 
-    it('should not delete session if no matching createdAt found', async () => {
-      // Arrange
+    it('should not delete a session when the token has no sessionId', async () => {
+      // Arrange — testRefreshToken fixture has sessionId: null
       const refreshToken = 'valid-refresh-token';
-      const storedToken = {
+      vi.mocked(authRepo.findRefreshToken).mockResolvedValue({
         ...testRefreshToken,
         token: refreshToken,
-        createdAt: new Date('2024-06-01T12:00:00Z'),
-      };
-      const unmatchedSession = {
-        id: 'session-2',
-        userId: testUsers.validUser.id,
-        deviceInfo: null,
-        ipAddress: null,
-        lastActiveAt: new Date(),
-        expiresAt: new Date(Date.now() + 86400000),
-        createdAt: new Date('2024-05-01T00:00:00Z'), // way off — no match
-      };
-
-      vi.mocked(authRepo.findRefreshToken).mockResolvedValue(storedToken);
+      });
       vi.mocked(authRepo.deleteRefreshToken).mockResolvedValue(undefined);
-      vi.mocked(sessionRepository.getUserSessions).mockResolvedValue([unmatchedSession]);
 
       // Act
       await authService.logout(refreshToken);
 
       // Assert
+      expect(authRepo.deleteRefreshToken).toHaveBeenCalledWith(refreshToken);
       expect(sessionRepository.deleteSession).not.toHaveBeenCalled();
     });
 
-    it('should not throw error if token deletion fails', async () => {
-      // Arrange
-      const refreshToken = 'invalid-refresh-token';
+    it('should propagate unexpected repository errors', async () => {
+      // "Token already deleted" is handled gracefully inside the repo (P2025);
+      // anything else is a real failure and must reach the global error handler.
+      const refreshToken = 'valid-refresh-token';
       vi.mocked(authRepo.findRefreshToken).mockRejectedValue(new Error('DB error'));
 
       // Act & Assert
-      await expect(authService.logout(refreshToken)).resolves.not.toThrow();
+      await expect(authService.logout(refreshToken)).rejects.toThrow('DB error');
     });
   });