create-tigra 2.8.0 → 3.0.2

package/template/server/src/libs/url-safety.ts

@@ -0,0 +1,121 @@
+/**
+ * URL/IP safety helpers shared across outbound-HTTP code paths.
+ *
+ *  - `redactUrl`            — strips secrets (Telegram bot tokens, query strings)
+ *                             from a URL before it reaches any log sink.
+ *  - `isPrivateOrReservedIp`— SSRF building block: returns true for any loopback /
+ *                             private / link-local / ULA / reserved address so the
+ *                             image-fetch guard can reject internal targets.
+ *
+ * Pure, dependency-free, and side-effect-free so they are trivial to unit test.
+ */
+
+/**
+ * Redact a URL so it is safe to log.
+ *
+ * Telegram embeds the bot token directly in the request path:
+ *   https://api.telegram.org/bot<TOKEN>/getFile
+ *   https://api.telegram.org/file/bot<TOKEN>/photos/file_1.jpg
+ * Both forms (`/bot<token>/` and `/file/bot<token>/`) are rewritten to
+ * `/bot<redacted>/`. Any query string is dropped wholesale (it can also carry
+ * media tokens / signatures). Non-Telegram URLs pass through unchanged apart
+ * from query stripping. NEVER throws — an unparseable string is returned with
+ * just the same path-level redaction applied.
+ */
+export function redactUrl(url: string): string {
+  if (typeof url !== 'string' || url.length === 0) {
+    return url;
+  }
+
+  // Drop the query string (and fragment) — may hold signed tokens.
+  const noQuery = url.split(/[?#]/, 1)[0];
+
+  // Rewrite Telegram bot-token path segments. The token charset is [A-Za-z0-9_-]
+  // plus the ':' separating bot-id from secret, e.g. 123456:AAH...
+  return noQuery.replace(/\/bot[A-Za-z0-9:_-]+/g, '/bot<redacted>');
+}
+
+/**
+ * True when `addr` is a loopback / private / link-local / ULA / unspecified /
+ * reserved IP that an SSRF target could use to reach internal infrastructure.
+ *
+ * Covers:
+ *   IPv4: 0.0.0.0, 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, 100.64/10 (CGNAT)
+ *   IPv6: ::, ::1, fc00::/7 (ULA), fe80::/10 (link-local)
+ *   IPv4-mapped IPv6 (::ffff:a.b.c.d) — re-checked against the IPv4 rules.
+ *
+ * Unrecognised / unparseable input returns true (fail-closed) — the caller
+ * uses this purely to BLOCK, so an address it cannot classify is treated as
+ * unsafe rather than silently allowed.
+ */
+export function isPrivateOrReservedIp(addr: string): boolean {
+  if (typeof addr !== 'string' || addr.length === 0) {
+    return true;
+  }
+
+  const ip = addr.trim().toLowerCase();
+
+  // IPv4-mapped IPv6, e.g. ::ffff:10.0.0.5 or ::ffff:0a00:0005 — extract the v4 tail.
+  const mapped = ip.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
+  if (mapped) {
+    return isPrivateOrReservedIpv4(mapped[1]);
+  }
+
+  if (ip.includes(':')) {
+    return isReservedIpv6(ip);
+  }
+
+  return isPrivateOrReservedIpv4(ip);
+}
+
+function isPrivateOrReservedIpv4(ip: string): boolean {
+  const parts = ip.split('.');
+  if (parts.length !== 4) {
+    return true; // not a clean dotted-quad → block
+  }
+
+  const octets = parts.map((p) => Number(p));
+  if (octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
+    return true; // malformed → block
+  }
+
+  const [a, b] = octets;
+
+  if (a === 0) return true; // 0.0.0.0/8 (incl. unspecified)
+  if (a === 127) return true; // 127.0.0.0/8 loopback
+  if (a === 10) return true; // 10.0.0.0/8 private
+  if (a === 172 && b >= 16 && b <= 31) return true; // 172.16.0.0/12 private
+  if (a === 192 && b === 168) return true; // 192.168.0.0/16 private
+  if (a === 169 && b === 254) return true; // 169.254.0.0/16 link-local
+  if (a === 100 && b >= 64 && b <= 127) return true; // 100.64.0.0/10 CGNAT
+
+  return false;
+}
+
+function isReservedIpv6(ip: string): boolean {
+  // Normalise: drop zone id (fe80::1%eth0) and any brackets.
+  const bare = ip.replace(/^\[|\]$/g, '').split('%')[0];
+
+  if (bare === '::' || bare === '::0' || bare === '0:0:0:0:0:0:0:0') return true; // unspecified
+  if (bare === '::1') return true; // loopback
+
+  // First hextet determines ULA / link-local ranges.
+  const firstHextet = bare.split(':')[0];
+  if (firstHextet === '') {
+    // Address starts with '::' (e.g. '::abcd') — already handled the special
+    // cases above; remaining such addresses are not in fc00::/7 or fe80::/10.
+    return false;
+  }
+
+  const value = parseInt(firstHextet, 16);
+  if (Number.isNaN(value)) {
+    return true; // unparseable hextet → block
+  }
+
+  // fc00::/7  → first 7 bits = 1111110  → first byte 0xfc or 0xfd
+  if ((value & 0xfe00) === 0xfc00) return true;
+  // fe80::/10 → first 10 bits = 1111111010 → 0xfe80..0xfebf
+  if ((value & 0xffc0) === 0xfe80) return true;
+
+  return false;
+}

package/template/server/src/modules/auth/__tests__/auth.service.test.ts

@@ -3,8 +3,8 @@ import * as authService from '../auth.service.js';
 import * as authRepo from '../auth.repo.js';
 import * as authLib from '@libs/auth.js';
 import { hashPassword, verifyPassword } from '@libs/password.js';
-import { ConflictError, UnauthorizedError, NotFoundError } from '@shared/errors/errors.js';
-import { testUsers, testRefreshToken, resetMocks } from '@/test/setup.js';
+import { ConflictError, UnauthorizedError, ForbiddenError, NotFoundError } from '@shared/errors/errors.js';
+import { testUsers, testRefreshToken, testSession, resetMocks } from '@/test/setup.js';
 import { sessionRepository } from '../session.repo.js';
 
 // Mock dependencies
@@ -13,10 +13,31 @@ vi.mock('@libs/auth.js');
 vi.mock('@libs/password.js');
 vi.mock('../session.repo.js');
 
+// In-memory Redis stub — account lockout (email+IP) uses Redis. Tests must
+// never require a live Redis instance.
+const mockRedis = vi.hoisted(() => ({
+  exists: vi.fn(),
+  incr: vi.fn(),
+  expire: vi.fn(),
+  set: vi.fn(),
+  get: vi.fn(),
+  del: vi.fn(),
+}));
+
+vi.mock('@libs/redis.js', () => ({
+  getRedis: (): typeof mockRedis => mockRedis,
+}));
+
 describe('Auth Service', () => {
   beforeEach(() => {
     resetMocks();
     vi.clearAllMocks();
+    // Default Redis behavior: nothing locked, first failure
+    mockRedis.exists.mockResolvedValue(0);
+    mockRedis.incr.mockResolvedValue(1);
+    mockRedis.expire.mockResolvedValue(1);
+    mockRedis.set.mockResolvedValue('OK');
+    mockRedis.del.mockResolvedValue(1);
   });
 
   describe('register', () => {
@@ -28,7 +49,8 @@ describe('Auth Service', () => {
     };
 
     it('should successfully register a new user', async () => {
-      // Arrange
+      // Arrange — REQUIRE_USER_VERIFICATION=false in tests, so the user is
+      // active immediately and tokens are issued.
       const hashedPassword = '$2a$12$hashedpassword';
       const createdUser = {
         ...testUsers.validUser,
@@ -40,11 +62,13 @@ describe('Auth Service', () => {
       const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
 
       vi.mocked(authRepo.findUserByEmail).mockResolvedValue(null);
+      vi.mocked(authRepo.findDeletedUserByEmail).mockResolvedValue(null);
       vi.mocked(hashPassword).mockResolvedValue(hashedPassword);
       vi.mocked(authRepo.createUser).mockResolvedValue(createdUser);
       vi.mocked(authLib.signAccessToken).mockReturnValue(accessToken);
       vi.mocked(authLib.generateRefreshToken).mockReturnValue(refreshToken);
       vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(expiresAt);
+      vi.mocked(sessionRepository.createSession).mockResolvedValue(testSession);
       vi.mocked(authRepo.createRefreshToken).mockResolvedValue(testRefreshToken);
 
       // Act
@@ -58,15 +82,23 @@ describe('Auth Service', () => {
         password: hashedPassword,
         firstName: validRegisterInput.firstName,
         lastName: validRegisterInput.lastName,
+        isActive: true,
       });
       expect(authLib.signAccessToken).toHaveBeenCalledWith({
         userId: createdUser.id,
         role: createdUser.role,
       });
       expect(authLib.generateRefreshToken).toHaveBeenCalled();
+      expect(sessionRepository.createSession).toHaveBeenCalledWith({
+        userId: createdUser.id,
+        deviceInfo: undefined,
+        ipAddress: undefined,
+        expiresAt,
+      });
       expect(authRepo.createRefreshToken).toHaveBeenCalledWith({
         token: refreshToken,
         userId: createdUser.id,
+        sessionId: testSession.id,
         expiresAt,
       });
       expect(result).toEqual({
@@ -79,6 +111,7 @@ describe('Auth Service', () => {
         }),
         accessToken,
         refreshToken,
+        requiresVerification: false,
       });
       expect(result.user).not.toHaveProperty('password');
     });
@@ -93,6 +126,19 @@ describe('Auth Service', () => {
       expect(hashPassword).not.toHaveBeenCalled();
       expect(authRepo.createUser).not.toHaveBeenCalled();
     });
+
+    it('should throw ConflictError if a soft-deleted account exists with this email', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(null);
+      vi.mocked(authRepo.findDeletedUserByEmail).mockResolvedValue({
+        ...testUsers.validUser,
+        deletedAt: new Date(),
+      });
+
+      // Act & Assert
+      await expect(authService.register(validRegisterInput)).rejects.toThrow(ConflictError);
+      expect(authRepo.createUser).not.toHaveBeenCalled();
+    });
   });
 
   describe('login', () => {
@@ -112,6 +158,7 @@ describe('Auth Service', () => {
       vi.mocked(authLib.signAccessToken).mockReturnValue(accessToken);
       vi.mocked(authLib.generateRefreshToken).mockReturnValue(refreshToken);
       vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(expiresAt);
+      vi.mocked(sessionRepository.createSession).mockResolvedValue(testSession);
       vi.mocked(authRepo.createRefreshToken).mockResolvedValue(testRefreshToken);
 
       // Act
@@ -120,6 +167,18 @@ describe('Auth Service', () => {
       // Assert
       expect(authRepo.findUserByEmail).toHaveBeenCalledWith(validLoginInput.email);
       expect(verifyPassword).toHaveBeenCalledWith(validLoginInput.password, testUsers.validUser.password);
+      expect(sessionRepository.createSession).toHaveBeenCalledWith({
+        userId: testUsers.validUser.id,
+        deviceInfo: undefined,
+        ipAddress: undefined,
+        expiresAt,
+      });
+      expect(authRepo.createRefreshToken).toHaveBeenCalledWith({
+        token: refreshToken,
+        userId: testUsers.validUser.id,
+        sessionId: testSession.id,
+        expiresAt,
+      });
       expect(result).toEqual({
         user: expect.objectContaining({
           id: testUsers.validUser.id,
@@ -134,6 +193,7 @@ describe('Auth Service', () => {
     it('should throw UnauthorizedError if user not found', async () => {
       // Arrange
       vi.mocked(authRepo.findUserByEmail).mockResolvedValue(null);
+      vi.mocked(authRepo.findDeletedUserByEmail).mockResolvedValue(null);
 
       // Act & Assert
       await expect(authService.login(validLoginInput)).rejects.toThrow(UnauthorizedError);
@@ -141,13 +201,15 @@ describe('Auth Service', () => {
       expect(verifyPassword).not.toHaveBeenCalled();
     });
 
-    it('should throw UnauthorizedError if account is disabled', async () => {
+    it('should throw ForbiddenError if account is not activated', async () => {
       // Arrange
       vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.inactiveUser);
 
       // Act & Assert
-      await expect(authService.login(validLoginInput)).rejects.toThrow(UnauthorizedError);
-      await expect(authService.login(validLoginInput)).rejects.toThrow('Invalid email or password');
+      await expect(authService.login(validLoginInput)).rejects.toThrow(ForbiddenError);
+      await expect(authService.login(validLoginInput)).rejects.toThrow(
+        'Account is not activated. Please verify your account.',
+      );
       expect(verifyPassword).not.toHaveBeenCalled();
     });
 
@@ -162,6 +224,147 @@ describe('Auth Service', () => {
     });
   });
 
+  describe('login — account lockout (email+IP scoped)', () => {
+    const loginInput = { email: 'test@example.com', password: 'WrongPassword!' };
+    const attackerIp = '203.0.113.7';
+
+    it('should reject login when the email+IP pair is locked, without verifying the password', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.validUser);
+      mockRedis.exists.mockResolvedValue(1); // lock key present for this pair
+
+      // Act & Assert
+      await expect(
+        authService.login(loginInput, 'test-agent', attackerIp),
+      ).rejects.toThrow('Invalid email or password');
+      expect(mockRedis.exists).toHaveBeenCalledWith(`login-lock:test@example.com:${attackerIp}`);
+      expect(verifyPassword).not.toHaveBeenCalled();
+    });
+
+    it('should NOT lock out the same email from a different IP (no remote lockout DoS)', async () => {
+      // Arrange — lock exists only for the attacker's IP; victim logs in from
+      // their own IP and Redis reports no lock for that pair.
+      const victimIp = '198.51.100.42';
+      const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
+
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.validUser);
+      mockRedis.exists.mockResolvedValue(0);
+      vi.mocked(verifyPassword).mockResolvedValue(true);
+      vi.mocked(authLib.signAccessToken).mockReturnValue('access');
+      vi.mocked(authLib.generateRefreshToken).mockReturnValue('refresh');
+      vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(expiresAt);
+      vi.mocked(sessionRepository.createSession).mockResolvedValue(testSession);
+      vi.mocked(authRepo.createRefreshToken).mockResolvedValue(testRefreshToken);
+
+      // Act
+      const result = await authService.login(
+        { ...loginInput, password: 'Password123!' },
+        'test-agent',
+        victimIp,
+      );
+
+      // Assert — lock was checked for the VICTIM's pair only, and login succeeded
+      expect(mockRedis.exists).toHaveBeenCalledWith(`login-lock:test@example.com:${victimIp}`);
+      expect(result.accessToken).toBe('access');
+    });
+
+    it('should record a failed attempt against the email+IP pair on bad password', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.validUser);
+      vi.mocked(verifyPassword).mockResolvedValue(false);
+      mockRedis.incr.mockResolvedValue(3); // below the first lockout threshold
+
+      // Act & Assert
+      await expect(authService.login(loginInput, 'test-agent', attackerIp)).rejects.toThrow(
+        UnauthorizedError,
+      );
+      expect(mockRedis.incr).toHaveBeenCalledWith(`login-fail:test@example.com:${attackerIp}`);
+      expect(mockRedis.set).not.toHaveBeenCalled(); // no lock yet
+    });
+
+    it('should set a lock for the email+IP pair after 5 failures (15 min)', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.validUser);
+      vi.mocked(verifyPassword).mockResolvedValue(false);
+      mockRedis.incr.mockResolvedValue(5); // hits the first threshold
+
+      // Act & Assert
+      await expect(authService.login(loginInput, 'test-agent', attackerIp)).rejects.toThrow(
+        UnauthorizedError,
+      );
+      expect(mockRedis.set).toHaveBeenCalledWith(
+        `login-lock:test@example.com:${attackerIp}`,
+        '1',
+        'EX',
+        15 * 60,
+      );
+    });
+
+    it('should fail open and allow login when Redis is unavailable', async () => {
+      // Arrange — Redis down: lockout checks must not block all logins
+      const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(testUsers.validUser);
+      mockRedis.exists.mockRejectedValue(new Error('Redis down'));
+      mockRedis.del.mockRejectedValue(new Error('Redis down'));
+      vi.mocked(verifyPassword).mockResolvedValue(true);
+      vi.mocked(authLib.signAccessToken).mockReturnValue('access');
+      vi.mocked(authLib.generateRefreshToken).mockReturnValue('refresh');
+      vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(expiresAt);
+      vi.mocked(sessionRepository.createSession).mockResolvedValue(testSession);
+      vi.mocked(authRepo.createRefreshToken).mockResolvedValue(testRefreshToken);
+
+      // Act
+      const result = await authService.login(
+        { ...loginInput, password: 'Password123!' },
+        'test-agent',
+        attackerIp,
+      );
+
+      // Assert
+      expect(result.accessToken).toBe('access');
+    });
+  });
+
+  describe('login — soft-deleted account restore path (lockout)', () => {
+    const loginInput = { email: 'test@example.com', password: 'WrongPassword!' };
+    const attackerIp = '203.0.113.7';
+    const softDeletedUser = {
+      ...testUsers.validUser,
+      deletedAt: new Date('2024-02-01T00:00:00Z'),
+      isActive: false,
+    };
+
+    it('should record a failed attempt against the email+IP pair on wrong password for a soft-deleted account', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(null);
+      vi.mocked(authRepo.findDeletedUserByEmail).mockResolvedValue(softDeletedUser);
+      vi.mocked(verifyPassword).mockResolvedValue(false);
+      mockRedis.incr.mockResolvedValue(3); // below the first lockout threshold
+
+      // Act & Assert
+      await expect(authService.login(loginInput, 'test-agent', attackerIp)).rejects.toThrow(
+        'Invalid email or password',
+      );
+      expect(mockRedis.incr).toHaveBeenCalledWith(`login-fail:test@example.com:${attackerIp}`);
+      expect(authRepo.restoreUser).not.toHaveBeenCalled();
+    });
+
+    it('should reject a locked email+IP pair on the soft-delete path before verifying the password', async () => {
+      // Arrange
+      vi.mocked(authRepo.findUserByEmail).mockResolvedValue(null);
+      vi.mocked(authRepo.findDeletedUserByEmail).mockResolvedValue(softDeletedUser);
+      mockRedis.exists.mockResolvedValue(1); // lock key present for this pair
+
+      // Act & Assert
+      await expect(authService.login(loginInput, 'test-agent', attackerIp)).rejects.toThrow(
+        'Invalid email or password',
+      );
+      expect(mockRedis.exists).toHaveBeenCalledWith(`login-lock:test@example.com:${attackerIp}`);
+      expect(verifyPassword).not.toHaveBeenCalled();
+      expect(authRepo.restoreUser).not.toHaveBeenCalled();
+    });
+  });
+
   describe('refresh', () => {
     const validRefreshToken = 'valid-refresh-token';
 
@@ -196,6 +399,7 @@ describe('Auth Service', () => {
       expect(authRepo.rotateRefreshToken).toHaveBeenCalledWith(validRefreshToken, {
         token: newRefreshToken,
         userId: testUsers.validUser.id,
+        sessionId: undefined, // fixture sessionId is null → normalized to undefined
         expiresAt,
       });
       expect(result).toEqual({
@@ -242,7 +446,7 @@ describe('Auth Service', () => {
       await expect(authService.refresh(validRefreshToken)).rejects.toThrow('User not found or disabled');
     });
 
-    it('should throw UnauthorizedError if user is disabled', async () => {
+    it('should throw ForbiddenError if user is not activated', async () => {
       // Arrange
       const storedToken = {
         ...testRefreshToken,
@@ -251,35 +455,73 @@ describe('Auth Service', () => {
       vi.mocked(authRepo.findRefreshToken).mockResolvedValue(storedToken);
       vi.mocked(authRepo.findUserById).mockResolvedValue(testUsers.inactiveUser);
 
+      // Act & Assert
+      await expect(authService.refresh(validRefreshToken)).rejects.toThrow(ForbiddenError);
+      await expect(authService.refresh(validRefreshToken)).rejects.toThrow(
+        'Account is not activated. Please verify your account.',
+      );
+    });
+
+    it('should revoke ALL refresh tokens and sessions when token reuse is detected', async () => {
+      // Regression test for refresh-token-reuse family revocation:
+      // the token was found, but the atomic rotation reports it was already
+      // consumed by a concurrent request — two parties presented the same
+      // single-use token. The whole family must be revoked, because whichever
+      // party redeemed it first (possibly an attacker) holds a valid token.
+      const storedToken = {
+        ...testRefreshToken,
+        expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000),
+      };
+      vi.mocked(authRepo.findRefreshToken).mockResolvedValue(storedToken);
+      vi.mocked(authRepo.findUserById).mockResolvedValue(testUsers.validUser);
+      vi.mocked(authLib.signAccessToken).mockReturnValue('access');
+      vi.mocked(authLib.generateRefreshToken).mockReturnValue('refresh');
+      vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(new Date());
+      vi.mocked(authRepo.rotateRefreshToken).mockResolvedValue(false); // already consumed
+      vi.mocked(authRepo.deleteRefreshTokensByUserId).mockResolvedValue(undefined);
+      vi.mocked(sessionRepository.deleteAllUserSessions).mockResolvedValue(1);
+
       // Act & Assert
       await expect(authService.refresh(validRefreshToken)).rejects.toThrow(UnauthorizedError);
-      await expect(authService.refresh(validRefreshToken)).rejects.toThrow('User not found or disabled');
+      expect(authRepo.deleteRefreshTokensByUserId).toHaveBeenCalledWith(testUsers.validUser.id);
+      expect(sessionRepository.deleteAllUserSessions).toHaveBeenCalledWith(testUsers.validUser.id);
+    });
+
+    it('should NOT revoke the token family on a successful rotation', async () => {
+      // Companion to the reuse test — the revocation path must not fire on
+      // the happy path.
+      const storedToken = {
+        ...testRefreshToken,
+        expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000),
+      };
+      vi.mocked(authRepo.findRefreshToken).mockResolvedValue(storedToken);
+      vi.mocked(authRepo.findUserById).mockResolvedValue(testUsers.validUser);
+      vi.mocked(authLib.signAccessToken).mockReturnValue('access');
+      vi.mocked(authLib.generateRefreshToken).mockReturnValue('refresh');
+      vi.mocked(authLib.getRefreshTokenExpiresAt).mockReturnValue(new Date());
+      vi.mocked(authRepo.rotateRefreshToken).mockResolvedValue(true);
+
+      // Act
+      await authService.refresh(validRefreshToken);
+
+      // Assert
+      expect(authRepo.deleteRefreshTokensByUserId).not.toHaveBeenCalled();
+      expect(sessionRepository.deleteAllUserSessions).not.toHaveBeenCalled();
     });
   });
 
   describe('logout', () => {
-    it('should delete refresh token and matching session', async () => {
+    it('should delete refresh token and its linked session', async () => {
       // Arrange
       const refreshToken = 'valid-refresh-token';
-      const tokenCreatedAt = new Date('2024-06-01T12:00:00Z');
       const storedToken = {
         ...testRefreshToken,
         token: refreshToken,
-        createdAt: tokenCreatedAt,
-      };
-      const matchingSession = {
-        id: 'session-1',
-        userId: testUsers.validUser.id,
-        deviceInfo: 'test-agent',
-        ipAddress: '127.0.0.1',
-        lastActiveAt: new Date(),
-        expiresAt: new Date(Date.now() + 86400000),
-        createdAt: new Date('2024-06-01T12:00:00.100Z'), // within 5s of token
+        sessionId: 'session-1',
       };
 
       vi.mocked(authRepo.findRefreshToken).mockResolvedValue(storedToken);
       vi.mocked(authRepo.deleteRefreshToken).mockResolvedValue(undefined);
-      vi.mocked(sessionRepository.getUserSessions).mockResolvedValue([matchingSession]);
       vi.mocked(sessionRepository.deleteSession).mockResolvedValue(undefined as never);
 
       // Act
@@ -288,46 +530,34 @@ describe('Auth Service', () => {
       // Assert
       expect(authRepo.findRefreshToken).toHaveBeenCalledWith(refreshToken);
       expect(authRepo.deleteRefreshToken).toHaveBeenCalledWith(refreshToken);
-      expect(sessionRepository.getUserSessions).toHaveBeenCalledWith(storedToken.userId);
-      expect(sessionRepository.deleteSession).toHaveBeenCalledWith(matchingSession.id);
+      expect(sessionRepository.deleteSession).toHaveBeenCalledWith('session-1');
     });
 
-    it('should not delete session if no matching createdAt found', async () => {
-      // Arrange
+    it('should not delete a session when the token has no sessionId', async () => {
+      // Arrange — testRefreshToken fixture has sessionId: null
       const refreshToken = 'valid-refresh-token';
-      const storedToken = {
+      vi.mocked(authRepo.findRefreshToken).mockResolvedValue({
         ...testRefreshToken,
         token: refreshToken,
-        createdAt: new Date('2024-06-01T12:00:00Z'),
-      };
-      const unmatchedSession = {
-        id: 'session-2',
-        userId: testUsers.validUser.id,
-        deviceInfo: null,
-        ipAddress: null,
-        lastActiveAt: new Date(),
-        expiresAt: new Date(Date.now() + 86400000),
-        createdAt: new Date('2024-05-01T00:00:00Z'), // way off — no match
-      };
-
-      vi.mocked(authRepo.findRefreshToken).mockResolvedValue(storedToken);
+      });
       vi.mocked(authRepo.deleteRefreshToken).mockResolvedValue(undefined);
-      vi.mocked(sessionRepository.getUserSessions).mockResolvedValue([unmatchedSession]);
 
       // Act
       await authService.logout(refreshToken);
 
       // Assert
+      expect(authRepo.deleteRefreshToken).toHaveBeenCalledWith(refreshToken);
       expect(sessionRepository.deleteSession).not.toHaveBeenCalled();
     });
 
-    it('should not throw error if token deletion fails', async () => {
-      // Arrange
-      const refreshToken = 'invalid-refresh-token';
+    it('should propagate unexpected repository errors', async () => {
+      // "Token already deleted" is handled gracefully inside the repo (P2025);
+      // anything else is a real failure and must reach the global error handler.
+      const refreshToken = 'valid-refresh-token';
       vi.mocked(authRepo.findRefreshToken).mockRejectedValue(new Error('DB error'));
 
       // Act & Assert
-      await expect(authService.logout(refreshToken)).resolves.not.toThrow();
+      await expect(authService.logout(refreshToken)).rejects.toThrow('DB error');
     });
   });