nodejs-quickstart-structure 2.0.0 → 2.1.0

package/templates/common/auth/js/controllers/authController.spec.js.ejs

@@ -0,0 +1,148 @@
+<%_ if (architecture === 'Clean Architecture') { _%>
+const AuthController = require('@/interfaces/controllers/auth/authController');
+const JwtService = require('@/infrastructure/auth/jwtService');
+<%_ } else { _%>
+const AuthController = require('@/controllers/authController');
+const JwtService = require('@/services/jwtService');
+<%_ } _%>
+const HTTP_STATUS = require('@/utils/httpCodes');
+const bcrypt = require('bcryptjs');
+
+jest.mock('bcryptjs');
+<%_ if (architecture === 'Clean Architecture') { _%>
+jest.mock('@/infrastructure/auth/jwtService');
+jest.mock('@/infrastructure/database/models/User', () => ({
+    findOne: jest.fn()
+}));
+const User = require('@/infrastructure/database/models/User');
+<%_ } else { _%>
+jest.mock('@/services/jwtService');
+jest.mock('@/models/User', () => ({
+    findOne: jest.fn()
+}));
+const User = require('@/models/User');
+<%_ } _%>
+<%_ if (caching !== 'None') { _%>
+<%_ const cachePath = (architecture === "MVC") ? (caching === "Redis" ? "@/config/redisClient" : "@/config/memoryCache") : (caching === "Redis" ? "@/infrastructure/caching/redisClient" : "@/infrastructure/caching/memoryCache"); _%>
+jest.mock('<%= cachePath %>', () => ({
+    get: jest.fn(),
+    set: jest.fn(),
+    del: jest.fn()
+}), { virtual: true });
+const cacheService = require('<%= cachePath %>');
+<%_ } _%>
+
+describe('AuthController', () => {
+    let controller;
+    let mockReq;
+    let mockRes;
+    let next;
+
+    beforeEach(() => {
+        controller = new AuthController();
+        mockReq = {
+            body: {},
+            headers: {}
+        };
+        mockRes = {
+            status: jest.fn().mockReturnThis(),
+            json: jest.fn()
+        };
+        next = jest.fn();
+        jest.clearAllMocks();
+    });
+
+    describe('login', () => {
+        it('should return tokens on success', async () => {
+            const user = { id: 1, email: 'test@test.com', password: 'hashedpassword' };
+            mockReq.body = { email: 'test@test.com', password: 'password123' };
+            User.findOne.mockResolvedValue(user);
+            bcrypt.compare.mockResolvedValue(true);
+            JwtService.generateToken.mockReturnValue('mock-access-token');
+            JwtService.generateRefreshToken.mockReturnValue('mock-refresh-token');
+            JwtService.decodeToken.mockReturnValue({ jti: 'test-jti' });
+
+            // Mock cacheService
+            <% if (caching !== 'None') { %>
+            cacheService.get.mockResolvedValue([]);
+            cacheService.set.mockResolvedValue();<% } %>
+
+            await controller.login(mockReq, mockRes, next);
+
+            expect(JwtService.generateToken).toHaveBeenCalledWith(expect.objectContaining({ sid: 'test-jti' }));
+            expect(mockRes.json).toHaveBeenCalledWith({ token: 'mock-access-token', accessToken: 'mock-access-token', refreshToken: 'mock-refresh-token' });
+        });
+
+        it('should return 401 on invalid email', async () => {
+            mockReq.body = { email: 'wrong@test.com', password: 'password123' };
+            User.findOne.mockResolvedValue(null);
+
+            await controller.login(mockReq, mockRes, next);
+
+            expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+        });
+
+        it('should return 401 on invalid password', async () => {
+            const user = { id: 1, email: 'test@test.com', password: 'hashedpassword' };
+            mockReq.body = { email: 'test@test.com', password: 'wrongpassword' };
+            User.findOne.mockResolvedValue(user);
+            bcrypt.compare.mockResolvedValue(false);
+
+            await controller.login(mockReq, mockRes, next);
+
+            expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+        });
+    });
+
+    describe('refresh', () => {
+        it('should return new tokens for a valid refresh token', async () => {
+            mockReq.body = { refreshToken: 'valid-refresh' };
+            const decoded = { id: '1', email: 'test@test.com', jti: 'old-jti' };
+            JwtService.verifyRefreshToken.mockReturnValue(decoded);
+            JwtService.generateToken.mockReturnValue('new-access');
+            JwtService.generateRefreshToken.mockReturnValue('new-refresh');
+            JwtService.decodeToken.mockReturnValue({ jti: 'new-jti' });
+
+            <% if (caching !== 'None') { %>
+            cacheService.get.mockResolvedValue(['old-jti']);
+            cacheService.set.mockResolvedValue();
+            <% } else { %>
+            JwtService.activeRefreshTokens.set('1', ['old-jti']);<% } %>
+
+            await controller.refresh(mockReq, mockRes, next);
+
+            expect(JwtService.generateToken).toHaveBeenCalledWith(expect.objectContaining({ sid: 'new-jti' }));
+            expect(mockRes.json).toHaveBeenCalledWith({ accessToken: 'new-access', refreshToken: 'new-refresh' });
+        });
+
+        it('should detect theft and revoke if jti is not active', async () => {
+            mockReq.body = { refreshToken: 'stolen-refresh' };
+            const decoded = { id: '1', email: 'test@test.com', jti: 'stolen-jti' };
+            JwtService.verifyRefreshToken.mockReturnValue(decoded);
+
+            <% if (caching !== 'None') { %>
+            cacheService.get.mockResolvedValue(['different-jti']);
+            <% } else { %>
+            JwtService.activeRefreshTokens.set('1', ['different-jti']);<% } %>
+
+            await controller.refresh(mockReq, mockRes, next);
+
+            expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+        });
+    });
+
+    describe('logout', () => {
+        it('should blacklist access jti and remove refresh jti', async () => {
+            mockReq.headers.authorization = 'Bearer access-token';
+            mockReq.body = { refreshToken: 'refresh-token' };
+            
+            JwtService.decodeToken
+                .mockReturnValueOnce({ jti: 'access-jti', exp: Math.floor(Date.now() / 1000) + 3600 })
+                .mockReturnValueOnce({ id: '1', jti: 'refresh-jti' });
+
+            await controller.logout(mockReq, mockRes, next);
+
+            expect(mockRes.json).toHaveBeenCalledWith({ message: 'Logged out successfully' });
+        });
+    });
+});

package/templates/common/auth/js/middleware/authMiddleware.js.ejs

@@ -0,0 +1,58 @@
+<% if (architecture === 'MVC') { -%>
+const JwtService = require('../services/jwtService');
+const HTTP_STATUS = require('../utils/httpCodes');
+<% if (caching !== 'None') { -%>
+const cacheService = require('<% if (caching === "Redis") { %>../config/redisClient<% } else { %>../config/memoryCache<% } %>');
+<% } -%>
+<% } else { -%>
+const JwtService = require('../../../infrastructure/auth/jwtService');
+const HTTP_STATUS = require('../../../utils/httpCodes');
+<% if (caching !== 'None') { -%>
+const cacheService = require('<% if (caching === "Redis") { %>../../../infrastructure/caching/redisClient<% } else { %>../../../infrastructure/caching/memoryCache<% } %>');
+<% } -%>
+<% } -%>
+
+const authMiddleware = async (req, res, next) => {
+  const authHeader = req.headers.authorization;
+
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'No token provided' });
+  }
+
+  const token = authHeader.split(' ')[1];
+  const decoded = JwtService.verifyToken(token);
+
+  if (!decoded) {
+    return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Invalid or expired token' });
+  }
+
+  if (decoded.jti) {
+    <%_ if (caching !== 'None') { -%>
+    const isBlacklisted = await cacheService.get(`blacklist:${decoded.jti}`);
+    if (isBlacklisted) {
+      return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Token revoked' });
+    }<%_ } else { -%>
+    const expiryDate = JwtService.blacklistedTokens.get(decoded.jti);
+    if (expiryDate && Date.now() < expiryDate) {
+      return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Token revoked' });
+    }<% } %>
+  }
+
+  if (decoded.sid) {
+    <%_ if (caching !== 'None') { %>
+    const cacheKey = `refresh_tokens:${decoded.id}`;
+    const activeTokens = await cacheService.get(cacheKey) || [];
+    if (!activeTokens.includes(decoded.sid)) {
+      return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Session expired' });
+    }<%_ } else { -%>
+    const activeTokens = JwtService.activeRefreshTokens.get(String(decoded.id)) || [];
+    if (!activeTokens.includes(decoded.sid)) {
+      return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Session expired' });
+    }<%_ } -%>
+  }
+
+  req.user = decoded;
+  next();
+};
+
+module.exports = authMiddleware;

package/templates/common/auth/js/middleware/authMiddleware.spec.js.ejs

@@ -0,0 +1,108 @@
+<%_ if (architecture === 'Clean Architecture') { _%>
+const authMiddleware = require('@/infrastructure/webserver/middleware/authMiddleware');
+const JwtService = require('@/infrastructure/auth/jwtService');
+<%_ } else { _%>
+const authMiddleware = require('@/middleware/authMiddleware');
+const JwtService = require('@/services/jwtService');
+<%_ } _%>
+const HTTP_STATUS = require('@/utils/httpCodes');
+
+<%_ if (architecture === 'Clean Architecture') { _%>
+jest.mock('@/infrastructure/auth/jwtService');
+<%_ } else { _%>
+jest.mock('@/services/jwtService');
+<%_ } _%>
+<%_ if (caching !== 'None') { _%>
+<%_ const cachePath = (architecture === "MVC") ? (caching === "Redis" ? "@/config/redisClient" : "@/config/memoryCache") : (caching === "Redis" ? "@/infrastructure/caching/redisClient" : "@/infrastructure/caching/memoryCache"); _%>
+jest.mock('<%= cachePath %>', () => ({
+    get: jest.fn(),
+    set: jest.fn(),
+    del: jest.fn()
+}), { virtual: true });
+const cacheService = require('<%= cachePath %>');
+<%_ } _%>
+
+describe('AuthMiddleware', () => {
+    let mockReq;
+    let mockRes;
+    let next;
+
+    beforeEach(() => {
+        mockReq = {
+            headers: {}
+        };
+        mockRes = {
+            status: jest.fn().mockReturnThis(),
+            json: jest.fn()
+        };
+        next = jest.fn();
+        jest.clearAllMocks();
+    });
+
+    it('should return 401 if no authorization header', async () => {
+        await authMiddleware(mockReq, mockRes, next);
+        expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+        expect(next).not.toHaveBeenCalled();
+    });
+
+    it('should return 401 if token is blacklisted', async () => {
+        const user = { id: 1, email: 'test@example.com', jti: 'blacklisted-jti' };
+        mockReq.headers.authorization = 'Bearer valid-token';
+        JwtService.verifyToken.mockReturnValue(user);
+        
+        // Mock the blacklist check
+        <% if (caching !== 'None') { %>
+        cacheService.get.mockResolvedValue(true);
+        <% } else { %>
+        JwtService.blacklistedTokens.set('blacklisted-jti', Date.now() + 10000);<% } %>
+
+        await authMiddleware(mockReq, mockRes, next);
+
+        expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+        expect(mockRes.json).toHaveBeenCalledWith({ message: 'Token revoked' });
+        expect(next).not.toHaveBeenCalled();
+    });
+
+    it('should return 401 if session is expired (sid not in activeTokens)', async () => {
+        const user = { id: 1, email: 'test@example.com', jti: 'valid-jti', sid: 'expired-sid' };
+        mockReq.headers.authorization = 'Bearer valid-token';
+        JwtService.verifyToken.mockReturnValue(user);
+        
+        <% if (caching !== 'None') { %>
+        cacheService.get.mockImplementation((key) => {
+            if (key.startsWith('blacklist:')) return Promise.resolve(false);
+            if (key === 'refresh_tokens:1') return Promise.resolve(['other-sid']);
+            return Promise.resolve(null);
+        });
+        <% } else { %>
+        JwtService.blacklistedTokens.delete('valid-jti');
+        JwtService.activeRefreshTokens.set('1', ['other-sid']);<% } %>
+
+        await authMiddleware(mockReq, mockRes, next);
+
+        expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+        expect(mockRes.json).toHaveBeenCalledWith({ message: 'Session expired' });
+        expect(next).not.toHaveBeenCalled();
+    });
+
+    it('should set req.user and call next if token is valid, not blacklisted and session is active', async () => {
+        const user = { id: 1, jti: 'valid-jti', sid: 'active-sid' };
+        mockReq.headers.authorization = 'Bearer valid-token';
+        JwtService.verifyToken.mockReturnValue(user);
+
+        <% if (caching !== 'None') { %>
+        cacheService.get.mockImplementation((key) => {
+            if (key.startsWith('blacklist:')) return Promise.resolve(false);
+            if (key === 'refresh_tokens:1') return Promise.resolve(['active-sid']);
+            return Promise.resolve(null);
+        });
+        <% } else { %>
+        JwtService.blacklistedTokens.delete('valid-jti');
+        JwtService.activeRefreshTokens.set('1', ['active-sid']);<% } %>
+
+        await authMiddleware(mockReq, mockRes, next);
+
+        expect(mockReq.user).toEqual(user);
+        expect(next).toHaveBeenCalled();
+    });
+});

package/templates/common/auth/js/routes/authRoutes.js.ejs

@@ -0,0 +1,16 @@
+const { Router } = require('express');
+const AuthController = require('<% if (architecture === "MVC") { %>../controllers/authController<% } else { %>../controllers/auth/authController<% } %>');
+<%_ if (architecture === 'MVC') { -%>
+const authMiddleware = require('../middleware/authMiddleware');
+<%_ } else { -%>
+const authMiddleware = require('../../infrastructure/webserver/middleware/authMiddleware');
+<%_ } -%>
+
+const router = Router();
+const authController = new AuthController();
+
+router.post('/login', (req, res, next) => authController.login(req, res, next));
+router.post('/refresh', (req, res, next) => authController.refresh(req, res, next));
+router.post('/logout', authMiddleware, (req, res, next) => authController.logout(req, res, next));
+
+module.exports = router;

package/templates/common/auth/js/services/jwtService.js.ejs

@@ -0,0 +1,54 @@
+const jwt = require('jsonwebtoken');
+const crypto = require('crypto');
+<% if (architecture === 'Clean Architecture') { %>
+const { env } = require('../config/env');
+<% } else { %>
+const { env } = require('../config/env');
+<% } %>
+
+class JwtService {
+  static SECRET = env.JWT_SECRET || 'your-secret-key';
+  static REFRESH_SECRET = env.JWT_REFRESH_SECRET || 'your-refresh-secret-key';
+  static EXPIRES_IN = env.JWT_EXPIRES_IN || '15m'; // Access tokens should be short-lived
+  static REFRESH_EXPIRES_IN = env.JWT_REFRESH_EXPIRES_IN || '7d';
+
+  static generateToken(payload, expiresIn) {
+    const jti = crypto.randomUUID();
+    return jwt.sign({ ...payload, jti }, this.SECRET, { expiresIn: expiresIn || this.EXPIRES_IN });
+  }
+
+  static generateRefreshToken(payload, expiresIn) {
+    const jti = crypto.randomUUID();
+    return jwt.sign({ ...payload, jti }, this.REFRESH_SECRET, { expiresIn: expiresIn || this.REFRESH_EXPIRES_IN });
+  }
+
+  static verifyToken(token) {
+    try {
+      return jwt.verify(token, this.SECRET);
+    } catch {
+      return null;
+    }
+  }
+
+  static verifyRefreshToken(token) {
+    try {
+      return jwt.verify(token, this.REFRESH_SECRET);
+    } catch {
+      return null;
+    }
+  }
+
+  static decodeToken(token) {
+    try {
+      return jwt.decode(token);
+    } catch {
+      return null;
+    }
+  }
+
+  // Fallback in-memory storage if caching = 'None'
+  static activeRefreshTokens = new Map();
+  static blacklistedTokens = new Map();
+}
+
+module.exports = JwtService;

package/templates/common/auth/js/services/jwtService.spec.js.ejs

@@ -0,0 +1,84 @@
+const jwt = require('jsonwebtoken');
+<%_ if (architecture === 'Clean Architecture') { _%>
+const JwtService = require('@/infrastructure/auth/jwtService');
+<%_ } else { _%>
+const JwtService = require('@/services/jwtService');
+<%_ } _%>
+
+jest.mock('jsonwebtoken');
+
+describe('JwtService', () => {
+    const secret = 'test-secret';
+    const payload = { id: 1, email: 'test@example.com' };
+    const token = 'mock-token';
+
+    beforeEach(() => {
+        JwtService.SECRET = secret;
+        JwtService.REFRESH_SECRET = 'test-refresh-secret';
+        process.env.JWT_SECRET = secret;
+        jest.clearAllMocks();
+    });
+
+    describe('generateToken', () => {
+        it('should generate a token with standard expiration and jti', () => {
+            jwt.sign.mockReturnValue(token);
+
+            const result = JwtService.generateToken(payload);
+
+            expect(jwt.sign).toHaveBeenCalledWith(
+                expect.objectContaining({ ...payload, jti: expect.any(String) }),
+                secret,
+                { expiresIn: '15m' }
+            );
+            expect(result).toBe(token);
+        });
+    });
+
+    describe('generateRefreshToken', () => {
+        it('should generate a refresh token with refresh secret and jti', () => {
+            jwt.sign.mockReturnValue(token);
+
+            const result = JwtService.generateRefreshToken(payload);
+
+            expect(jwt.sign).toHaveBeenCalledWith(
+                expect.objectContaining({ ...payload, jti: expect.any(String) }),
+                'test-refresh-secret',
+                { expiresIn: '7d' }
+            );
+            expect(result).toBe(token);
+        });
+    });
+
+    describe('verifyToken', () => {
+        it('should return decoded payload for a valid token', () => {
+            jwt.verify.mockReturnValue(payload);
+
+            const result = JwtService.verifyToken(token);
+
+            expect(jwt.verify).toHaveBeenCalledWith(token, secret);
+            expect(result).toEqual(payload);
+        });
+    });
+
+    describe('verifyRefreshToken', () => {
+        it('should return decoded payload for a valid refresh token', () => {
+            jwt.verify.mockReturnValue(payload);
+
+            const result = JwtService.verifyRefreshToken(token);
+
+            expect(jwt.verify).toHaveBeenCalledWith(token, 'test-refresh-secret');
+            expect(result).toEqual(payload);
+        });
+    });
+
+    describe('decodeToken', () => {
+        it('should return decoded payload without verification', () => {
+            jwt.decode.mockReturnValue(payload);
+
+            const result = JwtService.decodeToken(token);
+
+            expect(jwt.decode).toHaveBeenCalledWith(token);
+            expect(result).toEqual(payload);
+        });
+    });
+});

package/templates/common/auth/ts/controllers/authController.spec.ts.ejs

@@ -0,0 +1,161 @@
+<%_ if (architecture === 'Clean Architecture') { _%>
+import { AuthController } from '@/interfaces/controllers/auth/authController';
+import { JwtService } from '@/infrastructure/auth/jwtService';
+<%_ } else { _%>
+import { AuthController } from '@/controllers/authController';
+import { JwtService } from '@/services/jwtService';
+<%_ } _%>
+import { HTTP_STATUS } from '@/utils/httpCodes';
+import bcrypt from 'bcryptjs';
+import { Request, Response, NextFunction } from 'express';
+
+<%_ if (architecture === 'Clean Architecture') { _%>
+jest.mock('@/infrastructure/auth/jwtService');
+<%_ } else { _%>
+jest.mock('@/services/jwtService');
+<%_ } _%>
+jest.mock('bcryptjs');
+
+<%_ if (architecture === 'Clean Architecture') { _%>
+jest.mock('@/infrastructure/database/models/User', () => ({ findOne: jest.fn() }));
+const User = require('@/infrastructure/database/models/User');
+<%_ } else { _%>
+jest.mock('@/models/User', () => ({ findOne: jest.fn() }));
+const User = require('@/models/User');
+<%_ } _%>
+
+<%_ if (caching !== 'None') { _%>
+<%_ const cachePath = (architecture === "MVC") ? (caching === "Redis" ? "@/config/redisClient" : "@/config/memoryCache") : (caching === "Redis" ? "@/infrastructure/caching/redisClient" : "@/infrastructure/caching/memoryCache"); _%>
+jest.mock('<%= cachePath %>', () => ({
+  __esModule: true,
+  default: {
+    get: jest.fn(),
+    set: jest.fn(),
+    del: jest.fn()
+  }
+}), { virtual: true });
+import cacheService from '<%= cachePath %>';
+<%_ } _%>
+
+describe('AuthController', () => {
+  let authController: AuthController;
+  let mockRequest: any;
+  let mockResponse: any;
+  const nextFunction: NextFunction = jest.fn();
+
+  beforeEach(() => {
+    authController = new AuthController();
+    mockRequest = {
+      body: {}
+    };
+    mockResponse = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn()
+    };
+    jest.clearAllMocks();
+  });
+
+  describe('login', () => {
+    it('should return 401 if user not found', async () => {
+      mockRequest.body = { email: 'notfound@test.com', password: 'password' };
+      (User.findOne as jest.Mock).mockResolvedValue(null);
+
+      await authController.login(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(mockResponse.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+      expect(mockResponse.json).toHaveBeenCalledWith({ message: 'Invalid credentials' });
+    });
+
+    it('should return 401 if password does not match', async () => {
+      const user = { email: 'test@test.com', password: 'hashedpassword' };
+      mockRequest.body = { email: 'test@test.com', password: 'wrongpassword' };
+      (User.findOne as jest.Mock).mockResolvedValue(user);
+      (bcrypt.compare as jest.Mock).mockResolvedValue(false);
+
+      await authController.login(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(mockResponse.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+      expect(mockResponse.json).toHaveBeenCalledWith({ message: 'Invalid credentials' });
+    });
+
+    it('should return 200 and a token if credentials are valid', async () => {
+      const user = { id: 1, email: 'test@test.com', password: 'hashedpassword' };
+      mockRequest.body = { email: 'test@test.com', password: 'password123' };
+      (User.findOne as jest.Mock).mockResolvedValue(user);
+      (bcrypt.compare as jest.Mock).mockResolvedValue(true);
+      (JwtService.generateToken as jest.Mock).mockReturnValue('mock-token');
+      (JwtService.generateRefreshToken as jest.Mock).mockReturnValue('mock-refresh-token');
+      (JwtService.decodeToken as jest.Mock).mockReturnValue({ jti: 'test-jti' });
+
+      await authController.login(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(JwtService.generateToken).toHaveBeenCalledWith(expect.objectContaining({ sid: 'test-jti' }));
+      expect(mockResponse.json).toHaveBeenCalledWith({ token: 'mock-token', accessToken: 'mock-token', refreshToken: 'mock-refresh-token' });
+    });
+
+    it('should call next with error if something fails', async () => {
+      const error = new Error('DB Error');
+      mockRequest.body = { email: 'test@test.com', password: 'password123' };
+      (User.findOne as jest.Mock).mockRejectedValue(error);
+
+      await authController.login(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(nextFunction).toHaveBeenCalledWith(error);
+    });
+  });
+
+  describe('refresh', () => {
+    it('should return new tokens for a valid refresh token', async () => {
+      mockRequest.body = { refreshToken: 'valid-refresh' };
+      const decoded = { id: '1', email: 'test@test.com', jti: 'old-jti' };
+      (JwtService.verifyRefreshToken as jest.Mock).mockReturnValue(decoded);
+      (JwtService.generateToken as jest.Mock).mockReturnValue('new-access');
+      (JwtService.generateRefreshToken as jest.Mock).mockReturnValue('new-refresh');
+      (JwtService.decodeToken as jest.Mock).mockReturnValue({ jti: 'new-jti' });
+
+      // Mock cache success
+      <% if (caching !== 'None') { %>
+      (cacheService.get as jest.Mock).mockResolvedValue(['old-jti']);
+      <% } else { %>
+      JwtService.activeRefreshTokens.set('1', ['old-jti']);
+      <% } %>
+
+      await authController.refresh(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(JwtService.generateToken).toHaveBeenCalledWith(expect.objectContaining({ sid: 'new-jti' }));
+      expect(mockResponse.json).toHaveBeenCalledWith({ accessToken: 'new-access', refreshToken: 'new-refresh' });
+    });
+
+    it('should detect theft and revoke all tokens if jti is not active', async () => {
+      mockRequest.body = { refreshToken: 'stolen-refresh' };
+      const decoded = { id: '1', email: 'test@test.com', jti: 'stolen-jti' };
+      (JwtService.verifyRefreshToken as jest.Mock).mockReturnValue(decoded);
+
+      <% if (caching !== 'None') { %>
+      (cacheService.get as jest.Mock).mockResolvedValue(['some-other-jti']);
+      <% } else { %>
+      JwtService.activeRefreshTokens.set('1', ['some-other-jti']);
+      <% } %>
+
+      await authController.refresh(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(mockResponse.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+      expect(mockResponse.json).toHaveBeenCalledWith({ message: 'Invalid session' });
+    });
+  });
+
+  describe('logout', () => {
+    it('should blacklist the access token and remove the refresh token', async () => {
+      mockRequest.headers = { authorization: 'Bearer access-token' };
+      mockRequest.body = { refreshToken: 'refresh-token' };
+      
+      (JwtService.decodeToken as jest.Mock)
+        .mockReturnValueOnce({ jti: 'access-jti', exp: Math.floor(Date.now() / 1000) + 3600 }) // for access token
+        .mockReturnValueOnce({ id: '1', jti: 'refresh-jti' }); // for refresh token
+
+      await authController.logout(mockRequest as Request, mockResponse as Response, nextFunction);
+
+      expect(mockResponse.json).toHaveBeenCalledWith({ message: 'Logged out successfully' });
+    });
+  });
+});