strapi-plugin-keycloak-realm-users 1.0.0

package/__tests__/constants.test.mjs

@@ -0,0 +1,207 @@
+/**
+ * @fileoverview Unit tests for plugin constants.
+ * Validates that constants have expected values and structures.
+ * @module __tests__/constants
+ */
+
+import {
+  PLUGIN_ID,
+  CONTENT_TYPES,
+  SERVICES,
+  AUDIT_ACTIONS,
+  ERROR_MESSAGES,
+  DEFAULT_REALM_PERMISSIONS,
+  STRAPI_SUPER_ADMIN_ROLE,
+  TOKEN_EXPIRY_BUFFER_MS,
+  EMAIL_ACTION_LIFESPAN_SECONDS,
+  DEFAULT_REALM_COLOR,
+  PAGINATION,
+  HTTP_STATUS,
+  HTTP_HEADERS,
+  KEYCLOAK_EMAIL_ACTIONS,
+  REALM_NAME_PATTERN,
+  UNKNOWN_USER_EMAIL,
+} from '../server/src/constants.js';
+
+describe('Plugin Constants', () => {
+  describe('PLUGIN_ID', () => {
+    it('should be the correct plugin identifier', () => {
+      expect(PLUGIN_ID).toBe('strapi-plugin-keycloak-realm-users');
+    });
+  });
+
+  describe('CONTENT_TYPES', () => {
+    it('should have all required content type UIDs', () => {
+      expect(CONTENT_TYPES.REALM_CONFIG).toBe(`plugin::${PLUGIN_ID}.realm-config`);
+      expect(CONTENT_TYPES.REALM_ADMIN).toBe(`plugin::${PLUGIN_ID}.realm-admin`);
+      expect(CONTENT_TYPES.AUDIT_LOG).toBe(`plugin::${PLUGIN_ID}.audit-log`);
+    });
+  });
+
+  describe('SERVICES', () => {
+    it('should have all service identifiers', () => {
+      expect(SERVICES.REALM).toBe('realm');
+      expect(SERVICES.KEYCLOAK_CLIENT).toBe('keycloak-client');
+      expect(SERVICES.USER).toBe('user');
+      expect(SERVICES.PERMISSION).toBe('permission');
+      expect(SERVICES.AUDIT_LOG).toBe('audit-log');
+    });
+  });
+
+  describe('AUDIT_ACTIONS', () => {
+    it('should have all audit action types', () => {
+      const expectedActions = [
+        'CREATE_USER',
+        'UPDATE_USER',
+        'DELETE_USER',
+        'RESET_PASSWORD',
+        'ASSIGN_ROLE',
+        'REMOVE_ROLE',
+        'ENABLE_USER',
+        'DISABLE_USER',
+        'SEND_VERIFY_EMAIL',
+        'SEND_RESET_PASSWORD_EMAIL',
+        'BULK_IMPORT',
+      ];
+
+      expectedActions.forEach((action) => {
+        expect(AUDIT_ACTIONS[action]).toBe(action);
+      });
+    });
+  });
+
+  describe('ERROR_MESSAGES', () => {
+    it('should have sanitized error messages', () => {
+      expect(ERROR_MESSAGES.REALM_NOT_FOUND).toBe('Realm configuration not found.');
+      expect(ERROR_MESSAGES.REALM_DISABLED).toBe('This realm is currently disabled.');
+      expect(ERROR_MESSAGES.USER_NOT_FOUND).toBe('Keycloak user not found.');
+      expect(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS).toBe('You do not have permission to perform this action.');
+      expect(ERROR_MESSAGES.KEYCLOAK_CONNECTION_FAILED).toBe('Failed to connect to Keycloak server.');
+      expect(ERROR_MESSAGES.KEYCLOAK_AUTH_FAILED).toBe('Failed to authenticate with Keycloak.');
+    });
+
+    it('should not contain sensitive information patterns', () => {
+      Object.values(ERROR_MESSAGES).forEach((message) => {
+        // Should not contain IP addresses
+        expect(message).not.toMatch(/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/);
+        // Should not contain stack traces
+        expect(message).not.toMatch(/at\s+\w+/);
+        // Should not contain file paths
+        expect(message).not.toMatch(/\/[a-zA-Z0-9_-]+\/[a-zA-Z0-9_-]+/);
+      });
+    });
+  });
+
+  describe('DEFAULT_REALM_PERMISSIONS', () => {
+    it('should default to read-only access', () => {
+      expect(DEFAULT_REALM_PERMISSIONS.canRead).toBe(true);
+      expect(DEFAULT_REALM_PERMISSIONS.canCreate).toBe(false);
+      expect(DEFAULT_REALM_PERMISSIONS.canUpdate).toBe(false);
+      expect(DEFAULT_REALM_PERMISSIONS.canDelete).toBe(false);
+      expect(DEFAULT_REALM_PERMISSIONS.canManageRoles).toBe(false);
+      expect(DEFAULT_REALM_PERMISSIONS.canResetPassword).toBe(false);
+    });
+
+    it('should have all permission fields', () => {
+      const permissionKeys = Object.keys(DEFAULT_REALM_PERMISSIONS);
+      expect(permissionKeys).toContain('canRead');
+      expect(permissionKeys).toContain('canCreate');
+      expect(permissionKeys).toContain('canUpdate');
+      expect(permissionKeys).toContain('canDelete');
+      expect(permissionKeys).toContain('canManageRoles');
+      expect(permissionKeys).toContain('canResetPassword');
+      expect(permissionKeys).toHaveLength(6);
+    });
+  });
+
+  describe('STRAPI_SUPER_ADMIN_ROLE', () => {
+    it('should be the correct Strapi role code', () => {
+      expect(STRAPI_SUPER_ADMIN_ROLE).toBe('strapi-super-admin');
+    });
+  });
+
+  describe('TOKEN_EXPIRY_BUFFER_MS', () => {
+    it('should be 60 seconds in milliseconds', () => {
+      expect(TOKEN_EXPIRY_BUFFER_MS).toBe(60000);
+    });
+  });
+
+  describe('EMAIL_ACTION_LIFESPAN_SECONDS', () => {
+    it('should be 12 hours in seconds', () => {
+      expect(EMAIL_ACTION_LIFESPAN_SECONDS).toBe(43200);
+      expect(EMAIL_ACTION_LIFESPAN_SECONDS).toBe(12 * 60 * 60);
+    });
+  });
+
+  describe('DEFAULT_REALM_COLOR', () => {
+    it('should be a valid hex color', () => {
+      expect(DEFAULT_REALM_COLOR).toMatch(/^#[0-9a-fA-F]{6}$/);
+    });
+  });
+
+  describe('PAGINATION', () => {
+    it('should have sensible default values', () => {
+      expect(PAGINATION.PAGE_SIZE).toBe(25);
+      expect(PAGINATION.AUDIT_LOG_LIMIT).toBe(50);
+      expect(PAGINATION.EXPORT_BATCH_SIZE).toBe(100);
+    });
+
+    it('should have positive integer values', () => {
+      Object.values(PAGINATION).forEach((value) => {
+        expect(Number.isInteger(value)).toBe(true);
+        expect(value).toBeGreaterThan(0);
+      });
+    });
+  });
+
+  describe('HTTP_STATUS', () => {
+    it('should have standard HTTP status codes', () => {
+      expect(HTTP_STATUS.OK).toBe(200);
+      expect(HTTP_STATUS.CREATED).toBe(201);
+      expect(HTTP_STATUS.NO_CONTENT).toBe(204);
+      expect(HTTP_STATUS.BAD_REQUEST).toBe(400);
+      expect(HTTP_STATUS.UNAUTHORIZED).toBe(401);
+      expect(HTTP_STATUS.FORBIDDEN).toBe(403);
+      expect(HTTP_STATUS.NOT_FOUND).toBe(404);
+      expect(HTTP_STATUS.CONFLICT).toBe(409);
+      expect(HTTP_STATUS.INTERNAL_ERROR).toBe(500);
+    });
+  });
+
+  describe('HTTP_HEADERS', () => {
+    it('should have correct content type values', () => {
+      expect(HTTP_HEADERS.CONTENT_TYPE_JSON).toBe('application/json');
+      expect(HTTP_HEADERS.CONTENT_TYPE_FORM).toBe('application/x-www-form-urlencoded');
+    });
+  });
+
+  describe('KEYCLOAK_EMAIL_ACTIONS', () => {
+    it('should have Keycloak required action types', () => {
+      expect(KEYCLOAK_EMAIL_ACTIONS.VERIFY_EMAIL).toBe('VERIFY_EMAIL');
+      expect(KEYCLOAK_EMAIL_ACTIONS.UPDATE_PASSWORD).toBe('UPDATE_PASSWORD');
+    });
+  });
+
+  describe('REALM_NAME_PATTERN', () => {
+    it('should match valid realm names', () => {
+      expect(REALM_NAME_PATTERN.test('my-realm')).toBe(true);
+      expect(REALM_NAME_PATTERN.test('realm123')).toBe(true);
+      expect(REALM_NAME_PATTERN.test('production-users-v2')).toBe(true);
+      expect(REALM_NAME_PATTERN.test('a')).toBe(true);
+    });
+
+    it('should reject invalid realm names', () => {
+      expect(REALM_NAME_PATTERN.test('My-Realm')).toBe(false); // uppercase
+      expect(REALM_NAME_PATTERN.test('my_realm')).toBe(false); // underscore
+      expect(REALM_NAME_PATTERN.test('my realm')).toBe(false); // space
+      expect(REALM_NAME_PATTERN.test('my.realm')).toBe(false); // dot
+      expect(REALM_NAME_PATTERN.test('')).toBe(false); // empty
+    });
+  });
+
+  describe('UNKNOWN_USER_EMAIL', () => {
+    it('should be a placeholder value', () => {
+      expect(UNKNOWN_USER_EMAIL).toBe('unknown');
+    });
+  });
+});

package/__tests__/mocks/strapi.mjs

@@ -0,0 +1,182 @@
+/**
+ * @fileoverview Mock Strapi instance for unit testing services.
+ * Provides configurable mocks for Strapi's document API, plugin system, and logging.
+ * @module __tests__/mocks/strapi
+ */
+
+/**
+ * Creates a mock Strapi instance with configurable behavior.
+ *
+ * @param {Object} [overrides={}] - Override default mock implementations
+ * @returns {Object} Mock Strapi instance
+ *
+ * @example
+ * const strapi = createMockStrapi({
+ *   documentResults: { findMany: [{ id: 1, name: 'test' }] }
+ * });
+ */
+export const createMockStrapi = (overrides = {}) => {
+  const documentMocks = {
+    findMany: jest.fn().mockResolvedValue(overrides.documentResults?.findMany ?? []),
+    findOne: jest.fn().mockResolvedValue(overrides.documentResults?.findOne ?? null),
+    create: jest.fn().mockResolvedValue(overrides.documentResults?.create ?? { documentId: 'new-doc-id' }),
+    update: jest.fn().mockResolvedValue(overrides.documentResults?.update ?? { documentId: 'updated-doc-id' }),
+    delete: jest.fn().mockResolvedValue(overrides.documentResults?.delete ?? { documentId: 'deleted-doc-id' }),
+    count: jest.fn().mockResolvedValue(overrides.documentResults?.count ?? 0),
+    ...overrides.documentMocks,
+  };
+
+  const dbQueryMocks = {
+    findOne: jest.fn().mockResolvedValue(overrides.dbQueryResults?.findOne ?? null),
+    findMany: jest.fn().mockResolvedValue(overrides.dbQueryResults?.findMany ?? []),
+    ...overrides.dbQueryMocks,
+  };
+
+  const pluginServiceMocks = overrides.pluginServices ?? {};
+
+  return {
+    documents: jest.fn().mockReturnValue(documentMocks),
+    db: {
+      query: jest.fn().mockReturnValue(dbQueryMocks),
+    },
+    plugin: jest.fn().mockReturnValue({
+      service: jest.fn((serviceName) => pluginServiceMocks[serviceName] ?? {}),
+    }),
+    log: {
+      error: jest.fn(),
+      warn: jest.fn(),
+      info: jest.fn(),
+      debug: jest.fn(),
+    },
+    ...overrides.strapi,
+  };
+};
+
+/**
+ * Creates a mock Strapi user for testing.
+ *
+ * @param {Object} [overrides={}] - Override default user properties
+ * @returns {Object} Mock Strapi user
+ *
+ * @example
+ * const superAdmin = createMockStrapiUser({ isSuperAdmin: true });
+ * const regularUser = createMockStrapiUser({ id: 2, email: 'user@test.com' });
+ */
+export const createMockStrapiUser = (overrides = {}) => {
+  const { isSuperAdmin = false, ...rest } = overrides;
+
+  return {
+    id: 1,
+    email: 'admin@test.com',
+    roles: isSuperAdmin
+      ? [{ code: 'strapi-super-admin' }]
+      : [{ code: 'strapi-editor' }],
+    ...rest,
+  };
+};
+
+/**
+ * Creates a mock realm configuration for testing.
+ *
+ * @param {Object} [overrides={}] - Override default realm properties
+ * @returns {Object} Mock realm configuration
+ *
+ * @example
+ * const realm = createMockRealmConfig({ name: 'production' });
+ */
+export const createMockRealmConfig = (overrides = {}) => ({
+  documentId: 'realm-doc-123',
+  name: 'test-realm',
+  displayName: 'Test Realm',
+  serverUrl: 'https://keycloak.example.com',
+  realmName: 'test',
+  clientId: 'strapi-admin',
+  clientSecret: 'secret-value',
+  enabled: true,
+  color: '#4945ff',
+  createdAt: new Date().toISOString(),
+  updatedAt: new Date().toISOString(),
+  ...overrides,
+});
+
+/**
+ * Creates a mock Keycloak user for testing.
+ *
+ * @param {Object} [overrides={}] - Override default user properties
+ * @returns {Object} Mock Keycloak user
+ *
+ * @example
+ * const kcUser = createMockKeycloakUser({ username: 'john.doe' });
+ */
+export const createMockKeycloakUser = (overrides = {}) => ({
+  id: 'kc-user-123',
+  username: 'testuser',
+  email: 'testuser@example.com',
+  firstName: 'Test',
+  lastName: 'User',
+  enabled: true,
+  emailVerified: true,
+  createdTimestamp: Date.now(),
+  ...overrides,
+});
+
+/**
+ * Creates a mock Keycloak role for testing.
+ *
+ * @param {Object} [overrides={}] - Override default role properties
+ * @returns {Object} Mock Keycloak role
+ *
+ * @example
+ * const role = createMockKeycloakRole({ name: 'admin' });
+ */
+export const createMockKeycloakRole = (overrides = {}) => ({
+  id: 'role-123',
+  name: 'user',
+  description: 'Default user role',
+  composite: false,
+  clientRole: false,
+  containerId: 'test-realm',
+  ...overrides,
+});
+
+/**
+ * Creates a mock realm admin assignment for testing.
+ *
+ * @param {Object} [overrides={}] - Override default assignment properties
+ * @returns {Object} Mock realm admin assignment
+ */
+export const createMockRealmAdmin = (overrides = {}) => ({
+  documentId: 'admin-assignment-123',
+  strapiUserId: 1,
+  strapiUserEmail: 'admin@test.com',
+  realmConfig: createMockRealmConfig(),
+  permissions: {
+    canRead: true,
+    canCreate: false,
+    canUpdate: false,
+    canDelete: false,
+    canManageRoles: false,
+    canResetPassword: false,
+  },
+  ...overrides,
+});
+
+/**
+ * Creates a mock audit log entry for testing.
+ *
+ * @param {Object} [overrides={}] - Override default entry properties
+ * @returns {Object} Mock audit log entry
+ */
+export const createMockAuditLogEntry = (overrides = {}) => ({
+  documentId: 'audit-123',
+  realmName: 'test-realm',
+  realmDisplayName: 'Test Realm',
+  action: 'CREATE_USER',
+  keycloakUserId: 'kc-user-123',
+  keycloakUsername: 'testuser',
+  details: null,
+  performedById: 1,
+  performedByEmail: 'admin@test.com',
+  createdAt: new Date().toISOString(),
+  ...overrides,
+});

package/__tests__/services/audit-log.test.mjs

@@ -0,0 +1,283 @@
+/**
+ * @fileoverview Unit tests for the audit log service.
+ * @module __tests__/services/audit-log
+ */
+
+import auditLogService from '../../server/src/services/audit-log.js';
+import {
+  createMockStrapi,
+  createMockStrapiUser,
+  createMockAuditLogEntry,
+} from '../mocks/strapi.mjs';
+import { CONTENT_TYPES, AUDIT_ACTIONS, PAGINATION, UNKNOWN_USER_EMAIL } from '../../server/src/constants.js';
+
+describe('Audit Log Service', () => {
+  let strapi;
+  let service;
+
+  beforeEach(() => {
+    strapi = createMockStrapi();
+    service = auditLogService({ strapi });
+  });
+
+  describe('log', () => {
+    it('should create an audit log entry with all fields', async () => {
+      const user = createMockStrapiUser();
+      const createMock = jest.fn().mockResolvedValue({ documentId: 'audit-123' });
+      strapi.documents.mockReturnValue({ create: createMock });
+
+      await service.log({
+        realmName: 'production',
+        realmDisplayName: 'Production Users',
+        action: AUDIT_ACTIONS.CREATE_USER,
+        keycloakUserId: 'kc-user-123',
+        keycloakUsername: 'john.doe',
+        details: { email: 'john@example.com' },
+        user,
+      });
+
+      expect(createMock).toHaveBeenCalledWith({
+        data: {
+          realmName: 'production',
+          realmDisplayName: 'Production Users',
+          action: AUDIT_ACTIONS.CREATE_USER,
+          keycloakUserId: 'kc-user-123',
+          keycloakUsername: 'john.doe',
+          details: { email: 'john@example.com' },
+          performedById: user.id,
+          performedByEmail: user.email,
+        },
+      });
+      expect(strapi.documents).toHaveBeenCalledWith(CONTENT_TYPES.AUDIT_LOG);
+    });
+
+    it('should use realmName as displayName when not provided', async () => {
+      const createMock = jest.fn().mockResolvedValue({});
+      strapi.documents.mockReturnValue({ create: createMock });
+
+      await service.log({
+        realmName: 'test-realm',
+        action: AUDIT_ACTIONS.DELETE_USER,
+      });
+
+      const calledWith = createMock.mock.calls[0][0];
+      expect(calledWith.data.realmDisplayName).toBe('test-realm');
+    });
+
+    it('should handle null optional fields', async () => {
+      const createMock = jest.fn().mockResolvedValue({});
+      strapi.documents.mockReturnValue({ create: createMock });
+
+      await service.log({
+        realmName: 'test-realm',
+        action: AUDIT_ACTIONS.BULK_IMPORT,
+      });
+
+      const calledWith = createMock.mock.calls[0][0];
+      expect(calledWith.data.keycloakUserId).toBeNull();
+      expect(calledWith.data.keycloakUsername).toBeNull();
+      expect(calledWith.data.details).toBeNull();
+      expect(calledWith.data.performedById).toBeNull();
+      expect(calledWith.data.performedByEmail).toBe(UNKNOWN_USER_EMAIL);
+    });
+
+    it('should not throw when create fails', async () => {
+      strapi.documents.mockReturnValue({
+        create: jest.fn().mockRejectedValue(new Error('Database error')),
+      });
+
+      // Should not throw
+      await expect(
+        service.log({
+          realmName: 'test',
+          action: AUDIT_ACTIONS.CREATE_USER,
+        })
+      ).resolves.not.toThrow();
+
+      expect(strapi.log.error).toHaveBeenCalled();
+    });
+
+    it('should return created entry on success', async () => {
+      const entry = createMockAuditLogEntry();
+      strapi.documents.mockReturnValue({
+        create: jest.fn().mockResolvedValue(entry),
+      });
+
+      const result = await service.log({
+        realmName: 'test',
+        action: AUDIT_ACTIONS.UPDATE_USER,
+      });
+
+      expect(result).toEqual(entry);
+    });
+  });
+
+  describe('find', () => {
+    it('should query with default pagination', async () => {
+      const findManyMock = jest.fn().mockResolvedValue([]);
+      const countMock = jest.fn().mockResolvedValue(0);
+      strapi.documents.mockReturnValue({
+        findMany: findManyMock,
+        count: countMock,
+      });
+
+      await service.find();
+
+      expect(findManyMock).toHaveBeenCalledWith({
+        filters: {},
+        sort: { createdAt: 'desc' },
+        limit: PAGINATION.AUDIT_LOG_LIMIT,
+        offset: 0,
+      });
+    });
+
+    it('should apply filters when provided', async () => {
+      const findManyMock = jest.fn().mockResolvedValue([]);
+      const countMock = jest.fn().mockResolvedValue(0);
+      strapi.documents.mockReturnValue({
+        findMany: findManyMock,
+        count: countMock,
+      });
+
+      await service.find({
+        realmName: 'production',
+        action: AUDIT_ACTIONS.RESET_PASSWORD,
+        keycloakUserId: 'user-123',
+      });
+
+      expect(findManyMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          filters: {
+            realmName: 'production',
+            action: AUDIT_ACTIONS.RESET_PASSWORD,
+            keycloakUserId: 'user-123',
+          },
+        })
+      );
+    });
+
+    it('should use custom pagination parameters', async () => {
+      const findManyMock = jest.fn().mockResolvedValue([]);
+      const countMock = jest.fn().mockResolvedValue(100);
+      strapi.documents.mockReturnValue({
+        findMany: findManyMock,
+        count: countMock,
+      });
+
+      await service.find({ limit: 10, offset: 20 });
+
+      expect(findManyMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          limit: 10,
+          offset: 20,
+        })
+      );
+    });
+
+    it('should return entries and total count', async () => {
+      const entries = [
+        createMockAuditLogEntry({ action: AUDIT_ACTIONS.CREATE_USER }),
+        createMockAuditLogEntry({ action: AUDIT_ACTIONS.UPDATE_USER }),
+      ];
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue(entries),
+        count: jest.fn().mockResolvedValue(2),
+      });
+
+      const result = await service.find();
+
+      expect(result.entries).toHaveLength(2);
+      expect(result.total).toBe(2);
+    });
+
+    it('should execute queries in parallel', async () => {
+      let findManyResolved = false;
+      let countResolved = false;
+
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockImplementation(() => {
+          findManyResolved = true;
+          return Promise.resolve([]);
+        }),
+        count: jest.fn().mockImplementation(() => {
+          // Check that findMany hasn't completed yet (parallel execution)
+          expect(findManyResolved).toBe(true); // Both start at same time
+          countResolved = true;
+          return Promise.resolve(0);
+        }),
+      });
+
+      await service.find();
+
+      expect(findManyResolved).toBe(true);
+      expect(countResolved).toBe(true);
+    });
+  });
+
+  describe('findByRealm', () => {
+    it('should call find with realm filter', async () => {
+      const entries = [createMockAuditLogEntry()];
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue(entries),
+        count: jest.fn().mockResolvedValue(1),
+      });
+
+      const result = await service.findByRealm('production', { limit: 10 });
+
+      expect(result.entries).toHaveLength(1);
+    });
+
+    it('should use default pagination', async () => {
+      const findManyMock = jest.fn().mockResolvedValue([]);
+      strapi.documents.mockReturnValue({
+        findMany: findManyMock,
+        count: jest.fn().mockResolvedValue(0),
+      });
+
+      await service.findByRealm('production');
+
+      expect(findManyMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          filters: { realmName: 'production' },
+          limit: PAGINATION.AUDIT_LOG_LIMIT,
+          offset: 0,
+        })
+      );
+    });
+  });
+
+  describe('findByKeycloakUser', () => {
+    it('should call find with keycloakUserId filter', async () => {
+      const entries = [
+        createMockAuditLogEntry({ action: AUDIT_ACTIONS.CREATE_USER }),
+        createMockAuditLogEntry({ action: AUDIT_ACTIONS.RESET_PASSWORD }),
+      ];
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue(entries),
+        count: jest.fn().mockResolvedValue(2),
+      });
+
+      const result = await service.findByKeycloakUser('user-123');
+
+      expect(result.entries).toHaveLength(2);
+    });
+
+    it('should use default pagination', async () => {
+      const findManyMock = jest.fn().mockResolvedValue([]);
+      strapi.documents.mockReturnValue({
+        findMany: findManyMock,
+        count: jest.fn().mockResolvedValue(0),
+      });
+
+      await service.findByKeycloakUser('user-123');
+
+      expect(findManyMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          filters: { keycloakUserId: 'user-123' },
+          limit: PAGINATION.AUDIT_LOG_LIMIT,
+          offset: 0,
+        })
+      );
+    });
+  });
+});