test: refresh token rotation, logout revocation, login refresh token

2026-06-11 14:42:39 +02:00
parent 96c753c2c6
commit 4f0f44dec3
5 changed files with 164 additions and 8 deletions
--- a/crates/application/src/auth/tests/login.rs
+++ b/crates/application/src/auth/tests/login.rs
@@ -44,6 +44,7 @@ async fn test_login_valid_credentials_returns_token() {
    .unwrap();

    assert!(!result.token.is_empty());
+    assert!(!result.refresh_token.is_empty());
    assert_eq!(result.email, "carol@example.com");
 }

--- a/crates/application/src/auth/tests/logout.rs
+++ b/crates/application/src/auth/tests/logout.rs
@@ -0,0 +1,55 @@
+use std::sync::Arc;
+
+use domain::models::UserRole;
+use domain::testing::InMemoryUserRepository;
+
+use crate::{
+    auth::commands::RegisterCommand,
+    auth::queries::LoginQuery,
+    auth::{login, logout, refresh, register},
+    test_helpers::TestContextBuilder,
+};
+
+#[tokio::test]
+async fn logout_revokes_refresh_token() {
+    let users = InMemoryUserRepository::new();
+    let ctx = TestContextBuilder::new()
+        .with_users(Arc::clone(&users) as _)
+        .build();
+
+    register::execute(
+        &ctx,
+        RegisterCommand {
+            email: "bob@example.com".to_string(),
+            username: "bob".to_string(),
+            password: "password123".to_string(),
+            role: UserRole::Standard,
+        },
+    )
+    .await
+    .unwrap();
+
+    let login_result = login::execute(
+        &ctx,
+        LoginQuery {
+            email: "bob@example.com".into(),
+            password: "password123".into(),
+        },
+    )
+    .await
+    .unwrap();
+
+    logout::execute(&ctx, &login_result.refresh_token)
+        .await
+        .unwrap();
+
+    let refresh_attempt = refresh::execute(&ctx, &login_result.refresh_token).await;
+    assert!(refresh_attempt.is_err());
+}
+
+#[tokio::test]
+async fn logout_with_unknown_token_succeeds() {
+    let ctx = TestContextBuilder::new().build();
+    let result = logout::execute(&ctx, "nonexistent-token").await;
+    assert!(result.is_ok());
+}
--- a/crates/application/src/auth/tests/refresh.rs
+++ b/crates/application/src/auth/tests/refresh.rs
@@ -0,0 +1,98 @@
+use std::sync::Arc;
+
+use domain::models::UserRole;
+use domain::testing::InMemoryUserRepository;
+
+use crate::{
+    auth::commands::RegisterCommand,
+    auth::queries::LoginQuery,
+    auth::{login, refresh, register},
+    test_helpers::TestContextBuilder,
+};
+
+async fn login_user(ctx: &crate::context::AppContext) -> login::LoginResult {
+    register::execute(
+        ctx,
+        RegisterCommand {
+            email: "alice@example.com".to_string(),
+            username: "alice".to_string(),
+            password: "password123".to_string(),
+            role: UserRole::Standard,
+        },
+    )
+    .await
+    .unwrap();
+
+    login::execute(
+        ctx,
+        LoginQuery {
+            email: "alice@example.com".into(),
+            password: "password123".into(),
+        },
+    )
+    .await
+    .unwrap()
+}
+
+#[tokio::test]
+async fn refresh_returns_new_tokens() {
+    let users = InMemoryUserRepository::new();
+    let ctx = TestContextBuilder::new()
+        .with_users(Arc::clone(&users) as _)
+        .build();
+
+    let login_result = login_user(&ctx).await;
+
+    let result = refresh::execute(&ctx, &login_result.refresh_token)
+        .await
+        .unwrap();
+
+    assert!(!result.token.is_empty());
+    assert!(!result.refresh_token.is_empty());
+    assert_ne!(result.refresh_token, login_result.refresh_token);
+}
+
+#[tokio::test]
+async fn refresh_rotates_token_old_one_invalid() {
+    let users = InMemoryUserRepository::new();
+    let ctx = TestContextBuilder::new()
+        .with_users(Arc::clone(&users) as _)
+        .build();
+
+    let login_result = login_user(&ctx).await;
+    let old_token = login_result.refresh_token.clone();
+
+    refresh::execute(&ctx, &old_token).await.unwrap();
+
+    let retry = refresh::execute(&ctx, &old_token).await;
+    assert!(retry.is_err());
+}
+
+#[tokio::test]
+async fn refresh_with_new_token_works() {
+    let users = InMemoryUserRepository::new();
+    let ctx = TestContextBuilder::new()
+        .with_users(Arc::clone(&users) as _)
+        .build();
+
+    let login_result = login_user(&ctx).await;
+
+    let first = refresh::execute(&ctx, &login_result.refresh_token)
+        .await
+        .unwrap();
+
+    let second = refresh::execute(&ctx, &first.refresh_token)
+        .await
+        .unwrap();
+
+    assert!(!second.token.is_empty());
+    assert_ne!(second.refresh_token, first.refresh_token);
+}
+
+#[tokio::test]
+async fn refresh_with_unknown_token_fails() {
+    let ctx = TestContextBuilder::new().build();
+
+    let result = refresh::execute(&ctx, "nonexistent-token").await;
+    assert!(result.is_err());
+}