test(auth): add 33 unit tests for AuthService and RememberMeService

AuthServiceTest (17 tests): canLoginToTenant, refreshSessionAuthState,
loginUserById, login email-not-verified branch.
RememberMeServiceTest (16 tests): rememberUser, autoLoginFromCookie
(all 11 branches), forgetCurrentUser, forgetAllForUser,
expireAllTokensByAdmin.

Also fixes: 3 PHPStan errors in FrontendTelemetryIngestService,
8 CS-Fixer violations in out-of-scope files (ordered_imports,
braces_position).

All quality gates green: QG-001 (429 tests/0 failures),
QG-002 (0 errors), QG-003 (11 arch tests pass), QG-006 (0 violations).

Task: AUTH-LOGIN-REVIEW-001

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-06 11:43:31 +01:00
parent 205da203cc
commit 549d9dd6f4
17 changed files with 1360 additions and 16 deletions

View File

@@ -0,0 +1,151 @@
{
"task_id": "AUTH-LOGIN-REVIEW-001",
"summary": "Review and harden the Auth/Login test strategy by mapping current automation coverage, identifying high-value gaps, and defining a consolidation plan for meaningful unit tests around local login and remember-me behavior.",
"assumptions": [
"Primary focus is local email/password login and remember-me flow; Microsoft OIDC/SSO tests stay unchanged unless a dependency gap is found.",
"No functional product behavior changes are required in this task; only test architecture, coverage, and maintainability improvements.",
"Auth/Login security checks in scope include server-side authorization invariants and CSRF handling on POST endpoints."
],
"scope": {
"in": [
"lib/Service/Auth/AuthService.php",
"lib/Service/Auth/RememberMeService.php",
"pages/auth/login().php",
"pages/api/v1/auth/login().php",
"tests/Service/Auth/*",
"tests/Http/ApiAuthTest.php",
"Coverage matrix and gap analysis for auth/login-related tests"
],
"out": [
"New user-facing auth features",
"UI redesign or template visual changes",
"Refactor outside auth/login testability needs",
"Broad RBAC policy redesign"
]
},
"guardrails": {
"required_guard_ids": [
"GR-CORE-005",
"GR-SEC-001",
"GR-TEST-001",
"GR-TEST-002"
],
"required_quality_gate_ids": [
"QG-001",
"QG-002",
"QG-003",
"QG-006"
]
},
"success_criteria": [
{
"id": "SC-001",
"criterion": "A complete auth/login test inventory exists, mapping current tests to concrete login behaviors (happy path, failure modes, and edge cases) for the scoped files."
},
{
"id": "SC-002",
"criterion": "A prioritized gap list exists with severity and rationale, including missing tests for security-relevant branches (authz invariants and CSRF behavior on POST login endpoints)."
},
{
"id": "SC-003",
"criterion": "A consolidation plan is defined that removes redundant/overlapping auth tests and groups remaining tests by behavior-oriented units with clear ownership."
},
{
"id": "SC-004",
"criterion": "A concrete unit-test implementation plan is defined for AuthService and RememberMeService with constructor-injected mocks and no new untestable patterns."
},
{
"id": "SC-005",
"criterion": "Planned test additions/updates are explicitly traceable to required guard IDs and required quality gates."
}
],
"implementation_steps": [
{
"id": "S1",
"title": "Build Auth/Login behavior map",
"description": "Trace login flow branches in AuthService, RememberMeService, pages/auth/login().php, and pages/api/v1/auth/login().php; map each branch to existing tests in tests/Service/Auth/* and tests/Http/ApiAuthTest.php.",
"guard_refs": [
"GR-TEST-001",
"GR-CORE-005"
]
},
{
"id": "S2",
"title": "Create coverage matrix and identify gaps",
"description": "Document covered vs uncovered scenarios: valid login, invalid credentials, inactive user, unverified email, tenant restrictions, remember-me token lifecycle, and CSRF rejection paths for POST endpoints.",
"guard_refs": [
"GR-SEC-001",
"GR-CORE-005",
"GR-TEST-001"
]
},
{
"id": "S3",
"title": "Prioritize and sequence test improvements",
"description": "Rank gaps by risk and impact, prioritizing security and auth correctness; define minimum first wave to deliver high-signal unit tests with low maintenance cost.",
"guard_refs": [
"GR-CORE-005",
"GR-TEST-001"
]
},
{
"id": "S4",
"title": "Design consolidation targets",
"description": "Define which tests to merge, split, or rewrite so each test class has a single responsibility and behavior-focused naming; avoid duplicate assertions across Service/Auth and Http layers.",
"guard_refs": [
"GR-TEST-001",
"GR-TEST-002"
]
},
{
"id": "S5",
"title": "Implement first-wave unit test refactor/additions",
"description": "Add or update tests (not product behavior) to cover highest-priority gaps; ensure constructor-injected doubles and deterministic assertions for auth outcomes and remember-me side effects.",
"guard_refs": [
"GR-TEST-001",
"GR-TEST-002",
"GR-SEC-001"
]
},
{
"id": "S6",
"title": "Run mandatory quality gates and publish evidence",
"description": "Execute QG-001, QG-002, QG-003, QG-006 and attach concise evidence linking new/updated tests to the target scenarios and guardrails.",
"guard_refs": [
"GR-TEST-001",
"GR-TEST-002"
]
}
],
"tests": [
"tests/Service/Auth/AuthServiceTest.php (new): login success, invalid credentials, inactive account, email-not-verified, no-active-tenant, remember-me delegation",
"tests/Service/Auth/RememberMeServiceTest.php (new or expanded): token create/validate/rotate/expire/forget flows and invalid-token edge cases",
"tests/Http/ApiAuthTest.php (extend only if needed): bearer token parsing edge cases remain deterministic",
"Targeted regression run for existing auth service tests under tests/Service/Auth/*",
"QG-001 full PHPUnit run",
"QG-002 PHPStan analyse",
"QG-003 CoreStarterkitContractTest",
"QG-006 composer cs:check"
],
"acceptance_checks": [
"SC-001: Coverage matrix exists and references all scoped auth/login source files and current related tests.",
"SC-002: Gap list includes at least one CSRF POST-path check and at least one server-side authz invariant check with priority.",
"SC-003: Consolidation decisions identify redundant tests and define target destination tests/classes.",
"SC-004: Planned AuthService/RememberMeService tests use constructor-injected mocks and avoid untestable static side-effect patterns.",
"SC-005: Each new/updated planned test is mapped to at least one required guard ID and all required QG IDs are scheduled and reported."
],
"risks": [
{
"risk": "Auth flow mixes service logic with session/global side effects, which can make unit tests brittle or integration-heavy.",
"mitigation": "Prefer service-level tests with mocked repositories/gateways/session store; isolate unavoidable global/session behavior to minimal focused tests."
},
{
"risk": "Over-consolidation can remove useful scenario specificity and reduce diagnostic value when tests fail.",
"mitigation": "Consolidate only duplicate setup/assertion patterns; keep distinct business/security scenarios as separate tests with behavior-centric names."
},
{
"risk": "Security-critical branches (CSRF/authz) may be under-tested if only happy-path consolidation is executed.",
"mitigation": "Treat GR-SEC-001 and GR-CORE-005 scenarios as mandatory in first-wave test additions before lower-risk cleanup."
}
]
}