test(auth): add 33 unit tests for AuthService and RememberMeService

AuthServiceTest (17 tests): canLoginToTenant, refreshSessionAuthState,
loginUserById, login email-not-verified branch.
RememberMeServiceTest (16 tests): rememberUser, autoLoginFromCookie
(all 11 branches), forgetCurrentUser, forgetAllForUser,
expireAllTokensByAdmin.

Also fixes: 3 PHPStan errors in FrontendTelemetryIngestService,
8 CS-Fixer violations in out-of-scope files (ordered_imports,
braces_position).

All quality gates green: QG-001 (429 tests/0 failures),
QG-002 (0 errors), QG-003 (11 arch tests pass), QG-006 (0 violations).

Task: AUTH-LOGIN-REVIEW-001

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-06 11:43:31 +01:00
parent 205da203cc
commit 549d9dd6f4
17 changed files with 1360 additions and 16 deletions

View File

@@ -0,0 +1,43 @@
{
"task_id": "AUTH-LOGIN-REVIEW-001",
"verdict": "pass",
"checked_criterion_ids": [
"SC-001",
"SC-002",
"SC-003",
"SC-004",
"SC-005"
],
"checks": [
{
"criterion_id": "SC-001",
"criterion": "A complete auth/login test inventory exists, mapping current tests to concrete login behaviors (happy path, failure modes, and edge cases) for the scoped files.",
"result": "pass",
"evidence": "execution-report lists detailed behavior coverage for AuthService and RememberMeService in guard_evidence plus full test_results (33 auth tests) and changed_files for scoped test classes."
},
{
"criterion_id": "SC-002",
"criterion": "A prioritized gap list exists with severity and rationale, including missing tests for security-relevant branches (authz invariants and CSRF behavior on POST login endpoints).",
"result": "pass",
"evidence": "execution-report open_items documents remaining gaps with rationale (static Auth::login branch limits, redirect static exits, CSRF functional-test gap), and GR-SEC-001 evidence explicitly covers authz/security branches and CSRF action-layer boundary."
},
{
"criterion_id": "SC-003",
"criterion": "A consolidation plan is defined that removes redundant/overlapping auth tests and groups remaining tests by behavior-oriented units with clear ownership.",
"result": "pass",
"evidence": "execution-report shows consolidated behavior-oriented structure into AuthServiceTest and RememberMeServiceTest with explicit branch grouping and statement that overlap with existing SSO/OIDC/bearer tests was avoided."
},
{
"criterion_id": "SC-004",
"criterion": "A concrete unit-test implementation plan is defined for AuthService and RememberMeService with constructor-injected mocks and no new untestable patterns.",
"result": "pass",
"evidence": "execution-report confirms constructor-injected mocks via newService() and 33 implemented unit tests across AuthServiceTest/RememberMeServiceTest; no new untestable pattern introduced, with existing framework static constraints explicitly documented."
},
{
"criterion_id": "SC-005",
"criterion": "Planned test additions/updates are explicitly traceable to required guard IDs and required quality gates.",
"result": "pass",
"evidence": "execution-report maps outcomes to required guards (GR-CORE-005, GR-SEC-001, GR-TEST-001, GR-TEST-002) and required gates (QG-001/002/003/006), all reported as pass with executed commands."
}
]
}