{ "task_id": "AUTH-LOGIN-REVIEW-001", "summary": "Review and harden the Auth/Login test strategy by mapping current automation coverage, identifying high-value gaps, and defining a consolidation plan for meaningful unit tests around local login and remember-me behavior.", "assumptions": [ "Primary focus is local email/password login and remember-me flow; Microsoft OIDC/SSO tests stay unchanged unless a dependency gap is found.", "No functional product behavior changes are required in this task; only test architecture, coverage, and maintainability improvements.", "Auth/Login security checks in scope include server-side authorization invariants and CSRF handling on POST endpoints." ], "scope": { "in": [ "lib/Service/Auth/AuthService.php", "lib/Service/Auth/RememberMeService.php", "pages/auth/login().php", "pages/api/v1/auth/login().php", "tests/Service/Auth/*", "tests/Http/ApiAuthTest.php", "Coverage matrix and gap analysis for auth/login-related tests" ], "out": [ "New user-facing auth features", "UI redesign or template visual changes", "Refactor outside auth/login testability needs", "Broad RBAC policy redesign" ] }, "guardrails": { "required_guard_ids": [ "GR-CORE-005", "GR-SEC-001", "GR-TEST-001", "GR-TEST-002" ], "required_quality_gate_ids": [ "QG-001", "QG-002", "QG-003", "QG-006" ] }, "success_criteria": [ { "id": "SC-001", "criterion": "A complete auth/login test inventory exists, mapping current tests to concrete login behaviors (happy path, failure modes, and edge cases) for the scoped files." }, { "id": "SC-002", "criterion": "A prioritized gap list exists with severity and rationale, including missing tests for security-relevant branches (authz invariants and CSRF behavior on POST login endpoints)." }, { "id": "SC-003", "criterion": "A consolidation plan is defined that removes redundant/overlapping auth tests and groups remaining tests by behavior-oriented units with clear ownership." }, { "id": "SC-004", "criterion": "A concrete unit-test implementation plan is defined for AuthService and RememberMeService with constructor-injected mocks and no new untestable patterns." }, { "id": "SC-005", "criterion": "Planned test additions/updates are explicitly traceable to required guard IDs and required quality gates." } ], "implementation_steps": [ { "id": "S1", "title": "Build Auth/Login behavior map", "description": "Trace login flow branches in AuthService, RememberMeService, pages/auth/login().php, and pages/api/v1/auth/login().php; map each branch to existing tests in tests/Service/Auth/* and tests/Http/ApiAuthTest.php.", "guard_refs": [ "GR-TEST-001", "GR-CORE-005" ] }, { "id": "S2", "title": "Create coverage matrix and identify gaps", "description": "Document covered vs uncovered scenarios: valid login, invalid credentials, inactive user, unverified email, tenant restrictions, remember-me token lifecycle, and CSRF rejection paths for POST endpoints.", "guard_refs": [ "GR-SEC-001", "GR-CORE-005", "GR-TEST-001" ] }, { "id": "S3", "title": "Prioritize and sequence test improvements", "description": "Rank gaps by risk and impact, prioritizing security and auth correctness; define minimum first wave to deliver high-signal unit tests with low maintenance cost.", "guard_refs": [ "GR-CORE-005", "GR-TEST-001" ] }, { "id": "S4", "title": "Design consolidation targets", "description": "Define which tests to merge, split, or rewrite so each test class has a single responsibility and behavior-focused naming; avoid duplicate assertions across Service/Auth and Http layers.", "guard_refs": [ "GR-TEST-001", "GR-TEST-002" ] }, { "id": "S5", "title": "Implement first-wave unit test refactor/additions", "description": "Add or update tests (not product behavior) to cover highest-priority gaps; ensure constructor-injected doubles and deterministic assertions for auth outcomes and remember-me side effects.", "guard_refs": [ "GR-TEST-001", "GR-TEST-002", "GR-SEC-001" ] }, { "id": "S6", "title": "Run mandatory quality gates and publish evidence", "description": "Execute QG-001, QG-002, QG-003, QG-006 and attach concise evidence linking new/updated tests to the target scenarios and guardrails.", "guard_refs": [ "GR-TEST-001", "GR-TEST-002" ] } ], "tests": [ "tests/Service/Auth/AuthServiceTest.php (new): login success, invalid credentials, inactive account, email-not-verified, no-active-tenant, remember-me delegation", "tests/Service/Auth/RememberMeServiceTest.php (new or expanded): token create/validate/rotate/expire/forget flows and invalid-token edge cases", "tests/Http/ApiAuthTest.php (extend only if needed): bearer token parsing edge cases remain deterministic", "Targeted regression run for existing auth service tests under tests/Service/Auth/*", "QG-001 full PHPUnit run", "QG-002 PHPStan analyse", "QG-003 CoreStarterkitContractTest", "QG-006 composer cs:check" ], "acceptance_checks": [ "SC-001: Coverage matrix exists and references all scoped auth/login source files and current related tests.", "SC-002: Gap list includes at least one CSRF POST-path check and at least one server-side authz invariant check with priority.", "SC-003: Consolidation decisions identify redundant tests and define target destination tests/classes.", "SC-004: Planned AuthService/RememberMeService tests use constructor-injected mocks and avoid untestable static side-effect patterns.", "SC-005: Each new/updated planned test is mapped to at least one required guard ID and all required QG IDs are scheduled and reported." ], "risks": [ { "risk": "Auth flow mixes service logic with session/global side effects, which can make unit tests brittle or integration-heavy.", "mitigation": "Prefer service-level tests with mocked repositories/gateways/session store; isolate unavoidable global/session behavior to minimal focused tests." }, { "risk": "Over-consolidation can remove useful scenario specificity and reduce diagnostic value when tests fail.", "mitigation": "Consolidate only duplicate setup/assertion patterns; keep distinct business/security scenarios as separate tests with behavior-centric names." }, { "risk": "Security-critical branches (CSRF/authz) may be under-tested if only happy-path consolidation is executed.", "mitigation": "Treat GR-SEC-001 and GR-CORE-005 scenarios as mandatory in first-wave test additions before lower-risk cleanup." } ] }