Auth Integration Tests
Summary
Add database-backed integration tests for the auth module. The current test suite covers helper logic (JWT, password hashing, token generation) but not the provider flows that interact with Postgres transactions.
Requirements
- Test infrastructure: spin up a test Postgres instance (or use the existing
rangeday dbDocker container), run migrations, provide a clean DB per test or test suite - Test cases:
- Register creates user, personal org, org membership, and refresh token atomically
- Login returns populated user with correct status and created_at
- Refresh token is single-use (second use returns error)
- Refresh token theft detection revokes entire family
- Password reset token is single-use
- Email verification token is single-use
- Invite accept for existing user (idempotent membership, placeholder merge)
- Invite accept for new/placeholder user (upgrade, personal org creation, token issuance)
- Email normalization (mixed-case email matches lowercase insert)
- Concurrent refresh token use (two simultaneous refreshes, only one succeeds)
Details
The risky behavior in the auth module is DB/transaction semantics (FOR UPDATE locking, token family revocation, placeholder merge), which cannot be validated by unit tests alone. These tests should run against real Postgres to catch query errors, constraint violations, and race conditions.