feat: full end to end test coverage for happy auth pattern

Author: Bccorb

src/controllers/authentication.ts

@@ -227,23 +227,12 @@ export const refreshSession = async (req: Request, res: Response) => {
   const authUser = authReq.user;
   logger.info(`Refreshing user token`);
 
-  let refreshToken;
+  let refreshToken: string | null = null;
 
-  refreshToken = req.headers['authorization']?.toString().startsWith('Bearer ')
-    ? req.headers['authorization']!.slice('Bearer '.length)
-    : null;
-
-  if (!refreshToken) {
-    return res.status(401).json('Not allowed');
+  if (req.headers.authorization?.startsWith('Bearer ')) {
+    refreshToken = req.headers.authorization.slice('Bearer '.length);
   }
 
-  const serviceSecret = await getSecret('API_SERVICE_TOKEN');
-
-  const payload = jwt.verify(refreshToken, serviceSecret, {
-    issuer: process.env.APP_ORIGIN,
-    audience: process.env.ISSUER,
-  }) as jwt.JwtPayload;
-
   if (!refreshToken) {
     logger.error('Refresh token provided is not of expected type for auth server configurations');
     await AuthEventService.log({
@@ -252,10 +241,17 @@ export const refreshSession = async (req: Request, res: Response) => {
       req,
       metadata: { reason: 'Missing all required headers and tokens needed to perform a refresh' },
     });
-    res.status(401).json({ error: 'Missing refresh token parameters' });
+    res.status(401).json({ error: 'Not allowed' });
     return;
   }
 
+  const serviceSecret = await getSecret('API_SERVICE_TOKEN');
+
+  const payload = jwt.verify(refreshToken, serviceSecret, {
+    issuer: process.env.APP_ORIGIN,
+    audience: process.env.ISSUER,
+  }) as jwt.JwtPayload;
+
   const now = new Date();
 
   // Find session that is not revoked, not replaced, and not expired

src/controllers/otp.ts

@@ -241,11 +241,11 @@ export const verifyPhoneNumber = async (req: Request, res: Response) => {
 
       if (token && refreshToken) {
         if (AUTH_MODE === 'web') {
-          await setAuthCookies(res, { accessToken: token, refreshToken: refreshTokenHash });
+          await setAuthCookies(res, { accessToken: token, refreshToken });
           return res.status(200).json({ message: 'Success' });
         }
 
-        return res.status(200).json({ message: 'Success', token, refreshTokenHash });
+        return res.status(200).json({ message: 'Success', token, refreshToken });
       }
       res.json({ message: 'Success' });
     } else {
@@ -352,11 +352,11 @@ export const verifyEmail = async (req: Request, res: Response) => {
 
     if (token && refreshToken) {
       if (AUTH_MODE === 'web') {
-        await setAuthCookies(res, { accessToken: token, refreshToken: refreshTokenHash });
+        await setAuthCookies(res, { accessToken: token, refreshToken });
         return res.status(200).json({ message: 'Success' });
       }
 
-      return res.status(200).json({ message: 'Success', token, refreshTokenHash });
+      return res.status(200).json({ message: 'Success', token, refreshToken });
     }
     return res.json({ message: 'Success' });
   } else {
@@ -453,11 +453,11 @@ export const verifyLoginPhoneNumber = async (req: Request, res: Response) => {
           logger.warn(`An error occured saving user last login - ${error}`);
         }
         if (AUTH_MODE === 'web') {
-          await setAuthCookies(res, { accessToken: token, refreshToken: refreshTokenHash });
+          await setAuthCookies(res, { accessToken: token, refreshToken });
           return res.status(200).json({ message: 'Success' });
         }
 
-        return res.status(200).json({ message: 'Success', token, refreshTokenHash });
+        return res.status(200).json({ message: 'Success', token, refreshToken });
       }
       return res.json({ message: 'Success' });
     } else {
@@ -575,11 +575,11 @@ export const verifyLoginEmail = async (req: Request, res: Response) => {
         logger.warn(`An error occured saving user last login - ${error}`);
       }
       if (AUTH_MODE === 'web') {
-        await setAuthCookies(res, { accessToken: token, refreshToken: refreshTokenHash });
+        await setAuthCookies(res, { accessToken: token, refreshToken });
         return res.status(200).json({ message: 'Success' });
       }
 
-      return res.status(200).json({ message: 'Success', token, refreshTokenHash });
+      return res.status(200).json({ message: 'Success', token, refreshToken });
     }
     return res.json({ message: 'Success' });
   } else {

src/controllers/sessions.ts

@@ -33,8 +33,8 @@ export const listSessions = async (req: Request, res: Response) => {
     deviceName: session.deviceName,
     ipAddress: session.ipAddress,
     userAgent: session.userAgent,
-    lastUsedAt: session.lastUsedAt,
-    expiresAt: session.expiresAt,
+    lastUsedAt: session.lastUsedAt.toISOString(),
+    expiresAt: session.expiresAt.toISOString(),
     current: session.id === currentSessionId,
   }));
 

src/controllers/webauthn.ts

@@ -513,7 +513,7 @@ const verifyWebAuthn = async (req: Request, res: Response) => {
         clearAuthCookies(res);
 
         if (AUTH_MODE === 'web') {
-          await setAuthCookies(res, { accessToken: token, refreshToken: refreshToken });
+          await setAuthCookies(res, { accessToken: token, refreshToken });
           res.status(200).json({ message: 'Success' });
           return;
         }

src/models/index.ts

@@ -49,16 +49,6 @@ export function getSequelize(): Sequelize {
     return sequelizeInstance;
   }
 
-  if (process.env.NODE_ENV === 'test' && testDbMode === 'mock') {
-    logger.warn('TEST_DB=mock → Sequelize initialized but should not be used');
-
-    sequelizeInstance = new Sequelize('sqlite::memory:', {
-      logging: false,
-    });
-
-    return sequelizeInstance;
-  }
-
   const DATABASE_URL = buildDatabaseUrl();
 
   logger.info('Using Postgres database');

src/services/messagingService.ts

@@ -18,7 +18,6 @@ export const sendOTPEmail = async (to: string, token: string) => {
 
 export const sendOTPSMS = async (to: string, token: number) => {
   logger.debug(`Sending verification SMS: ${to} with ${token}`);
-
   if (isDevelopment) {
     return;
   }

tests/e2e/auth.happy.spec.ts

@@ -0,0 +1,152 @@
+import request from 'supertest';
+import { describe, it, expect, beforeAll, vi, afterAll } from 'vitest';
+
+vi.unmock('../../src/models/authEvents.js');
+vi.unmock('../../src/models/sessions.js');
+vi.unmock('../../src/models/users.js');
+vi.unmock('../../src/models/systemConfig.js');
+vi.unmock('../../src/models/credentials.js');
+vi.unmock('../../src/models/magicLinks.js');
+vi.unmock('../../src/services/sessionService.js');
+vi.unmock('../../src/services/authEventService.js');
+vi.unmock('../../src/models');
+vi.unmock('../../src/services/messagingService.js');
+vi.unmock('../../src/lib/cookie.js');
+vi.unmock('../../src/lib/token.js');
+vi.unmock('../../src/middleware/attachAuthMiddleware.js');
+vi.unmock('../../src/middleware/verifyCookieAuth.js');
+
+vi.unmock('../../src/config/getSystemConfig.js');
+vi.unmock('../../src/utils/utils.js');
+vi.unmock('../../src/utils/otp.js');
+vi.unmock('../../src/utils/token.js');
+vi.unmock('../../src/utils/cookie.js');
+vi.unmock('../../src/utils/secretStore.js');
+
+vi.unmock('bcrypt-ts');
+
+let app: any;
+
+beforeAll(async () => {
+  vi.stubEnv('NODE_ENV', 'test');
+  vi.stubEnv('AUTH_MODE', 'web');
+
+  vi.stubEnv('DB_DIALECT', 'postgres');
+  vi.stubEnv('DB_HOST', 'localhost');
+  vi.stubEnv('DB_PORT', '5432');
+  vi.stubEnv('DB_NAME', 'seamless_auth_test');
+  vi.stubEnv('DB_USER', 'myuser');
+  vi.stubEnv('DB_PASSWORD', 'mypassword');
+
+  vi.stubEnv('ISSUER', 'test-issuer');
+  vi.stubEnv('APP_ID', 'test-app');
+  vi.stubEnv('APP_ORIGIN', 'http://localhost');
+
+  vi.stubEnv('JWKS_ACTIVE_KIDe', 'dev-main');
+  vi.stubEnv('API_SERVICE_TOKEN', 'service-token');
+
+  vi.stubEnv('DEFAULT_ROLES', 'user');
+  vi.stubEnv('AVAILABLE_ROLES', 'user,admin');
+  vi.stubEnv('ACCESS_TOKEN_TTL', '15m');
+  vi.stubEnv('REFRESH_TOKEN_TTL', '1h');
+  vi.stubEnv('RATE_LIMIT', '100');
+  vi.stubEnv('DELAY_AFTER', '50');
+  vi.stubEnv('RPID', 'localhost');
+  vi.stubEnv('ORIGINS', 'http://localhost');
+  vi.stubEnv('APP_NAME', 'TestApp');
+
+  const { initializeModels } = await import('../../src/models');
+  const models = await initializeModels();
+
+  await models.sequelize.sync({ force: true });
+
+  const { bootstrapSystemConfig } = await import('../../src/config/bootstrapSystemConfig');
+  await bootstrapSystemConfig();
+
+  const { createApp } = await import('../../src/app');
+  app = await createApp();
+});
+
+afterAll(() => {
+  vi.unstubAllEnvs();
+});
+
+it('full auth lifecycle works', async () => {
+  const email = 'test@example.com';
+  const phone = '+14155552671';
+
+  const registerRes = await request(app).post('/registration/register').send({ email, phone });
+
+  expect(registerRes.status).toBe(200);
+
+  const cookies = registerRes.headers['set-cookie'];
+  expect(cookies).toBeDefined();
+
+  const otpRes = await request(app).get('/otp/generate-phone-otp').set('Cookie', cookies);
+
+  expect(otpRes.status).toBe(200);
+
+  const { User } = await import('../../src/models/users');
+
+  const user = await User.findOne({ where: { email } });
+
+  expect(user).toBeDefined();
+  const otp = user?.phoneVerificationToken;
+
+  expect(otp).toBeDefined();
+
+  const verifyRes = await request(app)
+    .post('/otp/verify-phone-otp')
+    .set('Cookie', cookies)
+    .send({ verificationToken: otp });
+
+  expect(verifyRes.status).toBe(200);
+
+  const emailOtpRes = await request(app).get('/otp/generate-email-otp').set('Cookie', cookies);
+
+  expect(emailOtpRes.status).toBe(200);
+
+  await user?.reload();
+  const emailOtp = user?.emailVerificationToken;
+
+  expect(emailOtp).toBeDefined();
+
+  const emailVerifyRes = await request(app)
+    .post('/otp/verify-email-otp')
+    .set('Cookie', cookies)
+    .send({ verificationToken: emailOtp });
+
+  expect(emailVerifyRes.status).toBe(200);
+
+  let authCookies = emailVerifyRes.headers['set-cookie'];
+  expect(authCookies).toBeDefined();
+
+  const meRes = await request(app).get('/users/me').set('Cookie', authCookies);
+
+  const maybeNewCookies = meRes.headers['set-cookie'];
+  if (maybeNewCookies) {
+    authCookies = maybeNewCookies;
+  }
+
+  expect(meRes.status).toBe(200);
+  expect(Array.isArray(meRes.body.user)).toBeDefined();
+
+  const brokenCookies = (authCookies as unknown as string[]).filter(
+    (c: string) => !c.includes('seamless_access'),
+  );
+
+  expect(brokenCookies.some((c) => c.includes('seamless_refresh'))).toBe(true);
+
+  const refreshRes = await request(app).get('/users/me').set('Cookie', brokenCookies);
+
+  expect(refreshRes.status).toBe(200);
+
+  const refreshedCookies = refreshRes.headers['set-cookie'];
+  expect(refreshedCookies).toBeDefined();
+
+  authCookies = refreshedCookies;
+
+  const logoutRes = await request(app).get('/logout').set('Cookie', authCookies);
+
+  expect(logoutRes.status).toBe(200);
+});

tests/unit/middleware/attachAuthMiddleware.spec.ts

@@ -1,4 +1,4 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { describe, it, expect, vi, beforeEach, afterAll } from 'vitest';
 
 vi.unmock('../../../src/middleware/verifyBearerAuth');
 vi.unmock('../../../src/middleware/verifyCookieAuth');
@@ -28,6 +28,9 @@ describe('attachAuthMiddleware', () => {
     delete process.env.AUTH_MODE;
   });
 
+  afterAll(() => {
+    vi.unstubAllEnvs();
+  });
   it('defaults to cookie auth', async () => {
     attachAuthMiddleware();