Chore: Test Coverage

[Bccorb]

Test Coverage and Reliability Improvements

Overview

This PR introduces a comprehensive testing strategy across the Seamless Auth codebase. The goal was to significantly increase confidence in system behavior, particularly around authentication flows, security boundaries, and infrastructure wiring.

The result is a robust suite of unit, integration, and end-to-end tests that validate both expected behavior and failure modes.

---

Key Achievements

1. Core Authentication Flow Coverage

Implemented full coverage for the primary authentication lifecycle:

• User registration (email and phone)
• OTP generation and verification
• Session creation and persistence
• Cookie-based authentication
• Silent refresh via middleware
• Logout flow

A real end-to-end test validates the full lifecycle using a live database and real middleware.

---

2. Middleware Coverage

Added targeted unit tests for all critical middleware:

• verifyCookieAuth
• verifyBearerAuth
• attachAuthMiddleware
• requireAdmin
• verifyServiceToken
• rate limiting and slowdown middleware

These tests validate:

• Authorization enforcement
• Token validation behavior
• Silent refresh logic
• Error handling and edge cases

---

3. Service Layer Coverage

Implemented tests for all service modules:

• sessionService
• authEventService
• messagingService

Key areas covered:

• Token validation and session lifecycle
• Session revocation and rotation
• Event logging and failure handling
• Messaging behavior across environments

---

4. Utility and Library Coverage

Added full coverage for utility and library modules:

• token signing and hashing
• cookie handling
• OTP generation and verification
• environment parsing
• secret management
• signing key store
• Zod schema generation from models

All branches, including error paths, are covered.

---

5. Configuration Coverage

Added tests for configuration logic:

• bootstrapSystemConfig
• getSystemConfig with caching and invalidation
• required config mappings

This ensures:

• Environment variable parsing correctness
• Schema validation
• Cache behavior correctness
• Proper fallback handling

---

6. Script Coverage

Added tests for script entry points:

• Initialization script
• Health check script
• Key management script

These tests validate:

• Side-effect execution on import
• Process exit behavior
• File system interactions
• Environment-based branching

---

7. Model Initialization Coverage

Added a shallow model initialization test to ensure:

• All Sequelize models load correctly
• Attributes are defined
• Associations do not throw

This provides coverage without introducing unnecessary database complexity.

---

8. Real End-to-End Test with Database

Implemented a full E2E test using:

• Real Postgres database
• Real Sequelize models
• Real Express app
• Real middleware and cookies

This test validates:

• Database schema correctness
• Cookie handling across requests
• Silent refresh behavior
• Session rotation and invalidation
• End-to-end request lifecycle

---

Architectural Improvements Identified

Silent Refresh Behavior

Confirmed that in web mode:

• Token refresh is handled by middleware, not the /refresh endpoint
• Access token expiration triggers automatic session refresh
• Refresh tokens are rotated and previous sessions invalidated

Refresh Token Handling Fix

Identified and corrected an issue where hashed refresh tokens were being sent in cookies instead of raw tokens. This prevented session matching during refresh.

---

Tooling Improvements

ESLint Header Enforcement

Added automatic license header enforcement using eslint-plugin-header.

All source files now include:

[codecov-commenter]

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

[Bccorb]

closes #6