AUTH-004 critical auth-system

Comprehensive tests for the auth system

Tests cover login, logout, expiry, invalid tokens and unauthorized access

Question to ask

"What happens if someone sends an expired token — tested?"

Verification guide

Severity: Critical

Check automatically:

  1. Find auth-related test files:

    find . -type f \( -name "*.test.ts" -o -name "*.spec.ts" -o -name "*.test.js" -o -name "*.spec.js" \) \
      -not -path "*/node_modules/*" -print0 2>/dev/null \
      | xargs -0 grep -liE "auth|login|session|token" 2>/dev/null
    # -print0/-0 keeps paths with spaces intact; -E avoids the GNU-only \| alternation

  2. Check test coverage of auth files (if coverage report exists):

    # Look for coverage reports
    find . -type d -name "coverage" -not -path "*/node_modules/*" 2>/dev/null
    # Read lcov.info rather than the HTML index: one record per source file
    # (SF: path, LH: lines hit, LF: lines found); print the auth-related ones
    awk '/^SF:/ {f=$0} /^LH:/ {lh=$0} /^LF:/ {lf=$0}
         /^end_of_record/ && tolower(f) ~ /auth|login|session|token/ {print f, lh, lf}' coverage/lcov.info 2>/dev/null

  3. Read auth test files and verify coverage of:

    • Login success and failure cases
    • Token/session creation and validation
    • Token/session expiration and refresh
    • Logout/invalidation
    • Protected route access (with and without auth)
    • Edge cases (expired token, malformed token, missing token)
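The three steps above can be scripted. The following is an added example, not code from this page or from any audited project: it takes a map of test-file paths to contents (what step 1 lists), matches each `it()`/`test()` title against keyword patterns for the scenarios in step 3, treats skipped tests (`xit`, `test.skip`, `describe.skip`, `it.todo`) as covering nothing, and applies the pass and fail criteria of this check. The scenario patterns, the two sample suites and the function names (`extractTests`, `auditAuthTests`) are constructed for the example; titles are matched heuristically, so a suite with vague titles still needs the manual read of step 3.

```javascript
// Added example, not code from the page or from any audited project: automates
// step 3 and the pass/fail criteria over the test files found in step 1.
// `files` maps a test-file path to its source text. Matching is keyword-based on
// it()/test() titles, so suites with vague titles still need a manual read.

const LOGIN = /\b(log ?in|logs in|logged in|sign ?in|signs in)\b/i;
const NEG = /\b(invalid|wrong|bad|incorrect|fails?|rejects?|denies|denied)\b/i;

// One predicate per scenario the reviewer is asked to look for.
const SCENARIOS = {
  'login success':                t => LOGIN.test(t) && !NEG.test(t),
  'login failure':                t => (LOGIN.test(t) || /\b(credentials?|password)\b/i.test(t)) && NEG.test(t),
  'protected route with auth':    t => /\bvalid (token|session)\b|\bauthenticated\b|\bwith (a |an )?(valid )?(token|session|auth)\b/i.test(t) && !NEG.test(t),
  'protected route without auth': t => /\b(without|missing|no) (a |an |any )?(token|auth|session)|\bunauthenticated\b|\b401\b/i.test(t),
  'expired token':                t => /\bexpir/i.test(t),
  'token refresh':                t => /\brefresh/i.test(t),
  'logout / invalidation':        t => /\b(log ?out|logs out|sign ?out|revok|invalidat)/i.test(t),
  'malformed token':              t => /\b(malformed|tampered|forged|garbage|bad signature|wrong signature|invalid token)\b/i.test(t),
  'unauthorized access':          t => /\bunauthori[sz]ed\b|\bforbidden\b|\b403\b|\b(another|other) user/i.test(t),
};
// Pass criteria: happy path (login, protected resource, logout) and the
// failure cases (invalid credentials, expired token, unauthorized access).
const REQUIRED_HAPPY = ['login success', 'protected route with auth', 'logout / invalidation'];
const REQUIRED_FAILURE = ['login failure', 'expired token', 'protected route without auth'];

// it('...')/test('...') plus the disabled forms xit, test.skip, it.todo.
const TEST_RE = /\b(x?)(it|test)(\.skip|\.only|\.todo)?\s*\(\s*(['"`])(.*?)\4/g;

function extractTests(source) {
  const fileSkipped = /\b(xdescribe|describe\.skip)\s*\(/.test(source);
  return [...source.matchAll(TEST_RE)].map(m => ({
    title: m[5],
    skipped: fileSkipped || m[1] === 'x' || m[3] === '.skip' || m[3] === '.todo',
  }));
}

function auditAuthTests(files) {
  const covered = new Set();
  const skipped = [];
  let total = 0;
  for (const [path, source] of Object.entries(files)) {
    for (const { title, skipped: isSkipped } of extractTests(source)) {
      total += 1;
      const hits = Object.keys(SCENARIOS).filter(name => SCENARIOS[name](title));
      if (hits.length === 0) continue;
      if (isSkipped) skipped.push(`${path}: "${title}"`); // a skipped test covers nothing
      else hits.forEach(name => covered.add(name));
    }
  }
  const gaps = Object.keys(SCENARIOS).filter(name => !covered.has(name));
  if (total === 0) {
    return { verdict: 'FAIL', reasons: ['no auth-specific tests'], covered: [], gaps, skipped };
  }
  const reasons = [];
  const missingFailure = REQUIRED_FAILURE.filter(name => !covered.has(name));
  const missingHappy = REQUIRED_HAPPY.filter(name => !covered.has(name));
  if (missingFailure.length === REQUIRED_FAILURE.length) {
    reasons.push('tests only cover the happy path, no failure cases');
  } else if (missingFailure.length > 0) {
    reasons.push(`failure cases not covered: ${missingFailure.join(', ')}`);
  }
  if (missingHappy.length > 0) reasons.push(`happy path not covered: ${missingHappy.join(', ')}`);
  if (skipped.length > 0) reasons.push(`auth tests are skipped: ${skipped.join('; ')}`);
  return { verdict: reasons.length === 0 ? 'PASS' : 'FAIL', reasons, covered: [...covered], gaps, skipped };
}

// Constructed sample suites (not from a real repository).
const SAMPLE_GOOD = `
describe('auth', () => {
  it('logs in with valid credentials', async () => {});
  it('rejects login with wrong password', async () => {});
  it('serves the protected route with a valid token', async () => {});
  it('returns 401 for a request without a token', async () => {});
  it('rejects an expired token', async () => {});
  it('rejects a tampered token', async () => {});
  it('issues a new access token on refresh', async () => {});
  it('invalidates the session on logout', async () => {});
  it("returns 403 for another user's resource", async () => {});
});
`;
const SAMPLE_HAPPY_ONLY = `
test('login returns a token', async () => {});
test('logout clears the session', async () => {});
test.skip('rejects an expired token', async () => {});
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditAuthTests({ 'auth.spec.ts': SAMPLE_GOOD }), null, 2));
  console.log(JSON.stringify(auditAuthTests({ 'login.test.js': SAMPLE_HAPPY_ONLY }), null, 2));
}
```

In a real run, build `files` from the paths step 1 printed (read each with `fs.readFileSync`) and treat `gaps` as the list to confirm with the user; `skipped` entries are the "auth tests exist but are skipped" fail case and should be reported verbatim as evidence.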

Cross-reference with:

  • AUTH-001: Tests should cover the auth flow you traced

Pass criteria:

  • Dedicated auth test file(s) exist
  • Tests cover happy path (login, access protected resource, logout)
  • Tests cover failure cases (invalid credentials, expired token, unauthorized access)
  • Tests run and pass

Fail criteria:

  • No auth-specific tests
  • Tests only cover happy path, no failure cases
  • Auth tests exist but are skipped or failing

If tests are minimal, ask user: "Found auth tests but they only cover [X]. Are there additional auth tests elsewhere, or is this a known gap?"

Evidence to capture:

  • Auth test file locations
  • Scenarios covered (login, logout, expiry, invalid token, etc.)
  • Test pass/fail status (run them if possible)
  • Coverage gaps identified

Section

03. Authentication & Endpoints
