till/mana-swift-core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: till:main
Branches Tags
till:main
till:v1.5.0
till:v1.4.0
till:v1.3.0
till:v1.2.0
till:v1.1.1
till:v1.1.0
till:v1.0.1
till:v1.0.0
..
compare: till:v1.1.1
Branches Tags
till:main
till:v1.5.0
till:v1.4.0
till:v1.3.0
till:v1.2.0
till:v1.1.1
till:v1.1.0
till:v1.0.1
till:v1.0.0

No commits in common. "main" and "v1.1.1" have entirely different histories.
main ... v1.1.1

12 changed files with 160 additions and 1442 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -5,4 +5,3 @@
Package.resolved
xcuserdata/
DerivedData/
build/

162
CHANGELOG.md
View file

@ -4,168 +4,6 @@ Alle Änderungen werden hier dokumentiert. Format orientiert an
[Keep a Changelog](https://keepachangelog.com), Versionierung nach
[Semver](https://semver.org).
## [1.5.0] — 2026-05-14
Minor — `getProfile()` + `ProfileInfo`. Apps können den 2FA-Status
des eingeloggten Users lesen, damit AccountView entscheidet ob
"Aktivieren" oder "Deaktivieren" angezeigt wird.
### Neu
- `ProfileInfo` (public struct) — `id`, `email`, `name`,
`emailVerified`, `twoFactorEnabled`.
- `AuthClient.getProfile() -> ProfileInfo` — lädt aktuelles Profil
vom Server (`GET /api/v1/auth/profile` → Better Auths
`/api/auth/get-session`). Nutzt Session-Token als Bearer.
### Tests
- 4 neue Tests (twoFactor-on, twoFactor-off, ohne Session,
unauthorized). 70/70 grün.
## [1.4.0] — 2026-05-14
Minor — 2FA-Enrollment (Mini-Sprint B). Setzt Mini-Sprint A
(`v1.3.0`) voraus. Komplett additiv.
### ManaCore — 2FA-Enrollment
- `TotpEnrollment` (public struct) — `totpURI` (für QR-Code-Display)
+ `backupCodes` (Liste).
- `AuthClient.enrollTotp(password:) -> TotpEnrollment` — aktiviert
TOTP-2FA; Server generiert Secret + Backup-Codes.
- `AuthClient.disableTotp(password:)` — deaktiviert wieder.
- `AuthClient.getTotpUri(password:) -> String` — Re-Display für
zweites Authenticator-Gerät.
- `AuthClient.regenerateBackupCodes(password:) -> [String]` — neue
Codes, alte werden ungültig.
Alle vier Methoden senden Bearer-Header mit Session-Token (Wire-
Konvention für mana-auth-Account-Endpoints).
### Server-Side Voraussetzung
`mana-auth` ≥ Commit der Wrapper-Endpoints:
- `POST /api/v1/auth/two-factor/enable`
- `POST /api/v1/auth/two-factor/disable`
- `POST /api/v1/auth/two-factor/get-totp-uri`
- `POST /api/v1/auth/two-factor/generate-backup-codes`
### Tests
- 7 neue Tests (Success-Pfade aller vier Methoden, leeres Passwort,
ohne Session, falsches Passwort). 66/66 grün.
## [1.3.0] — 2026-05-14
Minor — 2FA-Login-Challenge (Mini-Sprint A). Apps mit aktiviertem
TOTP-2FA können sich jetzt nativ einloggen. Komplett additiv.
### ManaCore — 2FA-Login
- `AuthClient.Status.twoFactorRequired(token: String, methods: [String], email: String)`
als neuer Case. Tritt nach `signIn(...)` auf, wenn der Account 2FA
aktiviert hat. `token` ist der opaque `two_factor`-Cookie-Wert vom
Server, den die App bei `verifyTotp(...)` zurückschickt.
- `AuthClient.verifyTotp(code:trustDevice:)` — verifiziert 6-stelligen
TOTP-Code. Bei Erfolg `.signedIn`, bei Fehler bleibt der Status im
Challenge (User kann retry).
- `AuthClient.verifyBackupCode(code:trustDevice:)` — Fallback wenn das
TOTP-Gerät verloren wurde. Backup-Codes sind einmalig.
- `signIn(...)` erkennt den Server-Pfad `{twoFactorRequired: true, ...}`
und routet automatisch zu `.twoFactorRequired`.
### Server-Side Voraussetzung
Setzt zwei neue Custom-Endpoints in `mana-auth` voraus:
- `POST /api/v1/auth/two-factor/verify-totp`
- `POST /api/v1/auth/two-factor/verify-backup-code`
Plus die `/api/v1/auth/login`-Erweiterung um den `twoFactorRequired`-
Pfad. Siehe `mana/services/mana-auth/src/routes/auth.ts`.
### Tests
- 5 neue Tests (signIn-Redirect, verifyTotp-Success/-Fail, ohne-Challenge-
Guard, verifyBackupCode). 59/59 grün.
### Bewusst NICHT in v1.3.0
- 2FA-**Enrollment** (TOTP-Setup) — eigener Mini-Sprint B mit
`enrollTotp()`, `disableTotp()`, `regenerateBackupCodes()`.
- Magic-Link, Passkey — eigene Sprints.
## [1.2.0] — 2026-05-13
Minor — Guest-Mode + Auth-Resilience. Native-Apps werden gegen mana-auth-
Downtime gehärtet und können jetzt einen anonymen Local-First-Modus
anbieten. Komplett additiv — keine Breaking Changes für bestehende
Konsumenten (Memoro, Cards, Manaspur, Nutriphi).
### ManaCore — Guest-Identität
- `AuthClient.Status` um Case `.guest(id: String)` erweitert. Persistente
lokale UUID ohne Server-Account; gleichberechtigt mit `.signedIn` als
„App ist nutzbar"-Zustand. Apps können in diesem Modus alles Lokale
und alle unauthenticated-Server-Endpoints anbieten, schreibende
Endpoints poppen Auth-Sheet.
- `AuthClient.enterGuestMode() throws -> String` — idempotent, erzeugt
oder reuse die Guest-UUID aus Keychain. Wechselt den Status nur,
wenn aktuell `.signedOut`/`.unknown` (eine aktive Session bleibt
unangetastet, App kann die Guest-ID parallel lesen).
- `AuthClient.currentGuestId() -> String?` — Lookup unabhängig vom Status.
Genutzt z.B. um lokale Guest-Daten beim Sign-In dem neuen Server-
Account zuzuordnen.
- `AuthClient.clearGuestId()` — entfernt die Guest-ID, etwa nach
erfolgreicher Migration der lokalen Daten auf einen Server-Account.
- `AuthClient.signOut(keepGuestMode: Bool = false)` — Default-Verhalten
unverändert (`false` löscht alles, Status `.signedOut`). Mit `true`
bleibt die App im anonymen Modus weiter nutzbar.
- `KeychainStore.Key.guestId` als neuer Key. `wipe()` löscht jetzt
*nur* Session-Felder (accessToken/refreshToken/email) — die Guest-ID
überlebt. Für komplettes Vergessen: neue `wipeAll()`.
### ManaCore — Refresh-Resilience
- `refreshAccessToken()` wipt nicht mehr blind den Keychain bei jedem
Nicht-200. Stattdessen Heuristik via `AuthError.invalidatesSession`:
- **Wipe** bei `.invalidCredentials`, `.unauthorized`, `.tokenExpired`,
`.tokenInvalid`, `.emailNotVerified` — Session ist tatsächlich tot.
- **Behalten** bei `.serviceUnavailable` (503), `.serverInternal`
(500), `.networkFailure`, `.rateLimited`, weiteren transienten
Fehlern. Apps werden bei mana-auth-Downtime nicht mehr in den
Login-Screen geworfen.
- Beim Wipe-Pfad fällt der Status auf `.guest(id)` zurück, falls eine
Guest-Identität existiert; sonst auf `.signedOut`.
- `AuthError.invalidatesSession: Bool` — public computed Property,
auch von Apps direkt nutzbar (z.B. um auf Transport-Fehler zu
reagieren).
### Tests
- 15 neue Tests: Guest-Mode (Idempotenz, Bootstrap-Priorität, Status-
Übergänge), signOut(keepGuestMode:) in beiden Modi, Refresh-Verhalten
bei 401/429/500/503/Network, invalidatesSession-Partitionierung.
### Migration für Apps
Bestehende Apps brauchen **keine** Änderung — Default-Verhalten ist
identisch. Wer den anonymen Modus nutzen will:
```swift
// Beim App-Start nach bootstrap():
auth.bootstrap()
if case .signedOut = auth.status {
try? auth.enterGuestMode() // Statt sofort Login-Screen
}
// In Aktionen, die einen Account brauchen:
guard case .signedIn = auth.status else {
presentLoginSheet()
return
}
```
## [1.1.1] — 2026-05-13
Patch — Wire-Konvention für authenticated Account-Calls geklärt.

345
Sources/ManaCore/Auth/AuthClient+Account.swift
View file

@ -388,348 +388,3 @@ private struct ChangePasswordRequest: Encodable {
private struct DeleteAccountRequest: Encodable {
let password: String
}
// MARK: - Two-Factor (Login-Challenge)
public extension AuthClient {
/// Verifiziert einen TOTP-Code im 2FA-Login-Flow. Vorbedingung:
/// Status ist ``Status/twoFactorRequired(token:methods:email:)``
/// (typisch nach `signIn(...)`).
///
/// Bei Erfolg setzt der Server die Session, ManaCore persistiert
/// Tokens und der Status wird `.signedIn(email:)`.
///
/// - Parameters:
/// - code: 6-stelliger TOTP-Code aus der Authenticator-App.
/// - trustDevice: Wenn `true`, setzt der Server einen
/// `trust_device`-Cookie. Bei Native heute ohne Effekt
/// (Cookies werden nicht persistiert) wir spiegeln das Flag
/// trotzdem für künftige Erweiterungen.
///
/// - Throws: ``AuthError/twoFactorFailed`` bei falschem Code,
/// ``AuthError/tokenExpired`` wenn der Challenge-Token alt ist,
/// plus Standard-Netzwerk-Fehler.
func verifyTotp(code: String, trustDevice: Bool = false) async throws {
try await verifyTwoFactor(
path: "/api/v1/auth/two-factor/verify-totp",
code: code,
trustDevice: trustDevice
)
}
/// Verifiziert einen Backup-Code im 2FA-Login-Flow. Same Pre-/
/// Postconditions wie ``verifyTotp(code:trustDevice:)`` der
/// Server entscheidet anhand des Endpoints, welches Verfahren er
/// nutzt. Backup-Codes werden vom Server beim Setup generiert
/// und einmalig konsumiert.
func verifyBackupCode(code: String, trustDevice: Bool = false) async throws {
try await verifyTwoFactor(
path: "/api/v1/auth/two-factor/verify-backup-code",
code: code,
trustDevice: trustDevice
)
}
private func verifyTwoFactor(
path: String,
code: String,
trustDevice: Bool
) async throws {
guard case let .twoFactorRequired(token, _, email) = status else {
throw AuthError.validation(
message: "Kein 2FA-Challenge aktiv — verifyTotp setzt eine vorherige signIn-Antwort mit .twoFactorRequired voraus"
)
}
guard !code.isEmpty else {
throw AuthError.validation(message: "Code ist erforderlich")
}
let body = TwoFactorVerifyRequest(
code: code,
twoFactorToken: token,
trustDevice: trustDevice
)
let (data, http) = try await postJSON(path: path, body: body)
guard http.statusCode == 200 else {
throw AuthError.classify(
status: http.statusCode,
data: data,
retryAfterHeader: http.retryAfterSeconds
)
}
let token2 = try JSONDecoder().decode(TwoFactorVerifyResponse.self, from: data)
guard let access = token2.accessToken, let refresh = token2.refreshToken else {
// Server hat 200 zurück, aber keine Tokens. Sollte nicht
// passieren UI bleibt im 2FA-Required-Zustand.
throw AuthError.decoding("Tokens fehlen in 2FA-Verify-Antwort")
}
try persistSession(email: email, accessToken: access, refreshToken: refresh)
CoreLog.auth.info("2FA verify successful — signed in")
}
}
private struct TwoFactorVerifyRequest: Encodable {
let code: String
let twoFactorToken: String
let trustDevice: Bool
}
private struct TwoFactorVerifyResponse: Decodable {
let success: Bool?
let accessToken: String?
let refreshToken: String?
}
// MARK: - Two-Factor (Enrollment)
/// Ergebnis von ``AuthClient/enrollTotp(password:)``: enthält die
/// otpauth-URI (für QR-Code-Display) und die Backup-Codes. Backup-
/// Codes sind einmalig nutzbar und sollten dem User zum Sichern
/// (Kopieren/Drucken) angeboten werden der Server zeigt sie nie
/// mehr.
public struct TotpEnrollment: Sendable, Equatable {
/// `otpauth://totp/Issuer:email?secret=...&...`-URI. Direkt als
/// QR-Code rendern (z.B. via `CIFilter.qrCodeGenerator`).
public let totpURI: String
/// Liste der Backup-Codes (üblich 10 Stück). Der User sollte sie
/// sicher aufbewahren bei Verlust des TOTP-Geräts sind sie der
/// einzige Fallback. Server merkt sich nur Hashes; bei Verbrauch
/// werden sie als consumed markiert.
public let backupCodes: [String]
}
public extension AuthClient {
/// Aktiviert TOTP-2FA für den aktuellen Account.
///
/// Re-Auth via aktuellem Passwort. Bei Erfolg generiert der Server
/// ein TOTP-Secret und gibt die otpauth-URI + Backup-Codes zurück.
/// Die App rendert die URI als QR-Code, der User scannt mit
/// Authenticator-App und gibt zur Bestätigung den ersten Code ein
/// dieser zweite Schritt läuft über die regulären
/// ``verifyTotp(code:trustDevice:)``-Methode oder einen Re-Auth
/// signIn twoFactorRequired-Flow (der Server entscheidet).
///
/// - Important: Nutzt den Session-Token als Bearer (Wire-Konvention
/// für mana-auth-Account-Endpoints, siehe Doc-Header dieser Datei).
func enrollTotp(password: String) async throws -> TotpEnrollment {
guard !password.isEmpty else {
throw AuthError.validation(message: "Passwort ist erforderlich")
}
let body = TotpEnableRequest(password: password)
let (data, http) = try await postJSON(
path: "/api/v1/auth/two-factor/enable",
body: body,
authenticated: true
)
guard http.statusCode == 200 else {
throw AuthError.classify(
status: http.statusCode,
data: data,
retryAfterHeader: http.retryAfterSeconds
)
}
let decoded = try JSONDecoder().decode(TotpEnableResponse.self, from: data)
guard let uri = decoded.totpURI else {
throw AuthError.decoding("totpURI fehlt in Enroll-Antwort")
}
CoreLog.auth.info("2FA TOTP enrollment initiated")
return TotpEnrollment(totpURI: uri, backupCodes: decoded.backupCodes ?? [])
}
/// Deaktiviert TOTP-2FA für den aktuellen Account. Re-Auth via
/// Passwort.
func disableTotp(password: String) async throws {
guard !password.isEmpty else {
throw AuthError.validation(message: "Passwort ist erforderlich")
}
let body = TotpEnableRequest(password: password)
let (data, http) = try await postJSON(
path: "/api/v1/auth/two-factor/disable",
body: body,
authenticated: true
)
guard http.statusCode == 200 else {
throw AuthError.classify(
status: http.statusCode,
data: data,
retryAfterHeader: http.retryAfterSeconds
)
}
CoreLog.auth.info("2FA TOTP disabled")
}
/// Liefert die otpauth-URI des aktuellen TOTP-Secrets. Nützlich
/// wenn der User den QR-Code erneut sehen will (z.B. zweites
/// Gerät einrichten). Re-Auth via Passwort.
///
/// - Returns: `otpauth://totp/`-URI, direkt als QR-Code renderbar.
func getTotpUri(password: String) async throws -> String {
guard !password.isEmpty else {
throw AuthError.validation(message: "Passwort ist erforderlich")
}
let body = TotpEnableRequest(password: password)
let (data, http) = try await postJSON(
path: "/api/v1/auth/two-factor/get-totp-uri",
body: body,
authenticated: true
)
guard http.statusCode == 200 else {
throw AuthError.classify(
status: http.statusCode,
data: data,
retryAfterHeader: http.retryAfterSeconds
)
}
let decoded = try JSONDecoder().decode(TotpEnableResponse.self, from: data)
guard let uri = decoded.totpURI else {
throw AuthError.decoding("totpURI fehlt in get-totp-uri-Antwort")
}
return uri
}
/// Regeneriert die Backup-Codes. Alte Codes werden ungültig. Der
/// User sollte die neuen direkt sichern.
func regenerateBackupCodes(password: String) async throws -> [String] {
guard !password.isEmpty else {
throw AuthError.validation(message: "Passwort ist erforderlich")
}
let body = TotpEnableRequest(password: password)
let (data, http) = try await postJSON(
path: "/api/v1/auth/two-factor/generate-backup-codes",
body: body,
authenticated: true
)
guard http.statusCode == 200 else {
throw AuthError.classify(
status: http.statusCode,
data: data,
retryAfterHeader: http.retryAfterSeconds
)
}
let decoded = try JSONDecoder().decode(TotpEnableResponse.self, from: data)
guard let codes = decoded.backupCodes else {
throw AuthError.decoding("backupCodes fehlen in Antwort")
}
return codes
}
}
private struct TotpEnableRequest: Encodable {
let password: String
}
/// Antwort-Format für alle Enrollment-Endpoints. Felder sind optional
/// damit derselbe Type für `enable` (beide), `get-totp-uri` (nur URI)
/// und `generate-backup-codes` (nur Codes) dekodierbar ist.
private struct TotpEnableResponse: Decodable {
let totpURI: String?
let backupCodes: [String]?
}
// MARK: - Profile
/// Subset des Server-User-Profiles, das die Apps für UI-Entscheidungen
/// brauchen. Wird von ``AuthClient/getProfile()`` geliefert.
///
/// Server-Quelle: `GET /api/v1/auth/profile` ( Better Auths
/// `/api/auth/get-session`). Returnt `{user: {}, session: {}}`.
/// Wir nehmen nur die UI-relevanten Felder mit.
public struct ProfileInfo: Sendable, Equatable {
public let id: String
public let email: String
public let name: String?
public let emailVerified: Bool
/// `true` wenn der User TOTP-2FA aktiviert hat. Apps zeigen
/// dann den Disable-/Regenerate-Pfad statt des Enroll-Wizards.
public let twoFactorEnabled: Bool
public init(
id: String,
email: String,
name: String?,
emailVerified: Bool,
twoFactorEnabled: Bool
) {
self.id = id
self.email = email
self.name = name
self.emailVerified = emailVerified
self.twoFactorEnabled = twoFactorEnabled
}
}
public extension AuthClient {
/// Lädt das aktuelle Profil des eingeloggten Users vom Server.
///
/// - Important: Nutzt den Session-Token als Bearer (Wire-Konvention
/// für mana-auth-Endpoints, siehe Doc-Header dieser Datei).
///
/// - Throws: ``AuthError/notSignedIn`` ohne Session,
/// ``AuthError/unauthorized`` wenn Server den Token rejected,
/// Netzwerk-Cases.
func getProfile() async throws -> ProfileInfo {
let token = try currentSessionToken()
let url = config.authBaseURL.appending(path: "/api/v1/auth/profile")
var request = URLRequest(url: url)
request.httpMethod = "GET"
request.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")
let (data, http): (Data, HTTPURLResponse)
do {
let (d, r) = try await session.data(for: request)
guard let h = r as? HTTPURLResponse else {
throw AuthError.networkFailure("Keine HTTP-Antwort")
}
data = d
http = h
} catch let error as URLError {
throw AuthError.networkFailure(error.localizedDescription)
}
guard http.statusCode == 200 else {
throw AuthError.classify(
status: http.statusCode,
data: data,
retryAfterHeader: http.retryAfterSeconds
)
}
let envelope = try JSONDecoder().decode(ProfileEnvelope.self, from: data)
guard let user = envelope.user else {
throw AuthError.decoding("user-Feld fehlt in profile-Antwort")
}
return ProfileInfo(
id: user.id,
email: user.email,
name: user.name,
emailVerified: user.emailVerified ?? false,
twoFactorEnabled: user.twoFactorEnabled ?? false
)
}
}
/// Wire-Format-Hülle für `GET /api/v1/auth/profile`. Better-Auth-
/// `/api/auth/get-session` returnt `{user: {...}, session: {...}}`;
/// wir lesen `user` und ignorieren `session`.
private struct ProfileEnvelope: Decodable {
let user: ProfileUser?
}
private struct ProfileUser: Decodable {
let id: String
let email: String
let name: String?
let emailVerified: Bool?
let twoFactorEnabled: Bool?
}

159
Sources/ManaCore/Auth/AuthClient.swift
View file

@ -15,27 +15,9 @@ import Observation
@Observable
public final class AuthClient {
public enum Status: Equatable, Sendable {
/// Vor `bootstrap()` Keychain noch nicht ausgewertet.
case unknown
/// Kein Account, keine Guest-Identität. UI sollte Login/Sign-Up
/// anbieten oder via `enterGuestMode()` einen anonymen Modus
/// starten.
case signedOut
/// Anonyme lokale Identität ohne Server-Account. Apps können
/// lokale Daten unter dieser UUID persistieren und sie später
/// beim Sign-In einem Server-Account zuordnen. Read-only-
/// Server-Endpoints, die keinen User brauchen, sind in diesem
/// Status erreichbar; schreibende Endpoints nicht.
case guest(id: String)
case signingIn
/// Sign-In war erfolgreich aber der Account hat 2FA aktiviert.
/// UI fragt nun den TOTP-Code (oder einen Backup-Code) ab und
/// ruft `verifyTotp(code:trustDevice:)` / `verifyBackupCode(...)`
/// mit dem hier gespeicherten Token auf.
///
/// `token` ist der Better-Auth-`two_factor`-Cookie-Wert, vom
/// Server in der Login-Response als `twoFactorToken` mitgeliefert.
case twoFactorRequired(token: String, methods: [String], email: String)
case signedIn(email: String)
case error(String)
}
@ -67,73 +49,16 @@ public final class AuthClient {
return nil
}
/// Liest den persistierten Auth-Zustand aus dem Keychain. Reihenfolge:
/// vollwertige Session > Guest-Identität > komplett ausgeloggt.
///
/// Keine Server-Roundtrips Apps starten offline-fähig und mana-auth-
/// Downtime kann den letzten gültigen Zustand nicht überschreiben.
/// Token-Gültigkeit wird erst beim nächsten authentifizierten Call
/// geprüft (siehe ``refreshAccessToken()``).
public func bootstrap() {
let email = keychain.getString(for: .email)
let hasToken = keychain.getString(for: .accessToken) != nil
if let email, hasToken {
status = .signedIn(email: email)
} else if let guestId = keychain.getString(for: .guestId) {
status = .guest(id: guestId)
} else {
status = .signedOut
}
}
/// Aktive Guest-Identität, falls vorhanden. Persistiert über
/// App-Starts hinweg. Existiert sowohl im ``Status/guest(id:)`` als
/// auch parallel zu einer eingeloggten Session letzteres erlaubt
/// es einer App, beim Sign-In die zuvor lokal gesammelten anonymen
/// Daten dem neuen Server-Account zuzuordnen.
public func currentGuestId() -> String? {
keychain.getString(for: .guestId)
}
/// Setzt die App in den anonymen Modus. Idempotent: liefert eine
/// bestehende Guest-ID zurück, wenn schon eine im Keychain liegt;
/// sonst wird eine neue UUID erzeugt und persistiert.
///
/// Ändert den Status nur, wenn aktuell `.signedOut` oder `.unknown`
/// vorliegt. Bei aktiver Session (`.signedIn`/`.signingIn`) bleibt
/// der Status unverändert die App kann trotzdem `currentGuestId()`
/// nutzen, um die anonyme ID zu lesen, ohne die Session zu stören.
///
/// - Throws: ``AuthError/keychain(_:)`` wenn der Keychain-Write
/// scheitert.
@discardableResult
public func enterGuestMode() throws -> String {
if let existing = keychain.getString(for: .guestId) {
if case .signedIn = status {} else if case .signingIn = status {} else {
status = .guest(id: existing)
}
return existing
}
let newId = UUID().uuidString
try keychain.setString(newId, for: .guestId)
if case .signedIn = status {} else if case .signingIn = status {} else {
status = .guest(id: newId)
}
CoreLog.auth.info("Entered guest mode")
return newId
}
/// Löscht die Guest-Identität aus dem Keychain. Genutzt nach einer
/// erfolgreichen Migration der lokalen Guest-Daten auf einen
/// Server-Account die anonyme ID wird dann nicht mehr gebraucht.
/// Wenn der Status aktuell `.guest` ist, wechselt er auf `.signedOut`.
public func clearGuestId() {
keychain.remove(for: .guestId)
if case .guest = status {
status = .signedOut
}
}
public func signIn(email: String, password: String) async {
let trimmed = email.trimmingCharacters(in: .whitespacesAndNewlines)
guard !trimmed.isEmpty, !password.isEmpty else {
@ -168,23 +93,6 @@ public final class AuthClient {
return
}
// 2FA-Pfad: Server hat statt Tokens einen
// `twoFactorRequired`-Response geliefert. UI muss jetzt
// den TOTP-Code abfragen und `verifyTotp(...)` aufrufen.
if let twoFactor = try? JSONDecoder().decode(TwoFactorChallenge.self, from: data),
twoFactor.twoFactorRequired == true,
let tfToken = twoFactor.twoFactorToken
{
status = .twoFactorRequired(
token: tfToken,
methods: twoFactor.twoFactorMethods ?? ["totp"],
email: trimmed
)
lastError = nil
CoreLog.auth.info("Sign-in needs 2FA challenge")
return
}
let token = try JSONDecoder().decode(TokenResponse.self, from: data)
try keychain.setString(token.accessToken, for: .accessToken)
try keychain.setString(token.refreshToken, for: .refreshToken)
@ -205,15 +113,7 @@ public final class AuthClient {
}
}
/// Logged den User aus. Versucht den Server zu informieren (Logout-
/// Endpoint), wischt den lokalen Keychain und setzt den Status.
///
/// - Parameter keepGuestMode: Wenn `true`, bleibt die App in einem
/// anonymen Local-First-Modus aktiv. Eine bestehende Guest-ID
/// wird beibehalten oder eine neue erzeugt; der Status wechselt
/// auf ``Status/guest(id:)``. Default `false` für strict-Logout
/// (Status `.signedOut`, auch Guest-ID gelöscht).
public func signOut(keepGuestMode: Bool = false) async {
public func signOut() async {
if let token = keychain.getString(for: .accessToken) {
let url = config.authBaseURL.appending(path: "/api/v1/auth/logout")
var request = URLRequest(url: url)
@ -222,20 +122,8 @@ public final class AuthClient {
_ = try? await session.data(for: request)
}
keychain.wipe()
if keepGuestMode {
if let existing = keychain.getString(for: .guestId) {
status = .guest(id: existing)
} else {
let newId = UUID().uuidString
try? keychain.setString(newId, for: .guestId)
status = .guest(id: newId)
}
CoreLog.auth.info("Signed out — kept guest mode")
} else {
keychain.remove(for: .guestId)
status = .signedOut
CoreLog.auth.info("Signed out")
}
status = .signedOut
CoreLog.auth.info("Signed out")
}
public func currentAccessToken() throws -> String {
@ -284,30 +172,13 @@ public final class AuthClient {
throw AuthError.networkFailure("Keine HTTP-Antwort")
}
guard http.statusCode == 200 else {
let err = AuthError.classify(
keychain.wipe()
status = .signedOut
throw AuthError.classify(
status: http.statusCode,
data: data,
retryAfterHeader: http.retryAfterSeconds
)
// Wipe nur bei tatsächlich invalidierter Session. Transiente
// Fehler (5xx, Rate-Limit) lassen den Token erhalten sonst
// wirft jeder mana-auth-Downtime-Moment alle Apps in den
// Login-Screen. Falls eine Guest-Identität existiert, wird
// beim Wipe in den Guest-Status zurückgefallen statt in
// strict `.signedOut`.
if err.invalidatesSession {
keychain.wipe()
if let guestId = keychain.getString(for: .guestId) {
status = .guest(id: guestId)
} else {
status = .signedOut
}
} else {
CoreLog.auth.notice(
"Refresh failed transiently (\(http.statusCode, privacy: .public)) — keeping session"
)
}
throw err
}
let token = try JSONDecoder().decode(TokenResponse.self, from: data)
@ -331,12 +202,10 @@ public final class AuthClient {
status = .signedIn(email: email)
}
/// Setzt den Status auf `.signedOut` und wirft den Keychain
/// vollständig leer inklusive Guest-ID. Genutzt nach
/// `deleteAccount()`: Account ist gelöscht, also auch die
/// (potenziell verknüpfte) anonyme Identität.
/// Setzt den Status auf `.signedOut` und wirft den Keychain leer.
/// Genutzt nach `deleteAccount()`.
func clearSession() {
keychain.wipeAll()
keychain.wipe()
status = .signedOut
}
}
@ -364,16 +233,6 @@ struct TokenResponse: Decodable {
let refreshToken: String
}
/// 2FA-Pfad aus `/api/v1/auth/login`. Wenn `twoFactorRequired == true`,
/// kein Token-Paar UI muss `verifyTotp(...)` / `verifyBackupCode(...)`
/// aufrufen. `twoFactorToken` ist der Server-injecten `two_factor`-Cookie-
/// Wert (opaque).
struct TwoFactorChallenge: Decodable {
let twoFactorRequired: Bool?
let twoFactorMethods: [String]?
let twoFactorToken: String?
}
extension HTTPURLResponse {
/// Liest `Retry-After` als Anzahl Sekunden. Server schickt Integer-
/// Sekunden (siehe `lib/auth-errors.ts`). HTTP-Datum-Variante wird

43
Sources/ManaCore/Auth/AuthError.swift
View file

@ -126,49 +126,6 @@ public enum AuthError: Error, LocalizedError, Sendable, Equatable {
}
}
/// `true` wenn dieser Fehler bedeutet, dass die gespeicherten
/// Tokens nicht mehr gültig sind und die App den Nutzer ausloggen
/// muss. `false` für *transiente* Fehler (Server-Downtime, Netzwerk-
/// Fehler, Rate-Limiting), bei denen die Session erhalten bleiben
/// soll die App sollte den Versuch nur wiederholen.
///
/// Genutzt von ``AuthClient/refreshAccessToken()`` um zu entscheiden,
/// ob der Keychain gewiped werden muss. Apps können denselben
/// Test auf Fehler aus ``AuthenticatedTransport`` anwenden, um
/// zwischen "neuer Login nötig" und "später nochmal probieren" zu
/// unterscheiden.
public var invalidatesSession: Bool {
switch self {
case .invalidCredentials,
.unauthorized,
.tokenExpired,
.tokenInvalid,
.emailNotVerified:
true
case .notSignedIn,
.encoding,
.keychain,
.decoding,
.networkFailure,
.emailAlreadyRegistered,
.weakPassword,
.accountLocked,
.signupLimitReached,
.rateLimited,
.twoFactorRequired,
.twoFactorFailed,
.passkeyNotEnabled,
.passkeyCancelled,
.passkeyVerificationFailed,
.validation,
.notFound,
.serviceUnavailable,
.serverInternal,
.serverError:
false
}
}
/// Klassifiziert eine `mana-auth`-Fehler-Antwort. `data` ist der
/// Response-Body, `status` der HTTP-Status, `retryAfterHeader` der
/// `Retry-After`-Header-Wert in Sekunden (falls vorhanden).

18
Sources/ManaCore/Auth/KeychainStore.swift
View file

@ -5,18 +5,10 @@ import Security
/// pro `ManaAppConfig`.
public final class KeychainStore: Sendable {
/// Bekannte Keys für mana-auth-Tokens.
///
/// `.guestId` ist eine lokal generierte anonyme UUID für Apps mit
/// Local-First-/Guest-Modus. Sie wird unabhängig von den Session-
/// Tokens persistiert und vom Default-``wipe()`` *nicht* gelöscht
/// damit eine App nach einem Logout im Guest-Modus weiterlaufen
/// kann, ohne dass die lokalen anonymen Daten ihre Besitzer-Spur
/// verlieren. Vollständiger Reset über ``wipeAll()``.
public enum Key: String, Sendable {
case accessToken = "access_token"
case refreshToken = "refresh_token"
case email
case guestId = "guest_id"
}
private let service: String
@ -72,22 +64,12 @@ public final class KeychainStore: Sendable {
SecItemDelete(query as CFDictionary)
}
/// Löscht Session-Daten (accessToken, refreshToken, email). Behält
/// die ``Key/guestId``, damit lokale Guest-Daten nach einem Logout
/// erhalten bleiben können.
public func wipe() {
remove(for: .accessToken)
remove(for: .refreshToken)
remove(for: .email)
}
/// Löscht *alles* inklusive der Guest-Identität. Genutzt nach
/// `deleteAccount()` oder bei explizitem "anonyme Daten vergessen".
public func wipeAll() {
wipe()
remove(for: .guestId)
}
private func baseQuery(for key: Key) -> [CFString: Any] {
var query: [CFString: Any] = [
kSecClass: kSecClassGenericPassword,

194
Tests/ManaCoreTests/AuthClientAccountTests.swift
View file

@ -2,10 +2,27 @@ import Foundation
import Testing
@testable import ManaCore
@Suite("AuthClient+Account")
@Suite("AuthClient+Account", .serialized)
@MainActor
struct AuthClientAccountTests {
// MARK: - Fixtures
private static func makeClient() -> (AuthClient, URLSession) {
let configuration = URLSessionConfiguration.ephemeral
configuration.protocolClasses = [MockURLProtocol.self]
let session = URLSession(configuration: configuration)
let config = DefaultManaAppConfig(
authBaseURL: URL(string: "https://auth.test")!,
keychainService: "ev.mana.test.\(UUID().uuidString)",
keychainAccessGroup: nil
)
return (AuthClient(config: config, session: session), session)
}
private func recordedBody(_ request: URLRequest) -> [String: Any] {
// URLSession verschiebt den Body in den BodyStream wenn er nicht
// klein-genug ist ephemeral-Session lässt ihn als httpBody.
guard let body = request.httpBody ?? request.bodyStreamData(),
let json = try? JSONSerialization.jsonObject(with: body) as? [String: Any]
else { return [:] }
@ -16,62 +33,66 @@ struct AuthClientAccountTests {
@Test("register schickt POST /api/v1/auth/register mit JSON-Body")
func registerSendsCorrectRequest() async throws {
let mocked = makeMockedAuth()
mocked.setHandler { request in
let (client, _) = Self.makeClient()
MockURLProtocol.handler = { request in
#expect(request.httpMethod == "POST")
#expect(request.url?.path == "/api/v1/auth/register")
#expect(request.value(forHTTPHeaderField: "Content-Type") == "application/json")
return (200, Data(#"{"user":{"id":"u1","email":"new@x.de"}}"#.utf8))
}
try await mocked.auth.register(
try await client.register(
email: "new@x.de",
password: "Aa-123456789",
name: "Neu",
sourceAppUrl: URL(string: "https://cardecky.mana.how/auth/verify")
)
if case .signedIn = mocked.auth.status {
// Mit requireEmailVerification:true gibt es noch keine Session.
if case .signedIn = client.status {
Issue.record("Expected not-signed-in after register without tokens")
}
}
@Test("register mit Token-Antwort führt direkt zu signedIn")
func registerWithTokensSignsIn() async throws {
let mocked = makeMockedAuth()
let access = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSIsImV4cCI6MjAwMDAwMDAwMH0.sig"
let (client, _) = Self.makeClient()
// gültiger HS256-Header.payload (exp 2_000_000_000).sig JWT.expiry()
// läuft danach nicht in den Refresh-Pfad.
let access =
"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSIsImV4cCI6MjAwMDAwMDAwMH0.sig"
let refresh = "refresh-token-value"
mocked.setHandler { _ in
MockURLProtocol.handler = { _ in
(200, Data(#"""
{"user":{"id":"u1","email":"new@x.de"},"accessToken":"\#(access)","refreshToken":"\#(refresh)"}
"""#.utf8))
}
try await mocked.auth.register(email: "new@x.de", password: "Aa-123456789")
#expect(mocked.auth.status == .signedIn(email: "new@x.de"))
try await client.register(email: "new@x.de", password: "Aa-123456789")
#expect(client.status == .signedIn(email: "new@x.de"))
}
@Test("register mit existierender Email wirft emailAlreadyRegistered")
func registerEmailAlreadyRegistered() async {
let mocked = makeMockedAuth()
mocked.setHandler { _ in
let (client, _) = Self.makeClient()
MockURLProtocol.handler = { _ in
(409, Data(#"{"error":"EMAIL_ALREADY_REGISTERED","status":409}"#.utf8))
}
await #expect(throws: AuthError.emailAlreadyRegistered) {
try await mocked.auth.register(email: "old@x.de", password: "Aa-123456789")
try await client.register(email: "old@x.de", password: "Aa-123456789")
}
}
@Test("register mit leerer Email wirft validation ohne Server-Call")
func registerValidatesEmptyEmail() async {
let mocked = makeMockedAuth()
mocked.setHandler { _ in
let (client, _) = Self.makeClient()
MockURLProtocol.handler = { _ in
Issue.record("Server darf nicht aufgerufen werden")
return (500, Data())
}
await #expect(throws: (any Error).self) {
try await mocked.auth.register(email: " ", password: "Aa-123456789")
try await client.register(email: " ", password: "Aa-123456789")
}
}
@ -79,14 +100,14 @@ struct AuthClientAccountTests {
@Test("forgotPassword schickt email + redirectTo")
func forgotPasswordPayload() async throws {
let mocked = makeMockedAuth()
let (client, _) = Self.makeClient()
let capturedURL = MockURLProtocol.Capture()
mocked.setHandler { request in
MockURLProtocol.handler = { request in
capturedURL.store(request)
return (200, Data(#"{"success":true}"#.utf8))
}
try await mocked.auth.forgotPassword(
try await client.forgotPassword(
email: "user@x.de",
resetUniversalLink: URL(string: "https://cardecky.mana.how/auth/reset")!
)
@ -101,14 +122,14 @@ struct AuthClientAccountTests {
@Test("resetPassword schickt token + newPassword")
func resetPasswordPayload() async throws {
let mocked = makeMockedAuth()
let (client, _) = Self.makeClient()
let captured = MockURLProtocol.Capture()
mocked.setHandler { request in
MockURLProtocol.handler = { request in
captured.store(request)
return (200, Data(#"{"success":true}"#.utf8))
}
try await mocked.auth.resetPassword(token: "tok123", newPassword: "Neu-987654321")
try await client.resetPassword(token: "tok123", newPassword: "Neu-987654321")
let request = try #require(captured.request)
let json = recordedBody(request)
#expect(json["token"] as? String == "tok123")
@ -118,13 +139,13 @@ struct AuthClientAccountTests {
@Test("resetPassword mit abgelaufenem Token wirft tokenExpired")
func resetPasswordTokenExpired() async {
let mocked = makeMockedAuth()
mocked.setHandler { _ in
let (client, _) = Self.makeClient()
MockURLProtocol.handler = { _ in
(400, Data(#"{"error":"TOKEN_EXPIRED","status":400}"#.utf8))
}
await #expect(throws: AuthError.tokenExpired) {
try await mocked.auth.resetPassword(token: "old", newPassword: "Neu-987654321")
try await client.resetPassword(token: "old", newPassword: "Neu-987654321")
}
}
@ -132,14 +153,14 @@ struct AuthClientAccountTests {
@Test("resendVerification schickt email + sourceAppUrl")
func resendVerificationPayload() async throws {
let mocked = makeMockedAuth()
let (client, _) = Self.makeClient()
let captured = MockURLProtocol.Capture()
mocked.setHandler { request in
MockURLProtocol.handler = { request in
captured.store(request)
return (200, Data(#"{"success":true}"#.utf8))
}
try await mocked.auth.resendVerification(
try await client.resendVerification(
email: "user@x.de",
sourceAppUrl: URL(string: "https://cardecky.mana.how/auth/verify")
)
@ -151,8 +172,8 @@ struct AuthClientAccountTests {
@Test("resendVerification mit Rate-Limit liefert retryAfter")
func resendVerificationRateLimited() async {
let mocked = makeMockedAuth()
mocked.setHandler { _ in
let (client, _) = Self.makeClient()
MockURLProtocol.handler = { _ in
(
429,
Data(#"{"error":"RATE_LIMITED","retryAfterSec":42,"status":429}"#.utf8),
@ -161,7 +182,7 @@ struct AuthClientAccountTests {
}
do {
try await mocked.auth.resendVerification(email: "user@x.de")
try await client.resendVerification(email: "user@x.de")
Issue.record("Expected throw")
} catch let AuthError.rateLimited(retryAfter) {
#expect(retryAfter == 42)
@ -174,26 +195,30 @@ struct AuthClientAccountTests {
@Test("changeEmail ohne Login wirft notSignedIn")
func changeEmailRequiresSession() async {
let mocked = makeMockedAuth()
let (client, _) = Self.makeClient()
await #expect(throws: AuthError.notSignedIn) {
try await mocked.auth.changeEmail(newEmail: "neu@x.de")
try await client.changeEmail(newEmail: "neu@x.de")
}
}
@Test("changePassword schickt Session-Token als Bearer (nicht JWT)")
func changePasswordSendsBearer() async throws {
let mocked = makeMockedAuth()
let (client, _) = Self.makeClient()
// Authenticated Account-Calls senden den Session-Token (refreshToken)
// statt des JWT, weil server-seitig Better Auths bearer-Plugin
// den Session-Token zu einem Session-Cookie konvertiert. Siehe
// AuthClient+Account.swift Doc-Header.
let access = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSIsImV4cCI6MjAwMDAwMDAwMH0.sig"
let session = "session-token-value"
try mocked.auth.persistSession(email: "u@x.de", accessToken: access, refreshToken: session)
try client.persistSession(email: "u@x.de", accessToken: access, refreshToken: session)
let captured = MockURLProtocol.Capture()
mocked.setHandler { request in
MockURLProtocol.handler = { request in
captured.store(request)
return (200, Data(#"{"success":true}"#.utf8))
}
try await mocked.auth.changePassword(currentPassword: "alt", newPassword: "neu")
try await client.changePassword(currentPassword: "alt", newPassword: "neu")
let request = try #require(captured.request)
#expect(request.value(forHTTPHeaderField: "Authorization") == "Bearer \(session)")
#expect(request.url?.path == "/api/v1/auth/change-password")
@ -201,16 +226,99 @@ struct AuthClientAccountTests {
@Test("deleteAccount wiped Session bei Erfolg")
func deleteAccountClearsSession() async throws {
let mocked = makeMockedAuth()
let (client, _) = Self.makeClient()
let access = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSIsImV4cCI6MjAwMDAwMDAwMH0.sig"
try mocked.auth.persistSession(email: "u@x.de", accessToken: access, refreshToken: "r")
#expect(mocked.auth.status == .signedIn(email: "u@x.de"))
try client.persistSession(email: "u@x.de", accessToken: access, refreshToken: "r")
#expect(client.status == .signedIn(email: "u@x.de"))
mocked.setHandler { request in
MockURLProtocol.handler = { request in
#expect(request.httpMethod == "DELETE")
return (200, Data(#"{"success":true}"#.utf8))
}
try await mocked.auth.deleteAccount(password: "pw")
#expect(mocked.auth.status == .signedOut)
try await client.deleteAccount(password: "pw")
#expect(client.status == .signedOut)
}
}
// MARK: - URLProtocol Mock
final class MockURLProtocol: URLProtocol, @unchecked Sendable {
/// Antwort-Tuple: (status, body) oder (status, body, headers).
typealias Response = (status: Int, body: Data, headers: [String: String])
typealias Handler = @Sendable (URLRequest) -> Any // (Int, Data) | (Int, Data, [String:String])
nonisolated(unsafe) static var handler: Handler?
/// Thread-safer Capture-Container Tests können den Request darin
/// festhalten und nach dem await aus dem Test-Body lesen.
final class Capture: @unchecked Sendable {
private let lock = NSLock()
private var stored: URLRequest?
func store(_ r: URLRequest) {
lock.lock(); defer { lock.unlock() }
stored = r
}
var request: URLRequest? {
lock.lock(); defer { lock.unlock() }
return stored
}
}
override class func canInit(with request: URLRequest) -> Bool { true }
override class func canonicalRequest(for request: URLRequest) -> URLRequest { request }
override func stopLoading() {}
override func startLoading() {
guard let handler = MockURLProtocol.handler else {
client?.urlProtocol(
self,
didFailWithError: URLError(.unknown)
)
return
}
let result = handler(request)
let status: Int
let body: Data
let headers: [String: String]
if let tuple = result as? (Int, Data, [String: String]) {
status = tuple.0; body = tuple.1; headers = tuple.2
} else if let tuple = result as? (Int, Data) {
status = tuple.0; body = tuple.1; headers = [:]
} else {
client?.urlProtocol(self, didFailWithError: URLError(.unknown))
return
}
let response = HTTPURLResponse(
url: request.url!,
statusCode: status,
httpVersion: "HTTP/1.1",
headerFields: headers
)!
client?.urlProtocol(self, didReceive: response, cacheStoragePolicy: .notAllowed)
client?.urlProtocol(self, didLoad: body)
client?.urlProtocolDidFinishLoading(self)
}
}
extension URLRequest {
/// Liest httpBodyStream in einen Data. URLSession ephemeral-Session
/// nutzt manchmal Streams statt httpBody.
func bodyStreamData() -> Data? {
guard let stream = httpBodyStream else { return nil }
stream.open(); defer { stream.close() }
var data = Data()
let bufferSize = 1024
let buffer = UnsafeMutablePointer<UInt8>.allocate(capacity: bufferSize)
defer { buffer.deallocate() }
while stream.hasBytesAvailable {
let read = stream.read(buffer, maxLength: bufferSize)
if read <= 0 { break }
data.append(buffer, count: read)
}
return data
}
}

230
Tests/ManaCoreTests/AuthClientGuestAndResilienceTests.swift
View file

@ -1,230 +0,0 @@
import Foundation
import Testing
@testable import ManaCore
@Suite("AuthClient Guest-Mode + Resilience")
@MainActor
struct AuthClientGuestAndResilienceTests {
// MARK: - enterGuestMode / currentGuestId
@Test("enterGuestMode aus signedOut erzeugt UUID und setzt .guest")
func enterGuestModeFromSignedOut() throws {
let mocked = makeMockedAuth()
mocked.auth.bootstrap()
#expect(mocked.auth.status == .signedOut)
let id = try mocked.auth.enterGuestMode()
#expect(!id.isEmpty)
#expect(mocked.auth.status == .guest(id: id))
#expect(mocked.auth.currentGuestId() == id)
}
@Test("enterGuestMode ist idempotent")
func enterGuestModeIdempotent() throws {
let mocked = makeMockedAuth()
let first = try mocked.auth.enterGuestMode()
let second = try mocked.auth.enterGuestMode()
#expect(first == second)
#expect(mocked.auth.status == .guest(id: first))
}
@Test("enterGuestMode stört aktive Session nicht")
func enterGuestModeKeepsSignedIn() throws {
let mocked = makeMockedAuth()
try mocked.auth.persistSession(email: "u@x.de", accessToken: "a", refreshToken: "r")
#expect(mocked.auth.status == .signedIn(email: "u@x.de"))
let id = try mocked.auth.enterGuestMode()
#expect(mocked.auth.status == .signedIn(email: "u@x.de"))
#expect(mocked.auth.currentGuestId() == id)
}
@Test("clearGuestId aus .guest fällt auf .signedOut")
func clearGuestIdFromGuest() throws {
let mocked = makeMockedAuth()
_ = try mocked.auth.enterGuestMode()
mocked.auth.clearGuestId()
#expect(mocked.auth.status == .signedOut)
#expect(mocked.auth.currentGuestId() == nil)
}
@Test("clearGuestId aus .signedIn behält Status")
func clearGuestIdKeepsSignedIn() throws {
let mocked = makeMockedAuth()
_ = try mocked.auth.enterGuestMode()
try mocked.auth.persistSession(email: "u@x.de", accessToken: "a", refreshToken: "r")
mocked.auth.clearGuestId()
#expect(mocked.auth.status == .signedIn(email: "u@x.de"))
#expect(mocked.auth.currentGuestId() == nil)
}
// MARK: - bootstrap
@Test("bootstrap erkennt nur-Guest-Keychain als .guest")
func bootstrapDetectsGuest() throws {
let mocked = makeMockedAuth()
_ = try mocked.auth.enterGuestMode()
mocked.auth.bootstrap()
if case let .guest(id) = mocked.auth.status {
#expect(!id.isEmpty)
} else {
Issue.record("Expected .guest after bootstrap, got \(mocked.auth.status)")
}
}
@Test("bootstrap priorisiert Session über Guest")
func bootstrapPrioritisesSession() throws {
let mocked = makeMockedAuth()
_ = try mocked.auth.enterGuestMode()
try mocked.auth.persistSession(email: "u@x.de", accessToken: "a", refreshToken: "r")
mocked.auth.bootstrap()
#expect(mocked.auth.status == .signedIn(email: "u@x.de"))
}
// MARK: - signOut(keepGuestMode:)
@Test("signOut Default löscht alles inkl. Guest-ID")
func signOutDefaultClearsGuest() async throws {
let mocked = makeMockedAuth()
_ = try mocked.auth.enterGuestMode()
try mocked.auth.persistSession(email: "u@x.de", accessToken: "a", refreshToken: "r")
mocked.setHandler { _ in (200, Data()) }
await mocked.auth.signOut()
#expect(mocked.auth.status == .signedOut)
#expect(mocked.auth.currentGuestId() == nil)
}
@Test("signOut(keepGuestMode: true) behält existierende Guest-ID")
func signOutKeepsExistingGuest() async throws {
let mocked = makeMockedAuth()
let id = try mocked.auth.enterGuestMode()
try mocked.auth.persistSession(email: "u@x.de", accessToken: "a", refreshToken: "r")
mocked.setHandler { _ in (200, Data()) }
await mocked.auth.signOut(keepGuestMode: true)
#expect(mocked.auth.status == .guest(id: id))
#expect(mocked.auth.currentGuestId() == id)
}
@Test("signOut(keepGuestMode: true) erzeugt neue Guest-ID wenn keine existiert")
func signOutCreatesGuestWhenMissing() async throws {
let mocked = makeMockedAuth()
try mocked.auth.persistSession(email: "u@x.de", accessToken: "a", refreshToken: "r")
mocked.setHandler { _ in (200, Data()) }
await mocked.auth.signOut(keepGuestMode: true)
if case let .guest(id) = mocked.auth.status {
#expect(!id.isEmpty)
#expect(mocked.auth.currentGuestId() == id)
} else {
Issue.record("Expected .guest after signOut(keepGuestMode:), got \(mocked.auth.status)")
}
}
// MARK: - refreshAccessToken Resilience
@Test("refresh 503 wirft serviceUnavailable, behält Session")
func refreshKeepsSessionOn503() async throws {
let mocked = makeMockedAuth()
try mocked.auth.persistSession(email: "u@x.de", accessToken: "a", refreshToken: "r")
mocked.setHandler { _ in
(503, Data(#"{"error":"SERVICE_UNAVAILABLE","status":503}"#.utf8))
}
do {
_ = try await mocked.auth.refreshAccessToken()
Issue.record("Expected throw on 503")
} catch let err as AuthError {
#expect(err == .serviceUnavailable)
}
#expect(mocked.auth.status == .signedIn(email: "u@x.de"))
}
@Test("refresh 500 wirft serverInternal, behält Session")
func refreshKeepsSessionOn500() async throws {
let mocked = makeMockedAuth()
try mocked.auth.persistSession(email: "u@x.de", accessToken: "a", refreshToken: "r")
mocked.setHandler { _ in
(500, Data(#"{"error":"INTERNAL","status":500}"#.utf8))
}
do {
_ = try await mocked.auth.refreshAccessToken()
Issue.record("Expected throw on 500")
} catch let err as AuthError {
#expect(err == .serverInternal)
}
#expect(mocked.auth.status == .signedIn(email: "u@x.de"))
}
@Test("refresh 429 wirft rateLimited, behält Session")
func refreshKeepsSessionOnRateLimit() async throws {
let mocked = makeMockedAuth()
try mocked.auth.persistSession(email: "u@x.de", accessToken: "a", refreshToken: "r")
mocked.setHandler { _ in
(429, Data(#"{"error":"RATE_LIMITED","retryAfterSec":30,"status":429}"#.utf8))
}
do {
_ = try await mocked.auth.refreshAccessToken()
Issue.record("Expected throw on 429")
} catch let err as AuthError {
if case let .rateLimited(retryAfter) = err {
#expect(retryAfter == 30)
} else {
Issue.record("Expected .rateLimited, got \(err)")
}
}
#expect(mocked.auth.status == .signedIn(email: "u@x.de"))
}
@Test("refresh 401 invalidiert Session ohne Guest → .signedOut")
func refreshInvalidates401NoGuest() async throws {
let mocked = makeMockedAuth()
try mocked.auth.persistSession(email: "u@x.de", accessToken: "a", refreshToken: "r")
mocked.setHandler { _ in
(401, Data(#"{"error":"UNAUTHORIZED","status":401}"#.utf8))
}
do {
_ = try await mocked.auth.refreshAccessToken()
Issue.record("Expected throw on 401")
} catch let err as AuthError {
#expect(err.invalidatesSession)
}
#expect(mocked.auth.status == .signedOut)
}
@Test("refresh 401 mit Guest-ID fällt auf .guest zurück")
func refreshInvalidates401WithGuest() async throws {
let mocked = makeMockedAuth()
let id = try mocked.auth.enterGuestMode()
try mocked.auth.persistSession(email: "u@x.de", accessToken: "a", refreshToken: "r")
mocked.setHandler { _ in
(401, Data(#"{"error":"UNAUTHORIZED","status":401}"#.utf8))
}
_ = try? await mocked.auth.refreshAccessToken()
#expect(mocked.auth.status == .guest(id: id))
#expect(mocked.auth.currentGuestId() == id)
}
// MARK: - AuthError.invalidatesSession
@Test("invalidatesSession unterscheidet Session-Tot vs. transient")
func invalidatesSessionPartitioning() {
// Tot Session muss weg
#expect(AuthError.invalidCredentials.invalidatesSession)
#expect(AuthError.unauthorized.invalidatesSession)
#expect(AuthError.tokenExpired.invalidatesSession)
#expect(AuthError.tokenInvalid.invalidatesSession)
// Transient Session bleibt
#expect(!AuthError.serviceUnavailable.invalidatesSession)
#expect(!AuthError.serverInternal.invalidatesSession)
#expect(!AuthError.networkFailure("offline").invalidatesSession)
#expect(!AuthError.rateLimited(retryAfter: 30).invalidatesSession)
#expect(!AuthError.accountLocked(retryAfter: nil).invalidatesSession)
}
}

77
Tests/ManaCoreTests/AuthClientProfileTests.swift
View file

@ -1,77 +0,0 @@
import Foundation
import Testing
@testable import ManaCore
@Suite("AuthClient getProfile")
@MainActor
struct AuthClientProfileTests {
private func signedInAuth() async -> MockedAuth {
let mocked = makeMockedAuth()
let access = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSIsImV4cCI6MjAwMDAwMDAwMH0.sig"
mocked.setHandler { _ in
(200, Data(#"{"accessToken":"\#(access)","refreshToken":"session-tok"}"#.utf8))
}
await mocked.auth.signIn(email: "u@x.de", password: "pw")
return mocked
}
@Test("getProfile mit twoFactor on")
func profileTwoFactorOn() async throws {
let mocked = await signedInAuth()
let captured = MockURLProtocol.Capture()
mocked.setHandler { request in
captured.store(request)
return (200, Data(#"""
{"user":{"id":"u1","email":"u@x.de","name":"Test","emailVerified":true,"twoFactorEnabled":true},
"session":{"id":"s1"}}
"""#.utf8))
}
let profile = try await mocked.auth.getProfile()
#expect(profile.id == "u1")
#expect(profile.email == "u@x.de")
#expect(profile.name == "Test")
#expect(profile.emailVerified == true)
#expect(profile.twoFactorEnabled == true)
let request = try #require(captured.request)
#expect(request.httpMethod == "GET")
#expect(request.url?.path == "/api/v1/auth/profile")
// Bearer-Header trägt den Session-Token
#expect(request.value(forHTTPHeaderField: "Authorization") == "Bearer session-tok")
}
@Test("getProfile mit twoFactor off (Feld fehlt)")
func profileTwoFactorOff() async throws {
let mocked = await signedInAuth()
mocked.setHandler { _ in
(200, Data(#"""
{"user":{"id":"u1","email":"u@x.de","name":null,"emailVerified":true}}
"""#.utf8))
}
let profile = try await mocked.auth.getProfile()
#expect(profile.twoFactorEnabled == false)
#expect(profile.name == nil)
}
@Test("getProfile ohne Session → notSignedIn")
func profileNoSession() async {
let mocked = makeMockedAuth()
await #expect(throws: AuthError.notSignedIn) {
try await mocked.auth.getProfile()
}
}
@Test("getProfile mit abgelaufenem Token → unauthorized")
func profileUnauthorized() async {
let mocked = await signedInAuth()
mocked.setHandler { _ in
(401, Data(#"{"error":"UNAUTHORIZED","status":401}"#.utf8))
}
await #expect(throws: AuthError.unauthorized) {
try await mocked.auth.getProfile()
}
}
}

119
Tests/ManaCoreTests/AuthClientTwoFactorEnrollmentTests.swift
View file

@ -1,119 +0,0 @@
import Foundation
import Testing
@testable import ManaCore
@Suite("AuthClient 2FA-Enrollment")
@MainActor
struct AuthClientTwoFactorEnrollmentTests {
/// Bringt den AuthClient in den `.signedIn`-Status mit einem
/// Session-Token für authenticated Calls.
private func signedInAuth() async -> MockedAuth {
let mocked = makeMockedAuth()
let access = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSIsImV4cCI6MjAwMDAwMDAwMH0.sig"
mocked.setHandler { _ in
(200, Data(#"{"accessToken":"\#(access)","refreshToken":"session-tok"}"#.utf8))
}
await mocked.auth.signIn(email: "u@x.de", password: "pw")
return mocked
}
@Test("enrollTotp liefert URI + Backup-Codes")
func enrollSuccess() async throws {
let mocked = await signedInAuth()
let captured = MockURLProtocol.Capture()
mocked.setHandler { request in
captured.store(request)
return (200, Data(#"""
{"totpURI":"otpauth://totp/Mana:u@x.de?secret=ABC&issuer=Mana","backupCodes":["a-b-c","d-e-f","g-h-i"]}
"""#.utf8))
}
let enrollment = try await mocked.auth.enrollTotp(password: "pw")
#expect(enrollment.totpURI.hasPrefix("otpauth://totp/"))
#expect(enrollment.backupCodes == ["a-b-c", "d-e-f", "g-h-i"])
let request = try #require(captured.request)
#expect(request.url?.path == "/api/v1/auth/two-factor/enable")
// Bearer-Header trägt den Session-Token (nicht JWT)
#expect(request.value(forHTTPHeaderField: "Authorization") == "Bearer session-tok")
}
@Test("enrollTotp mit leerem Passwort → validation, kein Server-Call")
func enrollEmptyPassword() async {
let mocked = await signedInAuth()
mocked.setHandler { _ in
Issue.record("Server darf nicht aufgerufen werden")
return (500, Data())
}
await #expect(throws: AuthError.validation(message: "Passwort ist erforderlich")) {
try await mocked.auth.enrollTotp(password: "")
}
}
@Test("enrollTotp ohne Session → notSignedIn")
func enrollNoSession() async {
let mocked = makeMockedAuth()
await #expect(throws: AuthError.notSignedIn) {
try await mocked.auth.enrollTotp(password: "pw")
}
}
@Test("disableTotp success")
func disableSuccess() async throws {
let mocked = await signedInAuth()
let captured = MockURLProtocol.Capture()
mocked.setHandler { request in
captured.store(request)
return (200, Data(#"{"success":true}"#.utf8))
}
try await mocked.auth.disableTotp(password: "pw")
let request = try #require(captured.request)
#expect(request.url?.path == "/api/v1/auth/two-factor/disable")
}
@Test("disableTotp mit falschem Passwort → invalidCredentials")
func disableWrongPassword() async {
let mocked = await signedInAuth()
mocked.setHandler { _ in
(401, Data(#"{"error":"INVALID_CREDENTIALS","status":401}"#.utf8))
}
await #expect(throws: AuthError.invalidCredentials) {
try await mocked.auth.disableTotp(password: "wrong")
}
}
@Test("getTotpUri liefert URI ohne Backup-Codes")
func getUriSuccess() async throws {
let mocked = await signedInAuth()
mocked.setHandler { _ in
(200, Data(#"""
{"totpURI":"otpauth://totp/Mana:u@x.de?secret=XYZ&issuer=Mana"}
"""#.utf8))
}
let uri = try await mocked.auth.getTotpUri(password: "pw")
#expect(uri.hasPrefix("otpauth://totp/"))
#expect(uri.contains("secret=XYZ"))
}
@Test("regenerateBackupCodes liefert neue Codes")
func regenerateSuccess() async throws {
let mocked = await signedInAuth()
let captured = MockURLProtocol.Capture()
mocked.setHandler { request in
captured.store(request)
return (200, Data(#"""
{"backupCodes":["new-1","new-2","new-3","new-4","new-5"]}
"""#.utf8))
}
let codes = try await mocked.auth.regenerateBackupCodes(password: "pw")
#expect(codes.count == 5)
#expect(codes.first == "new-1")
let request = try #require(captured.request)
#expect(request.url?.path == "/api/v1/auth/two-factor/generate-backup-codes")
}
}

127
Tests/ManaCoreTests/AuthClientTwoFactorTests.swift
View file

@ -1,127 +0,0 @@
import Foundation
import Testing
@testable import ManaCore
@Suite("AuthClient 2FA-Login-Challenge")
@MainActor
struct AuthClientTwoFactorTests {
@Test("signIn mit 2FA-Account → .twoFactorRequired statt .signedIn")
func signInRedirectsToTwoFactor() async {
let mocked = makeMockedAuth()
mocked.setHandler { _ in
(200, Data(#"""
{"twoFactorRequired":true,"twoFactorMethods":["totp"],"twoFactorToken":"tf-abc123"}
"""#.utf8))
}
await mocked.auth.signIn(email: "u@x.de", password: "pw")
if case let .twoFactorRequired(token, methods, email) = mocked.auth.status {
#expect(token == "tf-abc123")
#expect(methods == ["totp"])
#expect(email == "u@x.de")
} else {
Issue.record("Expected .twoFactorRequired, got \(mocked.auth.status)")
}
}
@Test("verifyTotp erfolgreich → .signedIn")
func verifyTotpSuccess() async throws {
let mocked = makeMockedAuth()
// Schritt 1: signIn liefert 2FA-Challenge.
mocked.setHandler { _ in
(200, Data(#"""
{"twoFactorRequired":true,"twoFactorMethods":["totp"],"twoFactorToken":"tf-xyz"}
"""#.utf8))
}
await mocked.auth.signIn(email: "u@x.de", password: "pw")
// Schritt 2: verifyTotp liefert Tokens.
let access = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSIsImV4cCI6MjAwMDAwMDAwMH0.sig"
let captured = MockURLProtocol.Capture()
mocked.setHandler { request in
captured.store(request)
return (200, Data(#"""
{"success":true,"accessToken":"\#(access)","refreshToken":"r1"}
"""#.utf8))
}
try await mocked.auth.verifyTotp(code: "123456")
#expect(mocked.auth.status == .signedIn(email: "u@x.de"))
let request = try #require(captured.request)
#expect(request.url?.path == "/api/v1/auth/two-factor/verify-totp")
// Body trägt code + twoFactorToken aus dem Challenge-Status
let body = request.httpBody ?? request.bodyStreamData() ?? Data()
let json = try JSONSerialization.jsonObject(with: body) as? [String: Any] ?? [:]
#expect(json["code"] as? String == "123456")
#expect(json["twoFactorToken"] as? String == "tf-xyz")
}
@Test("verifyTotp ohne aktiven 2FA-Challenge wirft validation")
func verifyTotpRequiresChallenge() async {
let mocked = makeMockedAuth()
// Status ist initial .unknown kein 2FA-Challenge.
do {
try await mocked.auth.verifyTotp(code: "123456")
Issue.record("Expected throw")
} catch let AuthError.validation(message) {
#expect(message?.contains("2FA-Challenge") == true)
} catch {
Issue.record("Unexpected error: \(error)")
}
}
@Test("verifyTotp mit falschem Code → twoFactorFailed, bleibt im Challenge")
func verifyTotpWrongCode() async {
let mocked = makeMockedAuth()
mocked.setHandler { _ in
(200, Data(#"""
{"twoFactorRequired":true,"twoFactorMethods":["totp"],"twoFactorToken":"tf-xyz"}
"""#.utf8))
}
await mocked.auth.signIn(email: "u@x.de", password: "pw")
mocked.setHandler { _ in
(401, Data(#"{"error":"TWO_FACTOR_FAILED","status":401}"#.utf8))
}
do {
try await mocked.auth.verifyTotp(code: "000000")
Issue.record("Expected throw")
} catch AuthError.twoFactorFailed {
// Status bleibt im Challenge User kann erneut versuchen
if case .twoFactorRequired = mocked.auth.status {
#expect(Bool(true))
} else {
Issue.record("Status should remain .twoFactorRequired, got \(mocked.auth.status)")
}
} catch {
Issue.record("Unexpected error: \(error)")
}
}
@Test("verifyBackupCode erfolgreich → .signedIn")
func verifyBackupCodeSuccess() async throws {
let mocked = makeMockedAuth()
mocked.setHandler { _ in
(200, Data(#"""
{"twoFactorRequired":true,"twoFactorMethods":["totp"],"twoFactorToken":"tf-xyz"}
"""#.utf8))
}
await mocked.auth.signIn(email: "u@x.de", password: "pw")
let access = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSIsImV4cCI6MjAwMDAwMDAwMH0.sig"
let captured = MockURLProtocol.Capture()
mocked.setHandler { request in
captured.store(request)
return (200, Data(#"""
{"success":true,"accessToken":"\#(access)","refreshToken":"r1"}
"""#.utf8))
}
try await mocked.auth.verifyBackupCode(code: "abc-def-ghi")
#expect(mocked.auth.status == .signedIn(email: "u@x.de"))
let request = try #require(captured.request)
#expect(request.url?.path == "/api/v1/auth/two-factor/verify-backup-code")
}
}

127
Tests/ManaCoreTests/MockURLProtocol.swift
View file

@ -1,127 +0,0 @@
import Foundation
@testable import ManaCore
/// URLProtocol-Mock mit Pro-Test-Routing: jede Test-AuthClient-
/// Instanz kriegt eine eigene Test-ID als HTTP-Header, der Mock
/// routet nach ID zum richtigen Handler. Das löst die Cross-Suite-
/// Pollution (mehrere `.serialized`-Suites laufen untereinander
/// parallel, der globale Handler-Slot wäre sonst ein Race).
///
/// Identisches Pattern wie in mana-swift-ui wenn weitere Test-
/// Helper hier hinzukommen, beide Pakete parallel halten.
final class MockURLProtocol: URLProtocol, @unchecked Sendable {
typealias Handler = @Sendable (URLRequest) -> Any
nonisolated(unsafe) static var handlersStorage: [String: Handler] = [:]
static let handlersLock = NSLock()
static func register(testID: String, handler: @escaping Handler) {
handlersLock.lock(); defer { handlersLock.unlock() }
handlersStorage[testID] = handler
}
static func unregister(testID: String) {
handlersLock.lock(); defer { handlersLock.unlock() }
handlersStorage.removeValue(forKey: testID)
}
private static func lookup(testID: String) -> Handler? {
handlersLock.lock(); defer { handlersLock.unlock() }
return handlersStorage[testID]
}
final class Capture: @unchecked Sendable {
private let lock = NSLock()
private var stored: URLRequest?
func store(_ r: URLRequest) {
lock.lock(); defer { lock.unlock() }
stored = r
}
var request: URLRequest? {
lock.lock(); defer { lock.unlock() }
return stored
}
}
override class func canInit(with request: URLRequest) -> Bool { true }
override class func canonicalRequest(for request: URLRequest) -> URLRequest { request }
override func stopLoading() {}
override func startLoading() {
let testID = request.value(forHTTPHeaderField: "X-Test-ID") ?? ""
guard let handler = MockURLProtocol.lookup(testID: testID) else {
client?.urlProtocol(self, didFailWithError: URLError(.unknown))
return
}
let result = handler(request)
let status: Int
let body: Data
let headers: [String: String]
if let tuple = result as? (Int, Data, [String: String]) {
status = tuple.0; body = tuple.1; headers = tuple.2
} else if let tuple = result as? (Int, Data) {
status = tuple.0; body = tuple.1; headers = [:]
} else {
client?.urlProtocol(self, didFailWithError: URLError(.unknown))
return
}
let response = HTTPURLResponse(
url: request.url!,
statusCode: status,
httpVersion: "HTTP/1.1",
headerFields: headers
)!
client?.urlProtocol(self, didReceive: response, cacheStoragePolicy: .notAllowed)
client?.urlProtocol(self, didLoad: body)
client?.urlProtocolDidFinishLoading(self)
}
}
/// Bündelt einen `AuthClient` mit seiner Test-ID.
@MainActor
struct MockedAuth {
let auth: AuthClient
let testID: String
func setHandler(_ handler: @escaping MockURLProtocol.Handler) {
MockURLProtocol.register(testID: testID, handler: handler)
}
}
@MainActor
func makeMockedAuth() -> MockedAuth {
let testID = UUID().uuidString
let configuration = URLSessionConfiguration.ephemeral
configuration.protocolClasses = [MockURLProtocol.self]
configuration.httpAdditionalHeaders = ["X-Test-ID": testID]
let session = URLSession(configuration: configuration)
let config = DefaultManaAppConfig(
authBaseURL: URL(string: "https://auth.test")!,
keychainService: "ev.mana.test.\(testID)",
keychainAccessGroup: nil
)
return MockedAuth(auth: AuthClient(config: config, session: session), testID: testID)
}
extension URLRequest {
/// Liest httpBodyStream in einen Data. URLSession ephemeral-Session
/// nutzt manchmal Streams statt httpBody.
func bodyStreamData() -> Data? {
guard let stream = httpBodyStream else { return nil }
stream.open(); defer { stream.close() }
var data = Data()
let bufferSize = 1024
let buffer = UnsafeMutablePointer<UInt8>.allocate(capacity: bufferSize)
defer { buffer.deallocate() }
while stream.hasBytesAvailable {
let read = stream.read(buffer, maxLength: bufferSize)
if read <= 0 { break }
data.append(buffer, count: read)
}
return data
}
}