import Foundation import Testing @testable import ManaCore @Suite("AuthClient+Account", .serialized) @MainActor struct AuthClientAccountTests { // MARK: - Fixtures private static func makeClient() -> (AuthClient, URLSession) { let configuration = URLSessionConfiguration.ephemeral configuration.protocolClasses = [MockURLProtocol.self] let session = URLSession(configuration: configuration) let config = DefaultManaAppConfig( authBaseURL: URL(string: "https://auth.test")!, keychainService: "ev.mana.test.\(UUID().uuidString)", keychainAccessGroup: nil ) return (AuthClient(config: config, session: session), session) } private func recordedBody(_ request: URLRequest) -> [String: Any] { // URLSession verschiebt den Body in den BodyStream wenn er nicht // klein-genug ist — ephemeral-Session lässt ihn als httpBody. guard let body = request.httpBody ?? request.bodyStreamData(), let json = try? JSONSerialization.jsonObject(with: body) as? [String: Any] else { return [:] } return json } // MARK: - register @Test("register schickt POST /api/v1/auth/register mit JSON-Body") func registerSendsCorrectRequest() async throws { let (client, _) = Self.makeClient() MockURLProtocol.handler = { request in #expect(request.httpMethod == "POST") #expect(request.url?.path == "/api/v1/auth/register") #expect(request.value(forHTTPHeaderField: "Content-Type") == "application/json") return (200, Data(#"{"user":{"id":"u1","email":"new@x.de"}}"#.utf8)) } try await client.register( email: "new@x.de", password: "Aa-123456789", name: "Neu", sourceAppUrl: URL(string: "https://cardecky.mana.how/auth/verify") ) // Mit requireEmailVerification:true gibt es noch keine Session. if case .signedIn = client.status { Issue.record("Expected not-signed-in after register without tokens") } } @Test("register mit Token-Antwort führt direkt zu signedIn") func registerWithTokensSignsIn() async throws { let (client, _) = Self.makeClient() // gültiger HS256-Header.payload (exp 2_000_000_000).sig — JWT.expiry() // läuft danach nicht in den Refresh-Pfad. let access = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSIsImV4cCI6MjAwMDAwMDAwMH0.sig" let refresh = "refresh-token-value" MockURLProtocol.handler = { _ in (200, Data(#""" {"user":{"id":"u1","email":"new@x.de"},"accessToken":"\#(access)","refreshToken":"\#(refresh)"} """#.utf8)) } try await client.register(email: "new@x.de", password: "Aa-123456789") #expect(client.status == .signedIn(email: "new@x.de")) } @Test("register mit existierender Email wirft emailAlreadyRegistered") func registerEmailAlreadyRegistered() async { let (client, _) = Self.makeClient() MockURLProtocol.handler = { _ in (409, Data(#"{"error":"EMAIL_ALREADY_REGISTERED","status":409}"#.utf8)) } await #expect(throws: AuthError.emailAlreadyRegistered) { try await client.register(email: "old@x.de", password: "Aa-123456789") } } @Test("register mit leerer Email wirft validation ohne Server-Call") func registerValidatesEmptyEmail() async { let (client, _) = Self.makeClient() MockURLProtocol.handler = { _ in Issue.record("Server darf nicht aufgerufen werden") return (500, Data()) } await #expect(throws: (any Error).self) { try await client.register(email: " ", password: "Aa-123456789") } } // MARK: - forgotPassword @Test("forgotPassword schickt email + redirectTo") func forgotPasswordPayload() async throws { let (client, _) = Self.makeClient() let capturedURL = MockURLProtocol.Capture() MockURLProtocol.handler = { request in capturedURL.store(request) return (200, Data(#"{"success":true}"#.utf8)) } try await client.forgotPassword( email: "user@x.de", resetUniversalLink: URL(string: "https://cardecky.mana.how/auth/reset")! ) let captured = try #require(capturedURL.request) let json = recordedBody(captured) #expect(json["email"] as? String == "user@x.de") #expect(json["redirectTo"] as? String == "https://cardecky.mana.how/auth/reset") #expect(captured.url?.path == "/api/v1/auth/forgot-password") } // MARK: - resetPassword @Test("resetPassword schickt token + newPassword") func resetPasswordPayload() async throws { let (client, _) = Self.makeClient() let captured = MockURLProtocol.Capture() MockURLProtocol.handler = { request in captured.store(request) return (200, Data(#"{"success":true}"#.utf8)) } try await client.resetPassword(token: "tok123", newPassword: "Neu-987654321") let request = try #require(captured.request) let json = recordedBody(request) #expect(json["token"] as? String == "tok123") #expect(json["newPassword"] as? String == "Neu-987654321") #expect(request.url?.path == "/api/v1/auth/reset-password") } @Test("resetPassword mit abgelaufenem Token wirft tokenExpired") func resetPasswordTokenExpired() async { let (client, _) = Self.makeClient() MockURLProtocol.handler = { _ in (400, Data(#"{"error":"TOKEN_EXPIRED","status":400}"#.utf8)) } await #expect(throws: AuthError.tokenExpired) { try await client.resetPassword(token: "old", newPassword: "Neu-987654321") } } // MARK: - resendVerification @Test("resendVerification schickt email + sourceAppUrl") func resendVerificationPayload() async throws { let (client, _) = Self.makeClient() let captured = MockURLProtocol.Capture() MockURLProtocol.handler = { request in captured.store(request) return (200, Data(#"{"success":true}"#.utf8)) } try await client.resendVerification( email: "user@x.de", sourceAppUrl: URL(string: "https://cardecky.mana.how/auth/verify") ) let request = try #require(captured.request) let json = recordedBody(request) #expect(json["email"] as? String == "user@x.de") #expect(json["sourceAppUrl"] as? String == "https://cardecky.mana.how/auth/verify") } @Test("resendVerification mit Rate-Limit liefert retryAfter") func resendVerificationRateLimited() async { let (client, _) = Self.makeClient() MockURLProtocol.handler = { _ in ( 429, Data(#"{"error":"RATE_LIMITED","retryAfterSec":42,"status":429}"#.utf8), ["Retry-After": "42"] ) } do { try await client.resendVerification(email: "user@x.de") Issue.record("Expected throw") } catch let AuthError.rateLimited(retryAfter) { #expect(retryAfter == 42) } catch { Issue.record("Unexpected error: \(error)") } } // MARK: - Authenticated calls (require signed-in state) @Test("changeEmail ohne Login wirft notSignedIn") func changeEmailRequiresSession() async { let (client, _) = Self.makeClient() await #expect(throws: AuthError.notSignedIn) { try await client.changeEmail(newEmail: "neu@x.de") } } @Test("changePassword schickt Bearer-Header wenn eingeloggt") func changePasswordSendsBearer() async throws { let (client, _) = Self.makeClient() // Mock-Token im Keychain ablegen via persistSession-Helper. let access = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSIsImV4cCI6MjAwMDAwMDAwMH0.sig" try client.persistSession(email: "u@x.de", accessToken: access, refreshToken: "r") let captured = MockURLProtocol.Capture() MockURLProtocol.handler = { request in captured.store(request) return (200, Data(#"{"success":true}"#.utf8)) } try await client.changePassword(currentPassword: "alt", newPassword: "neu") let request = try #require(captured.request) #expect(request.value(forHTTPHeaderField: "Authorization") == "Bearer \(access)") #expect(request.url?.path == "/api/v1/auth/change-password") } @Test("deleteAccount wiped Session bei Erfolg") func deleteAccountClearsSession() async throws { let (client, _) = Self.makeClient() let access = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSIsImV4cCI6MjAwMDAwMDAwMH0.sig" try client.persistSession(email: "u@x.de", accessToken: access, refreshToken: "r") #expect(client.status == .signedIn(email: "u@x.de")) MockURLProtocol.handler = { request in #expect(request.httpMethod == "DELETE") return (200, Data(#"{"success":true}"#.utf8)) } try await client.deleteAccount(password: "pw") #expect(client.status == .signedOut) } } // MARK: - URLProtocol Mock final class MockURLProtocol: URLProtocol, @unchecked Sendable { /// Antwort-Tuple: (status, body) oder (status, body, headers). typealias Response = (status: Int, body: Data, headers: [String: String]) typealias Handler = @Sendable (URLRequest) -> Any // (Int, Data) | (Int, Data, [String:String]) nonisolated(unsafe) static var handler: Handler? /// Thread-safer Capture-Container — Tests können den Request darin /// festhalten und nach dem await aus dem Test-Body lesen. final class Capture: @unchecked Sendable { private let lock = NSLock() private var stored: URLRequest? func store(_ r: URLRequest) { lock.lock(); defer { lock.unlock() } stored = r } var request: URLRequest? { lock.lock(); defer { lock.unlock() } return stored } } override class func canInit(with request: URLRequest) -> Bool { true } override class func canonicalRequest(for request: URLRequest) -> URLRequest { request } override func stopLoading() {} override func startLoading() { guard let handler = MockURLProtocol.handler else { client?.urlProtocol( self, didFailWithError: URLError(.unknown) ) return } let result = handler(request) let status: Int let body: Data let headers: [String: String] if let tuple = result as? (Int, Data, [String: String]) { status = tuple.0; body = tuple.1; headers = tuple.2 } else if let tuple = result as? (Int, Data) { status = tuple.0; body = tuple.1; headers = [:] } else { client?.urlProtocol(self, didFailWithError: URLError(.unknown)) return } let response = HTTPURLResponse( url: request.url!, statusCode: status, httpVersion: "HTTP/1.1", headerFields: headers )! client?.urlProtocol(self, didReceive: response, cacheStoragePolicy: .notAllowed) client?.urlProtocol(self, didLoad: body) client?.urlProtocolDidFinishLoading(self) } } extension URLRequest { /// Liest httpBodyStream in einen Data. URLSession ephemeral-Session /// nutzt manchmal Streams statt httpBody. func bodyStreamData() -> Data? { guard let stream = httpBodyStream else { return nil } stream.open(); defer { stream.close() } var data = Data() let bufferSize = 1024 let buffer = UnsafeMutablePointer.allocate(capacity: bufferSize) defer { buffer.deallocate() } while stream.hasBytesAvailable { let read = stream.read(buffer, maxLength: bufferSize) if read <= 0 { break } data.append(buffer, count: read) } return data } }