feat: add auth service with user, session, and API key management

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tests/services/auth.service.test.ts

@@ -0,0 +1,171 @@
+import { beforeEach, describe, expect, it } from "bun:test";
+import {
+	changePassword,
+	createApiKey,
+	createSession,
+	createUser,
+	deleteApiKey,
+	deleteSession,
+	getSession,
+	getUserCount,
+	listApiKeys,
+	verifyApiKey,
+	verifyPassword,
+} from "../../src/server/services/auth.service.ts";
+import { createTestDb } from "../helpers/db.ts";
+
+describe("Auth Service", () => {
+	let db: ReturnType<typeof createTestDb>;
+
+	beforeEach(() => {
+		db = createTestDb();
+	});
+
+	describe("User Management", () => {
+		it("creates a user with hashed password (hash !== plaintext)", async () => {
+			const user = await createUser(db, "admin", "secret123");
+
+			expect(user).toBeDefined();
+			expect(user.id).toBeGreaterThan(0);
+			expect(user.username).toBe("admin");
+			expect(user.passwordHash).not.toBe("secret123");
+			expect(user.passwordHash.length).toBeGreaterThan(0);
+		});
+
+		it("verifies correct password returns user", async () => {
+			await createUser(db, "admin", "secret123");
+			const user = await verifyPassword(db, "admin", "secret123");
+
+			expect(user).not.toBeNull();
+			expect(user!.username).toBe("admin");
+		});
+
+		it("rejects incorrect password returns null", async () => {
+			await createUser(db, "admin", "secret123");
+			const user = await verifyPassword(db, "admin", "wrongpassword");
+
+			expect(user).toBeNull();
+		});
+
+		it("getUserCount returns 0 then 1", async () => {
+			const countBefore = getUserCount(db);
+			expect(countBefore).toBe(0);
+
+			await createUser(db, "admin", "secret123");
+
+			const countAfter = getUserCount(db);
+			expect(countAfter).toBe(1);
+		});
+
+		it("changes password successfully", async () => {
+			await createUser(db, "admin", "oldpass");
+			const changed = await changePassword(db, "admin", "oldpass", "newpass");
+			expect(changed).toBe(true);
+
+			// Verify new password works
+			const user = await verifyPassword(db, "admin", "newpass");
+			expect(user).not.toBeNull();
+
+			// Verify old password no longer works
+			const oldAttempt = await verifyPassword(db, "admin", "oldpass");
+			expect(oldAttempt).toBeNull();
+		});
+
+		it("rejects password change with wrong current password", async () => {
+			await createUser(db, "admin", "secret123");
+			const changed = await changePassword(
+				db,
+				"admin",
+				"wrongcurrent",
+				"newpass",
+			);
+			expect(changed).toBe(false);
+		});
+	});
+
+	describe("Session Management", () => {
+		it("creates and retrieves a session (id length is 64 hex chars)", async () => {
+			const user = await createUser(db, "admin", "secret123");
+			const session = createSession(db, user.id);
+
+			expect(session).toBeDefined();
+			expect(session.id).toHaveLength(64);
+			expect(session.userId).toBe(user.id);
+			expect(session.expiresAt).toBeInstanceOf(Date);
+
+			const retrieved = getSession(db, session.id);
+			expect(retrieved).not.toBeNull();
+			expect(retrieved!.id).toBe(session.id);
+		});
+
+		it("returns null for expired session (expiryDays = -1)", async () => {
+			const user = await createUser(db, "admin", "secret123");
+			const session = createSession(db, user.id, -1);
+
+			const retrieved = getSession(db, session.id);
+			expect(retrieved).toBeNull();
+		});
+
+		it("deletes a session", async () => {
+			const user = await createUser(db, "admin", "secret123");
+			const session = createSession(db, user.id);
+
+			deleteSession(db, session.id);
+
+			const retrieved = getSession(db, session.id);
+			expect(retrieved).toBeNull();
+		});
+	});
+
+	describe("API Key Management", () => {
+		it("creates key and returns raw key once (length > 16, prefix matches first 8 chars)", async () => {
+			const result = await createApiKey(db, "test-key");
+
+			expect(result).toBeDefined();
+			expect(result.rawKey).toBeDefined();
+			expect(result.rawKey.length).toBeGreaterThan(16);
+			expect(result.keyPrefix).toBe(result.rawKey.slice(0, 8));
+			expect(result.name).toBe("test-key");
+		});
+
+		it("verifies valid key returns true", async () => {
+			const result = await createApiKey(db, "test-key");
+			const isValid = await verifyApiKey(db, result.rawKey);
+
+			expect(isValid).toBe(true);
+		});
+
+		it("rejects invalid key returns false", async () => {
+			await createApiKey(db, "test-key");
+			const isValid = await verifyApiKey(db, "invalidkey12345678");
+
+			expect(isValid).toBe(false);
+		});
+
+		it("deletes key so it is no longer valid", async () => {
+			const result = await createApiKey(db, "test-key");
+			deleteApiKey(db, result.id);
+
+			const isValid = await verifyApiKey(db, result.rawKey);
+			expect(isValid).toBe(false);
+		});
+
+		it("listApiKeys returns keys without hashes", async () => {
+			await createApiKey(db, "key-one");
+			await createApiKey(db, "key-two");
+
+			const keys = listApiKeys(db);
+			expect(keys).toHaveLength(2);
+			expect(keys[0].name).toBe("key-one");
+			expect(keys[1].name).toBe("key-two");
+			// Ensure no hash is exposed
+			for (const key of keys) {
+				expect(key).toHaveProperty("id");
+				expect(key).toHaveProperty("name");
+				expect(key).toHaveProperty("keyPrefix");
+				expect(key).toHaveProperty("createdAt");
+				expect(key).not.toHaveProperty("keyHash");
+			}
+		});
+	});
+});