From 395cc299f34fd0c28edf866ce11c82e09ca2b791 Mon Sep 17 00:00:00 2001
From: Kharec
Date: Thu, 8 Jan 2026 06:17:21 +0100
Subject: [PATCH] test: validate rotated refresh token and old-token failure
---
 internal/integration/services_integration_test.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/internal/integration/services_integration_test.go b/internal/integration/services_integration_test.go
index 9971ac4..44d8d7a 100644
--- a/internal/integration/services_integration_test.go
+++ b/internal/integration/services_integration_test.go
@@ -610,6 +610,14 @@ func TestIntegration_Services(t *testing.T) {
 t.Error("New access token should be different from original")
 }
 
+ if newAccessToken.RefreshToken == "" {
+ t.Fatal("Refresh should return a new refresh token")
+ }
+
+ if newAccessToken.RefreshToken == loginResult.RefreshToken {
+ t.Error("Refresh token should rotate")
+ }
+
 userID, err := authService.VerifyToken(newAccessToken.AccessToken)
 if err != nil {
 t.Fatalf("New access token should be valid: %v", err)
@@ -618,6 +626,11 @@ func TestIntegration_Services(t *testing.T) {
 if userID != user.ID {
 t.Errorf("Expected user ID %d, got %d", user.ID, userID)
 }
+
+ _, err = authService.RefreshAccessToken(loginResult.RefreshToken)
+ if err == nil {
+ t.Error("Expected error for rotated refresh token")
+ }
 })
 
 t.Run("Refresh_Token_Expiration", func(t *testing.T) {
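Review bot: The two added checks on `newAccessToken.RefreshToken` only establish that the returned string is non-empty and differs from `loginResult.RefreshToken`; nothing shows that the service will actually accept it. An implementation that hands back a fresh value without persisting it would pass this test while leaving the session unrefreshable. Consider exercising the rotated token once in this subtest, for example `if _, err := authService.RefreshAccessToken(newAccessToken.RefreshToken); err != nil { t.Errorf("Rotated refresh token should be usable: %v", err) }`. Where that call goes relative to the old-token replay depends on whether replay is meant to revoke the successor, and the enclosing subtest begins above this hunk.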
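Review bot: The replay check `if err == nil` is satisfied by any failure, so a storage or lookup error unrelated to rotation would also make it pass. If the auth package exposes a sentinel or typed error for a revoked or unknown refresh token (not visible in this hunk), assert it with `errors.Is(err, <sentinel>)` instead of a bare nil check. The test also leaves the reuse-detection policy unpinned: after the old token is replayed, either assert that `newAccessToken.RefreshToken` is now rejected (token-family revocation) or that it still works, whichever the service intends.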