test: validate rotated refresh token and old-token failure

test: enforce refresh token rotation and old-token rejection
2026-01-08 06:17:21 +01:00 · 2026-01-08 06:17:15 +01:00
2 changed files with 26 additions and 9 deletions
--- a/internal/integration/complete_api_endpoints_integration_test.go
+++ b/internal/integration/complete_api_endpoints_integration_test.go
@@ -589,18 +589,22 @@ func TestIntegration_CompleteAPIEndpoints(t *testing.T) {

 			response := assertJSONResponse(t, request, http.StatusOK)
 			if data, ok := getDataFromResponse(response); ok {
-				if newAccessToken, ok := data["access_token"].(string); ok {
-					if newAccessToken == "" {
-						t.Error("Expected new access token in refresh response")
-					}
+				newAccessToken, _ := data["access_token"].(string)
+				if newAccessToken == "" {
+					t.Error("Expected new access token in refresh response")
+				}

-					if newRefreshToken, ok := data["refresh_token"].(string); ok {
-						if newRefreshToken != "" && newRefreshToken == originalRefreshToken {
-							t.Log("Refresh token rotation may not be implemented (same token returned)")
-						}
-					}
+				newRefreshToken, _ := data["refresh_token"].(string)
+				if newRefreshToken == "" {
+					t.Error("Expected new refresh token in refresh response")
+				}
+				if newRefreshToken == originalRefreshToken {
+					t.Error("Expected refresh token to rotate")
 				}
 			}
+
+			request = makePostRequestWithJSON(t, ctx.Router, "/api/auth/refresh", map[string]any{"refresh_token": originalRefreshToken})
+			assertErrorResponse(t, request, http.StatusUnauthorized)
 		})

 		t.Run("Refresh_After_Account_Lock", func(t *testing.T) {
--- a/internal/integration/services_integration_test.go
+++ b/internal/integration/services_integration_test.go
@@ -610,6 +610,14 @@ func TestIntegration_Services(t *testing.T) {
 			t.Error("New access token should be different from original")
 		}

+		if newAccessToken.RefreshToken == "" {
+			t.Fatal("Refresh should return a new refresh token")
+		}
+
+		if newAccessToken.RefreshToken == loginResult.RefreshToken {
+			t.Error("Refresh token should rotate")
+		}
+
 		userID, err := authService.VerifyToken(newAccessToken.AccessToken)
 		if err != nil {
 			t.Fatalf("New access token should be valid: %v", err)
@@ -618,6 +626,11 @@ func TestIntegration_Services(t *testing.T) {
 		if userID != user.ID {
 			t.Errorf("Expected user ID %d, got %d", user.ID, userID)
 		}
+
+		_, err = authService.RefreshAccessToken(loginResult.RefreshToken)
+		if err == nil {
+			t.Error("Expected error for rotated refresh token")
+		}
 	})

 	t.Run("Refresh_Token_Expiration", func(t *testing.T) {
Author	SHA1	Message	Date
Kharec	395cc299f3	test: validate rotated refresh token and old-token failure	2026-01-08 06:17:21 +01:00
Kharec	058c69b414	test: enforce refresh token rotation and old-token rejection	2026-01-08 06:17:15 +01:00