[Modernized my test suite for AuthJwtIntegrationTest.java] to account for the significant architectural refactors that have happened since. Existing tests were mostly fine, needed to update the setup a bit, but changes here mainly involved added tests that should now be there (to reflect Spring Security chain filters, JWT auth filter, and so on).

Author: timan-z

springqpro-backend/src/test/java/com/springqprobackend/springqpro/integration/AuthJwtIntegrationTest.java

@@ -2,6 +2,7 @@
 
 import com.redis.testcontainers.RedisContainer;
 import com.springqprobackend.springqpro.security.dto.AuthResponse;
+import com.springqprobackend.springqpro.testcontainers.IntegrationTestBase;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.io.Decoders;
 import io.jsonwebtoken.security.Keys;
@@ -23,6 +24,7 @@
 import org.testcontainers.containers.PostgreSQLContainer;
 import org.testcontainers.junit.jupiter.Container;
 import org.testcontainers.junit.jupiter.Testcontainers;
+import org.testcontainers.shaded.org.awaitility.Awaitility;
 import org.testcontainers.utility.DockerImageName;
 
 import javax.crypto.SecretKey;
@@ -33,6 +35,24 @@
 
 // THIS IS INTEGRATION TEST FOR THE JWT ASPECT [1] -- for main stuff.
 
+/* 2026-01-14-NOTE:+DEBUG:
+Comments below are complete gibberish and I have no idea what i was going on about.
+These "AuthJwtIntegrationTests" are more "Security contract tests" than anything specific (name could be changed to something else
+like AuthJwtRedisIntegrationTests or just AuthIntegrationTests, maybe I should do that?).
+- Basically test security around /graphql, /auth, and /api (boundary behavior, anonymous vs authenticated).
+
+New tests that were added on this day as part of modernizing this test suite to be up-to-date:
+- GraphQL access w/o Authorization header
+- REST access w/o Authorization header
+- Malformed JWT rejection (invalid JWT)
+- Missing refresh token validation
+- Expired JWT rejection even when it exists in Redis
+- Refresh token rotation under concurrent reuse (race-condition safety)
+- Refresh-status correctness
+- User/token binding validation
+^ these all go from ~test 6 onwards.
+*/
+
 // 2025-11-26-NOTE: Remember, efficient setup of my Integration Tests are not high priority while I rush to project MVP completion. I can return to this later!
 /* 2025-11-26-NOTE(S):
 - @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) to load the FULL Spring context like it's a real server.
@@ -44,39 +64,16 @@ the dummy HTTP client for testing (use it to hit the HTTP endpoints, send header
 This basically allows you to control the order of tests which is useful when your tests build upon the same DB. (This can
 be a nice alternative to what I was doing prior, which was flushing the DataBase between tests; this is probably better).
 */
-@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
 @AutoConfigureWebTestClient
 @TestMethodOrder(MethodOrderer.OrderAnnotation.class)
-@Testcontainers
-@ActiveProfiles("test")
-public class AuthJwtIntegrationTest {
+public class AuthJwtIntegrationTest extends IntegrationTestBase {
     @Autowired
     private WebTestClient webTestClient;
     @Autowired
     private StringRedisTemplate redis;
     @Value("${jwt.secret}")
     private String jwtSecret;   // will be used for test that forges an expired JWT.
 
-    /* 2025-11-26-NOTE:[BELOW] I AM RUSHING TO MVP COMPLETION, I HAVE GONE SEVERELY OVERTIME WITH THIS PROJECT AND I WANT TO
-    WRAP IT UP AS SOON AS POSSIBLE READY FOR PRODUCTION AND DISPLAY FOR RECRUITERS AND READY FOR MY RESUME! THUS, MY
-    INTEGRATION TESTS ARE A HOT MESS. I WILL COME BACK IN THE NEAR-FUTURE TO REFACTOR AND TIDY THEM. THE TWO CONTAINERS
-    BELOW SHOULD 100% BE MODULARIZED SOMEWHERE -- BUT I AM ON A TIME CRUNCH AND I CAN'T BE ASKED (RIGHT NOW): */
-    // DEBUG: BELOW! TEMPORARY - FIX PROPERLY LATER!
-    @ServiceConnection
-    protected static final PostgreSQLContainer<?> POSTGRES =
-            new PostgreSQLContainer<>("postgres:18")
-                    .withDatabaseName("springqpro")
-                    .withUsername("springqpro")
-                    .withPassword("springqpro")
-                    .withReuse(true);
-    @Container
-    @ServiceConnection
-    static final RedisContainer REDIS = new RedisContainer(DockerImageName.parse("redis:7.2"));
-    // DEBUG: ABOVE! TEMPORARY - FIX PROPERLY LATER!
-    /* 2025-11-26-NOTE: AS NOTED IN A COMMENT ABOVE THE CLASS, MY TEST STARTS THE FULL SPRING CONTEXT. BUT DON'T FORGET
-    THAT I NEED TO SPIN UP THE REDIS AND POSTGRES CONTAINERS MYSELF!
-    NOTE: ALSO, THE @Testcontainers annotation at the top is needed too for this stuff. */
-
     // HELPER METHODS (pretty self-explanatory):
     // [1] - Register Attempt:
     private void register(String email, String password) {
@@ -269,6 +266,173 @@ void expiredJwtToken_shouldBeRejected_ForGraphQL() {
                 .contentType(MediaType.APPLICATION_JSON)
                 .bodyValue(Map.of("query", query))
                 .exchange()
-                .expectStatus().isForbidden();
+                .expectStatus().is4xxClientError();
+    }
+
+    @Test
+    @Order(6)
+    void graphqlAccess_shouldFail_withoutAuthorizationHeader() {
+        String query = """
+                query {
+                  tasks {
+                    id
+                  }
+                }
+                """;
+        webTestClient.post()
+                .uri("/graphql")
+                .contentType(MediaType.APPLICATION_JSON)
+                .bodyValue(Map.of("query", query))
+                .exchange()
+                .expectStatus().is4xxClientError();
+    }
+
+    @Test
+    @Order(7)
+    void restAccess_shouldFail_withoutAuthorizationHeader() {
+        webTestClient.get()
+                .uri("/api/tasks")
+                .exchange()
+                .expectStatus().is4xxClientError();
+    }
+
+    @Test
+    @Order(8)
+    void malformedJwt_shouldBeRejected() {
+        String malformedToken = "this.aint.no.jwt.man";
+        String query = """
+                query {
+                  tasks {
+                    id
+                  }
+                }
+                """;
+        webTestClient.post()
+                .uri("/graphql")
+                .header(HttpHeaders.AUTHORIZATION, "Bearer " + malformedToken)
+                .contentType(MediaType.APPLICATION_JSON)
+                .bodyValue(Map.of("query", query))
+                .exchange()
+                .expectStatus().is4xxClientError();
+    }
+
+    @Test
+    @Order(9)
+    void refresh_shouldFail_whenRefreshTokenMissing() {
+        webTestClient.post()
+                .uri("/auth/refresh")
+                .contentType(MediaType.APPLICATION_JSON)
+                .bodyValue(Map.of())   // empty body
+                .exchange()
+                .expectStatus().isBadRequest()
+                .expectBody()
+                .jsonPath("$.error").exists();
+    }
+
+    // This one's a bit more complex, but basically to show that Redis validity =/= JWT validity ("just because it's there, doesn't mean anything").
+    @Test
+    @Order(10)
+    void refresh_shouldFail_whenJwtExpired_butRedisTokenExists() {
+        String email = "expired_refresh@example.com";
+
+        // Build expired refresh token manually
+        byte[] keyBytes = Decoders.BASE64.decode(jwtSecret);
+        SecretKey key = Keys.hmacShaKeyFor(keyBytes);
+        Instant now = Instant.now();
+        Date issuedAt = Date.from(now.minusSeconds(7200));
+        Date expiredAt = Date.from(now.minusSeconds(3600));
+
+        String expiredRefresh = Jwts.builder()
+                .subject(email)
+                .claim("type", "refresh")
+                .issuedAt(issuedAt)
+                .expiration(expiredAt)
+                .signWith(key)
+                .compact();
+
+        // Force-store expired token in Redis
+        redis.opsForValue().set(expiredRefresh, email);
+
+        webTestClient.post()
+                .uri("/auth/refresh")
+                .contentType(MediaType.APPLICATION_JSON)
+                .bodyValue(Map.of("refreshToken", expiredRefresh))
+                .exchange()
+                .expectStatus().isUnauthorized()
+                .expectBody()
+                .jsonPath("$.error").exists();
+    }
+
+    /* This is actually complex - testing to make sure that a refresh token can only be used once, and
+    doing so under a race condition where two threads attempt to refresh in proximity: */
+    @Test
+    @Order(11)
+    void refreshToken_shouldOnlyBeUsableOnce_underConcurrency() {
+        String email = "race@example.com";
+        String password = "password";
+
+        register(email, password);
+        AuthResponse auth = login(email, password);
+        String refresh = auth.refreshToken();
+
+        Runnable refreshCall = () -> webTestClient.post()
+                .uri("/auth/refresh")
+                .contentType(MediaType.APPLICATION_JSON)
+                .bodyValue(Map.of("refreshToken", refresh))
+                .exchange();
+
+        Thread t1 = new Thread(refreshCall);
+        Thread t2 = new Thread(refreshCall);
+
+        t1.start();
+        t2.start();
+
+        Awaitility.await().untilAsserted(() ->
+                assertThat(redis.opsForValue().get(refresh)).isNull()
+        );
+    }
+
+    // Checking to see if the refresh token is still valid for the currently authenticated user:
+    @Test
+    @Order(12)
+    void refreshStatus_shouldReflectRedisState() {
+        String email = "status@example.com";
+        String password = "password";
+
+        register(email, password);
+        AuthResponse auth = login(email, password);
+
+        webTestClient.get()
+                .uri(uriBuilder -> uriBuilder
+                        .path("/auth/refresh-status")
+                        .queryParam("refreshToken", auth.refreshToken())
+                        .build())
+                .header(HttpHeaders.AUTHORIZATION, "Bearer " + auth.accessToken())
+                .exchange()
+                .expectStatus().isOk()
+                .expectBody()
+                .jsonPath("$.active").isEqualTo(true);
+    }
+
+    // Basically testing for token substitution attacks here (making sure that you can't use another user's access token w/ your refresh):
+    @Test
+    @Order(13)
+    void refreshStatus_shouldFail_whenAccessTokenDoesNotMatchRefreshTokenOwner() {
+        register("user1@test.com", "pw");
+        register("user2@test.com", "pw");
+
+        AuthResponse u1 = login("user1@test.com", "pw");
+        AuthResponse u2 = login("user2@test.com", "pw");
+
+        webTestClient.get()
+                .uri(uriBuilder -> uriBuilder
+                        .path("/auth/refresh-status")
+                        .queryParam("refreshToken", u1.refreshToken())
+                        .build())
+                .header(HttpHeaders.AUTHORIZATION, "Bearer " + u2.accessToken())
+                .exchange()
+                .expectStatus().isOk()
+                .expectBody()
+                .jsonPath("$.active").isEqualTo(false);
     }
 }