Skip to main content

Auth Service — Testing Strategy

Status: populated Owner: Engineering + Security Last updated: 2026-04-18

1. Coverage targets

Layer	Target
Aggregates	95%
VOs	100%
Application use cases	90% branch
Integration	All critical paths

2. Unit

Password hashing roundtrip; timing-safe compare.
TOTP verify against RFC 6238 vectors.
JWT sign → verify; rejects wrong kid.
Argon2 params fixed; regression guard.

3. Integration

test/integration/login-happy.spec.ts
test/integration/login-lockout.spec.ts (5 failures → locked)
test/integration/firebase-federation.spec.ts (mock admin SDK)
test/integration/api-key-lookup.spec.ts (Kong plugin contract)
test/integration/jwks-rotation.spec.ts (old key still verifies within window)
test/integration/tenant-isolation.spec.ts (cross-account read → 404)
test/integration/outbox.spec.ts (event persisted + published)

4. Contract

Pact consumer: Kong API-key lookup → 200/404/5xx shapes
OpenAPI diff gate

5. Security

security-reviewer agent zero critical/high
OWASP ZAP against staging
Dependency audit in CI

1. Coverage targets
2. Unit
3. Integration
4. Contract
5. Security