Merge pull request #1 from sameboat-platform/feat/auth-testing-fixes

Feat/auth testing fixes

Author: ArchILLtect

.github/dependabot.yml

@@ -0,0 +1,23 @@
+version: 2
+updates:
+  # Maven dependencies (pom.xml)
+  - package-ecosystem: maven
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: sunday
+      time: "05:30"
+      timezone: "America/Chicago"
+    open-pull-requests-limit: 5
+    ignore:
+      # optional: avoid major jumps until you're ready
+      - dependency-name: "org.flywaydb:flyway-core"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "org.springframework.boot:*"
+        update-types: ["version-update:semver-major"]
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: weekly

.github/workflows/backend-coverage.yml

@@ -0,0 +1,76 @@
+name: Backend Coverage
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  coverage:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+      checks: write
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: '21'
+          cache: maven
+
+      - name: Ensure wrapper & scripts are executable
+        run: |
+          chmod +x mvnw || true
+          chmod +x scripts/check-migration-immutability.sh || true
+
+      - name: Build & Test (with coverage)
+        run: |
+          ./mvnw -B -ntp clean verify
+
+      - name: Upload JaCoCo HTML report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: jacoco-report
+          path: target/site/jacoco
+
+      - name: Extract coverage summary
+        id: coverage
+        run: |
+          LINE=$(grep -m1 -E '<counter type="INSTRUCTION"' target/site/jacoco/jacoco.xml || true)
+          # Fallback if grep fails
+          if [ -z "$LINE" ]; then echo "instr_covered=0" >> $GITHUB_OUTPUT; echo "instr_missed=0" >> $GITHUB_OUTPUT; exit 0; fi
+          MISSED=$(echo "$LINE" | sed -E 's/.*missed="([0-9]+)" covered="([0-9]+)".*/\1/')
+          COVERED=$(echo "$LINE" | sed -E 's/.*missed="([0-9]+)" covered="([0-9]+)".*/\2/')
+          TOTAL=$((MISSED + COVERED))
+          if [ "$TOTAL" -gt 0 ]; then PCT=$(( 100 * COVERED / TOTAL )); else PCT=0; fi
+          echo "instr_covered=$COVERED" >> $GITHUB_OUTPUT
+          echo "instr_missed=$MISSED" >> $GITHUB_OUTPUT
+          echo "instr_total=$TOTAL" >> $GITHUB_OUTPUT
+          echo "instr_pct=$PCT" >> $GITHUB_OUTPUT
+
+      - name: Add PR comment with coverage (if PR)
+        if: github.event_name == 'pull_request'
+        uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          header: coverage-report
+          message: |
+            **Coverage (Instructions)**: ${{ steps.coverage.outputs.instr_pct }}%  
+            Covered: ${{ steps.coverage.outputs.instr_covered }} / ${{ steps.coverage.outputs.instr_total }}  
+            (Missed: ${{ steps.coverage.outputs.instr_missed }})
+
+      - name: Create coverage summary
+        if: always()
+        run: |
+          echo "### Coverage Summary" >> $GITHUB_STEP_SUMMARY
+          echo "Instructions: ${{ steps.coverage.outputs.instr_pct }}% (covered=${{ steps.coverage.outputs.instr_covered }}, missed=${{ steps.coverage.outputs.instr_missed }})" >> $GITHUB_STEP_SUMMARY
+

MIGRATION_NOTES.md

@@ -1,6 +1,11 @@
-![Backend CI](https://github.com/ArchILLtect/sameboat-backend/actions/workflows/backend-ci.yml/badge.svg)
+![Backend CI](https://github.com/sameboat-platform/sameboat-backend/actions/workflows/backend-ci.yml/badge.svg)
 # SameBoat Backend (Spring Boot + Java 21)
 
+> Repository migration: moved from `ArchILLtect/*` to `sameboat-platform/*` on 2025-09-28. Update any local remotes:
+> ```bash
+> git remote set-url origin git@github.com:sameboat-platform/sameboat-backend.git
+> ```
+
 > Quick Links: [Instructions (setup & migrations)](./docs/instructions.md) | [API Reference](./docs/api.md) | [Week 3 Plan](./docs/Weekly%20Plan%20Docs/week_3_plan_same_boat_honors_project_fall_2025.md) | Journals: [Index](./docs/journals/README.md) · [Week 1](./docs/journals/Week1-Journal.md) · [Week 2](./docs/journals/Week2-Journal.md)
 
 ## Run locally

README.md

@@ -2,7 +2,7 @@ Week 1
 9/13/2025
 
 Tasks Completed:
-- Created two repos: [sameboat-frontend](https://github.com/ArchILLtect/sameboat-frontend) and [sameboat-backend](https://github.com/ArchILLtect/sameboat-backend).
+- Created two repos: [sameboat-frontend](https://github.com/sameboat-platform/sameboat-frontend) and [sameboat-backend](https://github.com/sameboat-platform/sameboat-backend).
 - Scaffolded both repos (frontend with Vite + React + TS, backend with Spring Boot 3 + Java 21).
 - Installed core backend dependencies (Spring Web, JPA, Validation, Lombok, Flyway, PostgreSQL Driver, DevTools).
 - Set up Neon PostgreSQL database, created initial `sameboat` DB, and ran Flyway migration V1__init.sql with `users`, `stories`, and `trust_events` tables.
@@ -19,4 +19,4 @@ This week was all about laying down the foundation. It felt amazing to hit that
 
 Biggest win? Seeing the repos fully structured, DB initialized, CI/CD passing, and docs + calendar all organized. It feels like a *real project* now, not just an idea. Honestly, I’m still riding that high.
 
-Next week’s focus: auth stubs + basic user profiles. Time to move from foundation into actual feature work. WOOHOO! Finally!  
+Next week’s focus: auth stubs + basic user profiles. Time to move from foundation into actual feature work. WOOHOO! Finally!

docs/journals/Week1-Journal.md

@@ -0,0 +1,12 @@
+package com.sameboat.backend.auth;
+// ...existing code...
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.TestPropertySource;
+// ...existing code...
+@DataJpaTest
+@Import(SessionService.class)
+@ActiveProfiles("test")
+@TestPropertySource(properties = "sameboat.security.enabled=false")
+class SessionServiceTest {
+// ...existing code...
+

mvnw

@@ -1,48 +1,59 @@
 package com.sameboat.backend.auth.session;
 
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
 
-import java.time.Duration;
-import java.time.OffsetDateTime;
+import java.time.*;
 import java.util.Optional;
 import java.util.UUID;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 @Service
+@Transactional
 public class SessionService {
 
+    private static final Logger log = LoggerFactory.getLogger(SessionService.class);
+
     private final SessionRepository repository;
+    private final Clock clock;
 
-    public SessionService(SessionRepository repository) {
+    public SessionService(SessionRepository repository, ObjectProvider<java.time.Clock> clockProvider) {
         this.repository = repository;
+        this.clock = clockProvider.getIfAvailable(java.time.Clock::systemUTC);
     }
 
     public SessionEntity createSession(UUID userId, Duration ttl) {
         SessionEntity s = new SessionEntity();
         s.setUserId(userId);
-        s.setExpiresAt(OffsetDateTime.now().plus(ttl));
-        return repository.save(s);
+        s.setExpiresAt(OffsetDateTime.ofInstant(clock.instant().plus(ttl), ZoneOffset.UTC));
+        SessionEntity saved = repository.save(s);
+        repository.flush(); // ensure persistence before returning (visibility for immediate follow-up request)
+        log.debug("Created session id={} userId={} expiresAt={} nowUTC={}", saved.getId(), userId, saved.getExpiresAt(), clock.instant());
+        return saved;
     }
 
     public Optional<SessionEntity> findValid(UUID id) {
+        Instant now = clock.instant();
         return repository.findById(id)
-                .filter(s -> s.getExpiresAt() != null && s.getExpiresAt().isAfter(OffsetDateTime.now()));
+                .filter(s -> s.getExpiresAt() != null && s.getExpiresAt().toInstant().isAfter(now));
     }
 
-    public Optional<SessionEntity> findById(UUID id) {
-        return repository.findById(id);
-    }
+    public Optional<SessionEntity> findById(UUID id) { return repository.findById(id); }
 
     public void touch(SessionEntity s) {
-        s.setLastSeenAt(OffsetDateTime.now());
+        s.setLastSeenAt(OffsetDateTime.ofInstant(clock.instant(), ZoneOffset.UTC));
         repository.save(s);
     }
 
     public void invalidate(String token) {
         try {
             UUID id = UUID.fromString(token);
             repository.deleteById(id);
-        } catch (IllegalArgumentException ignored) {
-            // ignore invalid format
-        }
+        } catch (IllegalArgumentException ignored) { }
     }
+
+    public long count() { return repository.count(); }
 }

sameboat-backend/src/test/java/com/sameboat/backend/auth/SessionServiceTest.java

@@ -2,8 +2,8 @@
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatusCode;
 import org.springframework.http.ResponseEntity;
 import org.springframework.lang.NonNull;
@@ -13,13 +13,19 @@
 import org.springframework.web.context.request.WebRequest;
 import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;
 
+import jakarta.validation.ConstraintViolationException;
+
 import java.util.stream.Collectors;
 
 @ControllerAdvice
 public class GlobalExceptionHandler extends ResponseEntityExceptionHandler {
 
     private static final Logger log = LoggerFactory.getLogger(GlobalExceptionHandler.class);
 
+    private ResponseEntity<ErrorResponse> build(HttpStatus status, String code, String message) {
+        return ResponseEntity.status(status).body(new ErrorResponse(code, message));
+    }
+
     @Override
     protected ResponseEntity<Object> handleMethodArgumentNotValid(@NonNull MethodArgumentNotValidException ex,
                                                                   @NonNull HttpHeaders headers,
@@ -33,15 +39,21 @@ protected ResponseEntity<Object> handleMethodArgumentNotValid(@NonNull MethodArg
                 .body(new ErrorResponse("VALIDATION_ERROR", msg));
     }
 
+    @ExceptionHandler(ConstraintViolationException.class)
+    public ResponseEntity<ErrorResponse> handleConstraintViolation(ConstraintViolationException ex) {
+        String msg = ex.getConstraintViolations().stream().findFirst()
+                .map(cv -> cv.getPropertyPath() + " " + cv.getMessage())
+                .orElse("Validation failed");
+        return build(HttpStatus.BAD_REQUEST, "VALIDATION_ERROR", msg);
+    }
+
     @ExceptionHandler(IllegalArgumentException.class)
-    public ResponseEntity<ErrorResponse> handleIllegalArgument(@NonNull IllegalArgumentException ex) {
-        log.warn("Bad request: {}", ex.getMessage());
-        return ResponseEntity.status(HttpStatus.BAD_REQUEST)
-                .body(new ErrorResponse("BAD_REQUEST", ex.getMessage()));
+    public ResponseEntity<ErrorResponse> handleIllegalArgument(IllegalArgumentException ex) {
+        return build(HttpStatus.BAD_REQUEST, "BAD_REQUEST", ex.getMessage());
     }
 
     @ExceptionHandler(Exception.class)
-    public ResponseEntity<ErrorResponse> handleGeneric(@NonNull Exception ex) {
+    public ResponseEntity<ErrorResponse> handleGeneric(Exception ex) {
         String id = java.util.UUID.randomUUID().toString();
         log.error("Unhandled exception traceId={}", id, ex);
         return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)