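using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using JobTrackerApi.Services;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Moq;
using Xunit;

namespace JobTrackerApi.Tests;

/// <summary>
/// Unit tests for <see cref="GoogleTokenValidator"/>, driven by a locally minted JWT and a
/// mocked OpenID Connect configuration manager so that no network call is made.
/// </summary>
/// <remarks>
/// Only the acceptance path is exercised in this file. Rejection cases (wrong audience,
/// wrong issuer, expired token, signature from a key that is not in the discovery
/// document) are not visible here and are worth covering alongside this test.
/// </remarks>
public sealed class GoogleTokenValidatorTests
{
    // Constructed fixture values; the audience in the token must match Auth:GoogleClientId.
    private const string ClientId = "client-123";
    private const string Issuer = "https://accounts.google.com";

    /// <summary>
    /// Mints a token carrying a <c>sub</c> claim plus profile claims, validates it, and checks
    /// that every field of the result reflects the corresponding claim. Per the test name, the
    /// subject is expected to be recovered even when the JWT handler maps <c>sub</c> to the
    /// name-identifier claim type.
    /// </summary>
    [Fact]
    public async Task ValidateAsync_accepts_subject_mapped_to_nameidentifier_claim()
    {
        // Arrange: in-memory configuration supplying the expected client id (audience).
        var config = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["Auth:GoogleClientId"] = ClientId,
            })
            .Build();

        // Test-only fixture key (37 bytes), not a real secret.
        // NOTE(review): this fixture signs with HS256 and a symmetric key, whereas Google-issued
        // ID tokens are RS256-signed. The test therefore presumably relies on the validator
        // accepting any algorithm that matches a key in the discovery document. Confirm whether
        // GoogleTokenValidator pins TokenValidationParameters.ValidAlgorithms; if it does (or
        // should), switch this fixture to an RSA key so the test mirrors production.
        var signingKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes("super-secret-signing-key-super-secret"));

        // The mocked configuration manager returns a discovery document that trusts only
        // the fixture key above.
        var oidc = new OpenIdConnectConfiguration();
        oidc.SigningKeys.Add(signingKey);

        var configManager = new Mock<IConfigurationManager<OpenIdConnectConfiguration>>();
        configManager
            .Setup(x => x.GetConfigurationAsync(It.IsAny<CancellationToken>()))
            .ReturnsAsync(oidc);

        var jwt = new JwtSecurityToken(
            issuer: Issuer,
            audience: ClientId,
            claims: new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, "google-subject-1"),
                new Claim("email", "demo@example.com"),
                new Claim("email_verified", "true"),
                new Claim("given_name", "Demo"),
                new Claim("family_name", "User"),
                new Claim("name", "Demo User"),
            },
            expires: DateTime.UtcNow.AddMinutes(10),
            signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
        var token = new JwtSecurityTokenHandler().WriteToken(jwt);

        var validator = new GoogleTokenValidator(config, configManager.Object);

        // Act
        var result = await validator.ValidateAsync(token);

        // Assert: each result field is populated from the matching token claim.
        Assert.Equal("google-subject-1", result.Subject);
        Assert.Equal("demo@example.com", result.Email);
        Assert.True(result.EmailVerified);
        Assert.Equal("Demo", result.GivenName);
        Assert.Equal("User", result.FamilyName);
        Assert.Equal("Demo User", result.Name);
    }
}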