Testing: Add edge case tests for OAuth2 flows

[knowlen]

Description

As identified in PR #32 review, we should add comprehensive edge case testing for OAuth2 flows including token expiration scenarios, concurrent flows, and clock skew.

Test Scenarios to Add

1. Token Expiration Edge Cases

def test_token_expires_exactly_at_buffer():
    '''Test behavior when token expires exactly at buffer time'''
    
def test_token_already_expired():
    '''Test handling of already expired tokens'''
    
def test_token_without_expiry():
    '''Test tokens that don't include expiry time'''
    
def test_very_short_lived_token():
    '''Test tokens with < 60 second lifetime'''

2. Concurrent OAuth2 Flows

async def test_multiple_concurrent_auth_flows():
    '''Test multiple users authenticating simultaneously'''
    
async def test_concurrent_token_refresh():
    '''Test race condition during token refresh'''
    
def test_state_parameter_uniqueness():
    '''Ensure state parameters are unique across flows'''

3. Clock Skew Scenarios

def test_server_clock_ahead():
    '''Test when server clock is ahead of client'''
    
def test_server_clock_behind():
    '''Test when server clock is behind client'''
    
def test_timezone_handling():
    '''Test token expiry across timezones'''

4. Error Recovery

def test_network_failure_during_token_exchange():
    '''Test handling of network errors'''
    
def test_invalid_callback_data():
    '''Test malformed callback parameters'''
    
def test_csrf_attack_prevention():
    '''Test state parameter validation'''

5. Callback Server Edge Cases

def test_port_already_in_use():
    '''Test when callback port is occupied'''
    
def test_callback_timeout():
    '''Test when user doesn't complete auth'''
    
def test_multiple_callbacks():
    '''Test handling of duplicate callbacks'''

Implementation Tools

• pytest-asyncio for async test support
• freezegun for time manipulation
• pytest-timeout for timeout testing
• Mock OAuth2 server for controlled testing

Test Data Requirements

• Various token lifetime scenarios
• Different error responses
• Edge case timestamps

Success Criteria

• 100% code coverage for OAuth2 module
• All edge cases documented and tested
• Clear error messages for each failure mode

References

• PR Release v0.2.0b1 - First Beta Release #32 review feedback
• OAuth2 security considerations
• Common OAuth2 implementation pitfalls

[knowlen]

Additional Test Scenarios from PR Review

The reviewer highlighted these specific concurrent client scenarios that should be tested:

1. Multiple OAuth2 Flows Simultaneously

• Test multiple users authenticating at the same time
• Verify state parameter uniqueness across flows
• Ensure callback server handles concurrent requests properly
• Test port allocation when multiple flows use same callback port

2. Token Refresh Race Conditions

• Multiple threads/tasks refreshing the same expired token
• Ensure only one refresh request is made
• Test token storage updates are atomic
• Verify all waiting requests use the new token

3. Connection Pool Exhaustion Under Load

• Test behavior when connection pool is exhausted
• Verify proper queueing and timeout handling
• Test cleanup of connections in error scenarios
• Validate context manager cleanup under high concurrency

These tests will help validate our context manager implementation and inform the caching strategy planned for v0.3.0.

Reference: PR #32 review follow-up