test: add coverage for uncovered CoreIdent.Core models, stores, and interfaces

- OpenIdConfigurationDocument: all 3 constructor overloads
- InMemoryUserGrantStore: MergeScopesAsync (create new + merge existing + validation)
- IUserGrantStore: default interface MergeScopesAsync via stub
- PasswordlessToken: property defaults and round-trip

Author: stimpy77

tests/CoreIdent.Core.Tests/Models/OpenIdConfigurationDocumentTests.cs

@@ -0,0 +1,84 @@
+using CoreIdent.Core.Models;
+using Shouldly;
+using Xunit;
+
+namespace CoreIdent.Core.Tests.Models;
+
+public class OpenIdConfigurationDocumentTests
+{
+    private static readonly IReadOnlyList<string> GrantTypes = ["authorization_code", "client_credentials"];
+    private static readonly IReadOnlyList<string> Scopes = ["openid", "profile"];
+    private static readonly IReadOnlyList<string> Algorithms = ["RS256"];
+
+    [Fact]
+    public void Ctor_8param_sets_required_fields_and_nulls_optional()
+    {
+        var doc = new OpenIdConfigurationDocument(
+            Issuer: "https://issuer.example.com",
+            JwksUri: "https://issuer.example.com/.well-known/jwks.json",
+            TokenEndpoint: "https://issuer.example.com/token",
+            RevocationEndpoint: "https://issuer.example.com/revoke",
+            IntrospectionEndpoint: "https://issuer.example.com/introspect",
+            GrantTypesSupported: GrantTypes,
+            ScopesSupported: Scopes,
+            IdTokenSigningAlgValuesSupported: Algorithms);
+
+        doc.Issuer.ShouldBe("https://issuer.example.com", "Issuer should be set.");
+        doc.JwksUri.ShouldBe("https://issuer.example.com/.well-known/jwks.json", "JwksUri should be set.");
+        doc.TokenEndpoint.ShouldBe("https://issuer.example.com/token", "TokenEndpoint should be set.");
+        doc.RevocationEndpoint.ShouldBe("https://issuer.example.com/revoke", "RevocationEndpoint should be set.");
+        doc.IntrospectionEndpoint.ShouldBe("https://issuer.example.com/introspect", "IntrospectionEndpoint should be set.");
+        doc.GrantTypesSupported.ShouldBe(GrantTypes, "GrantTypesSupported should be set.");
+        doc.ScopesSupported.ShouldBe(Scopes, "ScopesSupported should be set.");
+        doc.IdTokenSigningAlgValuesSupported.ShouldBe(Algorithms, "IdTokenSigningAlgValuesSupported should be set.");
+        doc.ResponseTypesSupported.ShouldBeNull("ResponseTypesSupported should default to null.");
+        doc.TokenEndpointAuthMethodsSupported.ShouldBeNull("TokenEndpointAuthMethodsSupported should default to null.");
+        doc.AuthorizationEndpoint.ShouldBeNull("AuthorizationEndpoint should default to null.");
+        doc.UserInfoEndpoint.ShouldBeNull("UserInfoEndpoint should default to null.");
+    }
+
+    [Fact]
+    public void Ctor_10param_sets_response_types_and_auth_methods()
+    {
+        var responseTypes = new List<string> { "code" };
+        var authMethods = new List<string> { "client_secret_basic", "client_secret_post" };
+
+        var doc = new OpenIdConfigurationDocument(
+            Issuer: "https://issuer.example.com",
+            JwksUri: "https://issuer.example.com/.well-known/jwks.json",
+            TokenEndpoint: "https://issuer.example.com/token",
+            RevocationEndpoint: "https://issuer.example.com/revoke",
+            IntrospectionEndpoint: "https://issuer.example.com/introspect",
+            GrantTypesSupported: GrantTypes,
+            ScopesSupported: Scopes,
+            IdTokenSigningAlgValuesSupported: Algorithms,
+            ResponseTypesSupported: responseTypes,
+            TokenEndpointAuthMethodsSupported: authMethods);
+
+        doc.ResponseTypesSupported.ShouldBe(responseTypes, "ResponseTypesSupported should be set.");
+        doc.TokenEndpointAuthMethodsSupported.ShouldBe(authMethods, "TokenEndpointAuthMethodsSupported should be set.");
+        doc.AuthorizationEndpoint.ShouldBeNull("AuthorizationEndpoint should default to null.");
+        doc.UserInfoEndpoint.ShouldBeNull("UserInfoEndpoint should default to null.");
+    }
+
+    [Fact]
+    public void Ctor_12param_sets_all_fields()
+    {
+        var doc = new OpenIdConfigurationDocument(
+            Issuer: "https://issuer.example.com",
+            JwksUri: "https://issuer.example.com/.well-known/jwks.json",
+            TokenEndpoint: "https://issuer.example.com/token",
+            RevocationEndpoint: "https://issuer.example.com/revoke",
+            IntrospectionEndpoint: "https://issuer.example.com/introspect",
+            GrantTypesSupported: GrantTypes,
+            ScopesSupported: Scopes,
+            IdTokenSigningAlgValuesSupported: Algorithms,
+            ResponseTypesSupported: ["code"],
+            TokenEndpointAuthMethodsSupported: ["client_secret_basic"],
+            AuthorizationEndpoint: "https://issuer.example.com/authorize",
+            UserInfoEndpoint: "https://issuer.example.com/userinfo");
+
+        doc.AuthorizationEndpoint.ShouldBe("https://issuer.example.com/authorize", "AuthorizationEndpoint should be set.");
+        doc.UserInfoEndpoint.ShouldBe("https://issuer.example.com/userinfo", "UserInfoEndpoint should be set.");
+    }
+}

tests/CoreIdent.Core.Tests/Models/PasswordlessTokenTests.cs

@@ -0,0 +1,49 @@
+using CoreIdent.Core.Models;
+using Shouldly;
+using Xunit;
+
+namespace CoreIdent.Core.Tests.Models;
+
+public class PasswordlessTokenTests
+{
+    [Fact]
+    public void Properties_default_to_expected_values()
+    {
+        var token = new PasswordlessToken();
+
+        token.Id.ShouldBe(string.Empty, "Id should default to empty string.");
+        token.Recipient.ShouldBe(string.Empty, "Recipient should default to empty string.");
+        token.TokenType.ShouldBe(string.Empty, "TokenType should default to empty string.");
+        token.TokenHash.ShouldBe(string.Empty, "TokenHash should default to empty string.");
+        token.CreatedAt.ShouldBe(default(DateTime), "CreatedAt should default to default DateTime.");
+        token.ExpiresAt.ShouldBe(default(DateTime), "ExpiresAt should default to default DateTime.");
+        token.Consumed.ShouldBeFalse("Consumed should default to false.");
+        token.UserId.ShouldBeNull("UserId should default to null.");
+    }
+
+    [Fact]
+    public void Properties_round_trip_correctly()
+    {
+        var now = DateTime.UtcNow;
+        var token = new PasswordlessToken
+        {
+            Id = "tok-1",
+            Recipient = "user@example.com",
+            TokenType = "email",
+            TokenHash = "abc123",
+            CreatedAt = now,
+            ExpiresAt = now.AddMinutes(15),
+            Consumed = true,
+            UserId = "user-1"
+        };
+
+        token.Id.ShouldBe("tok-1", "Id should round-trip.");
+        token.Recipient.ShouldBe("user@example.com", "Recipient should round-trip.");
+        token.TokenType.ShouldBe("email", "TokenType should round-trip.");
+        token.TokenHash.ShouldBe("abc123", "TokenHash should round-trip.");
+        token.CreatedAt.ShouldBe(now, "CreatedAt should round-trip.");
+        token.ExpiresAt.ShouldBe(now.AddMinutes(15), "ExpiresAt should round-trip.");
+        token.Consumed.ShouldBeTrue("Consumed should round-trip.");
+        token.UserId.ShouldBe("user-1", "UserId should round-trip.");
+    }
+}

tests/CoreIdent.Core.Tests/Stores/IUserGrantStoreDefaultTests.cs

@@ -0,0 +1,100 @@
+using CoreIdent.Core.Models;
+using CoreIdent.Core.Stores;
+using Shouldly;
+using Xunit;
+
+namespace CoreIdent.Core.Tests.Stores;
+
+/// <summary>
+/// Tests the default interface method <see cref="IUserGrantStore.MergeScopesAsync"/>
+/// using a minimal stub that does NOT override the default.
+/// </summary>
+public class IUserGrantStoreDefaultTests
+{
+    /// <summary>
+    /// Minimal stub that only implements required members, leaving the default MergeScopesAsync.
+    /// </summary>
+    private sealed class StubUserGrantStore : IUserGrantStore
+    {
+        private readonly Dictionary<string, CoreIdentUserGrant> _grants = new(StringComparer.Ordinal);
+
+        public Task<CoreIdentUserGrant?> FindAsync(string subjectId, string clientId, CancellationToken ct = default)
+        {
+            _grants.TryGetValue($"{subjectId}::{clientId}", out var grant);
+            return Task.FromResult(grant);
+        }
+
+        public Task SaveAsync(CoreIdentUserGrant grant, CancellationToken ct = default)
+        {
+            _grants[$"{grant.SubjectId}::{grant.ClientId}"] = grant;
+            return Task.CompletedTask;
+        }
+
+        public Task RevokeAsync(string subjectId, string clientId, CancellationToken ct = default)
+        {
+            _grants.Remove($"{subjectId}::{clientId}");
+            return Task.CompletedTask;
+        }
+
+        public Task<bool> HasUserGrantedConsentAsync(string subjectId, string clientId, IEnumerable<string> scopes, CancellationToken ct = default)
+        {
+            if (!_grants.TryGetValue($"{subjectId}::{clientId}", out var grant))
+                return Task.FromResult(false);
+            var granted = grant.Scopes.ToHashSet(StringComparer.Ordinal);
+            return Task.FromResult(scopes.All(s => granted.Contains(s)));
+        }
+    }
+
+    [Fact]
+    public async Task Default_MergeScopesAsync_creates_grant_when_none_exists()
+    {
+        IUserGrantStore store = new StubUserGrantStore();
+
+        await store.MergeScopesAsync("sub-d1", "client-d1", ["openid", "profile"]);
+
+        var grant = await store.FindAsync("sub-d1", "client-d1");
+        grant.ShouldNotBeNull("Default MergeScopesAsync should create a new grant.");
+        grant!.Scopes.ShouldBe(new[] { "openid", "profile" }, "New grant should contain the provided scopes.");
+    }
+
+    [Fact]
+    public async Task Default_MergeScopesAsync_merges_into_existing_grant()
+    {
+        IUserGrantStore store = new StubUserGrantStore();
+
+        await store.SaveAsync(new CoreIdentUserGrant
+        {
+            SubjectId = "sub-d2",
+            ClientId = "client-d2",
+            Scopes = ["openid"],
+            CreatedAt = DateTime.UtcNow
+        });
+
+        await store.MergeScopesAsync("sub-d2", "client-d2", ["profile", "email"]);
+
+        var grant = await store.FindAsync("sub-d2", "client-d2");
+        grant.ShouldNotBeNull("Grant should still exist after merge.");
+        grant!.Scopes.Count.ShouldBe(3, "Merged grant should have union of scopes.");
+        grant.Scopes.ShouldContain("openid", "Existing scope should be preserved.");
+        grant.Scopes.ShouldContain("profile", "New scope should be added.");
+        grant.Scopes.ShouldContain("email", "New scope should be added.");
+    }
+
+    [Fact]
+    public async Task Default_MergeScopesAsync_throws_for_invalid_arguments()
+    {
+        IUserGrantStore store = new StubUserGrantStore();
+
+        await Should.ThrowAsync<ArgumentException>(
+            () => store.MergeScopesAsync("", "client", ["openid"]),
+            "Default MergeScopesAsync should throw for empty subjectId.");
+
+        await Should.ThrowAsync<ArgumentException>(
+            () => store.MergeScopesAsync("sub", "", ["openid"]),
+            "Default MergeScopesAsync should throw for empty clientId.");
+
+        await Should.ThrowAsync<ArgumentNullException>(
+            () => store.MergeScopesAsync("sub", "client", null!),
+            "Default MergeScopesAsync should throw for null scopes.");
+    }
+}

tests/CoreIdent.Core.Tests/Stores/InMemoryUserGrantStoreTests.cs

@@ -126,4 +126,60 @@ public async Task SaveAsync_throws_for_invalid_arguments()
         var missingClient = new CoreIdentUserGrant { SubjectId = "s", ClientId = "", Scopes = [], CreatedAt = DateTime.UtcNow };
         await Should.ThrowAsync<ArgumentException>(() => store.SaveAsync(missingClient), "SaveAsync should throw when ClientId is missing.");
     }
+
+    [Fact]
+    public async Task MergeScopesAsync_creates_new_grant_when_none_exists()
+    {
+        var time = new MutableTimeProvider(new DateTimeOffset(2025, 12, 12, 0, 0, 0, TimeSpan.Zero));
+        var store = new InMemoryUserGrantStore(time);
+
+        await store.MergeScopesAsync("sub-m1", "client-m1", ["openid", "profile"]);
+
+        var grant = await store.FindAsync("sub-m1", "client-m1");
+        grant.ShouldNotBeNull("MergeScopesAsync should create a new grant when none exists.");
+        grant!.Scopes.ShouldBe(new[] { "openid", "profile" }, "New grant should contain the merged scopes.");
+        grant.SubjectId.ShouldBe("sub-m1", "Grant SubjectId should match.");
+        grant.ClientId.ShouldBe("client-m1", "Grant ClientId should match.");
+    }
+
+    [Fact]
+    public async Task MergeScopesAsync_merges_into_existing_grant()
+    {
+        var store = new InMemoryUserGrantStore();
+
+        await store.SaveAsync(new CoreIdentUserGrant
+        {
+            SubjectId = "sub-m2",
+            ClientId = "client-m2",
+            Scopes = ["openid", "profile"],
+            CreatedAt = DateTime.UtcNow
+        });
+
+        await store.MergeScopesAsync("sub-m2", "client-m2", ["email", "openid"]);
+
+        var grant = await store.FindAsync("sub-m2", "client-m2");
+        grant.ShouldNotBeNull("Grant should still exist after merge.");
+        grant!.Scopes.Count.ShouldBe(3, "Merged grant should have union of scopes.");
+        grant.Scopes.ShouldContain("openid", "Existing scope should be preserved.");
+        grant.Scopes.ShouldContain("profile", "Existing scope should be preserved.");
+        grant.Scopes.ShouldContain("email", "New scope should be added.");
+    }
+
+    [Fact]
+    public async Task MergeScopesAsync_throws_for_invalid_arguments()
+    {
+        var store = new InMemoryUserGrantStore();
+
+        await Should.ThrowAsync<ArgumentException>(
+            () => store.MergeScopesAsync("", "client", ["openid"]),
+            "MergeScopesAsync should throw for empty subjectId.");
+
+        await Should.ThrowAsync<ArgumentException>(
+            () => store.MergeScopesAsync("sub", "", ["openid"]),
+            "MergeScopesAsync should throw for empty clientId.");
+
+        await Should.ThrowAsync<ArgumentNullException>(
+            () => store.MergeScopesAsync("sub", "client", null!),
+            "MergeScopesAsync should throw for null scopes.");
+    }
 }