From 2fe4c4f8e5cfd89ba02716c2d44df7cfd6559ba6 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Fri, 13 Mar 2026 21:59:35 +0000
Subject: [PATCH] test: tighten shared auth store coverage

---
 src/shared/device-auth-store.test.ts | 68 ++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/src/shared/device-auth-store.test.ts b/src/shared/device-auth-store.test.ts
index be070ee79cd..b0346afff9a 100644
--- a/src/shared/device-auth-store.test.ts
+++ b/src/shared/device-auth-store.test.ts
@@ -50,6 +50,36 @@ describe("device-auth-store", () => {
     ).toBeNull();
   });
 
+  it("returns null for missing stores and malformed token entries", () => {
+    expect(
+      loadDeviceAuthTokenFromStore({
+        adapter: createAdapter().adapter,
+        deviceId: "device-1",
+        role: "operator",
+      }),
+    ).toBeNull();
+
+    const { adapter } = createAdapter({
+      version: 1,
+      deviceId: "device-1",
+      tokens: {
+        operator: {
+          token: 123 as unknown as string,
+          role: "operator",
+          scopes: [],
+          updatedAtMs: 1,
+        },
+      },
+    });
+    expect(
+      loadDeviceAuthTokenFromStore({
+        adapter,
+        deviceId: "device-1",
+        role: "operator",
+      }),
+    ).toBeNull();
+  });
+
   it("stores normalized roles and deduped sorted scopes while preserving same-device tokens", () => {
     vi.spyOn(Date, "now").mockReturnValue(1234);
     const { adapter, writes, readStore } = createAdapter({
@@ -130,6 +160,44 @@ describe("device-auth-store", () => {
     });
   });
 
+  it("overwrites existing entries for the same normalized role", () => {
+    vi.spyOn(Date, "now").mockReturnValue(2222);
+    const { adapter, readStore } = createAdapter({
+      version: 1,
+      deviceId: "device-1",
+      tokens: {
+        operator: {
+          token: "old-token",
+          role: "operator",
+          scopes: ["operator.read"],
+          updatedAtMs: 10,
+        },
+      },
+    });
+
+    const entry = storeDeviceAuthTokenInStore({
+      adapter,
+      deviceId: "device-1",
+      role: " operator ",
+      token: "new-token",
+      scopes: ["operator.write"],
+    });
+
+    expect(entry).toEqual({
+      token: "new-token",
+      role: "operator",
+      scopes: ["operator.write"],
+      updatedAtMs: 2222,
+    });
+    expect(readStore()).toEqual({
+      version: 1,
+      deviceId: "device-1",
+      tokens: {
+        operator: entry,
+      },
+    });
+  });
+
   it("avoids writes when clearing missing roles or mismatched devices", () => {
     const missingRole = createAdapter({
       version: 1,