test: Add unit tests to reach 50% code coverage

Adds 89 new tests bringing total from 12 to 101. Coverage went
from 44% to 52%.

New test coverage:
- AuthService: login flow, account lockout, token refresh
- DocumentService: pagination, delete, batch generation
- TemplateService: full CRUD operations
- ExceptionHandlingMiddleware: all exception type mappings
- Validators: RegisterDto, LoginDto, CreateTemplateDto, etc.
- PaginatedResult: edge cases for pagination logic
- AuthController & ControllerExtensions: basic unit tests

Also adds coverage/ to .gitignore since test runs generate
reports there.

Author: jonmartin721

.gitignore

@@ -9,6 +9,7 @@ obj/
 *.db-wal
 GeneratedDocuments/
 TestResults/
+coverage/
 
 # TUI Log Files
 *.log

DocumentGenerator.Tests/Unit/AuthControllerTests.cs

@@ -0,0 +1,99 @@
+using DocumentGenerator.API.Controllers;
+using DocumentGenerator.Core.DTOs;
+using DocumentGenerator.Core.Interfaces;
+using FluentAssertions;
+using Microsoft.AspNetCore.Mvc;
+using Moq;
+using Xunit;
+
+namespace DocumentGenerator.Tests.Unit
+{
+    public class AuthControllerTests
+    {
+        private readonly Mock<IAuthService> _mockAuthService;
+        private readonly AuthController _controller;
+
+        public AuthControllerTests()
+        {
+            _mockAuthService = new Mock<IAuthService>();
+            _controller = new AuthController(_mockAuthService.Object);
+        }
+
+        [Fact]
+        public async Task Register_ShouldReturnOk_WithAuthResponse()
+        {
+            // Arrange
+            var registerDto = new RegisterDto
+            {
+                Username = "testuser",
+                Email = "test@example.com",
+                Password = "Password123!"
+            };
+            var authResponse = new AuthResponseDto
+            {
+                Token = "jwt-token",
+                RefreshToken = "refresh-token",
+                Expiration = DateTime.UtcNow.AddHours(1)
+            };
+            _mockAuthService.Setup(s => s.RegisterAsync(registerDto)).ReturnsAsync(authResponse);
+
+            // Act
+            var result = await _controller.Register(registerDto);
+
+            // Assert
+            var okResult = result.Result.Should().BeOfType<OkObjectResult>().Subject;
+            okResult.Value.Should().Be(authResponse);
+        }
+
+        [Fact]
+        public async Task Login_ShouldReturnOk_WithAuthResponse()
+        {
+            // Arrange
+            var loginDto = new LoginDto
+            {
+                Username = "testuser",
+                Password = "Password123!"
+            };
+            var authResponse = new AuthResponseDto
+            {
+                Token = "jwt-token",
+                RefreshToken = "refresh-token",
+                Expiration = DateTime.UtcNow.AddHours(1)
+            };
+            _mockAuthService.Setup(s => s.LoginAsync(loginDto)).ReturnsAsync(authResponse);
+
+            // Act
+            var result = await _controller.Login(loginDto);
+
+            // Assert
+            var okResult = result.Result.Should().BeOfType<OkObjectResult>().Subject;
+            okResult.Value.Should().Be(authResponse);
+        }
+
+        [Fact]
+        public async Task RefreshToken_ShouldReturnOk_WithAuthResponse()
+        {
+            // Arrange
+            var refreshDto = new RefreshTokenDto
+            {
+                Token = "old-jwt-token",
+                RefreshToken = "old-refresh-token"
+            };
+            var authResponse = new AuthResponseDto
+            {
+                Token = "new-jwt-token",
+                RefreshToken = "new-refresh-token",
+                Expiration = DateTime.UtcNow.AddHours(1)
+            };
+            _mockAuthService.Setup(s => s.RefreshTokenAsync(refreshDto.Token, refreshDto.RefreshToken))
+                .ReturnsAsync(authResponse);
+
+            // Act
+            var result = await _controller.RefreshToken(refreshDto);
+
+            // Assert
+            var okResult = result.Result.Should().BeOfType<OkObjectResult>().Subject;
+            okResult.Value.Should().Be(authResponse);
+        }
+    }
+}

DocumentGenerator.Tests/Unit/AuthServiceTests.cs

@@ -92,5 +92,236 @@ public async Task RegisterAsync_ShouldThrow_WhenUsernameExists()
             // Assert
             await act.Should().ThrowAsync<DuplicateUsernameException>();
         }
+
+        [Fact]
+        public async Task RegisterAsync_ShouldThrow_WhenEmailExists()
+        {
+            // Arrange
+            var existingUser = new User
+            {
+                Id = Guid.NewGuid(),
+                Username = "existinguser",
+                Email = "test@example.com",
+                PasswordHash = "hash"
+            };
+            _context.Users.Add(existingUser);
+            await _context.SaveChangesAsync();
+
+            var dto = new RegisterDto
+            {
+                Username = "newuser",
+                Email = "test@example.com",
+                Password = "Password123!"
+            };
+
+            // Act
+            Func<Task> act = async () => await _authService.RegisterAsync(dto);
+
+            // Assert
+            await act.Should().ThrowAsync<DuplicateEmailException>();
+        }
+
+        [Fact]
+        public async Task LoginAsync_ShouldReturnTokens_WhenCredentialsValid()
+        {
+            // Arrange
+            var registerDto = new RegisterDto
+            {
+                Username = "loginuser",
+                Email = "login@example.com",
+                Password = "Password123!"
+            };
+            await _authService.RegisterAsync(registerDto);
+
+            var loginDto = new LoginDto
+            {
+                Username = "loginuser",
+                Password = "Password123!"
+            };
+
+            // Act
+            var result = await _authService.LoginAsync(loginDto);
+
+            // Assert
+            result.Should().NotBeNull();
+            result.Token.Should().NotBeNullOrEmpty();
+            result.RefreshToken.Should().NotBeNullOrEmpty();
+        }
+
+        [Fact]
+        public async Task LoginAsync_ShouldThrow_WhenUserNotFound()
+        {
+            // Arrange
+            var loginDto = new LoginDto
+            {
+                Username = "nonexistent",
+                Password = "Password123!"
+            };
+
+            // Act
+            Func<Task> act = async () => await _authService.LoginAsync(loginDto);
+
+            // Assert
+            await act.Should().ThrowAsync<InvalidCredentialsException>();
+        }
+
+        [Fact]
+        public async Task LoginAsync_ShouldThrow_WhenPasswordInvalid()
+        {
+            // Arrange
+            var registerDto = new RegisterDto
+            {
+                Username = "testuser2",
+                Email = "test2@example.com",
+                Password = "Password123!"
+            };
+            await _authService.RegisterAsync(registerDto);
+
+            var loginDto = new LoginDto
+            {
+                Username = "testuser2",
+                Password = "WrongPassword!"
+            };
+
+            // Act
+            Func<Task> act = async () => await _authService.LoginAsync(loginDto);
+
+            // Assert
+            await act.Should().ThrowAsync<InvalidCredentialsException>();
+        }
+
+        [Fact]
+        public async Task LoginAsync_ShouldLockAccount_After5FailedAttempts()
+        {
+            // Arrange
+            var registerDto = new RegisterDto
+            {
+                Username = "lockuser",
+                Email = "lock@example.com",
+                Password = "Password123!"
+            };
+            await _authService.RegisterAsync(registerDto);
+
+            var loginDto = new LoginDto
+            {
+                Username = "lockuser",
+                Password = "WrongPassword!"
+            };
+
+            // Act - Make 5 failed attempts
+            for (int i = 0; i < 5; i++)
+            {
+                try { await _authService.LoginAsync(loginDto); } catch { }
+            }
+
+            // Try a 6th time - should throw AccountLockedException
+            Func<Task> act = async () => await _authService.LoginAsync(loginDto);
+
+            // Assert
+            await act.Should().ThrowAsync<AccountLockedException>();
+        }
+
+        [Fact]
+        public async Task LoginAsync_ShouldResetFailedAttempts_OnSuccessfulLogin()
+        {
+            // Arrange
+            var registerDto = new RegisterDto
+            {
+                Username = "resetuser",
+                Email = "reset@example.com",
+                Password = "Password123!"
+            };
+            await _authService.RegisterAsync(registerDto);
+
+            var wrongLoginDto = new LoginDto
+            {
+                Username = "resetuser",
+                Password = "WrongPassword!"
+            };
+
+            // Make a few failed attempts (but not enough to lock)
+            for (int i = 0; i < 3; i++)
+            {
+                try { await _authService.LoginAsync(wrongLoginDto); } catch { }
+            }
+
+            // Now login successfully
+            var correctLoginDto = new LoginDto
+            {
+                Username = "resetuser",
+                Password = "Password123!"
+            };
+
+            // Act
+            var result = await _authService.LoginAsync(correctLoginDto);
+
+            // Assert
+            result.Should().NotBeNull();
+            var user = await _context.Users.FirstAsync(u => u.Username == "resetuser");
+            user.FailedLoginAttempts.Should().Be(0);
+        }
+
+        [Fact]
+        public async Task RefreshTokenAsync_ShouldReturnNewTokens_WhenRefreshTokenValid()
+        {
+            // Arrange
+            var registerDto = new RegisterDto
+            {
+                Username = "refreshuser",
+                Email = "refresh@example.com",
+                Password = "Password123!"
+            };
+            var authResponse = await _authService.RegisterAsync(registerDto);
+
+            // Act
+            var result = await _authService.RefreshTokenAsync(authResponse.Token, authResponse.RefreshToken);
+
+            // Assert
+            result.Should().NotBeNull();
+            result.Token.Should().NotBeNullOrEmpty();
+            result.RefreshToken.Should().NotBeNullOrEmpty();
+        }
+
+        [Fact]
+        public async Task RefreshTokenAsync_ShouldThrow_WhenRefreshTokenInvalid()
+        {
+            // Arrange
+            var registerDto = new RegisterDto
+            {
+                Username = "invalidrefresh",
+                Email = "invalidrefresh@example.com",
+                Password = "Password123!"
+            };
+            var authResponse = await _authService.RegisterAsync(registerDto);
+
+            // Act
+            Func<Task> act = async () => await _authService.RefreshTokenAsync(authResponse.Token, "invalid-refresh-token");
+
+            // Assert
+            await act.Should().ThrowAsync<InvalidRefreshTokenException>();
+        }
+
+        [Fact]
+        public async Task RefreshTokenAsync_ShouldThrow_WhenRefreshTokenExpired()
+        {
+            // Arrange
+            var user = new User
+            {
+                Id = Guid.NewGuid(),
+                Username = "expireduser",
+                Email = "expired@example.com",
+                PasswordHash = BCrypt.Net.BCrypt.HashPassword("Password123!"),
+                RefreshToken = "expired-token",
+                RefreshTokenExpiryTime = DateTime.UtcNow.AddDays(-1) // Expired yesterday
+            };
+            _context.Users.Add(user);
+            await _context.SaveChangesAsync();
+
+            // Act
+            Func<Task> act = async () => await _authService.RefreshTokenAsync("some-token", "expired-token");
+
+            // Assert
+            await act.Should().ThrowAsync<InvalidRefreshTokenException>();
+        }
     }
 }