Add backend refinements, new API tests, and fix flaky tests (#795)

### Summary & Motivation

Add SharedKernel improvements, new API tests, and fix flaky tests caused
by non-deterministic test data.

- Add `StronglyTypedString<T>` base class for creating string-based
strongly typed IDs with optional prefix validation (Stripe-style IDs
like `cus_abc123`).
- Add `IBlobStorageClient` interface to enable mocking and improve
testability.
- Add `Result.Redirect()` and corresponding `ApiResult` support for HTTP
redirects.
- Add bulk repository interfaces `IBulkAddRepository<T>` and
`IBulkUpdateRepository<T>`, and rename `BulkRemove` to `RemoveRange` for
consistency with EF Core naming.
- Add `AddRangeAsync`, `UpdateRange`, and `RemoveRange` methods to
`RepositoryBase`.
- Add `MapStronglyTypedString` and `OwnedNavigationBuilder` overloads to
`ModelBuilderExtensions` for EF Core mapping of owned entities.
- Add `CreateContainerIfNotExistsAsync`, `DeleteIfExistsAsync`, and User
Delegation Key SAS support to `BlobStorageClient`.
- Fix `UseStringForEnums` to handle nullable enum properties.
- Simplify email validation by using `MailAddress.TryCreate` instead of
custom regex rules.
- Move `AddCrossServiceDataProtection` from `ApiDependencyConfiguration`
to `SharedDependencyConfiguration`.
- Exclude owned entities from global tenant query filters to fix query
issues.
- Fix `NotSupportedException` when copying avatar during tenant switch
by buffering Azure's non-seekable stream.
- Add API tests for `Logout`, `ChangeLocale`, and `ChangeUserRole`
commands.
- Fix flaky tests by adding `Faker.Internet.UniqueEmail()` to prevent
email collisions when tests run in parallel.
- Fix flaky test using `Faker.Random.String2()` instead of `String()` to
avoid whitespace trimming issues.

### Downstream projects

1. Update any `BlobStorageClient` usage to use the `IBlobStorageClient`
interface:

```diff
- BlobStorageClient blobStorageClient
+ IBlobStorageClient blobStorageClient
```

```diff
- services.AddKeyedSingleton("your-self-contained-system-storage",
+ services.AddKeyedSingleton<IBlobStorageClient>("your-self-contained-system-storage",
```

2. Rename `BulkRemove` to `RemoveRange` in repositories:

```diff
- repository.BulkRemove(entities);
+ repository.RemoveRange(entities);
```

### Checklist

- [x] I have added tests, or done manual regression tests
- [x] I have updated the documentation, if necessary

Author: tjementum

application/AppGateway/Transformations/SharedAccessSignatureRequestTransform.cs

@@ -3,7 +3,7 @@
 
 namespace PlatformPlatform.AppGateway.Transformations;
 
-public class SharedAccessSignatureRequestTransform([FromKeyedServices("account-management-storage")] BlobStorageClient accountManagementBlobStorageClient)
+public class SharedAccessSignatureRequestTransform([FromKeyedServices("account-management-storage")] IBlobStorageClient accountManagementBlobStorageClient)
     : RequestTransform
 {
     public override ValueTask ApplyAsync(RequestTransformContext context)

application/account-management/Core/Features/Authentication/Commands/SwitchTenant.cs

@@ -20,7 +20,7 @@ public sealed class SwitchTenantHandler(
     AuthenticationTokenService authenticationTokenService,
     AvatarUpdater avatarUpdater,
     [FromKeyedServices("account-management-storage")]
-    BlobStorageClient blobStorageClient,
+    IBlobStorageClient blobStorageClient,
     IExecutionContext executionContext,
     ITelemetryEventsCollector events,
     ILogger<SwitchTenantHandler> logger
@@ -73,8 +73,14 @@ private async Task CopyProfileDataFromCurrentUser(User targetUser, CancellationT
             var avatarData = await blobStorageClient.DownloadAsync("avatars", sourceBlobPath, cancellationToken);
             if (avatarData is not null)
             {
+                // Copy to MemoryStream since Azure's RetriableStream doesn't support seeking (Position reset)
+                await using var avatarStream = avatarData.Value.Stream;
+                using var memoryStream = new MemoryStream();
+                await avatarStream.CopyToAsync(memoryStream, cancellationToken);
+                memoryStream.Position = 0;
+
                 // Upload the avatar to the target tenant's storage location
-                await avatarUpdater.UpdateAvatar(targetUser, false, avatarData.Value.ContentType, avatarData.Value.Stream, cancellationToken);
+                await avatarUpdater.UpdateAvatar(targetUser, false, avatarData.Value.ContentType, memoryStream, cancellationToken);
             }
         }
 

application/account-management/Core/Features/Tenants/Commands/DeleteTenant.cs

@@ -32,7 +32,7 @@ public async Task<Result> Handle(DeleteTenantCommand command, CancellationToken
         if (tenant is null) return Result.NotFound($"Tenant with id '{command.Id}' not found.");
 
         var tenantUsers = await userRepository.GetTenantUsers(cancellationToken);
-        userRepository.BulkRemove(tenantUsers);
+        userRepository.RemoveRange(tenantUsers);
 
         tenantRepository.Remove(tenant);
 

application/account-management/Core/Features/Tenants/Commands/UpdateTenantLogo.cs

@@ -32,7 +32,7 @@ public sealed class UpdateTenantLogoHandler(
     ITenantRepository tenantRepository,
     IExecutionContext executionContext,
     [FromKeyedServices("account-management-storage")]
-    BlobStorageClient blobStorageClient,
+    IBlobStorageClient blobStorageClient,
     ITelemetryEventsCollector events
 )
     : IRequestHandler<UpdateTenantLogoCommand, Result>

application/account-management/Core/Features/Users/Commands/BulkDeleteUsers.cs

@@ -49,7 +49,7 @@ public async Task<Result> Handle(BulkDeleteUsersCommand command, CancellationTok
             return Result.NotFound($"Users with ids '{string.Join(", ", missingUserIds.Select(id => id.ToString()))}' not found.");
         }
 
-        userRepository.BulkRemove(usersToDelete);
+        userRepository.RemoveRange(usersToDelete);
 
         foreach (var userId in command.UserIds)
         {

application/account-management/Core/Features/Users/Shared/AvatarUpdater.cs

@@ -5,7 +5,7 @@
 
 namespace PlatformPlatform.AccountManagement.Features.Users.Shared;
 
-public sealed class AvatarUpdater(IUserRepository userRepository, [FromKeyedServices("account-management-storage")] BlobStorageClient blobStorageClient)
+public sealed class AvatarUpdater(IUserRepository userRepository, [FromKeyedServices("account-management-storage")] IBlobStorageClient blobStorageClient)
 {
     private const string ContainerName = "avatars";
 

application/account-management/Tests/Authentication/CompleteLoginTests.cs

@@ -201,7 +201,7 @@ public async Task CompleteLogin_WhenUserInviteCompleted_ShouldTrackUserInviteAcc
             [("Name", "Test Company")]
         );
 
-        var email = Faker.Internet.Email();
+        var email = Faker.Internet.UniqueEmail();
         var inviteUserCommand = new InviteUserCommand(email);
         await AuthenticatedOwnerHttpClient.PostAsJsonAsync("/api/account-management/users/invite", inviteUserCommand);
         TelemetryEventsCollectorSpy.Reset();
@@ -210,9 +210,11 @@ public async Task CompleteLogin_WhenUserInviteCompleted_ShouldTrackUserInviteAcc
         var command = new CompleteLoginCommand(CorrectOneTimePassword);
 
         // Act
-        await AnonymousHttpClient.PostAsJsonAsync($"/api/account-management/authentication/login/{loginId}/complete", command);
+        var response = await AnonymousHttpClient
+            .PostAsJsonAsync($"/api/account-management/authentication/login/{loginId}/complete", command);
 
         // Assert
+        await response.ShouldBeSuccessfulPostRequest(hasLocation: false);
         Connection.ExecuteScalar<long>(
             "SELECT COUNT(*) FROM Users WHERE TenantId = @tenantId AND Email = @email AND EmailConfirmed = 1",
             [new { tenantId = DatabaseSeeder.Tenant1.Id.ToString(), email = email.ToLower() }]

application/account-management/Tests/Authentication/LogoutTests.cs

@@ -0,0 +1,62 @@
+using System.Net;
+using System.Net.Http.Json;
+using FluentAssertions;
+using PlatformPlatform.AccountManagement.Database;
+using PlatformPlatform.AccountManagement.Features.Authentication.Commands;
+using PlatformPlatform.SharedKernel.Tests;
+using Xunit;
+
+namespace PlatformPlatform.AccountManagement.Tests.Authentication;
+
+public sealed class LogoutTests : EndpointBaseTest<AccountManagementDbContext>
+{
+    [Fact]
+    public async Task Logout_WhenAuthenticatedAsOwner_ShouldSucceedAndCollectLogoutEvent()
+    {
+        // Arrange
+        var command = new LogoutCommand();
+
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.PostAsJsonAsync("/api/account-management/authentication/logout", command);
+
+        // Assert
+        await response.ShouldBeSuccessfulPostRequest(hasLocation: false);
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Count.Should().Be(1);
+        TelemetryEventsCollectorSpy.CollectedEvents[0].GetType().Name.Should().Be("Logout");
+        TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task Logout_WhenAuthenticatedAsMember_ShouldSucceedAndCollectLogoutEvent()
+    {
+        // Arrange
+        var command = new LogoutCommand();
+
+        // Act
+        var response = await AuthenticatedMemberHttpClient.PostAsJsonAsync("/api/account-management/authentication/logout", command);
+
+        // Assert
+        await response.ShouldBeSuccessfulPostRequest(hasLocation: false);
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Count.Should().Be(1);
+        TelemetryEventsCollectorSpy.CollectedEvents[0].GetType().Name.Should().Be("Logout");
+        TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task Logout_WhenNotAuthenticated_ShouldReturnUnauthorized()
+    {
+        // Arrange
+        var command = new LogoutCommand();
+
+        // Act
+        var response = await AnonymousHttpClient.PostAsJsonAsync("/api/account-management/authentication/logout", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+        TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeFalse();
+    }
+}

application/account-management/Tests/Authentication/StartLoginTests.cs

@@ -68,6 +68,9 @@ public async Task StartLoginCommand_WhenEmailIsEmpty_ShouldFail()
     [Theory]
     [InlineData("Invalid Email Format", "invalid-email")]
     [InlineData("Email Too Long", "abcdefghijklmnopqrstuvwyz0123456789-abcdefghijklmnopqrstuvwyz0123456789-abcdefghijklmnopqrstuvwyz0123456789@example.com")]
+    [InlineData("Double Dots In Domain", "neo@gmail..com")]
+    [InlineData("Comma Instead Of Dot", "q@q,com")]
+    [InlineData("Space In Domain", "tje@mentum .dk")]
     public async Task StartLoginCommand_WhenEmailInvalid_ShouldFail(string scenario, string invalidEmail)
     {
         // Arrange
@@ -91,7 +94,7 @@ public async Task StartLoginCommand_WhenEmailInvalid_ShouldFail(string scenario,
     public async Task StartLoginCommand_WhenUserDoesNotExist_ShouldReturnFakeLoginId()
     {
         // Arrange
-        var email = Faker.Internet.Email();
+        var email = Faker.Internet.UniqueEmail();
         var command = new StartLoginCommand(email);
 
         // Act

application/account-management/Tests/Authentication/SwitchTenantTests.cs

@@ -106,7 +106,7 @@ public async Task SwitchTenant_WhenUserDoesNotExistInTargetTenant_ShouldReturnFo
                 ("Id", UserId.NewId().ToString()),
                 ("CreatedAt", TimeProvider.System.GetUtcNow()),
                 ("ModifiedAt", null),
-                ("Email", Faker.Internet.Email()),
+                ("Email", Faker.Internet.UniqueEmail()),
                 ("EmailConfirmed", true),
                 ("FirstName", Faker.Name.FirstName()),
                 ("LastName", Faker.Name.LastName()),