From 0926ce4dda69e4bd64b8638a7d7991b49e3e5a2f Mon Sep 17 00:00:00 2001
From: Joseph Doherty <dohejw01@gmail.com>
Date: Tue, 16 Jun 2026 08:44:06 -0400
Subject: [PATCH] =?UTF-8?q?test(security):=20DL-2=20review=20nits=20?=
 =?UTF-8?q?=E2=80=94=20assert=20IsAuthenticated=20+=20clarify=20handler=20?=
 =?UTF-8?q?flag=20gating?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Auth/AutoLoginAuthenticationHandler.cs                     | 3 +++
 .../AutoLoginAuthenticationHandlerTests.cs                     | 1 +
 2 files changed, 4 insertions(+)

diff --git a/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AutoLoginAuthenticationHandler.cs b/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AutoLoginAuthenticationHandler.cs
index c170f863..0ff6137e 100644
--- a/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AutoLoginAuthenticationHandler.cs
+++ b/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AutoLoginAuthenticationHandler.cs
@@ -17,6 +17,9 @@ namespace ZB.MOM.WW.ScadaBridge.Security.Auth;
 public sealed class AutoLoginAuthenticationHandler
     : AuthenticationHandler<AuthenticationSchemeOptions>, IAuthenticationSignInHandler
 {
+    // Only _opts.User is consumed here. The DisableLogin flag is gated at registration time
+    // (AddSecurity); if DisableLogin is false this handler is never registered, so it is
+    // never reached and the flag itself is irrelevant inside the handler.
     private readonly AuthDisableLoginOptions _opts;
     private readonly TimeProvider _clock;
 
diff --git a/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/AutoLoginAuthenticationHandlerTests.cs b/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/AutoLoginAuthenticationHandlerTests.cs
index 124665b1..33662e13 100644
--- a/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/AutoLoginAuthenticationHandlerTests.cs
+++ b/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/AutoLoginAuthenticationHandlerTests.cs
@@ -49,6 +49,7 @@ public class AutoLoginAuthenticationHandlerTests
 
         Assert.True(result.Succeeded);
         var p = result.Principal!;
+        Assert.True(p.Identity!.IsAuthenticated);  // first gate checked by [Authorize] + Blazor AuthenticationStateProvider
         Assert.Equal("multi-role", p.Identity!.Name);
         foreach (var role in Roles.All)
             Assert.True(p.IsInRole(role), $"expected role {role}");