fix(central-ui): resolve CentralUI-005 — sliding cookie session expiry (Security AddCookie + AuthEndpoints + SessionExpiry)

tests/ScadaLink.CentralUI.Tests/Auth/SessionExpiryPolicyTests.cs

@@ -0,0 +1,46 @@
+using Microsoft.AspNetCore.Authentication;
+using ScadaLink.CentralUI.Auth;
+
+namespace ScadaLink.CentralUI.Tests.Auth;
+
+/// <summary>
+/// Regression tests for CentralUI-005. <c>AuthEndpoints</c> previously stamped a
+/// fixed <c>expires_at = UtcNow + 30 min</c> claim and a 30-minute absolute cookie
+/// <c>ExpiresUtc</c> with no sliding refresh, contradicting the documented
+/// "sliding refresh, 30-minute idle timeout" policy. The login handler must now
+/// build <see cref="AuthenticationProperties"/> that let the cookie middleware
+/// own expiry (sliding window) rather than imposing a contradictory fixed
+/// absolute cap.
+/// </summary>
+public class SessionExpiryPolicyTests
+{
+    [Fact]
+    public void BuildSignInProperties_DoesNotSetFixedAbsoluteExpiry()
+    {
+        var props = AuthEndpoints.BuildSignInProperties();
+
+        // A fixed ExpiresUtc would re-introduce the hard 30-minute cap that
+        // overrides the middleware's sliding window. Expiry must be owned by
+        // the cookie middleware (ExpireTimeSpan + SlidingExpiration).
+        Assert.Null(props.ExpiresUtc);
+    }
+
+    [Fact]
+    public void BuildSignInProperties_IsPersistent()
+    {
+        var props = AuthEndpoints.BuildSignInProperties();
+
+        Assert.True(props.IsPersistent);
+    }
+
+    [Fact]
+    public void BuildSignInProperties_AllowsSlidingRefresh()
+    {
+        var props = AuthEndpoints.BuildSignInProperties();
+
+        // AllowRefresh left null/true lets the cookie middleware slide the
+        // expiry on activity. A false value would freeze the session to an
+        // absolute cap — the bug this finding pins.
+        Assert.NotEqual(false, props.AllowRefresh);
+    }
+}