fix(notification-service): resolve NotificationService-005..009 — explicit TLS modes, per-credential token cache, timeout/throttle, address validation, credential redaction

tests/ScadaLink.NotificationService.Tests/OAuth2TokenServiceTests.cs

@@ -87,6 +87,70 @@ public class OAuth2TokenServiceTests
             () => service.GetTokenAsync("tenant:client:secret"));
     }
 
+    // ── NotificationService-006: token cache must be keyed to credential identity ──
+
+    [Fact]
+    public async Task GetTokenAsync_DifferentCredentials_ReturnPerCredentialTokens()
+    {
+        // NS-006: the singleton cached a single token ignoring the credentials
+        // argument, so a second SMTP config with a different tenant/client got the
+        // first config's token. Each distinct credential must get its own token.
+        var handler = new PerTenantHttpMessageHandler();
+        var client = new HttpClient(handler);
+        var factory = CreateMockFactory(client);
+        var service = new OAuth2TokenService(factory, NullLogger<OAuth2TokenService>.Instance);
+
+        var tokenA = await service.GetTokenAsync("tenantA:clientA:secretA");
+        var tokenB = await service.GetTokenAsync("tenantB:clientB:secretB");
+
+        Assert.Equal("token-for-tenantA", tokenA);
+        Assert.Equal("token-for-tenantB", tokenB);
+    }
+
+    [Fact]
+    public async Task GetTokenAsync_SameCredentials_CachedPerCredential()
+    {
+        // NS-006: caching still works — repeated calls with the same credential
+        // identity make exactly one HTTP call.
+        var handler = new PerTenantHttpMessageHandler();
+        var client = new HttpClient(handler);
+        var factory = CreateMockFactory(client);
+        var service = new OAuth2TokenService(factory, NullLogger<OAuth2TokenService>.Instance);
+
+        await service.GetTokenAsync("tenantA:clientA:secretA");
+        await service.GetTokenAsync("tenantA:clientA:secretA");
+        await service.GetTokenAsync("tenantB:clientB:secretB");
+
+        Assert.Equal(2, handler.CallCount); // one per distinct credential, not per call
+    }
+
+    /// <summary>
+    /// HTTP handler that returns a distinct access token per tenant id, parsed from
+    /// the request URL (<c>https://login.microsoftonline.com/{tenantId}/...</c>).
+    /// </summary>
+    private class PerTenantHttpMessageHandler : HttpMessageHandler
+    {
+        public int CallCount { get; private set; }
+
+        protected override Task<HttpResponseMessage> SendAsync(
+            HttpRequestMessage request, CancellationToken cancellationToken)
+        {
+            CallCount++;
+            var segments = request.RequestUri!.AbsolutePath.Trim('/').Split('/');
+            var tenantId = segments[0];
+            var json = JsonSerializer.Serialize(new
+            {
+                access_token = $"token-for-{tenantId}",
+                expires_in = 3600,
+                token_type = "Bearer"
+            });
+            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)
+            {
+                Content = new StringContent(json)
+            });
+        }
+    }
+
     /// <summary>
     /// Simple mock HTTP handler that returns a fixed response.
     /// </summary>