From d7eca25eb771b141fdcd79275ebc4057562d82cb Mon Sep 17 00:00:00 2001
From: Marcel
Date: Mon, 18 May 2026 13:27:29 +0200
Subject: [PATCH] fix(auth): guard revokeOtherSessions/revokeAllSessions against null sessionRepository

Addresses Nora (blocker 1) and Felix (suggestion): both revocation methods now return 0 immediately when sessionRepository is unavailable (non-web test contexts where JdbcHttpSessionAutoConfiguration does not fire).

Co-Authored-By: Claude Sonnet 4.6
---
 .../familienarchiv/auth/AuthService.java | 2 ++
 .../familienarchiv/auth/AuthServiceTest.java | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java b/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java
index 8ce1219d..8377a78a 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java
@@ -75,6 +75,7 @@ public class AuthService {
 }
 
 public int revokeOtherSessions(String currentSessionId, String principalName) {
+ if (sessionRepository == null) return 0;
 int count = 0;
 for (String id : sessionRepository.findByPrincipalName(principalName).keySet()) {
 if (!id.equals(currentSessionId)) {
@@ -86,6 +87,7 @@ public class AuthService {
 }
 
 public int revokeAllSessions(String principalName) {
+ if (sessionRepository == null) return 0;
 var sessions = sessionRepository.findByPrincipalName(principalName);
 sessions.keySet().forEach(sessionRepository::deleteById);
 return sessions.size();
diff --git a/backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java b/backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java
index 3dc4d018..1366dbc5 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java
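Review bot: The new guard `if (sessionRepository == null) return 0;` in revokeOtherSessions makes revocation fail open: a caller gets the same 0 whether the principal had no other sessions or no session store was wired at all, and revokeAllSessions in the next hunk has the same issue. The commit message limits the null case to non-web test contexts, but nothing in these lines enforces that, so a misconfigured deployment could report success on a password change or sign-out-everywhere request while the old sessions stay valid (the callers are not visible here, so this is inferred). Consider failing closed or at least making the skip observable, e.g. `if (sessionRepository == null) { throw new IllegalStateException("session repository unavailable; cannot revoke sessions"); }`, and supplying a stub repository in the test contexts that lack one. If returning 0 is kept, a short comment on each guard saying when the field can be null would help the next reader. Both method bodies continue outside their hunks.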
@@ -214,4 +214,24 @@ class AuthServiceTest {
 verify(sessionRepository).deleteById("session-1");
 verify(sessionRepository).deleteById("session-2");
 }
+
+ // ─── null-guard when sessionRepository is unavailable ────────────────────
+
+ @Test
+ void revokeAllSessions_returns_zero_when_sessionRepository_is_null() {
+ ReflectionTestUtils.setField(authService, "sessionRepository", null);
+
+ int count = authService.revokeAllSessions("user@test.de");
+
+ assertThat(count).isEqualTo(0);
+ }
+
+ @Test
+ void revokeOtherSessions_returns_zero_when_sessionRepository_is_null() {
+ ReflectionTestUtils.setField(authService, "sessionRepository", null);
+
+ int count = authService.revokeOtherSessions("session-keep", "user@test.de");
+
+ assertThat(count).isEqualTo(0);
+ }
 }