test(auth): add argon2id migration specs and fix Player password validation

  - Add spec/services/authentication/password_hasher_spec.rb (16 examples)
    covering hash, verify (argon2id, bcrypt legacy, blank inputs),
    needs_upgrade? and bcrypt?
  - Add spec/models/concerns/upgradeable_password_spec.rb (10 examples)
    covering the bcrypt→argon2id lazy upgrade path for User and Player,
    including that wrong passwords do not trigger digest update
  - Fix Player#player_password validation: add format check (uppercase +
    lowercase + digit) to match User#password strength requirements
  - Remove password_confirmation from :user factory — attribute no longer
    exists after has_secure_password was removed
  - Set DatabaseCleaner.allow_remote_database_url = true: the existing
    guard at rails_helper.rb:57 already blocks supabase/prod URLs; this
    allows Docker-network hostnames in local test runs

Author: Bulletdev

app/modules/players/models/player.rb

@@ -79,7 +79,13 @@ def authenticate_player_password(plain_password)
   validates :flex_queue_tier, inclusion: { in: Constants::Player::QUEUE_TIERS }, allow_blank: true
   validates :flex_queue_rank, inclusion: { in: Constants::Player::QUEUE_RANKS }, allow_blank: true
   validates :player_email, uniqueness: true, allow_blank: true, format: { with: URI::MailTo::EMAIL_REGEXP, allow_blank: true }
-  validates :player_password, length: { minimum: 8 }, if: -> { player_password.present? }
+  validates :player_password,
+            length: { minimum: 8, message: 'must be at least 8 characters' },
+            format: {
+              with: /\A(?=.*[a-z])(?=.*[A-Z])(?=.*\d).*\z/,
+              message: 'must contain at least one uppercase letter, one lowercase letter, and one number'
+            },
+            if: -> { player_password.present? }
 
   # Callbacks
   before_validation :hash_player_password, if: -> { player_password.present? }

spec/factories/users.rb

@@ -5,7 +5,6 @@
     association :organization
     email { Faker::Internet.email }
     password { 'Test123!@#' }
-    password_confirmation { 'Test123!@#' }
     full_name { Faker::Name.name }
     role { 'analyst' }
 

spec/models/concerns/upgradeable_password_spec.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe UpgradeablePassword, type: :model do
+  let(:password) { 'Test123!@#' }
+
+  describe 'User#authenticate (argon2id path)' do
+    let(:user) { create(:user, password: password) }
+
+    it 'returns the user for the correct password' do
+      expect(user.authenticate(password)).to eq(user)
+    end
+
+    it 'returns nil for a wrong password' do
+      expect(user.authenticate('WrongPass1')).to be_nil
+    end
+
+    it 'does not modify the digest when already argon2id' do
+      original = user.password_digest
+      user.authenticate(password)
+      expect(user.reload.password_digest).to eq(original)
+    end
+  end
+
+  describe 'User#authenticate — bcrypt to argon2id lazy migration' do
+    let(:user) { create(:user, password: password) }
+    let(:bcrypt_digest) { BCrypt::Password.create(password, cost: BCrypt::Engine::MIN_COST).to_s }
+
+    before { user.update_column(:password_digest, bcrypt_digest) }
+
+    it 'authenticates successfully against a bcrypt digest' do
+      expect(user.authenticate(password)).to eq(user)
+    end
+
+    it 'upgrades the digest to argon2id transparently after successful login' do
+      user.authenticate(password)
+      expect(user.reload.password_digest).to start_with('$argon2id$')
+    end
+
+    it 'updates updated_at alongside the digest upgrade' do
+      before = user.updated_at
+      user.authenticate(password)
+      expect(user.reload.updated_at).to be >= before
+    end
+
+    it 'does not upgrade the digest when the password is wrong' do
+      user.authenticate('WrongPass1')
+      expect(user.reload.password_digest).to eq(bcrypt_digest)
+    end
+  end
+
+  describe 'Player#authenticate_player_password — bcrypt to argon2id lazy migration' do
+    let(:player) do
+      create(:player).tap do |p|
+        argon2_digest = Authentication::PasswordHasher.hash(password)
+        p.update_column(:player_password_digest, argon2_digest)
+      end
+    end
+    let(:bcrypt_digest) { BCrypt::Password.create(password, cost: BCrypt::Engine::MIN_COST).to_s }
+
+    before { player.update_column(:player_password_digest, bcrypt_digest) }
+
+    it 'authenticates successfully against a bcrypt digest' do
+      expect(player.authenticate_player_password(password)).to eq(player)
+    end
+
+    it 'upgrades the digest to argon2id transparently after successful login' do
+      player.authenticate_player_password(password)
+      expect(player.reload.player_password_digest).to start_with('$argon2id$')
+    end
+
+    it 'does not upgrade the digest when the password is wrong' do
+      player.authenticate_player_password('WrongPass1')
+      expect(player.reload.player_password_digest).to eq(bcrypt_digest)
+    end
+  end
+end

spec/rails_helper.rb

@@ -58,7 +58,9 @@
       abort('CRITICAL: Cannot run tests against production database! Use a local test database.')
     end
 
-    DatabaseCleaner.allow_remote_database_url = false
+    # Custom guard above already aborts on 'supabase'/'prod' URLs, so we can
+    # allow Docker-network hostnames (e.g. docker-postgres-1) here safely.
+    DatabaseCleaner.allow_remote_database_url = true
 
     config.before(:suite) do
       DatabaseCleaner.clean_with(:truncation)

spec/services/authentication/password_hasher_spec.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe Authentication::PasswordHasher do
+  let(:password) { 'Test123!@#' }
+
+  describe '.hash' do
+    it 'returns a string with argon2id prefix' do
+      expect(described_class.hash(password)).to start_with('$argon2id$')
+    end
+
+    it 'produces a different digest on each call due to random salt' do
+      expect(described_class.hash(password)).not_to eq(described_class.hash(password))
+    end
+  end
+
+  describe '.verify' do
+    context 'with an argon2id digest' do
+      let(:digest) { described_class.hash(password) }
+
+      it 'returns true for the correct password' do
+        expect(described_class.verify(password, digest)).to be true
+      end
+
+      it 'returns false for a wrong password' do
+        expect(described_class.verify('WrongPass1', digest)).to be false
+      end
+    end
+
+    context 'with a bcrypt digest (legacy retrocompatibility)' do
+      let(:digest) { BCrypt::Password.create(password, cost: BCrypt::Engine::MIN_COST) }
+
+      it 'returns true for the correct password' do
+        expect(described_class.verify(password, digest)).to be true
+      end
+
+      it 'returns false for a wrong password' do
+        expect(described_class.verify('WrongPass1', digest)).to be false
+      end
+
+      it 'returns false for a malformed bcrypt string' do
+        expect(described_class.verify(password, '$2a$not_a_valid_hash')).to be false
+      end
+    end
+
+    context 'with blank inputs' do
+      let(:digest) { described_class.hash(password) }
+
+      it 'returns false when password is blank' do
+        expect(described_class.verify('', digest)).to be false
+      end
+
+      it 'returns false when digest is blank' do
+        expect(described_class.verify(password, '')).to be false
+      end
+
+      it 'returns false when both are blank' do
+        expect(described_class.verify('', '')).to be false
+      end
+    end
+  end
+
+  describe '.needs_upgrade?' do
+    it 'returns true for a bcrypt digest' do
+      digest = BCrypt::Password.create(password, cost: BCrypt::Engine::MIN_COST)
+      expect(described_class.needs_upgrade?(digest)).to be true
+    end
+
+    it 'returns false for an argon2id digest' do
+      expect(described_class.needs_upgrade?(described_class.hash(password))).to be false
+    end
+  end
+
+  describe '.bcrypt?' do
+    it 'returns true for $2a$ prefix (standard bcrypt)' do
+      expect(described_class.bcrypt?('$2a$12$somehashvalue')).to be true
+    end
+
+    it 'returns true for $2b$ prefix (canonical bcrypt)' do
+      expect(described_class.bcrypt?('$2b$12$somehashvalue')).to be true
+    end
+
+    it 'returns false for an argon2id digest' do
+      expect(described_class.bcrypt?('$argon2id$v=19$m=65536,t=3,p=2$salt$hash')).to be false
+    end
+
+    it 'returns false for a blank string' do
+      expect(described_class.bcrypt?('')).to be false
+    end
+  end
+end