create Infrastructure directory

src/Core/Infrastructure/Infrastructure.Jwt/IJwtService.cs

@@ -0,0 +1,6 @@
+namespace Service.Core.Jwt;
+
+public interface IJwtService
+{
+    string GenerateJwt(Guid userId, string username, DateTime expiry);
+}

src/Core/Infrastructure/Infrastructure.Jwt/Infrastructure.Jwt.csproj

@@ -0,0 +1,13 @@
+<Project Sdk="Microsoft.NET.Sdk">
+   <PropertyGroup>
+      <TargetFramework>net10.0</TargetFramework>
+      <ImplicitUsings>enable</ImplicitUsings>
+      <Nullable>enable</Nullable>
+      <RootNamespace>Service.Core.Jwt</RootNamespace>
+   </PropertyGroup>
+
+   <ItemGroup>
+      <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.2.1" />
+      <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.2.1" />
+   </ItemGroup>
+</Project>

src/Core/Infrastructure/Infrastructure.Jwt/JwtService.cs

@@ -0,0 +1,36 @@
+using System.Security.Claims;
+using System.Text;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Tokens;
+using JwtRegisteredClaimNames = System.IdentityModel.Tokens.Jwt.JwtRegisteredClaimNames;
+
+namespace Service.Core.Jwt;
+public class JwtService : IJwtService
+{
+    private readonly string? _secret = Environment.GetEnvironmentVariable("JWT_SECRET");
+    public string GenerateJwt(Guid userId, string username, DateTime expiry)
+    {
+        var handler = new JsonWebTokenHandler();
+
+        var key = Encoding.UTF8.GetBytes(_secret ?? throw new InvalidOperationException("secret not set"));
+
+        // Base claims (always present)
+        var claims = new List<Claim>
+        {
+            new(JwtRegisteredClaimNames.Sub, userId.ToString()),
+            new(JwtRegisteredClaimNames.UniqueName, username),
+            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
+        };
+
+        var tokenDescriptor = new SecurityTokenDescriptor
+        {
+            Subject = new ClaimsIdentity(claims),
+            Expires = expiry,
+            SigningCredentials = new SigningCredentials(
+                new SymmetricSecurityKey(key),
+                SecurityAlgorithms.HmacSha256)
+        };
+
+        return handler.CreateToken(tokenDescriptor);
+    }
+}

src/Core/Infrastructure/Infrastructure.PasswordHashing/IPasswordService.cs

@@ -0,0 +1,7 @@
+namespace Service.Core.Password;
+
+public interface IPasswordService
+{
+    public string Hash(string password);
+    public bool Verify(string password, string stored);
+}

src/Core/Infrastructure/Infrastructure.PasswordHashing/Infrastructure.PasswordHashing.csproj

@@ -0,0 +1,12 @@
+<Project Sdk="Microsoft.NET.Sdk">
+   <PropertyGroup>
+      <TargetFramework>net10.0</TargetFramework>
+      <ImplicitUsings>enable</ImplicitUsings>
+      <Nullable>enable</Nullable>
+      <RootNamespace>Service.Core.Password</RootNamespace>
+   </PropertyGroup>
+
+   <ItemGroup>
+      <PackageReference Include="Konscious.Security.Cryptography.Argon2" Version="1.3.1" />
+   </ItemGroup>
+</Project>

src/Core/Infrastructure/Infrastructure.PasswordHashing/PasswordService.cs

@@ -0,0 +1,55 @@
+using System.Security.Cryptography;
+using System.Text;
+using Konscious.Security.Cryptography;
+
+namespace Service.Core.Password;
+
+public class PasswordService : IPasswordService
+{
+    private const int SaltSize = 16; // 128-bit
+    private const int HashSize = 32; // 256-bit
+    private const int ArgonIterations = 4;
+    private const int ArgonMemoryKb = 65536; // 64MB
+
+    public string Hash(string password)
+    {
+        var salt = RandomNumberGenerator.GetBytes(SaltSize);
+        var argon2 = new Argon2id(Encoding.UTF8.GetBytes(password))
+        {
+            Salt = salt,
+            DegreeOfParallelism = Math.Max(Environment.ProcessorCount, 1),
+            MemorySize = ArgonMemoryKb,
+            Iterations = ArgonIterations
+        };
+
+        var hash = argon2.GetBytes(HashSize);
+        return $"{Convert.ToBase64String(salt)}:{Convert.ToBase64String(hash)}";
+    }
+
+    public bool Verify(string password, string stored)
+    {
+        try
+        {
+            var parts = stored.Split(':', StringSplitOptions.RemoveEmptyEntries);
+            if (parts.Length != 2) return false;
+
+            var salt = Convert.FromBase64String(parts[0]);
+            var expected = Convert.FromBase64String(parts[1]);
+
+            var argon2 = new Argon2id(Encoding.UTF8.GetBytes(password))
+            {
+                Salt = salt,
+                DegreeOfParallelism = Math.Max(Environment.ProcessorCount, 1),
+                MemorySize = ArgonMemoryKb,
+                Iterations = ArgonIterations
+            };
+
+            var actual = argon2.GetBytes(expected.Length);
+            return CryptographicOperations.FixedTimeEquals(actual, expected);
+        }
+        catch
+        {
+            return false;
+        }
+    }
+}

src/Core/Infrastructure/Infrastructure.Repository/Repository.Core/Repositories/Auth/AuthRepository.cs

@@ -0,0 +1,168 @@
+using System.Data;
+using System.Data.Common;
+using Domain.Core.Entities;
+using Repository.Core.Sql;
+
+namespace Repository.Core.Repositories.Auth
+{
+    public class AuthRepository : Repository<Domain.Core.Entities.UserAccount>, IAuthRepository
+    {
+        public AuthRepository(ISqlConnectionFactory connectionFactory)
+            : base(connectionFactory)
+        {
+        }
+
+
+        public async Task<Domain.Core.Entities.UserAccount> RegisterUserAsync(
+            string username,
+            string firstName,
+            string lastName,
+            string email,
+            DateTime dateOfBirth,
+            string passwordHash)
+        {
+            await using var connection = await CreateConnection();
+            await using var command = connection.CreateCommand();
+
+            command.CommandText = "USP_RegisterUser";
+            command.CommandType = CommandType.StoredProcedure;
+
+            AddParameter(command, "@Username", username);
+            AddParameter(command, "@FirstName", firstName);
+            AddParameter(command, "@LastName", lastName);
+            AddParameter(command, "@Email", email);
+            AddParameter(command, "@DateOfBirth", dateOfBirth);
+            AddParameter(command, "@Hash", passwordHash);
+
+            var result = await command.ExecuteScalarAsync();
+            var userAccountId = result != null ? (Guid)result : Guid.Empty;
+
+            return new Domain.Core.Entities.UserAccount
+            {
+                UserAccountId = userAccountId,
+                Username = username,
+                FirstName = firstName,
+                LastName = lastName,
+                Email = email,
+                DateOfBirth = dateOfBirth,
+                CreatedAt = DateTime.UtcNow
+            };
+        }
+
+
+        public async Task<Domain.Core.Entities.UserAccount?> GetUserByEmailAsync(string email)
+        {
+            await using var connection = await CreateConnection();
+            await using var command = connection.CreateCommand();
+            command.CommandText = "usp_GetUserAccountByEmail";
+            command.CommandType = CommandType.StoredProcedure;
+
+            AddParameter(command, "@Email", email);
+
+            await using var reader = await command.ExecuteReaderAsync();
+            return await reader.ReadAsync() ? MapToEntity(reader) : null;
+        }
+
+
+        public async Task<Domain.Core.Entities.UserAccount?> GetUserByUsernameAsync(string username)
+        {
+            await using var connection = await CreateConnection();
+            await using var command = connection.CreateCommand();
+            command.CommandText = "usp_GetUserAccountByUsername";
+            command.CommandType = CommandType.StoredProcedure;
+
+            AddParameter(command, "@Username", username);
+
+            await using var reader = await command.ExecuteReaderAsync();
+            return await reader.ReadAsync() ? MapToEntity(reader) : null;
+        }
+
+        public async Task<UserCredential?> GetActiveCredentialByUserAccountIdAsync(Guid userAccountId)
+        {
+            await using var connection = await CreateConnection();
+            await using var command = connection.CreateCommand();
+            command.CommandText = "USP_GetActiveUserCredentialByUserAccountId";
+            command.CommandType = CommandType.StoredProcedure;
+
+            AddParameter(command, "@UserAccountId", userAccountId);
+
+            await using var reader = await command.ExecuteReaderAsync();
+            return await reader.ReadAsync() ? MapToCredentialEntity(reader) : null;
+        }
+
+        public async Task RotateCredentialAsync(Guid userAccountId, string newPasswordHash)
+        {
+            await using var connection = await CreateConnection();
+            await using var command = connection.CreateCommand();
+            command.CommandText = "USP_RotateUserCredential";
+            command.CommandType = CommandType.StoredProcedure;
+
+            AddParameter(command, "@UserAccountId_", userAccountId);
+            AddParameter(command, "@Hash", newPasswordHash);
+
+            await command.ExecuteNonQueryAsync();
+        }
+
+        /// <summary>
+        /// Maps a data reader row to a UserAccount entity.
+        /// </summary>
+        protected override Domain.Core.Entities.UserAccount MapToEntity(DbDataReader reader)
+        {
+            return new Domain.Core.Entities.UserAccount
+            {
+                UserAccountId = reader.GetGuid(reader.GetOrdinal("UserAccountId")),
+                Username = reader.GetString(reader.GetOrdinal("Username")),
+                FirstName = reader.GetString(reader.GetOrdinal("FirstName")),
+                LastName = reader.GetString(reader.GetOrdinal("LastName")),
+                Email = reader.GetString(reader.GetOrdinal("Email")),
+                CreatedAt = reader.GetDateTime(reader.GetOrdinal("CreatedAt")),
+                UpdatedAt = reader.IsDBNull(reader.GetOrdinal("UpdatedAt"))
+                    ? null
+                    : reader.GetDateTime(reader.GetOrdinal("UpdatedAt")),
+                DateOfBirth = reader.GetDateTime(reader.GetOrdinal("DateOfBirth")),
+                Timer = reader.IsDBNull(reader.GetOrdinal("Timer"))
+                    ? null
+                    : (byte[])reader["Timer"]
+            };
+        }
+
+        /// <summary>
+        /// Maps a data reader row to a UserCredential entity.
+        /// </summary>
+        private static UserCredential MapToCredentialEntity(DbDataReader reader)
+        {
+            var entity = new UserCredential
+            {
+                UserCredentialId = reader.GetGuid(reader.GetOrdinal("UserCredentialId")),
+                UserAccountId = reader.GetGuid(reader.GetOrdinal("UserAccountId")),
+                Hash = reader.GetString(reader.GetOrdinal("Hash")),
+                CreatedAt = reader.GetDateTime(reader.GetOrdinal("CreatedAt"))
+            };
+
+            // Optional columns
+            var hasTimer = reader.GetSchemaTable()?.Rows
+                               .Cast<System.Data.DataRow>()
+                               .Any(r => string.Equals(r["ColumnName"]?.ToString(), "Timer",
+                                   StringComparison.OrdinalIgnoreCase)) ??
+                           false;
+
+            if (hasTimer)
+            {
+                entity.Timer = reader.IsDBNull(reader.GetOrdinal("Timer")) ? null : (byte[])reader["Timer"];
+            }
+
+            return entity;
+        }
+
+        /// <summary>
+        /// Helper method to add a parameter to a database command.
+        /// </summary>
+        private static void AddParameter(DbCommand command, string name, object? value)
+        {
+            var p = command.CreateParameter();
+            p.ParameterName = name;
+            p.Value = value ?? DBNull.Value;
+            command.Parameters.Add(p);
+        }
+    }
+}

src/Core/Infrastructure/Infrastructure.Repository/Repository.Core/Repositories/Auth/IAuthRepository.cs

@@ -0,0 +1,61 @@
+using Domain.Core.Entities;
+
+namespace Repository.Core.Repositories.Auth
+{
+    /// <summary>
+    /// Repository for authentication-related database operations including user registration and credential management.
+    /// </summary>
+    public interface IAuthRepository
+    {
+        /// <summary>
+        /// Registers a new user with account details and initial credential.
+        /// Uses stored procedure: USP_RegisterUser
+        /// </summary>
+        /// <param name="username">Unique username for the user</param>
+        /// <param name="firstName">User's first name</param>
+        /// <param name="lastName">User's last name</param>
+        /// <param name="email">User's email address</param>
+        /// <param name="dateOfBirth">User's date of birth</param>
+        /// <param name="passwordHash">Hashed password</param>
+        /// <returns>The newly created UserAccount with generated ID</returns>
+        Task<Domain.Core.Entities.UserAccount> RegisterUserAsync(
+            string username,
+            string firstName,
+            string lastName,
+            string email,
+            DateTime dateOfBirth,
+            string passwordHash);
+
+        /// <summary>
+        /// Retrieves a user account by email address (typically used for login).
+        /// Uses stored procedure: usp_GetUserAccountByEmail
+        /// </summary>
+        /// <param name="email">Email address to search for</param>
+        /// <returns>UserAccount if found, null otherwise</returns>
+        Task<Domain.Core.Entities.UserAccount?> GetUserByEmailAsync(string email);
+
+        /// <summary>
+        /// Retrieves a user account by username (typically used for login).
+        /// Uses stored procedure: usp_GetUserAccountByUsername
+        /// </summary>
+        /// <param name="username">Username to search for</param>
+        /// <returns>UserAccount if found, null otherwise</returns>
+        Task<Domain.Core.Entities.UserAccount?> GetUserByUsernameAsync(string username);
+
+        /// <summary>
+        /// Retrieves the active (non-revoked) credential for a user account.
+        /// Uses stored procedure: USP_GetActiveUserCredentialByUserAccountId
+        /// </summary>
+        /// <param name="userAccountId">ID of the user account</param>
+        /// <returns>Active UserCredential if found, null otherwise</returns>
+        Task<UserCredential?> GetActiveCredentialByUserAccountIdAsync(Guid userAccountId);
+
+        /// <summary>
+        /// Rotates a user's credential by invalidating all existing credentials and creating a new one.
+        /// Uses stored procedure: USP_RotateUserCredential
+        /// </summary>
+        /// <param name="userAccountId">ID of the user account</param>
+        /// <param name="newPasswordHash">New hashed password</param>
+        Task RotateCredentialAsync(Guid userAccountId, string newPasswordHash);
+    }
+}

src/Core/Infrastructure/Infrastructure.Repository/Repository.Core/Repositories/Repository.cs

@@ -0,0 +1,18 @@
+using System.Data.Common;
+using Repository.Core.Sql;
+
+namespace Repository.Core.Repositories
+{
+    public abstract class Repository<T>(ISqlConnectionFactory connectionFactory)
+        where T : class
+    {
+        protected async Task<DbConnection> CreateConnection()
+        {
+            var connection = connectionFactory.CreateConnection();
+            await connection.OpenAsync();
+            return connection;
+        }
+
+        protected abstract T MapToEntity(DbDataReader reader);
+    }
+}

src/Core/Infrastructure/Infrastructure.Repository/Repository.Core/Repositories/UserAccount/IUserAccountRepository.cs

@@ -0,0 +1,15 @@
+using Domain.Core.Entities;
+
+
+namespace Repository.Core.Repositories.UserAccount
+{
+    public interface IUserAccountRepository
+    {
+        Task<Domain.Core.Entities.UserAccount?> GetByIdAsync(Guid id);
+        Task<IEnumerable<Domain.Core.Entities.UserAccount>> GetAllAsync(int? limit, int? offset);
+        Task UpdateAsync(Domain.Core.Entities.UserAccount userAccount);
+        Task DeleteAsync(Guid id);
+        Task<Domain.Core.Entities.UserAccount?> GetByUsernameAsync(string username);
+        Task<Domain.Core.Entities.UserAccount?> GetByEmailAsync(string email);
+    }
+}

src/Core/Infrastructure/Infrastructure.Repository/Repository.Core/Repositories/UserAccount/UserAccountRepository.cs

@@ -0,0 +1,130 @@
+using System.Data;
+using System.Data.Common;
+using Domain.Core.Entities;
+using Repository.Core.Sql;
+
+namespace Repository.Core.Repositories.UserAccount
+{
+    public class UserAccountRepository(ISqlConnectionFactory connectionFactory)
+        : Repository<Domain.Core.Entities.UserAccount>(connectionFactory), IUserAccountRepository
+    {
+        public async Task<Domain.Core.Entities.UserAccount?> GetByIdAsync(Guid id)
+        {
+            await using var connection = await CreateConnection();
+            await using var command = connection.CreateCommand();
+            command.CommandText = "usp_GetUserAccountById";
+            command.CommandType = CommandType.StoredProcedure;
+
+            AddParameter(command, "@UserAccountId", id);
+
+            await using var reader = await command.ExecuteReaderAsync();
+            return await reader.ReadAsync() ? MapToEntity(reader) : null;
+        }
+
+        public async Task<IEnumerable<Domain.Core.Entities.UserAccount>> GetAllAsync(int? limit, int? offset)
+        {
+            await using var connection = await CreateConnection();
+            await using var command = connection.CreateCommand();
+            command.CommandText = "usp_GetAllUserAccounts";
+            command.CommandType = CommandType.StoredProcedure;
+
+            if (limit.HasValue)
+                AddParameter(command, "@Limit", limit.Value);
+
+            if (offset.HasValue)
+                AddParameter(command, "@Offset", offset.Value);
+
+            await using var reader = await command.ExecuteReaderAsync();
+            var users = new List<Domain.Core.Entities.UserAccount>();
+
+            while (await reader.ReadAsync())
+            {
+                users.Add(MapToEntity(reader));
+            }
+
+            return users;
+        }
+
+        public async Task UpdateAsync(Domain.Core.Entities.UserAccount userAccount)
+        {
+            await using var connection = await CreateConnection();
+            await using var command = connection.CreateCommand();
+            command.CommandText = "usp_UpdateUserAccount";
+            command.CommandType = CommandType.StoredProcedure;
+
+            AddParameter(command, "@UserAccountId", userAccount.UserAccountId);
+            AddParameter(command, "@Username", userAccount.Username);
+            AddParameter(command, "@FirstName", userAccount.FirstName);
+            AddParameter(command, "@LastName", userAccount.LastName);
+            AddParameter(command, "@Email", userAccount.Email);
+            AddParameter(command, "@DateOfBirth", userAccount.DateOfBirth);
+
+            await command.ExecuteNonQueryAsync();
+        }
+
+        public async Task DeleteAsync(Guid id)
+        {
+            await using var connection = await CreateConnection();
+            await using var command = connection.CreateCommand();
+            command.CommandText = "usp_DeleteUserAccount";
+            command.CommandType = CommandType.StoredProcedure;
+
+            AddParameter(command, "@UserAccountId", id);
+            await command.ExecuteNonQueryAsync();
+        }
+
+        public async Task<Domain.Core.Entities.UserAccount?> GetByUsernameAsync(string username)
+        {
+            await using var connection = await CreateConnection();
+            await using var command = connection.CreateCommand();
+            command.CommandText = "usp_GetUserAccountByUsername";
+            command.CommandType = CommandType.StoredProcedure;
+
+            AddParameter(command, "@Username", username);
+
+            await using var reader = await command.ExecuteReaderAsync();
+            return await reader.ReadAsync() ? MapToEntity(reader) : null;
+        }
+
+        public async Task<Domain.Core.Entities.UserAccount?> GetByEmailAsync(string email)
+        {
+            await using var connection = await CreateConnection();
+            await using var command = connection.CreateCommand();
+            command.CommandText = "usp_GetUserAccountByEmail";
+            command.CommandType = CommandType.StoredProcedure;
+
+            AddParameter(command, "@Email", email);
+
+            await using var reader = await command.ExecuteReaderAsync();
+            return await reader.ReadAsync() ? MapToEntity(reader) : null;
+        }
+
+        protected override Domain.Core.Entities.UserAccount MapToEntity(DbDataReader reader)
+        {
+            return new Domain.Core.Entities.UserAccount
+            {
+                UserAccountId = reader.GetGuid(reader.GetOrdinal("UserAccountId")),
+                Username = reader.GetString(reader.GetOrdinal("Username")),
+                FirstName = reader.GetString(reader.GetOrdinal("FirstName")),
+                LastName = reader.GetString(reader.GetOrdinal("LastName")),
+                Email = reader.GetString(reader.GetOrdinal("Email")),
+                CreatedAt = reader.GetDateTime(reader.GetOrdinal("CreatedAt")),
+                UpdatedAt = reader.IsDBNull(reader.GetOrdinal("UpdatedAt"))
+                    ? null
+                    : reader.GetDateTime(reader.GetOrdinal("UpdatedAt")),
+                DateOfBirth = reader.GetDateTime(reader.GetOrdinal("DateOfBirth")),
+                Timer = reader.IsDBNull(reader.GetOrdinal("Timer"))
+                    ? null
+                    : (byte[])reader["Timer"]
+            };
+        }
+
+        private static void AddParameter(DbCommand command, string name, object? value)
+        {
+            var p = command.CreateParameter();
+            p.ParameterName = name;
+            p.Value = value ?? DBNull.Value;
+            command.Parameters.Add(p);
+        }
+    }
+}

src/Core/Infrastructure/Infrastructure.Repository/Repository.Core/Repository.Core.csproj

@@ -0,0 +1,20 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <RootNamespace>Repository.Core</RootNamespace>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Data.SqlClient" Version="6.1.3" />
+    <PackageReference
+      Include="Microsoft.SqlServer.Types"
+      Version="160.1000.6"
+    />
+    <PackageReference Include="System.Data.SqlClient" Version="4.9.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="8.0.0" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\..\..\Domain\Domain.csproj" />
+  </ItemGroup>
+</Project>

src/Core/Infrastructure/Infrastructure.Repository/Repository.Core/Sql/DefaultSqlConnectionFactory.cs

@@ -0,0 +1,46 @@
+using System.Data.Common;
+using Microsoft.Data.SqlClient;
+using Microsoft.Extensions.Configuration;
+
+
+namespace Repository.Core.Sql
+{
+    public class DefaultSqlConnectionFactory(IConfiguration configuration) : ISqlConnectionFactory
+    {
+        private readonly string _connectionString = GetConnectionString(configuration);
+
+        private static string GetConnectionString(IConfiguration configuration)
+        {
+            // Check for full connection string first
+            var fullConnectionString = Environment.GetEnvironmentVariable("DB_CONNECTION_STRING");
+            if (!string.IsNullOrEmpty(fullConnectionString))
+            {
+                return fullConnectionString;
+            }
+
+            // Try to build from individual environment variables (preferred method for Docker)
+            try
+            {
+                return SqlConnectionStringHelper.BuildConnectionString();
+            }
+            catch (InvalidOperationException)
+            {
+                // Fall back to configuration-based connection string if env vars are not set
+                var connString = configuration.GetConnectionString("Default");
+                if (!string.IsNullOrEmpty(connString))
+                {
+                    return connString;
+                }
+
+                throw new InvalidOperationException(
+                    "Database connection string not configured. Set DB_CONNECTION_STRING or DB_SERVER, DB_NAME, DB_USER, DB_PASSWORD env vars or ConnectionStrings:Default."
+                );
+            }
+        }
+
+        public DbConnection CreateConnection()
+        {
+            return new SqlConnection(_connectionString);
+        }
+    }
+}

src/Core/Infrastructure/Infrastructure.Repository/Repository.Core/Sql/ISqlConnectionFactory.cs

@@ -0,0 +1,9 @@
+using System.Data.Common;
+
+namespace Repository.Core.Sql
+{
+    public interface ISqlConnectionFactory
+    {
+        DbConnection CreateConnection();
+    }
+}

src/Core/Infrastructure/Infrastructure.Repository/Repository.Core/Sql/SqlConnectionStringHelper.cs

@@ -0,0 +1,50 @@
+using Microsoft.Data.SqlClient;
+
+namespace Repository.Core.Sql
+{
+    public static class SqlConnectionStringHelper
+    {
+        /// <summary>
+        /// Builds a SQL Server connection string from environment variables.
+        /// Expects DB_SERVER, DB_NAME, DB_USER, DB_PASSWORD, and DB_TRUST_SERVER_CERTIFICATE.
+        /// </summary>
+        /// <param name="databaseName">Optional override for the database name. If null, uses DB_NAME env var.</param>
+        /// <returns>A properly formatted SQL Server connection string.</returns>
+        public static string BuildConnectionString(string? databaseName = null)
+        {
+            var server = Environment.GetEnvironmentVariable("DB_SERVER")
+                ?? throw new InvalidOperationException("DB_SERVER environment variable is not set");
+
+            var dbName = databaseName
+                ?? Environment.GetEnvironmentVariable("DB_NAME")
+                ?? throw new InvalidOperationException("DB_NAME environment variable is not set");
+
+            var user = Environment.GetEnvironmentVariable("DB_USER")
+                ?? throw new InvalidOperationException("DB_USER environment variable is not set");
+
+            var password = Environment.GetEnvironmentVariable("DB_PASSWORD")
+                ?? throw new InvalidOperationException("DB_PASSWORD environment variable is not set");
+
+            var builder = new SqlConnectionStringBuilder
+            {
+                DataSource = server,
+                InitialCatalog = dbName,
+                UserID = user,
+                Password = password,
+                TrustServerCertificate = true,
+                Encrypt = true
+            };
+
+            return builder.ConnectionString;
+        }
+
+        /// <summary>
+        /// Builds a connection string to the master database using environment variables.
+        /// </summary>
+        /// <returns>A connection string for the master database.</returns>
+        public static string BuildMasterConnectionString()
+        {
+            return BuildConnectionString("master");
+        }
+    }
+}

src/Core/Infrastructure/Infrastructure.Repository/Repository.Tests/Auth/AuthRepository.test.cs

@@ -0,0 +1,219 @@
+using Apps72.Dev.Data.DbMocker;
+using Repository.Core.Repositories.Auth;
+using FluentAssertions;
+using Repository.Tests.Database;
+using System.Data;
+
+namespace Repository.Tests.Auth;
+
+public class AuthRepositoryTest
+{
+    private static AuthRepository CreateRepo(MockDbConnection conn)
+        => new(new TestConnectionFactory(conn));
+
+    [Fact]
+    public async Task RegisterUserAsync_CreatesUserWithCredential_ReturnsUserAccount()
+    {
+        var expectedUserId = Guid.NewGuid();
+        var conn = new MockDbConnection();
+
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "USP_RegisterUser")
+            .ReturnsTable(MockTable.WithColumns(("UserAccountId", typeof(Guid)))
+                .AddRow(expectedUserId));
+
+        var repo = CreateRepo(conn);
+        var result = await repo.RegisterUserAsync(
+            username: "testuser",
+            firstName: "Test",
+            lastName: "User",
+            email: "test@example.com",
+            dateOfBirth: new DateTime(1990, 1, 1),
+            passwordHash: "hashedpassword123"
+        );
+
+        result.Should().NotBeNull();
+        result.UserAccountId.Should().Be(expectedUserId);
+        result.Username.Should().Be("testuser");
+        result.FirstName.Should().Be("Test");
+        result.LastName.Should().Be("User");
+        result.Email.Should().Be("test@example.com");
+        result.DateOfBirth.Should().Be(new DateTime(1990, 1, 1));
+    }
+
+    [Fact]
+    public async Task GetUserByEmailAsync_ReturnsUser_WhenExists()
+    {
+        var userId = Guid.NewGuid();
+        var conn = new MockDbConnection();
+
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "usp_GetUserAccountByEmail")
+            .ReturnsTable(MockTable.WithColumns(
+                ("UserAccountId", typeof(Guid)),
+                ("Username", typeof(string)),
+                ("FirstName", typeof(string)),
+                ("LastName", typeof(string)),
+                ("Email", typeof(string)),
+                ("CreatedAt", typeof(DateTime)),
+                ("UpdatedAt", typeof(DateTime?)),
+                ("DateOfBirth", typeof(DateTime)),
+                ("Timer", typeof(byte[]))
+            ).AddRow(
+                userId,
+                "emailuser",
+                "Email",
+                "User",
+                "emailuser@example.com",
+                DateTime.UtcNow,
+                null,
+                new DateTime(1990, 5, 15),
+                null
+            ));
+
+        var repo = CreateRepo(conn);
+        var result = await repo.GetUserByEmailAsync("emailuser@example.com");
+
+        result.Should().NotBeNull();
+        result!.UserAccountId.Should().Be(userId);
+        result.Username.Should().Be("emailuser");
+        result.Email.Should().Be("emailuser@example.com");
+        result.FirstName.Should().Be("Email");
+        result.LastName.Should().Be("User");
+    }
+
+    [Fact]
+    public async Task GetUserByEmailAsync_ReturnsNull_WhenNotExists()
+    {
+        var conn = new MockDbConnection();
+
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "usp_GetUserAccountByEmail")
+            .ReturnsTable(MockTable.Empty());
+
+        var repo = CreateRepo(conn);
+        var result = await repo.GetUserByEmailAsync("nonexistent@example.com");
+
+        result.Should().BeNull();
+    }
+
+    [Fact]
+    public async Task GetUserByUsernameAsync_ReturnsUser_WhenExists()
+    {
+        var userId = Guid.NewGuid();
+        var conn = new MockDbConnection();
+
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "usp_GetUserAccountByUsername")
+            .ReturnsTable(MockTable.WithColumns(
+                ("UserAccountId", typeof(Guid)),
+                ("Username", typeof(string)),
+                ("FirstName", typeof(string)),
+                ("LastName", typeof(string)),
+                ("Email", typeof(string)),
+                ("CreatedAt", typeof(DateTime)),
+                ("UpdatedAt", typeof(DateTime?)),
+                ("DateOfBirth", typeof(DateTime)),
+                ("Timer", typeof(byte[]))
+            ).AddRow(
+                userId,
+                "usernameuser",
+                "Username",
+                "User",
+                "username@example.com",
+                DateTime.UtcNow,
+                null,
+                new DateTime(1985, 8, 20),
+                null
+            ));
+
+        var repo = CreateRepo(conn);
+        var result = await repo.GetUserByUsernameAsync("usernameuser");
+
+        result.Should().NotBeNull();
+        result!.UserAccountId.Should().Be(userId);
+        result.Username.Should().Be("usernameuser");
+        result.Email.Should().Be("username@example.com");
+    }
+
+    [Fact]
+    public async Task GetUserByUsernameAsync_ReturnsNull_WhenNotExists()
+    {
+        var conn = new MockDbConnection();
+
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "usp_GetUserAccountByUsername")
+            .ReturnsTable(MockTable.Empty());
+
+        var repo = CreateRepo(conn);
+        var result = await repo.GetUserByUsernameAsync("nonexistent");
+
+        result.Should().BeNull();
+    }
+
+    [Fact]
+    public async Task GetActiveCredentialByUserAccountIdAsync_ReturnsCredential_WhenExists()
+    {
+        var userId = Guid.NewGuid();
+        var credentialId = Guid.NewGuid();
+        var conn = new MockDbConnection();
+
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "USP_GetActiveUserCredentialByUserAccountId")
+            .ReturnsTable(MockTable.WithColumns(
+                ("UserCredentialId", typeof(Guid)),
+                ("UserAccountId", typeof(Guid)),
+                ("Hash", typeof(string)),
+                ("CreatedAt", typeof(DateTime)),
+                ("Timer", typeof(byte[]))
+            ).AddRow(
+                credentialId,
+                userId,
+                "hashed_password_value",
+                DateTime.UtcNow,
+                null
+            ));
+
+        var repo = CreateRepo(conn);
+        var result = await repo.GetActiveCredentialByUserAccountIdAsync(userId);
+
+        result.Should().NotBeNull();
+        result!.UserCredentialId.Should().Be(credentialId);
+        result.UserAccountId.Should().Be(userId);
+        result.Hash.Should().Be("hashed_password_value");
+    }
+
+    [Fact]
+    public async Task GetActiveCredentialByUserAccountIdAsync_ReturnsNull_WhenNotExists()
+    {
+        var userId = Guid.NewGuid();
+        var conn = new MockDbConnection();
+
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "USP_GetActiveUserCredentialByUserAccountId")
+            .ReturnsTable(MockTable.Empty());
+
+        var repo = CreateRepo(conn);
+        var result = await repo.GetActiveCredentialByUserAccountIdAsync(userId);
+
+        result.Should().BeNull();
+    }
+
+    [Fact]
+    public async Task RotateCredentialAsync_ExecutesSuccessfully()
+    {
+        var userId = Guid.NewGuid();
+        var newPasswordHash = "new_hashed_password";
+        var conn = new MockDbConnection();
+
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "USP_RotateUserCredential")
+            .ReturnsScalar(1);
+
+        var repo = CreateRepo(conn);
+
+        // Should not throw
+        var act = async () => await repo.RotateCredentialAsync(userId, newPasswordHash);
+        await act.Should().NotThrowAsync();
+    }
+}

src/Core/Infrastructure/Infrastructure.Repository/Repository.Tests/Dockerfile

@@ -0,0 +1,15 @@
+FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
+ARG BUILD_CONFIGURATION=Release
+WORKDIR /src
+COPY ["Domain/Domain.csproj", "Domain/"]
+COPY ["Infrastructure/Infrastructure.Repository/Repository.Core/Repository.Core.csproj", "Infrastructure/Infrastructure.Repository/Repository.Core/"]
+COPY ["Infrastructure/Infrastructure.Repository/Repository.Tests/Repository.Tests.csproj", "Infrastructure/Infrastructure.Repository/Repository.Tests/"]
+RUN dotnet restore "Infrastructure/Infrastructure.Repository/Repository.Tests/Repository.Tests.csproj"
+COPY . .
+WORKDIR "/src/Infrastructure/Infrastructure.Repository/Repository.Tests"
+RUN dotnet build "./Repository.Tests.csproj" -c $BUILD_CONFIGURATION -o /app/build
+
+FROM build AS final
+RUN mkdir -p /app/test-results
+WORKDIR /src/Infrastructure/Infrastructure.Repository/Repository.Tests
+ENTRYPOINT ["dotnet", "test", "./Repository.Tests.csproj", "-c", "Release", "--logger", "trx;LogFileName=/app/test-results/repository-tests.trx"]

src/Core/Infrastructure/Infrastructure.Repository/Repository.Tests/Repository.Tests.csproj

@@ -0,0 +1,31 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <IsPackable>false</IsPackable>
+    <RootNamespace>Repository.Tests</RootNamespace>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="coverlet.collector" Version="6.0.2" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
+    <PackageReference Include="Moq" Version="4.20.72" />
+    <PackageReference Include="xunit" Version="2.9.2" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" />
+    <PackageReference Include="FluentAssertions" Version="6.9.0" />
+    <PackageReference Include="DbMocker" Version="1.26.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration" Version="9.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="9.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="9.0.0" />
+    <PackageReference Include="Microsoft.Data.SqlClient" Version="6.1.3" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <Using Include="Xunit" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\Repository.Core\Repository.Core.csproj" />
+  </ItemGroup>
+</Project>

src/Core/Infrastructure/Infrastructure.Repository/Repository.Tests/UserAccount/UserAccountRepository.test.cs

@@ -0,0 +1,119 @@
+using Apps72.Dev.Data.DbMocker;
+using Repository.Core.Repositories.UserAccount;
+using FluentAssertions;
+using Repository.Tests.Database;
+
+namespace Repository.Tests.UserAccount;
+
+public class UserAccountRepositoryTest
+{
+    private static UserAccountRepository CreateRepo(MockDbConnection conn)
+        => new(new TestConnectionFactory(conn));
+
+    [Fact]
+    public async Task GetByIdAsync_ReturnsRow_Mapped()
+    {
+        var conn = new MockDbConnection();
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "usp_GetUserAccountById")
+            .ReturnsTable(MockTable.WithColumns(
+                ("UserAccountId", typeof(Guid)),
+                ("Username", typeof(string)),
+                ("FirstName", typeof(string)),
+                ("LastName", typeof(string)),
+                ("Email", typeof(string)),
+                ("CreatedAt", typeof(DateTime)),
+                ("UpdatedAt", typeof(DateTime?)),
+                ("DateOfBirth", typeof(DateTime)),
+                ("Timer", typeof(byte[]))
+            ).AddRow(Guid.Parse("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"),
+                "yerb", "Aaron", "Po", "aaronpo@example.com",
+                new DateTime(2020, 1, 1), null,
+                new DateTime(1990, 1, 1), null));
+
+        var repo = CreateRepo(conn);
+        var result = await repo.GetByIdAsync(Guid.Parse("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"));
+
+        result.Should().NotBeNull();
+        result!.Username.Should().Be("yerb");
+        result.Email.Should().Be("aaronpo@example.com");
+    }
+
+    [Fact]
+    public async Task GetAllAsync_ReturnsMultipleRows()
+    {
+        var conn = new MockDbConnection();
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "usp_GetAllUserAccounts")
+            .ReturnsTable(MockTable.WithColumns(
+                    ("UserAccountId", typeof(Guid)),
+                    ("Username", typeof(string)),
+                    ("FirstName", typeof(string)),
+                    ("LastName", typeof(string)),
+                    ("Email", typeof(string)),
+                    ("CreatedAt", typeof(DateTime)),
+                    ("UpdatedAt", typeof(DateTime?)),
+                    ("DateOfBirth", typeof(DateTime)),
+                    ("Timer", typeof(byte[]))
+                ).AddRow(Guid.NewGuid(), "a", "A", "A", "a@example.com", DateTime.UtcNow, null, DateTime.UtcNow.Date,
+                    null)
+                .AddRow(Guid.NewGuid(), "b", "B", "B", "b@example.com", DateTime.UtcNow, null, DateTime.UtcNow.Date,
+                    null));
+
+        var repo = CreateRepo(conn);
+        var results = (await repo.GetAllAsync(null, null)).ToList();
+        results.Should().HaveCount(2);
+        results.Select(r => r.Username).Should().BeEquivalentTo(new[] { "a", "b" });
+    }
+
+
+    [Fact]
+    public async Task GetByUsername_ReturnsRow()
+    {
+        var conn = new MockDbConnection();
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "usp_GetUserAccountByUsername")
+            .ReturnsTable(MockTable.WithColumns(
+                ("UserAccountId", typeof(Guid)),
+                ("Username", typeof(string)),
+                ("FirstName", typeof(string)),
+                ("LastName", typeof(string)),
+                ("Email", typeof(string)),
+                ("CreatedAt", typeof(DateTime)),
+                ("UpdatedAt", typeof(DateTime?)),
+                ("DateOfBirth", typeof(DateTime)),
+                ("Timer", typeof(byte[]))
+            ).AddRow(Guid.NewGuid(), "lookupuser", "L", "U", "lookup@example.com", DateTime.UtcNow, null,
+                DateTime.UtcNow.Date, null));
+
+        var repo = CreateRepo(conn);
+        var result = await repo.GetByUsernameAsync("lookupuser");
+        result.Should().NotBeNull();
+        result!.Email.Should().Be("lookup@example.com");
+    }
+
+    [Fact]
+    public async Task GetByEmail_ReturnsRow()
+    {
+        var conn = new MockDbConnection();
+        conn.Mocks
+            .When(cmd => cmd.CommandText == "usp_GetUserAccountByEmail")
+            .ReturnsTable(MockTable.WithColumns(
+                ("UserAccountId", typeof(Guid)),
+                ("Username", typeof(string)),
+                ("FirstName", typeof(string)),
+                ("LastName", typeof(string)),
+                ("Email", typeof(string)),
+                ("CreatedAt", typeof(DateTime)),
+                ("UpdatedAt", typeof(DateTime?)),
+                ("DateOfBirth", typeof(DateTime)),
+                ("Timer", typeof(byte[]))
+            ).AddRow(Guid.NewGuid(), "byemail", "B", "E", "byemail@example.com", DateTime.UtcNow, null,
+                DateTime.UtcNow.Date, null));
+
+        var repo = CreateRepo(conn);
+        var result = await repo.GetByEmailAsync("byemail@example.com");
+        result.Should().NotBeNull();
+        result!.Username.Should().Be("byemail");
+    }
+}