[AZ-189] [AZ-190] [AZ-191] [AZ-192] [AZ-193] [AZ-194] [AZ-195] Add e2e blackbox test suite

Made-with: Cursor
Oleksandr Bezdieniezhnykh
2026-04-16 06:25:36 +03:00
parent 1b38e888e1
commit d320d6dd59
98 changed files with 6883 additions and 1 deletions
@@ -0,0 +1,80 @@
# Security Blackbox Tests
**Task**: AZ-194_security_tests
**Name**: Security Blackbox Tests
**Description**: Implement security tests: unauthenticated access, non-admin access, password exposure, expired JWT, encryption uniqueness, disabled user
**Complexity**: 3 points
**Dependencies**: AZ-189_test_infrastructure, AZ-190_auth_tests
**Component**: Blackbox Tests
**Tracker**: AZ-194
**Epic**: AZ-188
## Problem
Authorization boundaries and security properties have no automated verification. A misconfigured endpoint could expose data or allow unauthorized access.
## Outcome
- All protected endpoints reject unauthenticated requests (NFT-SEC-01)
- Non-admin users cannot access admin endpoints (NFT-SEC-02)
- Password hashes are not exposed in API responses (NFT-SEC-03)
- Expired JWT tokens are rejected (NFT-SEC-04)
- Different users get different encrypted content (NFT-SEC-05)
- Disabled users cannot login (NFT-SEC-06)
## Scope
### Included
- Authentication boundary tests (all protected endpoints)
- Authorization boundary tests (admin-only endpoints)
- Data exposure tests (password hash)
- Token expiration tests
- Encryption uniqueness verification
- Disabled account access
### Excluded
- CORS testing (browser-enforced)
- SQL injection (covered by ORM parameterization)
## Acceptance Criteria
**AC-1: Unauthenticated access blocked**
Given no JWT token
When any protected endpoint is called
Then HTTP 401
**AC-2: Non-admin blocked from admin endpoints**
Given Operator-role JWT
When admin endpoints (POST /users, PUT /users/role, DELETE /users) are called
Then HTTP 403
**AC-3: No password in response**
Given ApiAdmin JWT
When GET /users is called
Then no user object contains passwordHash or password field
**AC-4: Expired token rejected**
Given a JWT with exp in the past
When any protected endpoint is called
Then HTTP 401
**AC-5: Per-user encryption**
Given two users with different credentials and hardware
When both download the same resource
Then encrypted outputs differ
**AC-6: Disabled user blocked**
Given a disabled user account
When POST /login is called
Then login fails (HTTP 409 or 403)
## Blackbox Tests
| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|--------|------------------------|-------------|-------------------|----------------|
| AC-1 | No JWT | 6 protected endpoints | All HTTP 401 | — |
| AC-2 | Operator JWT | 4 admin endpoints | All HTTP 403 | — |
| AC-3 | Admin JWT | GET /users response | No password fields | — |
| AC-4 | Expired JWT | GET /users | HTTP 401 | — |
| AC-5 | Two users, same file | Download both | Different ciphertext | — |
| AC-6 | Disabled user | POST /login | Rejected | — |
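Review bot: the endpoint counts in the Blackbox Tests table do not match the acceptance criteria above them, so the two cannot both be used as the test plan: AC-2 lists three admin endpoints (POST /users, PUT /users/role, DELETE /users) while the AC-2 table row says "4 admin endpoints", and AC-1 says "any protected endpoint" while its row says "6 protected endpoints" without naming them. Enumerate the exact endpoint list once (in the AC or the table) so the suite can be checked for coverage and a newly added protected endpoint is visibly missing from it. Two further points in the same hunk: AC-6 accepts "HTTP 409 or 403", which leaves the disabled-user status unspecified and lets a regression from one code to the other pass silently; pick the one the API actually returns and assert on it. And AC-3 only checks GET /users for passwordHash/password, while POST /users also returns a user object; apply the no-password-field assertion to every response that serializes a user. Minor: the NFR References column is "—" on every row although the Outcome section assigns NFT-SEC-01 through NFT-SEC-06 to exactly these cases; filling the column in keeps the traceability the template is there for.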