# Security Tests

### NFT-SEC-01: Unauthenticated Access to Protected Endpoints

**Summary**: All protected endpoints reject requests without JWT token.
**Traces to**: AC-18

**Steps**:

| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | GET /users (no JWT) | HTTP 401 |
| 2 | POST /resources/get (no JWT) | HTTP 401 |
| 3 | POST /resources/check (no JWT) | HTTP 401 |
| 4 | GET /resources/get-installer (no JWT) | HTTP 401 |
| 5 | PUT /users/role (no JWT) | HTTP 401 |
| 6 | DELETE /users (no JWT) | HTTP 401 |

**Pass criteria**: All endpoints return HTTP 401 for unauthenticated requests

---

### NFT-SEC-02: Non-Admin Access to Admin Endpoints

**Summary**: Non-ApiAdmin users cannot access admin-only endpoints.
**Traces to**: AC-9

**Steps**:

| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | Login as Operator role user | HTTP 200, JWT token |
| 2 | POST /users (register) with Operator JWT | HTTP 403 |
| 3 | PUT /users/role with Operator JWT | HTTP 403 |
| 4 | PUT /users/enable with Operator JWT | HTTP 403 |
| 5 | DELETE /users with Operator JWT | HTTP 403 |

**Pass criteria**: All admin endpoints return HTTP 403 for non-admin users

---

### NFT-SEC-03: Password Not Returned in User List

**Summary**: User list endpoint does not expose password hashes.
**Traces to**: AC-17

**Steps**:

| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | GET /users with ApiAdmin JWT | HTTP 200, JSON array |
| 2 | Inspect each user object in response | No `passwordHash` or `password` field present |

**Pass criteria**: Password hash is never included in API responses

---

### NFT-SEC-04: Expired JWT Token Rejection

**Summary**: Expired JWT tokens are rejected.
**Traces to**: AC-4, AC-18

**Steps**:

| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | Craft a JWT with `exp` set to past timestamp (same signing key) | Token string |
| 2 | GET /users with expired JWT | HTTP 401 |

**Pass criteria**: Expired token returns HTTP 401

---

### NFT-SEC-05: Encryption Key Uniqueness

**Summary**: Different users produce different encryption keys for the same resource.
**Traces to**: AC-19

**Steps**:

| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | Upload test file | HTTP 200 |
| 2 | Download encrypted file as User A | Encrypted bytes A |
| 3 | Download same file as User B (different credentials + hardware) | Encrypted bytes B |
| 4 | Compare encrypted bytes A and B | Different |

**Pass criteria**: Encrypted outputs differ between users

---

### NFT-SEC-06: Disabled User Cannot Login

**Summary**: A disabled user account cannot authenticate.
**Traces to**: AC-9

**Steps**:

| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | Register user, disable via PUT /users/enable | HTTP 200 |
| 2 | Attempt POST /login with disabled user credentials | HTTP 409 or HTTP 403 |

**Pass criteria**: Disabled user cannot obtain a JWT token