# Security Tests

### NFT-SEC-01: Unauthenticated Access to Protected Endpoints

**Summary**: All protected endpoints reject requests that carry no JWT.

**Traces to**: AC-18

**Steps**:

| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | GET /users (no JWT) | HTTP 401 |
| 2 | POST /resources/{folder} upload (no JWT) | HTTP 401 |
| 3 | GET /resources/list/{folder} (no JWT) | HTTP 401 |
| 4 | PUT /users/{email}/set-role/{role} (no JWT) | HTTP 401 |
| 5 | DELETE /users/{email} (no JWT) | HTTP 401 |
| 6 | POST /classes (no JWT) | HTTP 401 |

**Pass criteria**: All remaining protected endpoints return HTTP 401 (not 403, and not a 2xx) for unauthenticated requests.

> Earlier revisions of this scenario also covered `POST /resources/get`, `POST /resources/check`, and `GET /resources/get-installer`. Those endpoints were removed (AZ-197 / cycle 2) and now return 404 — see FT-N-15 (AZ-197 routes) and FT-N-16 (cycle-2 routes) in `blackbox-tests.md`.

---

### NFT-SEC-02: Non-Admin Access to Admin Endpoints

**Summary**: Users without the ApiAdmin role cannot access admin-only endpoints.

**Traces to**: AC-9

**Steps**:

| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | POST /login as a user with the Operator role | HTTP 200, JWT token |
| 2 | POST /users (register) with Operator JWT | HTTP 403 |
| 3 | PUT /users/role with Operator JWT | HTTP 403 |
| 4 | PUT /users/enable with Operator JWT | HTTP 403 |
| 5 | DELETE /users with Operator JWT | HTTP 403 |

**Pass criteria**: All admin endpoints return HTTP 403 for a valid JWT whose role is not ApiAdmin.

---

### NFT-SEC-03: Password Not Returned in User List

**Summary**: The user list endpoint does not expose password hashes.

**Traces to**: AC-17

**Steps**:

| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | GET /users with ApiAdmin JWT | HTTP 200, JSON array |
| 2 | Inspect each user object in the response, including any nested objects | No `passwordHash` or `password` field present (match key names case-insensitively) |

**Pass criteria**: A password hash is never included in any API response.

---

### NFT-SEC-04: Expired JWT Token Rejection

**Summary**: Expired JWT tokens are rejected.

**Traces to**: AC-4, AC-18

**Steps**:

| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | Craft a JWT with `exp` set well in the past (for example one hour ago), signed with the same key the API uses, so the token falls outside any clock-skew leeway the validator allows | Token string |
| 2 | GET /users with the expired JWT | HTTP 401 |

**Pass criteria**: The expired token returns HTTP 401. A token signed with a different key is rejected for its signature and says nothing about `exp` handling, so the token must be signed correctly.

---

### NFT-SEC-05: Encryption Key Uniqueness — OBSOLETE (cycle 2, 2026-05-14)

The `POST /resources/get/{dataFolder?}` endpoint that this test exercised was removed along with `Security.GetApiEncryptionKey` / `EncryptTo` / `DecryptTo` and `ResourcesService.GetEncryptedResource`. Per-user resource encryption is no longer part of the system. The ID is retained for traceability stability; do not regenerate the spec body until a full `/test-spec` rerun.

---

### NFT-SEC-06: Disabled User Cannot Login

**Summary**: A disabled user account cannot authenticate.

**Traces to**: AC-9

**Steps**:

| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | Register a user, then disable it via PUT /users/enable | HTTP 200 |
| 2 | Attempt POST /login with the disabled user's credentials | HTTP 409 or HTTP 403; the response body contains no JWT |

**Pass criteria**: A disabled user cannot obtain a JWT token, whichever of the two status codes the login endpoint returns.
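The NFT-SEC-01, NFT-SEC-02 and NFT-SEC-03 tables as one table-driven harness. This is an added example, not the project's test code: `send(method, path, token)` is the only integration point, and for a live run it would wrap `requests.request` against the deployed API. The bearer token values, the concrete substitutions for `{folder}`, `{email}` and `{role}`, the prefix-based admin policy and the three stand-in APIs (`fake_api`, `broken_api`, `leaky_api`) are assumptions made so the harness runs offline; `broken_api` and `leaky_api` model the two defects these scenarios exist to catch.

```python
"""Harness for NFT-SEC-01/02/03 (added example, not project code). send(method, path, token)
-> (status, body) is the only integration point; wrap requests.request for a live run.
fake_api / broken_api / leaky_api are constructed offline stand-ins with assumed routes,
tokens and policy shape, not the project's implementation."""
import json
from typing import Callable, List, Optional, Tuple

Send = Callable[[str, str, Optional[str]], Tuple[int, str]]

# NFT-SEC-01 rows, all expected to return 401 without a JWT. {folder}, {email} and
# {role} are placeholders in the spec; the concrete values here are assumed.
UNAUTHENTICATED_CASES = [
    ("GET", "/users"),
    ("POST", "/resources/folder-a"),
    ("GET", "/resources/list/folder-a"),
    ("PUT", "/users/user@example.test/set-role/Operator"),
    ("DELETE", "/users/user@example.test"),
    ("POST", "/classes"),
]
# NFT-SEC-02 rows, all expected to return 403 with an Operator JWT.
ADMIN_ONLY_CASES = [
    ("POST", "/users"),
    ("PUT", "/users/role"),
    ("PUT", "/users/enable"),
    ("DELETE", "/users"),
]
# NFT-SEC-03: key names that must never appear in a response body, at any depth.
FORBIDDEN_FIELDS = {"password", "passwordhash"}

def run_matrix(send: Send, cases, token: Optional[str], expected: int):
    """Rows whose status differs from `expected`; an empty list is a pass."""
    failures = []
    for method, path in cases:
        status, _ = send(method, path, token)
        if status != expected:
            failures.append((method, path, status))
    return failures

def find_forbidden_fields(value, prefix: str = "") -> List[str]:
    """Paths of forbidden keys in decoded JSON. Case-insensitive and recursive, so a
    hash at [0].profile.passwordHash is caught, not only a top-level field."""
    hits: List[str] = []
    if isinstance(value, dict):
        for key, child in value.items():
            path = f"{prefix}.{key}" if prefix else key
            if key.lower() in FORBIDDEN_FIELDS:
                hits.append(path)
            hits.extend(find_forbidden_fields(child, path))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(find_forbidden_fields(child, f"{prefix}[{i}]"))
    return hits

def run_all(send: Send) -> dict:
    """Run the three scenarios; the tokens are assumed to come from POST /login."""
    status, body = send("GET", "/users", "admin-token")
    return {
        "NFT-SEC-01": run_matrix(send, UNAUTHENTICATED_CASES, None, 401),
        "NFT-SEC-02": run_matrix(send, ADMIN_ONLY_CASES, "operator-token", 403),
        "NFT-SEC-03": find_forbidden_fields(json.loads(body)) if status == 200 else [f"HTTP {status}"],
    }

# ---- constructed stand-ins for the API (assumed tokens, routes and policy) ----
TOKENS = {"operator-token": "Operator", "admin-token": "ApiAdmin"}

def is_admin_only(method: str, path: str) -> bool:
    return path.startswith("/users") and method != "GET"  # assumed policy shape

def fake_api(method, path, token):
    """Correct order: authenticate (401) before authorize (403), then serve."""
    role = TOKENS.get(token)
    if role is None:
        return 401, json.dumps({"error": "unauthorized"})
    if is_admin_only(method, path) and role != "ApiAdmin":
        return 403, json.dumps({"error": "forbidden"})
    if (method, path) == ("GET", "/users"):
        return 200, json.dumps([{"email": "a@example.test", "role": "ApiAdmin", "enabled": True}])
    return 200, json.dumps({"ok": True})

def broken_api(method, path, token):
    """Authorizes before authenticating: anonymous requests to admin routes get 403
    instead of 401, which is exactly the defect NFT-SEC-01 exists to catch."""
    if is_admin_only(method, path) and TOKENS.get(token) != "ApiAdmin":
        return 403, json.dumps({"error": "forbidden"})
    return fake_api(method, path, token)

def leaky_api(method, path, token):
    """fake_api, except the user list serialises the stored hash (the NFT-SEC-03 defect)."""
    status, body = fake_api(method, path, token)
    if status == 200 and (method, path) == ("GET", "/users"):
        users = json.loads(body)
        for user in users:
            user["passwordHash"] = "$2b$12$constructed-hash-value"
        body = json.dumps(users)
    return status, body
```

`run_all(fake_api)` returns an empty failure list for all three scenarios; `run_all(broken_api)` reports the two `/users` rows of NFT-SEC-01 that came back 403 instead of 401, and `run_all(leaky_api)` reports `[0].passwordHash`. Keeping the expected status per row in the table, rather than accepting "any 4xx", is what makes the authenticate-before-authorize ordering defect visible.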
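Step 1 of NFT-SEC-04 (crafting an expired token with the API's own signing key) and the clock-skew caveat, as an added example rather than project code. It assumes the API signs tokens with HS256 over a shared secret; the spec only says "same signing key". `validate_jwt` stands in for the server-side check that the real test exercises by sending the token to GET /users, and the claim names `sub` and `role` are assumed.

```python
"""NFT-SEC-04 helper: mint and validate HS256 JWTs (added example, not project code).
Assumes HS256 over a shared secret; validate_jwt stands in for the API's own check."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256, as the test's step 1 requires."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_jwt(token: str, key: bytes, now: Optional[float] = None,
                 leeway: int = 300) -> Tuple[bool, str]:
    """Return (accepted, reason). The signature is checked before any claim, so a forged
    token never gets a claim-level error. leeway is the clock-skew tolerance; 300 s is
    a common framework default and is why the test sets exp well in the past."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head, payload, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False, "unexpected alg"
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if "exp" not in claims:
        return False, "missing exp"  # an unbounded token is treated as invalid
    now = time.time() if now is None else now
    if now > claims["exp"] + leeway:
        return False, "expired"
    return True, "ok"


def nft_sec_04_cases(key: bytes, now: float, leeway: int = 300) -> dict:
    """The expired-token scenario plus the edge cases a tester should be aware of."""
    base = {"sub": "admin@example.test", "role": "ApiAdmin"}  # assumed claim names
    tokens = {
        "expired_1h": mint_jwt({**base, "exp": now - 3600}, key),            # the test case
        "expired_60s": mint_jwt({**base, "exp": now - 60}, key),             # inside leeway
        "fresh": mint_jwt({**base, "exp": now + 3600}, key),                 # control
        "expired_wrong_key": mint_jwt({**base, "exp": now - 3600}, b"not-the-api-key"),
    }
    return {name: validate_jwt(tok, key, now, leeway) for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, result in nft_sec_04_cases(b"constructed-shared-secret", time.time()).items():
        print(f"{name:18} -> {result}")
```

Two of the cases explain wording in the table: `expired_60s` is still accepted because it sits inside the 300 s leeway, so an `exp` only slightly in the past produces a false pass; `expired_wrong_key` is rejected with "bad signature", so a token that is not signed with the API's key proves nothing about `exp` handling even though the status code looks right.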