# Authentication Blackbox Tests

- **Task**: AZ-190_auth_tests
- **Name**: Auth Blackbox Tests
- **Description**: Implement blackbox tests for login, JWT validation, and authentication error handling
- **Complexity**: 3 points
- **Dependencies**: AZ-189_test_infrastructure
- **Component**: Blackbox Tests
- **Tracker**: AZ-190
- **Epic**: AZ-188

## Problem

The login and JWT authentication flows have no automated test coverage. Regressions in credential validation or token generation would go undetected.

## Outcome

- Login with valid credentials returns a JWT token (FT-P-01)
- JWT token contains correct issuer, audience, and lifetime claims (FT-P-03)
- Login with unknown email returns error code 10 (FT-N-01)
- Login with wrong password returns error code 30 (FT-N-02)

## Scope

### Included

- Login endpoint positive and negative scenarios
- JWT token structure and claims validation

### Excluded

- Token refresh (not implemented)
- Rate limiting on login (not implemented)

## Acceptance Criteria

**AC-1: Successful login**

- Given a seed user exists
- When POST /login is called with valid credentials
- Then HTTP 200 is returned with a non-empty JWT token

**AC-2: JWT claims**

- Given a valid JWT token from login
- When the token payload is decoded
- Then iss = "AzaionApi", aud = "Annotators/OrangePi/Admins", exp ≈ iat + 4 hours (± 60s)

**AC-3: Unknown email**

- Given no user with the specified email exists
- When POST /login is called
- Then HTTP 409 is returned with ExceptionEnum code 10

**AC-4: Wrong password**

- Given a user exists with a different password
- When POST /login is called with wrong password
- Then HTTP 409 is returned with ExceptionEnum code 30

## Blackbox Tests

| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|--------|-------------------------|--------------|-------------------|----------------|
| AC-1 | Seed admin user | POST /login valid | HTTP 200, token present | — |
| AC-2 | JWT from AC-1 | Decode token claims | iss, aud, exp correct | — |
| AC-3 | No matching user | POST /login unknown email | HTTP 409, code 10 | — |
| AC-4 | Seed user, wrong password | POST /login wrong pass | HTTP 409, code 30 | — |
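The checks behind AC-1 to AC-4, as an added example written for this task and not code from the project; it uses only the Python standard library. The JSON field names of the /login request (`email`, `password`) are assumptions, and the JWT payload is decoded without signature verification because AC-2 only inspects claims.

```python
import base64
import json
import urllib.error
import urllib.request

EXPECTED_ISS = "AzaionApi"
EXPECTED_AUD = "Annotators/OrangePi/Admins"
EXPECTED_LIFETIME_S = 4 * 3600  # AC-2: exp ≈ iat + 4 hours
TOLERANCE_S = 60                # AC-2: ± 60 s

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_payload(token: str) -> dict:
    """Payload of a compact JWT (header.payload.signature); no signature check, this is a claims test."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def claim_problems(payload: dict) -> list:
    """AC-2 violations found in a decoded payload; an empty list means the claims pass."""
    problems = []
    if payload.get("iss") != EXPECTED_ISS:
        problems.append(f"iss={payload.get('iss')!r}")
    aud = payload.get("aud")
    if aud != EXPECTED_AUD and aud != [EXPECTED_AUD]:  # aud may be a string or a list
        problems.append(f"aud={aud!r}")
    try:
        drift = int(payload["exp"]) - int(payload["iat"]) - EXPECTED_LIFETIME_S
    except (KeyError, TypeError, ValueError):
        problems.append("exp/iat missing or not numeric")
    else:
        if abs(drift) > TOLERANCE_S:
            problems.append(f"lifetime off by {drift}s")
    return problems

def login(base_url: str, email: str, password: str) -> tuple:
    """POST /login and return (http_status, json_body). Field names "email"/"password" are
    assumed; a 409 is returned, not raised, so the caller can assert on its ExceptionEnum code."""
    data = json.dumps({"email": email, "password": password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/login", data=data, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")
```

A test for AC-3 then reads `status, body = login(BASE_URL, "nobody@example.test", "x")` followed by assertions that `status == 409` and the body's ExceptionEnum code is 10; AC-2 feeds the token from a successful login into `decode_jwt_payload` and expects `claim_problems` to return an empty list.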