# Security Blackbox Tests

- **Task**: AZ-194_security_tests
- **Name**: Security Blackbox Tests
- **Description**: Implement security tests: unauthenticated access, non-admin access, password exposure, expired JWT, encryption uniqueness, disabled user
- **Complexity**: 3 points
- **Dependencies**: AZ-189_test_infrastructure, AZ-190_auth_tests
- **Component**: Blackbox Tests
- **Tracker**: AZ-194
- **Epic**: AZ-188

## Problem

Authorization boundaries and security properties have no automated verification. A misconfigured endpoint could expose data or allow unauthorized access.

## Outcome

- All protected endpoints reject unauthenticated requests (NFT-SEC-01)
- Non-admin users cannot access admin endpoints (NFT-SEC-02)
- Password hashes are not exposed in API responses (NFT-SEC-03)
- Expired JWT tokens are rejected (NFT-SEC-04)
- Different users get different encrypted content (NFT-SEC-05)
- Disabled users cannot log in (NFT-SEC-06)

## Scope

### Included

- Authentication boundary tests (all protected endpoints)
- Authorization boundary tests (admin-only endpoints)
- Data exposure tests (password hash)
- Token expiration tests
- Encryption uniqueness verification
- Disabled account access

### Excluded

- CORS testing (browser-enforced)
- SQL injection (covered by ORM parameterization)

## Acceptance Criteria

**AC-1: Unauthenticated access blocked**
Given no JWT token
When any protected endpoint is called
Then HTTP 401

**AC-2: Non-admin blocked from admin endpoints**
Given an Operator-role JWT
When admin endpoints (POST /users, PUT /users/role, DELETE /users) are called
Then HTTP 403

**AC-3: No password in response**
Given an ApiAdmin JWT
When GET /users is called
Then no user object contains a passwordHash or password field

**AC-4: Expired token rejected**
Given a JWT with exp in the past
When any protected endpoint is called
Then HTTP 401

**AC-5: Per-user encryption**
Given two users with different credentials and hardware
When both download the same resource
Then the encrypted outputs differ

**AC-6: Disabled user blocked**
Given a disabled user account
When POST /login is called
Then login fails (HTTP 409 or 403)

## Blackbox Tests

| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|--------|------------------------|--------------|-------------------|----------------|
| AC-1 | No JWT | 6 protected endpoints | All HTTP 401 | — |
| AC-2 | Operator JWT | 4 admin endpoints | All HTTP 403 | — |
| AC-3 | Admin JWT | GET /users response | No password fields | — |
| AC-4 | Expired JWT | GET /users | HTTP 401 | — |
| AC-5 | Two users, same file | Download both | Different ciphertext | — |
| AC-6 | Disabled user | POST /login | Rejected | — |
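One way to drive the AC-1 to AC-4 and AC-6 rows of the table from a single test module, as an added example that is not part of this ticket or of the project's own suite. The checks are written over an injected `send(method, path, token, body)` callable that returns `(status_code, parsed JSON body)`, so the same code runs against the live API through any HTTP client or, as in the usage below, against an in-process fake. Assumptions not stated in the ticket: the API verifies HS256-signed JWTs and the AZ-189 test infrastructure exposes the test signing secret (needed to mint a token whose `exp` is already in the past); the login body is `{"username", "password"}`; the fourth admin endpoint and the two remaining protected endpoints are not named in the ticket, so only the four listed ones appear here. AC-5 is not included because the download endpoint is not named; it reduces to downloading the same resource with the two user fixtures and asserting that the returned bytes differ.

```python
"""Blackbox security checks for AC-1 to AC-4 and AC-6 (added example, not the
project's own suite). `send(method, path, token, body)` is an injected HTTP
callable returning (status_code, parsed JSON body or None)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Callable, Optional

# Endpoints named in the ticket. AC-1 counts six protected endpoints but names
# only these four; the remaining ones come from the AZ-189 test infrastructure.
ADMIN_ENDPOINTS = [("POST", "/users"), ("PUT", "/users/role"), ("DELETE", "/users")]
PROTECTED_ENDPOINTS = [("GET", "/users")] + ADMIN_ENDPOINTS
SENSITIVE_KEYS = {"password", "passwordhash"}  # compared case-insensitively
Send = Callable[[str, str, Optional[str], Any], tuple[int, Any]]


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT. Assumption: the API verifies HS256 and AZ-189 exposes
    the test signing secret, so the suite can mint a token whose exp is past."""
    segs = [_b64url(json.dumps(part, separators=(",", ":")).encode())
            for part in ({"alg": "HS256", "typ": "JWT"}, claims)]
    sig = hmac.new(secret, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [_b64url(sig)])


def jwt_claims(token: str) -> dict:
    """Read the claims segment without verifying; enough to inspect exp/role."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def is_expired(token: str) -> bool:
    return jwt_claims(token)["exp"] < time.time()


def make_test_tokens(secret: bytes) -> tuple[str, str, str]:
    """(admin, operator, expired admin) fixtures matching the table's rows."""
    now = int(time.time())
    return (make_hs256_jwt({"sub": "admin", "role": "ApiAdmin", "exp": now + 600}, secret),
            make_hs256_jwt({"sub": "op", "role": "Operator", "exp": now + 600}, secret),
            make_hs256_jwt({"sub": "admin", "role": "ApiAdmin", "exp": now - 600}, secret))


def find_password_fields(obj: Any, path: str = "$") -> list[str]:
    """JSON paths of password-like keys at any depth of a response body (AC-3).
    Walking nested objects catches a hash tucked inside e.g. a profile sub-object."""
    hits: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in SENSITIVE_KEYS:
                hits.append(f"{path}.{key}")
            hits.extend(find_password_fields(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_password_fields(item, f"{path}[{i}]"))
    return hits


def run_security_checks(send: Send, admin_jwt: str, operator_jwt: str, expired_jwt: str,
                        disabled_login: dict) -> dict[str, list[str]]:
    """Map each AC to a list of failure descriptions; an empty list means it passed."""
    f: dict[str, list[str]] = {ac: [] for ac in ("AC-1", "AC-2", "AC-3", "AC-4", "AC-6")}
    for method, path in PROTECTED_ENDPOINTS:                # AC-1: no token -> 401
        status, _ = send(method, path, None, None)
        if status != 401:
            f["AC-1"].append(f"{method} {path} -> {status}")
    for method, path in ADMIN_ENDPOINTS:                    # AC-2: Operator -> 403
        status, _ = send(method, path, operator_jwt, None)
        if status != 403:
            f["AC-2"].append(f"{method} {path} -> {status}")
    status, body = send("GET", "/users", admin_jwt, None)   # AC-3: no password fields
    if status != 200:
        f["AC-3"].append(f"GET /users -> {status}")
    f["AC-3"].extend(find_password_fields(body))
    if not is_expired(expired_jwt):                         # fixture sanity check
        f["AC-4"].append("fixture token is not expired")
    status, _ = send("GET", "/users", expired_jwt, None)    # AC-4: expired -> 401
    if status != 401:
        f["AC-4"].append(f"GET /users -> {status}")
    status, _ = send("POST", "/login", None, disabled_login)  # AC-6: disabled -> 403/409
    if status not in (403, 409):
        f["AC-6"].append(f"POST /login -> {status}")
    return f
```

The checks collect every failure instead of stopping at the first one, so a single run reports which of the six protected endpoints is misconfigured rather than only that one is. The fixture sanity check before AC-4 guards against a suite that silently passes because the "expired" token was minted with a future `exp`.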