azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-04-22 11:36:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
07045de98bc07d8653d3c01f88e70b31746ede85
admin/_docs/02_document/tests/security-tests.md
T
Oleksandr Bezdieniezhnykh d320d6dd59 [AZ-189] [AZ-190] [AZ-191] [AZ-192] [AZ-193] [AZ-194] [AZ-195] Add e2e blackbox test suite 
Made-with: Cursor
2026-04-16 06:25:36 +03:00

105 lines
3.1 KiB
Markdown
Raw Blame History

# Security Tests
### NFT-SEC-01: Unauthenticated Access to Protected Endpoints
**Summary**: All protected endpoints reject requests without JWT token.
**Traces to**: AC-18
**Steps**:
| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | GET /users (no JWT) | HTTP 401 |
| 2 | POST /resources/get (no JWT) | HTTP 401 |
| 3 | POST /resources/check (no JWT) | HTTP 401 |
| 4 | GET /resources/get-installer (no JWT) | HTTP 401 |
| 5 | PUT /users/role (no JWT) | HTTP 401 |
| 6 | DELETE /users (no JWT) | HTTP 401 |
**Pass criteria**: All endpoints return HTTP 401 for unauthenticated requests
---
### NFT-SEC-02: Non-Admin Access to Admin Endpoints
**Summary**: Non-ApiAdmin users cannot access admin-only endpoints.
**Traces to**: AC-9
**Steps**:
| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | Login as Operator role user | HTTP 200, JWT token |
| 2 | POST /users (register) with Operator JWT | HTTP 403 |
| 3 | PUT /users/role with Operator JWT | HTTP 403 |
| 4 | PUT /users/enable with Operator JWT | HTTP 403 |
| 5 | DELETE /users with Operator JWT | HTTP 403 |
**Pass criteria**: All admin endpoints return HTTP 403 for non-admin users
---
### NFT-SEC-03: Password Not Returned in User List
**Summary**: User list endpoint does not expose password hashes.
**Traces to**: AC-17
**Steps**:
| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | GET /users with ApiAdmin JWT | HTTP 200, JSON array |
| 2 | Inspect each user object in response | No `passwordHash` or `password` field present |
**Pass criteria**: Password hash is never included in API responses
---
### NFT-SEC-04: Expired JWT Token Rejection
**Summary**: Expired JWT tokens are rejected.
**Traces to**: AC-4, AC-18
**Steps**:
| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | Craft a JWT with `exp` set to past timestamp (same signing key) | Token string |
| 2 | GET /users with expired JWT | HTTP 401 |
**Pass criteria**: Expired token returns HTTP 401
---
### NFT-SEC-05: Encryption Key Uniqueness
**Summary**: Different users produce different encryption keys for the same resource.
**Traces to**: AC-19
**Steps**:
| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | Upload test file | HTTP 200 |
| 2 | Download encrypted file as User A | Encrypted bytes A |
| 3 | Download same file as User B (different credentials + hardware) | Encrypted bytes B |
| 4 | Compare encrypted bytes A and B | Different |
**Pass criteria**: Encrypted outputs differ between users
---
### NFT-SEC-06: Disabled User Cannot Login
**Summary**: A disabled user account cannot authenticate.
**Traces to**: AC-9
**Steps**:
| Step | Consumer Action | Expected Response |
|------|----------------|------------------|
| 1 | Register user, disable via PUT /users/enable | HTTP 200 |
| 2 | Attempt POST /login with disabled user credentials | HTTP 409 or HTTP 403 |
**Pass criteria**: Disabled user cannot obtain a JWT token
Reference in New Issue View Git Blame Copy Permalink