Oleksandr Bezdieniezhnykh
3a925b9b0f
- Deleted the `POST /resources/get/{dataFolder?}` and `GET /resources/get-installer` endpoints as part of the architectural shift towards simplified resource management.
- Removed associated methods and configurations, including `ResourcesService.GetEncryptedResource`, `ResourcesService.GetInstaller`, and related properties in `ResourcesConfig`.
- Cleaned up environment variables and configuration files to reflect the removal of installer-related settings.
- Eliminated the `GetResourceRequest` DTO and its validator, along with the `WrongResourceName` error code.
- Updated documentation to clarify the changes in resource handling and the retirement of per-user file encryption.
Co-authored-by: Cursor <cursoragent@cursor.com>
3.3 KiB
Security Tests
NFT-SEC-01: Unauthenticated Access to Protected Endpoints
Summary: All protected endpoints reject requests without JWT token. Traces to: AC-18
Steps:
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | GET /users (no JWT) | HTTP 401 |
| 2 | POST /resources/{folder} upload (no JWT) | HTTP 401 |
| 3 | GET /resources/list/{folder} (no JWT) | HTTP 401 |
| 4 | PUT /users/{email}/set-role/{role} (no JWT) | HTTP 401 |
| 5 | DELETE /users/{email} (no JWT) | HTTP 401 |
| 6 | POST /classes (no JWT) | HTTP 401 |
Pass criteria: All remaining protected endpoints return HTTP 401 for unauthenticated requests.
Earlier revisions of this scenario also covered
POST /resources/get,POST /resources/check, andGET /resources/get-installer. Those endpoints were removed (AZ-197 / cycle 2) and now return 404 — see FT-N-15 (AZ-197 routes) and FT-N-16 (cycle-2 routes) inblackbox-tests.md.
NFT-SEC-02: Non-Admin Access to Admin Endpoints
Summary: Non-ApiAdmin users cannot access admin-only endpoints. Traces to: AC-9
Steps:
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Login as Operator role user | HTTP 200, JWT token |
| 2 | POST /users (register) with Operator JWT | HTTP 403 |
| 3 | PUT /users/role with Operator JWT | HTTP 403 |
| 4 | PUT /users/enable with Operator JWT | HTTP 403 |
| 5 | DELETE /users with Operator JWT | HTTP 403 |
Pass criteria: All admin endpoints return HTTP 403 for non-admin users
NFT-SEC-03: Password Not Returned in User List
Summary: User list endpoint does not expose password hashes. Traces to: AC-17
Steps:
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | GET /users with ApiAdmin JWT | HTTP 200, JSON array |
| 2 | Inspect each user object in response | No passwordHash or password field present |
Pass criteria: Password hash is never included in API responses
NFT-SEC-04: Expired JWT Token Rejection
Summary: Expired JWT tokens are rejected. Traces to: AC-4, AC-18
Steps:
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Craft a JWT with exp set to past timestamp (same signing key) |
Token string |
| 2 | GET /users with expired JWT | HTTP 401 |
Pass criteria: Expired token returns HTTP 401
NFT-SEC-05: Encryption Key Uniqueness — OBSOLETE (cycle 2, 2026-05-14)
The POST /resources/get/{dataFolder?} endpoint that this test exercised was removed along with Security.GetApiEncryptionKey / EncryptTo / DecryptTo and ResourcesService.GetEncryptedResource. Per-user resource encryption is no longer part of the system. ID retained for traceability stability; do not regenerate the spec body until a full /test-spec rerun.
NFT-SEC-06: Disabled User Cannot Login
Summary: A disabled user account cannot authenticate. Traces to: AC-9
Steps:
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Register user, disable via PUT /users/enable | HTTP 200 |
| 2 | Attempt POST /login with disabled user credentials | HTTP 409 or HTTP 403 |
Pass criteria: Disabled user cannot obtain a JWT token