Security Tests
NFT-SEC-01: Unauthenticated Access to Protected Endpoints
Summary: All protected endpoints reject requests that carry no JWT token. Traces to: AC-18
Steps:
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | GET /users (no JWT) | HTTP 401 |
| 2 | POST /resources/get (no JWT) | HTTP 401 |
| 3 | POST /resources/check (no JWT) | HTTP 401 |
| 4 | GET /resources/get-installer (no JWT) | HTTP 401 |
| 5 | PUT /users/role (no JWT) | HTTP 401 |
| 6 | DELETE /users (no JWT) | HTTP 401 |
Pass criteria: All endpoints return HTTP 401 for unauthenticated requests
NFT-SEC-02: Non-Admin Access to Admin Endpoints
Summary: Non-ApiAdmin users cannot access admin-only endpoints. Traces to: AC-9
Steps:
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Login as Operator role user | HTTP 200, JWT token |
| 2 | POST /users (register) with Operator JWT | HTTP 403 |
| 3 | PUT /users/role with Operator JWT | HTTP 403 |
| 4 | PUT /users/enable with Operator JWT | HTTP 403 |
| 5 | DELETE /users with Operator JWT | HTTP 403 |
Pass criteria: All admin endpoints return HTTP 403 for non-admin users
NFT-SEC-03: Password Not Returned in User List
Summary: User list endpoint does not expose password hashes. Traces to: AC-17
Steps:
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | GET /users with ApiAdmin JWT | HTTP 200, JSON array |
| 2 | Inspect each user object in response | No passwordHash or password field present |
Pass criteria: Password hash is never included in API responses
NFT-SEC-04: Expired JWT Token Rejection
Summary: Expired JWT tokens are rejected. Traces to: AC-4, AC-18
Steps:
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Craft a JWT with exp set to a past timestamp (same signing key) | Token string |
| 2 | GET /users with expired JWT | HTTP 401 |
Pass criteria: Expired token returns HTTP 401
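The guard logic that NFT-SEC-01, NFT-SEC-02 and NFT-SEC-04 exercise, as an added illustration and not the project's own code: a minimal HS256 JWT verifier plus the endpoint decision that yields 401 for a missing or expired token and 403 for a non-ApiAdmin role on the admin-only routes. The signing key, claim names (`role`, `exp`) and the `Bearer` header format are assumptions; the page does not specify them.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed signing key for this example; the service's real key is not on the page.
SECRET = b"example-signing-key"

# Endpoints the test plan marks admin-only (NFT-SEC-02 steps 2-5).
ADMIN_ONLY = {("POST", "/users"), ("PUT", "/users/role"),
              ("PUT", "/users/enable"), ("DELETE", "/users")}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(role: str, exp: int, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT; the tests use it to craft valid and expired tokens (NFT-SEC-04 step 1)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"role": role, "exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: int, key: bytes = SECRET) -> Optional[dict]:
    """Return the claims when algorithm, signature and expiry all check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse any other algorithm, including "none"
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature made with a different key, or tampered payload
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # missing or past exp is rejected (NFT-SEC-04)
    return claims

def authorize(method: str, path: str, auth_header: Optional[str], now: int) -> int:
    """HTTP status the endpoint guard returns before any handler runs."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401  # NFT-SEC-01: no token at all
    claims = verify_jwt(auth_header[len("Bearer "):], now)
    if claims is None:
        return 401  # NFT-SEC-04: expired (or otherwise invalid) token
    if (method, path) in ADMIN_ONLY and claims.get("role") != "ApiAdmin":
        return 403  # NFT-SEC-02: authenticated, but not ApiAdmin
    return 200
```

Passing `now` explicitly keeps the expiry check deterministic, so the NFT-SEC-04 case can be pinned in a unit test instead of depending on the wall clock.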
NFT-SEC-05: Encryption Key Uniqueness
Summary: Different users produce different encryption keys for the same resource. Traces to: AC-19
Steps:
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Upload test file | HTTP 200 |
| 2 | Download encrypted file as User A | Encrypted bytes A |
| 3 | Download same file as User B (different credentials + hardware) | Encrypted bytes B |
| 4 | Compare encrypted bytes A and B | Different |
Pass criteria: Encrypted outputs differ between users
NFT-SEC-06: Disabled User Cannot Login
Summary: A disabled user account cannot authenticate. Traces to: AC-9
Steps:
| Step | Consumer Action | Expected Response |
|---|---|---|
| 1 | Register a user, then disable it via PUT /users/enable | HTTP 200 |
| 2 | Attempt POST /login with disabled user credentials | HTTP 409 or HTTP 403 |
Pass criteria: Disabled user cannot obtain a JWT token