Authentication Blackbox Tests
- Task: AZ-190_auth_tests
- Name: Auth Blackbox Tests
- Description: Implement blackbox tests for login, JWT validation, and authentication error handling
- Complexity: 3 points
- Dependencies: AZ-189_test_infrastructure
- Component: Blackbox Tests
- Tracker: AZ-190
- Epic: AZ-188
Problem
The login and JWT authentication flows have no automated test coverage. Regressions in credential validation or token generation would go undetected.
Outcome
- Login with valid credentials returns a JWT token (FT-P-01)
- JWT token contains correct issuer, audience, and lifetime claims (FT-P-03)
- Login with unknown email returns error code 10 (FT-N-01)
- Login with wrong password returns error code 30 (FT-N-02)
Scope
Included
- Login endpoint positive and negative scenarios
- JWT token structure and claims validation
Excluded
- Token refresh (not implemented)
- Rate limiting on login (not implemented)
Acceptance Criteria
AC-1: Successful login
- Given a seed user exists
- When POST /login is called with valid credentials
- Then HTTP 200 is returned with a non-empty JWT token

AC-2: JWT claims
- Given a valid JWT token from login
- When the token payload is decoded
- Then iss = "AzaionApi", aud = "Annotators/OrangePi/Admins", exp ≈ iat + 4 hours (± 60s)

AC-3: Unknown email
- Given no user with the specified email exists
- When POST /login is called
- Then HTTP 409 is returned with ExceptionEnum code 10

AC-4: Wrong password
- Given a user exists with a different password
- When POST /login is called with the wrong password
- Then HTTP 409 is returned with ExceptionEnum code 30
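The following is an added example of how the AC-1 to AC-4 checks can be written as a blackbox test helper; it is illustrative code, not the project's own test suite. It assumes a JSON request body with `email` and `password` fields and an error body with a `code` field carrying the ExceptionEnum value, neither of which the task states. The claims check decodes the payload without verifying the signature, because a blackbox client does not hold the server's key; it treats `aud` as either a string or an array (both are valid under RFC 7519), checks the lifetime against the ± 60s tolerance, and rejects tokens that declare `alg=none`. The sample tokens are constructed locally with a throwaway HS256 key so the block runs offline. Note that asserting distinct codes for unknown email (10) and wrong password (30) pins down a response that lets a caller tell registered from unregistered emails; the tests encode the specification as written.

```python
import base64
import hashlib
import hmac
import json
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

# Expected claim values and tolerances, taken from AC-2 of the task.
EXPECTED_ISS = "AzaionApi"
EXPECTED_AUD = "Annotators/OrangePi/Admins"
EXPECTED_LIFETIME_S = 4 * 3600
LIFETIME_TOLERANCE_S = 60

# ExceptionEnum codes from AC-3 and AC-4 of the task.
CODE_UNKNOWN_EMAIL = 10
CODE_WRONG_PASSWORD = 30


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload as a dict WITHOUT verifying the signature.

    A blackbox test has no signing key, so it can only inspect claims; this
    decode is not proof of authenticity. Unsecured (alg=none) tokens are
    rejected outright so a test can never pass on one.
    """
    parts = token.split(".")
    if len(parts) != 3 or not parts[0] or not parts[1]:
        raise ValueError("token is not a three-segment JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("token uses alg=none")
    return json.loads(_b64url_decode(parts[1]))


def check_login_claims(payload: dict, now: Optional[int] = None) -> List[str]:
    """Return the list of AC-2 violations; an empty list means the claims pass."""
    problems = []
    if payload.get("iss") != EXPECTED_ISS:
        problems.append(f"iss={payload.get('iss')!r}, expected {EXPECTED_ISS!r}")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519: string or array
    if EXPECTED_AUD not in audiences:
        problems.append(f"aud={aud!r}, expected {EXPECTED_AUD!r}")
    try:
        iat, exp = int(payload["iat"]), int(payload["exp"])
    except (KeyError, TypeError, ValueError):
        problems.append("iat/exp missing or non-numeric")
        return problems
    lifetime = exp - iat
    if abs(lifetime - EXPECTED_LIFETIME_S) > LIFETIME_TOLERANCE_S:
        problems.append(f"exp - iat = {lifetime}s, expected "
                        f"{EXPECTED_LIFETIME_S}s +/- {LIFETIME_TOLERANCE_S}s")
    if now is not None and exp <= now:
        problems.append("token already expired")
    return problems


def post_login(base_url: str, email: str, password: str) -> Tuple[int, dict]:
    """POST /login and return (status, json_body), keeping 4xx bodies.

    Assumption: the request schema is {"email": ..., "password": ...}.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/login",
        data=json.dumps({"email": email, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # 409 bodies arrive here
        return err.code, json.loads(err.read() or b"{}")


def error_code(body: dict) -> Optional[int]:
    """Extract the ExceptionEnum code; the 'code' field name is an assumption."""
    return body.get("code")


def make_sample_token(payload: dict, key: bytes = b"test-only-key", alg: str = "HS256") -> str:
    """Build a locally signed JWT for demonstration; this is NOT the API's signer."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    iat = 1700000000  # constructed timestamp
    good = make_sample_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD,
                              "iat": iat, "exp": iat + EXPECTED_LIFETIME_S})
    print("4h token:", check_login_claims(decode_jwt_payload(good), iat + 10))
    short = make_sample_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD,
                               "iat": iat, "exp": iat + 3600})
    print("1h token:", check_login_claims(decode_jwt_payload(short), iat + 10))
```

In a real run, `post_login(base_url, email, password)` replaces the constructed tokens: AC-1 asserts status 200 and a non-empty token, AC-2 feeds that token to `check_login_claims` and asserts an empty list, and AC-3/AC-4 assert status 409 with `error_code(body)` equal to `CODE_UNKNOWN_EMAIL` and `CODE_WRONG_PASSWORD` respectively.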
Blackbox Tests
| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|---|---|---|---|---|
| AC-1 | Seed admin user | POST /login valid | HTTP 200, token present | — |
| AC-2 | JWT from AC-1 | Decode token claims | iss, aud, exp correct | — |
| AC-3 | No matching user | POST /login unknown email | HTTP 409, code 10 | — |
| AC-4 | Seed user, wrong password | POST /login wrong pass | HTTP 409, code 30 | — |