admin/_docs/02_tasks/done/AZ-194_security_tests.md (2026-04-16 06:25:36 +03:00)

Security Blackbox Tests

  • Task: AZ-194_security_tests
  • Name: Security Blackbox Tests
  • Description: Implement security tests: unauthenticated access, non-admin access, password exposure, expired JWT, encryption uniqueness, disabled user
  • Complexity: 3 points
  • Dependencies: AZ-189_test_infrastructure, AZ-190_auth_tests
  • Component: Blackbox Tests
  • Tracker: AZ-194
  • Epic: AZ-188

Problem

Authorization boundaries and security properties have no automated verification. A misconfigured endpoint could expose data or allow unauthorized access.

Outcome

  • All protected endpoints reject unauthenticated requests (NFT-SEC-01)
  • Non-admin users cannot access admin endpoints (NFT-SEC-02)
  • Password hashes are not exposed in API responses (NFT-SEC-03)
  • Expired JWT tokens are rejected (NFT-SEC-04)
  • Different users get different encrypted content (NFT-SEC-05)
  • Disabled users cannot log in (NFT-SEC-06)

Scope

Included

  • Authentication boundary tests (all protected endpoints)
  • Authorization boundary tests (admin-only endpoints)
  • Data exposure tests (password hash)
  • Token expiration tests
  • Encryption uniqueness verification
  • Disabled account access

Excluded

  • CORS testing (browser-enforced)
  • SQL injection (covered by ORM parameterization)

Acceptance Criteria

AC-1: Unauthenticated access blocked
  • Given no JWT token
  • When any protected endpoint is called
  • Then HTTP 401

AC-2: Non-admin blocked from admin endpoints
  • Given an Operator-role JWT
  • When admin endpoints (POST /users, PUT /users/role, DELETE /users) are called
  • Then HTTP 403

AC-3: No password in response
  • Given an ApiAdmin JWT
  • When GET /users is called
  • Then no user object contains a passwordHash or password field

AC-4: Expired token rejected
  • Given a JWT with exp in the past
  • When any protected endpoint is called
  • Then HTTP 401

AC-5: Per-user encryption
  • Given two users with different credentials and hardware
  • When both download the same resource
  • Then the encrypted outputs differ

AC-6: Disabled user blocked
  • Given a disabled user account
  • When POST /login is called
  • Then login fails (HTTP 409 or 403)

Blackbox Tests

| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|--------|-------------------------|--------------|-------------------|----------------|
| AC-1 | No JWT | 6 protected endpoints | All HTTP 401 | NFT-SEC-01 |
| AC-2 | Operator JWT | 4 admin endpoints | All HTTP 403 | NFT-SEC-02 |
| AC-3 | Admin JWT | GET /users response | No password fields | NFT-SEC-03 |
| AC-4 | Expired JWT | GET /users | HTTP 401 | NFT-SEC-04 |
| AC-5 | Two users, same file | Download both | Different ciphertext | NFT-SEC-05 |
| AC-6 | Disabled user | POST /login | Rejected | NFT-SEC-06 |
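As an added example, not code from the AZ-194 task or its project, the following Python turns the AC-1 to AC-4 rows of the table above into a matrix-driven blackbox check that takes the HTTP client as a callable; the protected-endpoint list, `make_token`, `run_matrix` and the offline `fake_api` stand-in are assumptions constructed here, and the real suite would pass its own HTTP client in place of `fake_api`.

```python
import base64, json, time

# Endpoint lists are assumptions: the task names the admin endpoints but not the full protected set.
PROTECTED = [("GET", "/users"), ("POST", "/users"), ("PUT", "/users/role"),
             ("DELETE", "/users"), ("GET", "/resources"), ("GET", "/me")]
ADMIN_ONLY = [("POST", "/users"), ("PUT", "/users/role"), ("DELETE", "/users")]
SECRET_FIELDS = {"password", "passwordhash"}


def make_token(sub, role, ttl):
    """JWT-shaped token (header.payload.signature); the signature is a placeholder, not a real HMAC."""
    b64 = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"sub": sub, "role": role, "exp": int(time.time()) + ttl}
    return b64(b'{"alg":"none"}') + "." + b64(json.dumps(claims).encode()) + ".sig"


def leaked_fields(obj, path="$"):
    """JSON paths of every password-like key in a response body, at any nesting depth (AC-3)."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() in SECRET_FIELDS:
                hits.append(f"{path}.{k}")
            hits += leaked_fields(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits += leaked_fields(v, f"{path}[{i}]")
    return hits


def run_matrix(call, operator_token, admin_token):
    """call(method, path, token) -> (status, body). Returns failing cases; an empty list means pass."""
    cases = ([(m, p, None, 401, "AC-1") for m, p in PROTECTED]              # no token -> 401
             + [(m, p, operator_token, 403, "AC-2") for m, p in ADMIN_ONLY]  # Operator -> 403
             + [("GET", "/users", make_token("admin", "ApiAdmin", ttl=-60), 401, "AC-4")])
    failures = [f"{ac} {m} {p}" for m, p, tok, want, ac in cases if call(m, p, tok)[0] != want]
    failures += [f"AC-3 {h}" for h in leaked_fields(call("GET", "/users", admin_token)[1])]
    return failures


def fake_api(method, path, token):
    """Constructed stand-in for the service so the example runs offline; it models correct behaviour."""
    if token is None:
        return 401, None
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["exp"] < time.time():
        return 401, None
    if (method, path) in ADMIN_ONLY and claims["role"] != "ApiAdmin":
        return 403, None
    if (method, path) == ("GET", "/users"):
        return 200, [{"id": 1, "name": "alice", "role": "Operator", "profile": {"email": "a@example"}}]
    return 200, {}
```

Because `leaked_fields` walks nested objects and arrays, a hash tucked inside a sub-document (for example a `profile` object) is reported with its full JSON path rather than only top-level `passwordHash` keys.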