# Security Tests

### NFT-SEC-01: Malformed multipart payload handling

**Summary**: Verify that the service handles malformed multipart requests without crashing.

**Traces to**: AC-API-2 (security)

**Steps**:

| Step | Consumer Action | Expected Response |
|------|-----------------|-------------------|
| 1 | Send `POST /detect` with truncated multipart body (missing boundary) | 400 or 422 — not 500 |
| 2 | Send `POST /detect` with `Content-Type: multipart` but no file part | 400 — empty image |
| 3 | `GET /health` after malformed requests | Service is still healthy |

**Pass criteria**: All malformed requests return 4xx. Service remains operational.

---

### NFT-SEC-02: Oversized request body

**Summary**: Verify system behavior when an extremely large file is uploaded.

**Traces to**: RESTRICT-OP-4

**Steps**:

| Step | Consumer Action | Expected Response |
|------|-----------------|-------------------|
| 1 | Send `POST /detect` with a 500 MB random file | Error response (413, 400, or timeout) — not OOM crash |
| 2 | `GET /health` | Service is still running |

**Pass criteria**: Service does not crash or run out of memory. Returns an error or times out gracefully.

---

### NFT-SEC-03: JWT token is forwarded without modification

**Summary**: Verify that the `Authorization` header is forwarded to the Annotations service as-is.

**Traces to**: AC-API-3

**Steps**:

| Step | Consumer Action | Expected Response |
|------|-----------------|-------------------|
| 1 | `POST /detect/test-media-sec` with `Authorization: Bearer test-jwt-123` and `x-refresh-token: refresh-456` | `{"status": "started"}` |
| 2 | After processing, query mock-annotations `GET /mock/annotations` | Recorded request contains `Authorization: Bearer test-jwt-123` header |

**Pass criteria**: Exact token received by mock-annotations matches what the consumer sent.
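A client-side driver for NFT-SEC-01, added here as an example and not part of the test suite this page describes. It assumes the service base URL is given in `DETECT_BASE_URL` and that `/detect` expects the image in a form part named `file`; both are assumptions, as is the boundary string.

```python
import os
import urllib.error
import urllib.request

BASE = os.environ.get("DETECT_BASE_URL", "http://localhost:8080")  # assumed
BOUNDARY = "nft-sec-boundary"  # constructed value

def valid_multipart(filename="x.png", data=b"\x89PNG\r\n\x1a\n" + b"\0" * 16):
    """Well-formed multipart/form-data body with one 'file' part (part name assumed)."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: image/png\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{BOUNDARY}--\r\n".encode()

def malformed_payloads():
    """(case, content-type, body) for NFT-SEC-01 steps 1 and 2."""
    good = valid_multipart()
    mp = f"multipart/form-data; boundary={BOUNDARY}"
    return [
        ("truncated", mp, good[: len(good) // 2]),       # step 1: closing boundary cut off
        ("no-boundary", "multipart/form-data", good),     # step 1: boundary parameter absent
        ("no-file-part", mp, f"--{BOUNDARY}--\r\n".encode()),  # step 2: zero parts
    ]

def verdict(status):
    """Pass criteria: a 4xx is a correct rejection; 5xx, timeout or connection drop fails."""
    return "pass" if status is not None and 400 <= status < 500 else "fail"

def post(path, content_type, body):
    req = urllib.request.Request(BASE + path, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code          # 4xx/5xx are raised by urllib; keep the code
    except OSError:
        return None            # timeout or connection reset: the service fell over

def healthy():
    try:
        with urllib.request.urlopen(BASE + "/health", timeout=5) as r:
            return r.status == 200
    except OSError:
        return False

if __name__ == "__main__":
    for case, ctype, body in malformed_payloads():
        print(case, verdict(post("/detect", ctype, body)))
    print("health after malformed requests:", healthy())  # step 3
```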