# Health & Authentication Tests

**Task**: 02_test_health_auth
**Name**: Health & Authentication Tests
**Description**: Implement blackbox tests for health, status, and login endpoints (positive and negative scenarios)
**Complexity**: 3 points
**Dependencies**: 01_test_infrastructure
**Component**: Blackbox Tests
**Tracker**: pending
**Epic**: pending

## Problem

The loader has no test coverage for its health and authentication endpoints. These are the most basic verification points for service liveness and user access.

## Outcome

- Health endpoint test passes (FT-P-01)
- Status endpoint tests pass — unauthenticated and authenticated (FT-P-02, FT-P-03 step 2)
- Login positive test passes (FT-P-03)
- Login negative tests pass — invalid credentials and missing fields (FT-N-01, FT-N-02)

## Scope

### Included

- FT-P-01: Health endpoint returns healthy
- FT-P-02: Status reports unauthenticated state
- FT-P-03: Login with valid credentials (including authenticated status check)
- FT-N-01: Login with invalid credentials
- FT-N-02: Login with missing fields

### Excluded

- Resource download/upload tests
- Unlock workflow tests

## Acceptance Criteria

**AC-1: Health returns 200**
Given the loader is running
When GET /health is called
Then HTTP 200 with body `{"status": "healthy"}`

**AC-2: Status shows unauthenticated before login**
Given the loader is running with no prior login
When GET /status is called
Then HTTP 200 with `authenticated: false`

**AC-3: Login succeeds with valid credentials**
Given the mock API accepts test credentials
When POST /login with valid email/password
Then HTTP 200 with `{"status": "ok"}`

**AC-4: Login fails with invalid credentials**
Given the mock API rejects test credentials
When POST /login with wrong email/password
Then HTTP 401

**AC-5: Login rejects empty body**
Given the loader is running
When POST /login with empty JSON
Then HTTP 422

## Blackbox Tests

| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|--------|------------------------|-------------|-------------------|----------------|
| AC-1 | Loader running | GET /health | 200, {"status": "healthy"} | NFT-PERF-01 |
| AC-2 | No prior login | GET /status | 200, authenticated=false | — |
| AC-3 | Mock API accepts creds | POST /login valid | 200, status ok | NFT-PERF-02 |
| AC-4 | Mock API rejects creds | POST /login invalid | 401 | — |
| AC-5 | — | POST /login empty | 422 | — |
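
The acceptance criteria above, exercised as one ordered blackbox run in Python. This is an added example, not the project's test code: `StubLoader` is a constructed stand-in for the loader, the credentials and the email/password field names are constructed, and `/status` is assumed to return only the `authenticated` field. The "extra" check (a failed login must leave `/status` unauthenticated) is an addition that is not in the AC list.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID = {"email": "user@example.test", "password": "constructed-pw"}  # constructed

class StubLoader(BaseHTTPRequestHandler):  # constructed stand-in, AC-1..AC-5 only
    authenticated = False
    def _send(self, code, body):  # HTTP/1.0 reply: the body ends when the socket closes
        self.send_response(code)
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

    def do_GET(self):
        bodies = {"/health": {"status": "healthy"},
                  "/status": {"authenticated": StubLoader.authenticated}}
        self._send(200 if self.path in bodies else 404, bodies.get(self.path, {}))

    def do_POST(self):  # the stand-in treats every POST as /login
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        if not {"email", "password"} <= body.keys():
            return self._send(422, {})         # AC-5: required fields missing
        if body != VALID:
            return self._send(401, {})         # AC-4: credentials rejected
        StubLoader.authenticated = True
        self._send(200, {"status": "ok"})      # AC-3

def call(addr, method, path, payload=None):
    conn = http.client.HTTPConnection(*addr, timeout=5)
    body = None if payload is None else json.dumps(payload)
    conn.request(method, path, body, {"Content-Type": "application/json"})
    resp = conn.getresponse()
    return resp.status, json.loads(resp.read() or b"{}")

def run_checks(addr):  # entries evaluate top to bottom, so AC-2 precedes any login
    return {
        "AC-1": call(addr, "GET", "/health") == (200, {"status": "healthy"}),
        "AC-2": call(addr, "GET", "/status") == (200, {"authenticated": False}),
        "AC-5": call(addr, "POST", "/login", {})[0] == 422,
        "AC-4": call(addr, "POST", "/login", dict(VALID, password="wrong"))[0] == 401,
        "extra: no session": not call(addr, "GET", "/status")[1]["authenticated"],
        "AC-3": call(addr, "POST", "/login", VALID) == (200, {"status": "ok"}),
        "FT-P-03 step 2": call(addr, "GET", "/status")[1]["authenticated"] is True,
    }

def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), StubLoader)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address
```

`run_checks(start_stub())` returns a dict of seven results keyed by criterion. Against a real loader, pass its `(host, port)` and start from a fresh instance so that AC-2's "no prior login" condition holds.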