# Security Tests Blackbox security assertions against the SPA's observable surface: token storage discipline, refresh cookie attributes, RBAC route gating, credentials flag, secrets-in-source checks, destructive-action policy, dependency hygiene. These complement the server's RBAC and the suite's security_approach (`_docs/00_problem/security_approach.md`); they do NOT replace server-side enforcement (O4). ### NFT-SEC-01: Bearer is never written to `localStorage` or `sessionStorage` **Traces to**: AC-02, O2 **Profile**: static + e2e **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Static code-search on `src/` and `mission-planner/src/` for `localStorage.|sessionStorage.` near `bearer|token|accessToken` | `match_count == 0` | | 2 | E2E: complete a login; inspect `localStorage` and `sessionStorage` keys | neither contains the bearer value | **Pass criteria**: row 04 — `match_count == 0`; runtime storage does not contain the bearer. **Expected result source**: `results_report.md` row 04. --- ### NFT-SEC-02: `document.cookie` does not expose the refresh token **Traces to**: AC-03 **Profile**: e2e + static **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Static code-search for `document.cookie` reads against `refreshToken|refresh-cookie` | `match_count == 0` (row 05) | | 2 | E2E: complete login; read `document.cookie` from page context | returned string does NOT contain the refresh-token value (row 06) | **Pass criteria**: rows 05 + 06. **Expected result source**: `results_report.md` rows 05, 06. --- ### NFT-SEC-03: Refresh cookie attributes — `Secure`, `HttpOnly`, `SameSite=Strict` **Traces to**: AC-03, E3, O5 **Profile**: e2e **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Login via `POST /api/admin/auth/login` against the suite stack | `Set-Cookie` header returned | | 2 | Inspect header value | matches regex `Secure;.*HttpOnly;.*SameSite=Strict` (case-insensitive, attribute-order-tolerant) | **Pass criteria**: row 07 — regex match. **Notes**: this is a server-contract assertion; the UI test exists as defence-in-depth so a suite regression is caught before it lands in production. **Expected result source**: `results_report.md` row 07. --- ### NFT-SEC-04: `credentials: 'include'` is set on every authenticated fetch **Traces to**: AC-01, O3 **Profile**: fast (apiClient wrapper) + e2e (live capture) **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Issue an authenticated request via `apiClient` | RequestInit captured | | 2 | Inspect | `credentials === 'include'` (row 01) | | 3 | Repeat for the bootstrap refresh | same (row 02 — `quarantined` until Step 4 bootstrap fix) | **Pass criteria**: rows 01 + 02. **Expected result source**: `results_report.md` rows 01, 02. --- ### NFT-SEC-05: `/admin` route blocks non-admins client-side (defence in depth) **Traces to**: AC-22 **Profile**: e2e — `quarantined` until role-gate is added (Step 4 / Step 8) **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Log in as `op_alice` (Operator, no admin role) | session active | | 2 | Navigate to `/admin` | URL changes | | 3 | Inspect final URL + DOM | URL is `/flights`; `` NOT mounted | **Pass criteria**: row 08. **Notes**: server-side RBAC is authoritative; the UI gate is a usability + leakage layer. **Expected result source**: `results_report.md` row 08. --- ### NFT-SEC-06: `/settings` route gate is applied per RBAC **Traces to**: AC-22 **Profile**: e2e — `quarantined` **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Log in as user without SETTINGS permission | session active | | 2 | Navigate to `/settings` | URL changes | | 3 | Inspect | URL is `/flights`; `` NOT mounted | **Pass criteria**: row 10. **Expected result source**: `results_report.md` row 10. --- ### NFT-SEC-07: `alert()` is forbidden anywhere in the SPA **Traces to**: AC-14, O10 **Profile**: static **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Regex sweep `src/` and `mission-planner/src/` for `\balert\(` | `match_count == 0` | **Pass criteria**: row 50. **Expected result source**: `results_report.md` row 50. --- ### NFT-SEC-08: ConfirmDialog gates every destructive action **Traces to**: AC-14, AC-30, O10 **Profile**: fast **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | For each destructive surface in `_docs/ui_design/` (class delete, user deactivate, dataset bulk-overwrite, etc.) | sequence checked | | 2 | Confirm sequence on click → before any HTTP fires | dialog present (row 51) | | 3 | On Confirm in class-delete flow → exactly one DELETE to `^/api/admin/classes/[0-9]+$` | (row 49) | **Pass criteria**: rows 49 + 51. **Expected result source**: `results_report.md` rows 49, 51. --- ### NFT-SEC-09: OpenWeatherMap API key is not shipped in source or bundle **Traces to**: AC-20, P10 **Profile**: static (source) + static (bundle) **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Regex sweep `src/` and `mission-planner/src/` for the literal current OWM key value | `match_count == 0` (row 63) | | 2 | Regex sweep for `appid=` and `api_key=` literal occurrences in source URLs | `match_count == 0` (row 63) | | 3 | Scan `dist/**/*.js` post-build for the literal key | `match_count == 0` (Phase 3 may downgrade to "until Step 4 fix") | **Pass criteria**: row 63. **Status**: `quarantined` for source check until Step 4 fix; the bundle-scan check passes immediately for `src/` (mission-planner not bundled, AC-31). **Expected result source**: `results_report.md` row 63. --- ### NFT-SEC-10: No in-browser ML libs **Traces to**: AC-N2 **Profile**: static **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Parse `package.json` and `mission-planner/package.json` dependencies | dependency lists | | 2 | Match against `^(onnxruntime|@?tensorflow(?:js)?(?:/.*)?|tflite|coreml|tfjs|@huggingface/.*|transformers\.js)$` | zero matches | **Pass criteria**: row 92. **Expected result source**: `results_report.md` row 92. --- ### NFT-SEC-11: No response-signature / JOSE libs on the request path **Traces to**: AC-N4 **Profile**: static **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Parse `package.json` dependencies | list | | 2 | Match against `^(jsrsasign|tweetnacl|@noble/.*|jose)$` | zero matches | **Pass criteria**: row 94. **Expected result source**: `results_report.md` row 94. --- ### NFT-SEC-12: No service worker — offline mode is explicitly absent **Traces to**: AC-N3 **Profile**: e2e **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Load the SPA in a fresh browser context | app boots | | 2 | Read `navigator.serviceWorker.getRegistrations()` | empty array | **Pass criteria**: row 93 — no service worker registered. **Expected result source**: `results_report.md` row 93. --- ### NFT-SEC-13: Dropped legacy features are not present in source **Traces to**: AC-N5 **Profile**: static **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Regex sweep `src/` and `mission-planner/src/` for `SoundDetections|DroneMaintenance` | `match_count == 0` | **Pass criteria**: row 95. **Expected result source**: `results_report.md` row 95. --- ### NFT-SEC-14: Anti-criterion AC-N1 — no concurrent-edit reconciliation surfaces **Traces to**: AC-N1 **Profile**: e2e + static **Steps**: | Step | Consumer Action | Expected Response | |------|----------------|------------------| | 1 | Open the same annotation in two browser sessions; edit both | both save individually | | 2 | Inspect each session's DOM | no merge UI; no presence indicator | **Pass criteria**: row 91. **Notes**: this is an anti-criterion — the test enforces that the feature is NOT silently added. **Expected result source**: `results_report.md` row 91.