@authentication
Feature: Authentication and User Management

  Background:
    Given the Fellowship SUT is running
    And I navigate to the "login page"

  Scenario: User can log in with valid credentials
    When I log in with username "frodo_baggins" and password "fellowship123"
    Then I should be redirected to the dashboard
    And the dashboard should display a personalized greeting for "Frodo"

  Scenario: User sees error on invalid credentials
    When I log in with username "invalid_user" and password "wrongpassword"
    Then I should see an error message containing "Invalid credentials"

  Scenario: User can sign up with new credentials
    When I navigate to the signup page
    And I sign up with username "newuser" and password "newpass123"
    Then I should be logged in as "newuser"
    And I should land on the dashboard

  Scenario: Session persists after page refresh
    When I log in with username "samwise_gamgee" and password "fellowship123"
    And I am on the dashboard
    And I refresh the page
    Then I should still be logged in
    And the dashboard should be loaded

  Scenario: User can log out
    When I log in with username "aragorn" and password "fellowship123"
    And I am on the dashboard
    And I click the logout button
    Then I should be redirected to the login page
    And the session should be cleared

  Scenario: Protected actions are blocked for unauthenticated users
    When I try to create a quest without being logged in
    Then I should receive an unauthorized error

  @cors
  Scenario: CORS preflight is allowed for login endpoint
    When I verify CORS preflight for the login endpoint
    Then the response should allow POST requests
    And the response should include proper CORS headers