@api @auth-api
Feature: Authentication API
  Validates login, logout, and session endpoints

  Background:
    Given the API is accessible

  Scenario: Login with valid credentials returns 200
    When I log in via the API as "frodo_baggins" with password "fellowship123"
    Then the response status should be 200
    And the response body should have property "user"
    And the response body should have property "user.id"
    And the response body should have property "user.username"

  Scenario: Login with invalid credentials returns 401
    When I log in via the API as "invalid_user" with password "wrongpassword"
    Then the response status should be 401

  Scenario: Protected endpoints require authentication
    When I try to create a quest without being logged in
    Then the response status should be 401

  Scenario: Session endpoint returns current user when authenticated
    Given I am authenticated as "samwise_gamgee"
    When I GET "/api/auth/me"
    Then the response status should be 200
    And the response body should have property "username"

  Scenario: Logout clears session
    Given I am authenticated as "aragorn"
    When I log out via the API
    Then the response status should be less than 300
    When I try to create a quest without being logged in
    Then the response status should be 401

  @cors
  Scenario: CORS preflight is allowed for login endpoint
    When I send OPTIONS to "/api/auth/login" with CORS origin "http://localhost:3000"
    Then the response should be successful
    And the CORS response headers should allow method "POST"