41 lines
1.6 KiB
Gherkin
@api @auth-api
Feature: Authentication API
  Validates login, logout, and session endpoints

  Background:
    Given the API is accessible

  Scenario: Login with valid credentials returns 200
    When I log in via the API as "frodo_baggins" with password "fellowship123"
    Then the response status should be 200
    And the response body should have property "user"
    And the response body should have property "user.id"
    And the response body should have property "user.username"

  Scenario: Login with invalid credentials returns 401
    When I log in via the API as "invalid_user" with password "wrongpassword"
    Then the response status should be 401

  Scenario: Protected endpoints require authentication
    When I try to create a quest without being logged in
    Then the response status should be 401

  Scenario: Session endpoint returns current user when authenticated
    Given I am authenticated as "samwise_gamgee"
    When I GET "/api/auth/me"
    Then the response status should be 200
    And the response body should have property "username"

  Scenario: Logout clears session
    Given I am authenticated as "aragorn"
    When I log out via the API
    Then the response status should be less than 300
    When I try to create a quest without being logged in
    Then the response status should be 401

  @cors
  Scenario: CORS preflight is allowed for login endpoint
    When I send OPTIONS to "/api/auth/login" with CORS origin "http://localhost:3000"
    Then the response should be successful
    And the CORS response headers should allow method "POST"