🧪 test: add JWT secret rotation BDD scenarios and step implementations (#12)

✨ merge: implement JWT secret rotation with BDD scenario isolation

- Implement JWT secret rotation mechanism (closes #8)
- Add per-scenario state isolation for BDD tests (closes #14)
- Validate password reset workflow via BDD tests (closes #7)
- Fix port conflicts in test validation
- Add state tracer for debugging test execution
- Document BDD isolation strategies in ADR 0025
- Fix PostgreSQL configuration environment variables

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>

features/auth/auth_test.go

@@ -0,0 +1,16 @@
+package auth
+
+import (
+	"testing"
+
+	"dance-lessons-coach/pkg/bdd/testsetup"
+)
+
+func TestAuthBDD(t *testing.T) {
+	config := testsetup.NewFeatureConfig("auth", "progress", false)
+	suite := testsetup.CreateTestSuite(t, config, "dance-lessons-coach BDD Tests - Auth Feature")
+
+	if suite.Run() != 0 {
+		t.Fatal("non-zero status returned, failed to run auth BDD tests")
+	}
+}

features/auth/user_authentication.feature

@@ -0,0 +1,152 @@
+# features/user_authentication.feature
+Feature: User Authentication
+  As a user
+  I want to authenticate with the system
+  So I can access personalized features
+
+  Scenario: Successful user authentication
+    Given the server is running
+    And a user "testuser" exists with password "testpass123"
+    When I authenticate with username "testuser" and password "testpass123"
+    Then the authentication should be successful
+    And I should receive a valid JWT token
+
+  Scenario: Failed authentication with wrong password
+    Given the server is running
+    And a user "testuser" exists with password "testpass123"
+    When I authenticate with username "testuser" and password "wrongpassword"
+    Then the authentication should fail
+    And the response should contain error "invalid_credentials"
+
+  Scenario: Failed authentication with non-existent user
+    Given the server is running
+    When I authenticate with username "nonexistent" and password "somepassword"
+    Then the authentication should fail
+    And the response should contain error "invalid_credentials"
+
+  Scenario: Admin authentication with master password
+    Given the server is running
+    When I authenticate as admin with master password "admin123"
+    Then the authentication should be successful
+    And I should receive a valid JWT token
+    And the token should contain admin claims
+
+  Scenario: User registration
+    Given the server is running
+    When I register a new user "newuser_" with password "newpass123"
+    Then the registration should be successful
+    And I should be able to authenticate with the new credentials
+
+  Scenario: Password reset request by admin
+    Given the server is running
+    And a user "resetuser" exists with password "oldpass123"
+    And I am authenticated as admin
+    When I request password reset for user "resetuser"
+    Then the password reset should be allowed
+    And the user should be flagged for password reset
+
+  Scenario: User completes password reset
+    Given the server is running
+    And a user "resetuser" exists and is flagged for password reset
+    When I complete password reset for "resetuser" with new password "newpass123"
+    Then the password reset should be successful
+    And I should be able to authenticate with the new password
+
+  Scenario: Failed password reset for non-existent user
+    Given the server is running
+    When I request password reset for user "nonexistent"
+    Then the password reset should fail
+    And the response should contain error "server_error"
+
+  Scenario: Failed password reset completion for non-existent user
+    Given the server is running
+    When I complete password reset for "nonexistent" with new password "newpass123"
+    Then the password reset should fail
+    And the response should contain error "server_error"
+
+  Scenario: Failed password reset completion for user not flagged
+    Given the server is running
+    And a user "normaluser" exists with password "oldpass123"
+    When I complete password reset for "normaluser" with new password "newpass123"
+    Then the password reset should fail
+    And the response should contain error "server_error"
+
+  Scenario: Failed registration with existing username
+    Given the server is running
+    And a user "existinguser" exists with password "testpass123"
+    When I register a new user "existinguser" with password "newpass123"
+    Then the registration should fail
+    And the response should contain error "user_exists"
+    And the status code should be 409
+
+  Scenario: Failed registration with invalid username
+    Given the server is running
+    When I register a new user "ab" with password "validpass123"
+    Then the registration should fail
+    And the status code should be 400
+
+  Scenario: Failed registration with invalid password
+    Given the server is running
+    When I register a new user "validuser" with password "short"
+    Then the registration should fail
+    And the status code should be 400
+
+  Scenario: Failed authentication with empty username
+    Given the server is running
+    When I authenticate with username "" and password "somepassword"
+    Then the authentication should fail with validation error
+    And the status code should be 400
+
+  Scenario: Failed authentication with empty password
+    Given the server is running
+    When I authenticate with username "someuser" and password ""
+    Then the authentication should fail with validation error
+    And the status code should be 400
+
+  Scenario: Failed admin authentication with wrong password
+    Given the server is running
+    When I authenticate as admin with master password "wrongadmin"
+    Then the authentication should fail
+    And the response should contain error "invalid_credentials"
+
+  Scenario: Multiple consecutive authentications
+    Given the server is running
+    And a user "multiuser" exists with password "testpass123"
+    When I authenticate with username "multiuser" and password "testpass123"
+    Then the authentication should be successful
+    And I should receive a valid JWT token
+    When I authenticate with username "multiuser" and password "testpass123" again
+    Then the authentication should be successful
+    And I should receive a different JWT token
+
+  Scenario: JWT token validation
+    Given the server is running
+    And a user "tokenuser" exists with password "testpass123"
+    When I authenticate with username "tokenuser" and password "testpass123"
+    Then the authentication should be successful
+    And I should receive a valid JWT token
+    When I validate the received JWT token
+    Then the token should be valid
+    And it should contain the correct user ID
+
+  Scenario: Authentication with expired JWT token
+    Given the server is running
+    And a user "expireduser" exists with password "testpass123"
+    When I authenticate with username "expireduser" and password "testpass123"
+    Then the authentication should be successful
+    And I should receive a valid JWT token
+    When I use an expired JWT token for authentication
+    Then the authentication should fail
+    And the response should contain error "invalid_token"
+
+  Scenario: Authentication with JWT token signed with wrong secret
+    Given the server is running
+    When I use a JWT token signed with wrong secret for authentication
+    Then the authentication should fail
+    And the response should contain error "invalid_token"
+
+  Scenario: Authentication with malformed JWT token
+    Given the server is running
+    When I use a malformed JWT token for authentication
+    Then the authentication should fail
+    And the response should contain error "invalid_token"