✨ feat(bdd): magic-link BDD scenarios + bcrypt overflow fix (ADR-0028 Phase A.5) (#63)

Co-authored-by: Gabriel Radureau <arcodange@gmail.com> Co-committed-by: Gabriel Radureau <arcodange@gmail.com>
2026-05-05 11:44:41 +02:00
parent f39acf5de5
commit 9072b3e246
6 changed files with 220 additions and 6 deletions
--- a/features/auth/magic_link.feature
+++ b/features/auth/magic_link.feature
@@ -0,0 +1,34 @@
+@magic-link
+Feature: Passwordless magic-link sign-in
+  As a user without a password
+  I want to sign in by clicking a link sent to my email
+  So I can access the system without typing a password
+
+  Scenario: Happy path - request, receive, consume
+    Given the server is running
+    And I have an email address for this scenario
+    When I request a magic link for my email
+    Then I should receive an email with subject "Your sign-in link"
+    And the email contains a magic link token
+    When I consume the magic link token
+    Then the consume should succeed and return a JWT
+
+  Scenario: Token cannot be consumed twice
+    Given the server is running
+    And I have an email address for this scenario
+    When I request a magic link for my email
+    And the email contains a magic link token
+    When I consume the magic link token
+    Then the consume should succeed and return a JWT
+    When I consume the magic link token
+    Then the consume should fail with 401
+
+  Scenario: Missing token returns 400
+    Given the server is running
+    When I consume an empty magic link token
+    Then the response should have status 400
+
+  Scenario: Unknown token returns 401
+    Given the server is running
+    When I consume an unknown magic link token
+    Then the consume should fail with 401