🧪 test: add comprehensive BDD test suite for user authentication

Added BDD test scenarios covering: - User registration with validation - Successful and failed authentication - Admin authentication with master password - JWT token generation and validation - Password reset workflow - Edge cases and error handling BDD Features: - 20+ authentication scenarios - JWT validation edge cases - Password reset security scenarios - Input validation tests - Error response verification BDD Infrastructure: - Step definitions for authentication workflows - Test server with user management endpoints - JWT parsing and validation utilities - Common step patterns for reuse Generated by Mistral Vibe. Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
2026-04-09 00:25:48 +02:00
parent 52a4ce4139
commit a17eebc8f2
11 changed files with 1171 additions and 106 deletions
--- a/pkg/bdd/steps/steps.go
+++ b/pkg/bdd/steps/steps.go
@@ -2,108 +2,82 @@ package steps

 import (
 	"dance-lessons-coach/pkg/bdd/testserver"
-	"fmt"
-	"strings"

 	"github.com/cucumber/godog"
 )

 // StepContext holds the test client and implements all step definitions
 type StepContext struct {
-	client *testserver.Client
+	client      *testserver.Client
+	greetSteps  *GreetSteps
+	healthSteps *HealthSteps
+	authSteps   *AuthSteps
+	commonSteps *CommonSteps
 }

 // NewStepContext creates a new step context
 func NewStepContext(client *testserver.Client) *StepContext {
-	return &StepContext{client: client}
+	return &StepContext{
+		client:      client,
+		greetSteps:  NewGreetSteps(client),
+		healthSteps: NewHealthSteps(client),
+		authSteps:   NewAuthSteps(client),
+		commonSteps: NewCommonSteps(client),
+	}
 }

 // InitializeAllSteps registers all step definitions for the BDD tests
 func InitializeAllSteps(ctx *godog.ScenarioContext, client *testserver.Client) {
 	sc := NewStepContext(client)

-	ctx.Step(`^I request a greeting for "([^"]*)"$`, sc.iRequestAGreetingFor)
-	ctx.Step(`^I request the default greeting$`, sc.iRequestTheDefaultGreeting)
-	ctx.Step(`^I request the health endpoint$`, sc.iRequestTheHealthEndpoint)
-	ctx.Step(`^the response should be "{\\"([^"]*)":\\"([^"]*)"}"$`, sc.theResponseShouldBe)
-	ctx.Step(`^the server is running$`, sc.theServerIsRunning)
-	ctx.Step(`^the server is running with v2 enabled$`, sc.theServerIsRunningWithV2Enabled)
-	ctx.Step(`^I send a POST request to v2 greet with name "([^"]*)"$`, sc.iSendPOSTRequestToV2GreetWithName)
-	ctx.Step(`^I send a POST request to v2 greet with invalid JSON "([^"]*)"$`, sc.iSendPOSTRequestToV2GreetWithInvalidJSON)
-	ctx.Step(`^the response should contain error "([^"]*)"$`, sc.theResponseShouldContainError)
-}
-
-func (sc *StepContext) iRequestAGreetingFor(name string) error {
-	return sc.client.Request("GET", fmt.Sprintf("/api/v1/greet/%s", name), nil)
-}
-
-func (sc *StepContext) iRequestTheDefaultGreeting() error {
-	return sc.client.Request("GET", "/api/v1/greet/", nil)
-}
-
-func (sc *StepContext) iRequestTheHealthEndpoint() error {
-	return sc.client.Request("GET", "/api/health", nil)
-}
-
-func (sc *StepContext) theResponseShouldBe(arg1, arg2 string) error {
-	// The regex captures the full JSON from the feature file, including quotes
-	// We need to extract just the key and value without the surrounding quotes and backslashes
-
-	// Remove the surrounding quotes and backslashes
-	cleanArg1 := strings.Trim(arg1, `"\`)
-	cleanArg2 := strings.Trim(arg2, `"\`)
-
-	// Build the expected JSON string
-	expected := fmt.Sprintf(`{"%s":"%s"}`, cleanArg1, cleanArg2)
-
-	return sc.client.ExpectResponseBody(expected)
-}
-
-func (sc *StepContext) theServerIsRunning() error {
-	// Actually verify the server is running by checking the readiness endpoint
-	return sc.client.Request("GET", "/api/ready", nil)
-}
-
-func (sc *StepContext) theServerIsRunningWithV2Enabled() error {
-	// Verify the server is running and v2 is enabled by checking v2 endpoint exists
-	// First check server is running
-	if err := sc.client.Request("GET", "/api/ready", nil); err != nil {
-		return err
-	}
-
-	// Check if v2 endpoint is available (should return 405 Method Not Allowed for GET, which means endpoint exists)
-	// If v2 is disabled, this will return 404
-	resp, err := sc.client.CustomRequest("GET", "/api/v2/greet", nil)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	// If we get 405, v2 is enabled (endpoint exists but doesn't allow GET)
-	// If we get 404, v2 is disabled
-	if resp.StatusCode == 404 {
-		return fmt.Errorf("v2 endpoint not available - v2 feature flag not enabled")
-	}
-
-	return nil
-}
-
-func (sc *StepContext) iSendPOSTRequestToV2GreetWithName(name string) error {
-	// Create JSON request body
-	requestBody := map[string]string{"name": name}
-	return sc.client.Request("POST", "/api/v2/greet", requestBody)
-}
-
-func (sc *StepContext) iSendPOSTRequestToV2GreetWithInvalidJSON(invalidJSON string) error {
-	// Send raw invalid JSON
-	return sc.client.Request("POST", "/api/v2/greet", invalidJSON)
-}
-
-func (sc *StepContext) theResponseShouldContainError(expectedError string) error {
-	// Check if the response contains the expected error
-	body := string(sc.client.GetLastBody())
-	if !strings.Contains(body, expectedError) {
-		return fmt.Errorf("expected response to contain error %q, got %q", expectedError, body)
-	}
-	return nil
+	// Greet steps
+	ctx.Step(`^I request a greeting for "([^"]*)"$`, sc.greetSteps.iRequestAGreetingFor)
+	ctx.Step(`^I request the default greeting$`, sc.greetSteps.iRequestTheDefaultGreeting)
+	ctx.Step(`^I send a POST request to v2 greet with name "([^"]*)"$`, sc.greetSteps.iSendPOSTRequestToV2GreetWithName)
+	ctx.Step(`^I send a POST request to v2 greet with invalid JSON "([^"]*)"$`, sc.greetSteps.iSendPOSTRequestToV2GreetWithInvalidJSON)
+	ctx.Step(`^the server is running with v2 enabled$`, sc.greetSteps.theServerIsRunningWithV2Enabled)
+
+	// Health steps
+	ctx.Step(`^I request the health endpoint$`, sc.healthSteps.iRequestTheHealthEndpoint)
+	ctx.Step(`^the server is running$`, sc.healthSteps.theServerIsRunning)
+
+	// Auth steps
+	ctx.Step(`^a user "([^"]*)" exists with password "([^"]*)"$`, sc.authSteps.aUserExistsWithPassword)
+	ctx.Step(`^I authenticate with username "([^"]*)" and password "([^"]*)"$`, sc.authSteps.iAuthenticateWithUsernameAndPassword)
+	ctx.Step(`^the authentication should be successful$`, sc.authSteps.theAuthenticationShouldBeSuccessful)
+	ctx.Step(`^I should receive a valid JWT token$`, sc.authSteps.iShouldReceiveAValidJWTToken)
+	ctx.Step(`^the authentication should fail$`, sc.authSteps.theAuthenticationShouldFail)
+	ctx.Step(`^I authenticate as admin with master password "([^"]*)"$`, sc.authSteps.iAuthenticateAsAdminWithMasterPassword)
+	ctx.Step(`^the token should contain admin claims$`, sc.authSteps.theTokenShouldContainAdminClaims)
+	ctx.Step(`^I register a new user "([^"]*)" with password "([^"]*)"$`, sc.authSteps.iRegisterANewUserWithPassword)
+	ctx.Step(`^the registration should be successful$`, sc.authSteps.theRegistrationShouldBeSuccessful)
+	ctx.Step(`^I should be able to authenticate with the new credentials$`, sc.authSteps.iShouldBeAbleToAuthenticateWithTheNewCredentials)
+	ctx.Step(`^I am authenticated as admin$`, sc.authSteps.iAmAuthenticatedAsAdmin)
+	ctx.Step(`^I request password reset for user "([^"]*)"$`, sc.authSteps.iRequestPasswordResetForUser)
+	ctx.Step(`^the password reset should be allowed$`, sc.authSteps.thePasswordResetShouldBeAllowed)
+	ctx.Step(`^the user should be flagged for password reset$`, sc.authSteps.theUserShouldBeFlaggedForPasswordReset)
+	ctx.Step(`^I complete password reset for "([^"]*)" with new password "([^"]*)"$`, sc.authSteps.iCompletePasswordResetForWithNewPassword)
+	ctx.Step(`^I should be able to authenticate with the new password$`, sc.authSteps.iShouldBeAbleToAuthenticateWithTheNewPassword)
+	ctx.Step(`^a user "([^"]*)" exists and is flagged for password reset$`, sc.authSteps.aUserExistsAndIsFlaggedForPasswordReset)
+	ctx.Step(`^the password reset should be successful$`, sc.authSteps.thePasswordResetShouldBeSuccessful)
+	ctx.Step(`^the password reset should fail$`, sc.authSteps.thePasswordResetShouldFail)
+	ctx.Step(`^the registration should fail$`, sc.authSteps.theRegistrationShouldFail)
+	ctx.Step(`^the authentication should fail with validation error$`, sc.authSteps.theAuthenticationShouldFailWithValidationError)
+
+	// JWT edge case steps
+	ctx.Step(`^I use an expired JWT token for authentication$`, sc.authSteps.iUseAnExpiredJWTTokenForAuthentication)
+	ctx.Step(`^I use a JWT token signed with wrong secret for authentication$`, sc.authSteps.iUseAJWTTokenSignedWithWrongSecretForAuthentication)
+	ctx.Step(`^I use a malformed JWT token for authentication$`, sc.authSteps.iUseAMalformedJWTTokenForAuthentication)
+
+	// JWT validation steps
+	ctx.Step(`^I validate the received JWT token$`, sc.authSteps.iValidateTheReceivedJWTToken)
+	ctx.Step(`^the token should be valid$`, sc.authSteps.theTokenShouldBeValid)
+	ctx.Step(`^it should contain the correct user ID$`, sc.authSteps.itShouldContainTheCorrectUserID)
+	ctx.Step(`^I should receive a different JWT token$`, sc.authSteps.iShouldReceiveADifferentJWTToken)
+	ctx.Step(`^I authenticate with username "([^"]*)" and password "([^"]*)" again$`, sc.authSteps.iAuthenticateWithUsernameAndPasswordAgain)
+
+	// Common steps
+	ctx.Step(`^the response should be "{\\"([^"]*)":\\"([^"]*)"}"$`, sc.commonSteps.theResponseShouldBe)
+	ctx.Step(`^the response should contain error "([^"]*)"$`, sc.commonSteps.theResponseShouldContainError)
+	ctx.Step(`^the status code should be (\d+)$`, sc.commonSteps.theStatusCodeShouldBe)
 }