dance-lessons-coach

arcodange/dance-lessons-coach

Fork 0

Commit Graph

Author	SHA1	Message	Date
Gabriel Radureau	418aaeaf95	🧪 test(bdd): admin metadata endpoint security property — no secret leak Activates a new @critical @admin-introspection scenario in features/jwt/jwt_secret_retention.feature that exercises the GET /api/v1/admin/jwt/secrets endpoint added in PR #51. The scenario asserts the SECURITY-CRITICAL property: the metadata endpoint exposes structure (count + per-secret is_primary, age, fingerprint) WITHOUT leaking secret values. If a future change accidentally adds the secret value to the response, this test fails loud: SECURITY: response leaked the secret value "test-secret-do-not-leak..." Specifically, the BDD asserts: - After adding a secondary secret with a known value, GET returns 200 - The response contains 2 secrets in count - The response does NOT contain the secret value anywhere - Every entry has a non-empty SHA-256 fingerprint 4 new step definitions added to pkg/bdd/steps/jwt_retention_steps.go: - iAddASecondaryJWTSecretNamed (parameterised by secret value) - iRequestTheJWTSecretsMetadataEndpoint - theMetadataShouldContainNSecrets - theMetadataShouldNotContainTheSecretValue (the security check) - everySecretInTheMetadataShouldHaveASHA256Fingerprint Tests: - Scenario passes via @admin-introspection tag filter. - Full BDD suite (auth/config/greet/health/info/jwt) green. The pre-existing @todo scenarios (Multiple secrets with different ages, Cleanup frequency configuration, etc.) remain @todo — they require arbitrary timestamp setup or manual cleanup triggers that aren't exposed via API, by design. Documented as future test-infrastructure work.	2026-05-05 09:55:52 +02:00
Gabriel Radureau	5eec64e5e8	🧪 test: add JWT secret rotation BDD scenarios and step implementations (#12 ) All checks were successful CI/CD Pipeline / Build Docker Cache (push) Successful in 9s Details CI/CD Pipeline / CI Pipeline (push) Successful in 4m15s Details CI/CD Pipeline / Trigger Docker Push (push) Has been skipped Details ✨ merge: implement JWT secret rotation with BDD scenario isolation - Implement JWT secret rotation mechanism (closes #8) - Add per-scenario state isolation for BDD tests (closes #14) - Validate password reset workflow via BDD tests (closes #7) - Fix port conflicts in test validation - Add state tracer for debugging test execution - Document BDD isolation strategies in ADR 0025 - Fix PostgreSQL configuration environment variables Generated by Mistral Vibe. Co-Authored-By: Mistral Vibe <vibe@mistral.ai> Co-authored-by: Gabriel Radureau <arcodange@gmail.com> Co-committed-by: Gabriel Radureau <arcodange@gmail.com>	2026-04-11 17:56:45 +02:00

Author

SHA1

Message

Date

Gabriel Radureau

418aaeaf95

🧪 test(bdd): admin metadata endpoint security property — no secret leak

Activates a new @critical @admin-introspection scenario in
features/jwt/jwt_secret_retention.feature that exercises the GET
/api/v1/admin/jwt/secrets endpoint added in PR #51.

The scenario asserts the SECURITY-CRITICAL property: the metadata
endpoint exposes structure (count + per-secret is_primary, age,
fingerprint) WITHOUT leaking secret values. If a future change
accidentally adds the secret value to the response, this test fails
loud:
  SECURITY: response leaked the secret value "test-secret-do-not-leak..."

Specifically, the BDD asserts:
- After adding a secondary secret with a known value, GET returns 200
- The response contains 2 secrets in count
- The response does NOT contain the secret value anywhere
- Every entry has a non-empty SHA-256 fingerprint

4 new step definitions added to pkg/bdd/steps/jwt_retention_steps.go:
- iAddASecondaryJWTSecretNamed (parameterised by secret value)
- iRequestTheJWTSecretsMetadataEndpoint
- theMetadataShouldContainNSecrets
- theMetadataShouldNotContainTheSecretValue (the security check)
- everySecretInTheMetadataShouldHaveASHA256Fingerprint

Tests:
- Scenario passes via @admin-introspection tag filter.
- Full BDD suite (auth/config/greet/health/info/jwt) green.

The pre-existing @todo scenarios (Multiple secrets with different ages,
Cleanup frequency configuration, etc.) remain @todo — they require
arbitrary timestamp setup or manual cleanup triggers that aren't
exposed via API, by design. Documented as future test-infrastructure
work.

2026-05-05 09:55:52 +02:00

Gabriel Radureau

5eec64e5e8

🧪 test: add JWT secret rotation BDD scenarios and step implementations (#12 )

CI/CD Pipeline / Build Docker Cache (push) Successful in 9s

Details

CI/CD Pipeline / CI Pipeline (push) Successful in 4m15s

Details

CI/CD Pipeline / Trigger Docker Push (push) Has been skipped

Details

✨ merge: implement JWT secret rotation with BDD scenario isolation

- Implement JWT secret rotation mechanism (closes #8)
- Add per-scenario state isolation for BDD tests (closes #14)
- Validate password reset workflow via BDD tests (closes #7)
- Fix port conflicts in test validation
- Add state tracer for debugging test execution
- Document BDD isolation strategies in ADR 0025
- Fix PostgreSQL configuration environment variables

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>

2026-04-11 17:56:45 +02:00

2 Commits