arcodange/dance-lessons-coach
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

🧪 test: add JWT secret rotation BDD scenarios and step implementations #12

Merged
arcodange merged 72 commits from feature/jwt-secret-rotation into main 2026-04-11 17:56:47 +02:00
Conversation 3 Commits 72 Files Changed 66 +123 -35
1 changed files with 123 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 58d2187acf - Show all commits

158
bdd_implementation_plan.md
View File

@@ -1,44 +1,132 @@
Pending BDD Tests Implementation Plan # BDD Implementation Plan for dance-lessons-coach
Current Status: ## Current Status
- 54 scenarios total - **Total Scenarios**: 54
- 30 scenarios passing - **Passing**: 30 (55%)
- 24 scenarios pending - **Pending**: 24 (44%)
- 0 scenarios undefined - **Undefined**: 0 (0%)
- **Total Steps**: 361
- **Passing Steps**: 183
- **Pending Steps**: 24
- **Skipped Steps**: 154
Implementation Plan: ## Priority Order for Step Function Implementation
1. **JWT Secret Rotation Tests** (High Priority) ### 🔴 CRITICAL PRIORITY (Blockers for core functionality)
- Token validation with multiple valid secrets 1. **JWT Secret Management**
- Secret rotation scenarios - `theServerIsRunningWithMultipleJWTSecrets()` - Setup multiple secrets
- Graceful rotation during retention period - `iShouldReceiveAValidJWTTokenSignedWithThePrimarySecret()` - Primary secret validation
- `iValidateAJWTTokenSignedWithTheSecondarySecret()` - Secondary secret validation
- `iAddANewSecondaryJWTSecretToTheServer()` - Secret addition
- `iAddANewSecondaryJWTSecretAndRotateToIt()` - Secret rotation
2. **JWT Secret Retention Tests** (High Priority) ### 🟡 HIGH PRIORITY (Core JWT functionality)
- Automatic cleanup of expired secrets 2. **JWT Retention & Cleanup**
- Secret retention based on TTL factor - `theDefaultJWTTTLIsHours()` - TTL configuration
- Maximum retention period enforcement - `theRetentionFactorIs()` - Retention factor setup
- Cleanup frequency configuration - `theMaximumRetentionIsHours()` - Max retention limits
- `iAddASecondaryJWTSecretWithHourExpiration()` - Expiring secrets
- `iWaitForTheRetentionPeriodToElapse()` - Time simulation
- `theExpiredSecondarySecretShouldBeAutomaticallyRemoved()` - Auto-cleanup
- `thePrimarySecretShouldRemainActive()` - Primary secret protection
3. **User Authentication Tests** (Medium Priority) 3. **JWT Validation & Authentication**
- Successful user authentication - `aUserExistsWithPassword()` - User setup
- Failed authentication scenarios - `iAuthenticateWithUsernameAndPassword()` - Login functionality
- Admin authentication - `theAuthenticationShouldBeSuccessful()` - Success validation
- User registration - `iShouldReceiveAValidJWTToken()` - Token generation
- Password reset functionality - `iValidateTheReceivedJWTToken()` - Token validation
- `theTokenShouldBeValid()` - Token verification
- `itShouldContainTheCorrectUserID()` - Claims validation
4. **Configuration & Monitoring Tests** (Medium Priority) ### 🟢 MEDIUM PRIORITY (Extended functionality)
- Configuration validation 4. **User Management**
- Metrics for secret retention - `iRegisterANewUserWithPassword()` - User registration
- Log masking for security - `theRegistrationShouldBeSuccessful()` - Registration validation
- Monitoring and alerting - `iShouldBeAbleToAuthenticateWithTheNewCredentials()` - Post-registration auth
- `iAuthenticateAsAdminWithMasterPassword()` - Admin access
- `theTokenShouldContainAdminClaims()` - Admin privileges
Next Steps: 5. **Password Reset**
- `iAmAuthenticatedAsAdmin()` - Admin context
- `iRequestPasswordResetForUser()` - Reset initiation
- `thePasswordResetShouldBeAllowed()` - Reset authorization
- `theUserShouldBeFlaggedForPasswordReset()` - Reset state
- `iCompletePasswordResetForWithNewPassword()` - Reset completion
- `iShouldBeAbleToAuthenticateWithTheNewPassword()` - Post-reset validation
1. Implement JWT secret rotation logic in the authentication service ### 🔵 LOW PRIORITY (Edge cases & monitoring)
2. Add JWT secret retention and cleanup functionality 6. **Configuration & Validation**
3. Implement user authentication and registration endpoints - `iSetRetentionFactorTo()` - Dynamic configuration
4. Add configuration validation and monitoring - `iTryToStartTheServer()` - Server validation
5. Implement step definitions for pending scenarios - `iShouldReceiveConfigurationValidationError()` - Error handling
6. Run full test suite to verify all scenarios pass - `theErrorShouldMention()` - Error message validation
Estimated Time: 2-3 days 7. **Monitoring & Metrics**
- `iHaveEnabledPrometheusMetrics()` - Metrics setup
- `iShouldSeeMetricIncrement()` - Metric validation
- `iShouldSeeMetricDecrease()` - Metric changes
- `iShouldSeeHistogramUpdate()` - Histogram metrics
8. **Security & Logging**
- `iAddANewJWTSecret()` - Secret addition with masking
- `theLogsShouldShowMaskedSecret()` - Log validation
- `theLogsShouldNotExposeTheFullSecret()` - Security validation
9. **Performance & Scalability**
- `iHaveJWTSecrets()` - Bulk secret management
- `ofThemAreExpired()` - Expiration tracking
- `itShouldCompleteWithinMilliseconds()` - Performance validation
- `andNotImpactServerPerformance()` - Performance monitoring
10. **Advanced Features**
- `iEnableAuditLogging()` - Audit trail setup
- `iShouldSeeAuditLogEntryWithEventType()` - Audit validation
- `iAuthenticateAndReceiveTokenA()` - Token tracking
- `iRefreshMyTokenDuringRetentionPeriod()` - Token refresh
- `iShouldReceiveNewTokenB()` - New token validation
- `andTokenAShouldStillBeValidUntilRetentionExpires()` - Concurrent validation
- `givenASecurityIncidentRequiresImmediateRotation()` - Emergency rotation
- `iRotateToANewPrimarySecret()` - Emergency secret rotation
- `oldTokensShouldBeInvalidatedImmediately()` - Emergency invalidation
- `andNewTokensShouldUseTheEmergencySecret()` - Emergency token generation
- `andCleanupShouldRemoveCompromisedSecrets()` - Emergency cleanup
## Implementation Strategy
### Phase 1: Core JWT Infrastructure (2-3 days)
- Implement JWT secret management and rotation
- Add retention policy and cleanup functionality
- Create basic authentication endpoints
- Implement core step definitions
### Phase 2: User Management (1-2 days)
- Implement user registration and authentication
- Add password reset functionality
- Implement admin authentication
- Add user-related step definitions
### Phase 3: Monitoring & Security (1 day)
- Add Prometheus metrics integration
- Implement log masking for security
- Add audit logging
- Implement monitoring step definitions
### Phase 4: Edge Cases & Testing (1 day)
- Implement remaining edge case handlers
- Add performance validation
- Complete all step definitions
- Run full test suite validation
## Estimation
- **Total Effort**: 5-7 days
- **Critical Path**: 2-3 days (JWT core functionality)
- **Full Completion**: 1 week
## Success Criteria
- All 54 scenarios passing
- 0 undefined steps
- 0 pending steps
- Full test coverage of JWT secret rotation and retention
- Complete user authentication workflow
- Comprehensive monitoring and security features