@magic-link
Feature: Passwordless magic-link sign-in
  As a user without a password
  I want to sign in by clicking a link sent to my email
  So I can access the system without typing a password

  Scenario: Happy path - request, receive, consume
    Given the server is running
    And I have an email address for this scenario
    When I request a magic link for my email
    Then I should receive an email with subject "Your sign-in link"
    And the email contains a magic link token
    When I consume the magic link token
    Then the consume should succeed and return a JWT

  Scenario: Token cannot be consumed twice
    Given the server is running
    And I have an email address for this scenario
    When I request a magic link for my email
    And the email contains a magic link token
    When I consume the magic link token
    Then the consume should succeed and return a JWT
    When I consume the magic link token
    Then the consume should fail with 401

  Scenario: Missing token returns 400
    Given the server is running
    When I consume an empty magic link token
    Then the response should have status 400

  Scenario: Unknown token returns 401
    Given the server is running
    When I consume an unknown magic link token
    Then the consume should fail with 401