✨ merge: implement JWT secret rotation with BDD scenario isolation

- Implement JWT secret rotation mechanism (closes #8)
- Add per-scenario state isolation for BDD tests (closes #14)
- Validate password reset workflow via BDD tests (closes #7)
- Fix port conflicts in test validation
- Add state tracer for debugging test execution
- Document BDD isolation strategies in ADR 0025
- Fix PostgreSQL configuration environment variables

Generated by Mistral Vibe.

Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>
54 lines
2.9 KiB
Gherkin
# features/jwt_secret_rotation.feature
Feature: JWT Secret Rotation
  As a system administrator
  I want to rotate JWT secrets without disrupting users
  So that we can maintain security while ensuring continuous service

  Scenario: Authentication with multiple valid JWT secrets
    Given the server is running with multiple JWT secrets
    And a user "multiuser" exists with password "testpass123"
    When I authenticate with username "multiuser" and password "testpass123"
    Then the authentication should be successful
    And I should receive a valid JWT token signed with the primary secret

  Scenario: Token validation with multiple valid secrets
    Given the server is running with multiple JWT secrets
    And a user "tokenuser" exists with password "testpass123"
    When I authenticate with username "tokenuser" and password "testpass123"
    Then the authentication should be successful
    And I should receive a valid JWT token
    When I validate a JWT token signed with the secondary secret
    Then the token should be valid
    And it should contain the correct user ID

  Scenario: Secret rotation - adding new secret while keeping old one valid
    Given the server is running with primary JWT secret
    And a user "rotateuser" exists with password "testpass123"
    When I authenticate with username "rotateuser" and password "testpass123"
    Then the authentication should be successful
    And I should receive a valid JWT token signed with the primary secret
    When I add a new secondary JWT secret to the server
    And I authenticate with username "rotateuser" and password "testpass123" again
    Then the authentication should be successful
    And I should receive a valid JWT token signed with the new secondary secret
    When I validate the old JWT token signed with primary secret
    Then the token should still be valid

  Scenario: Token rejection after secret expiration
    Given the server is running with primary and expired secondary JWT secrets
    When I use a JWT token signed with the expired secondary secret for authentication
    Then the authentication should fail
    And the response should contain error "invalid_token"

  Scenario: Graceful secret rotation with user continuity
    Given the server is running with primary JWT secret
    And a user "gracefuluser" exists with password "testpass123"
    When I authenticate with username "gracefuluser" and password "testpass123"
    Then the authentication should be successful
    And I should receive a valid JWT token signed with the primary secret
    When I add a new secondary JWT secret and rotate to it
    And I use the old JWT token signed with primary secret
    Then the token should still be valid during retention period
    When I authenticate with username "gracefuluser" and password "testpass123" after rotation
    Then the authentication should be successful
    And I should receive a valid JWT token signed with the new secondary secret
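Review bot: the rotation scenarios only assert the positive side of the retention window; "Then the token should still be valid during retention period" (Scenario: Graceful secret rotation with user continuity) has no matching step showing the old token being rejected once the retention period has elapsed, and the only rejection case in the file is the pre-configured expired secondary secret. Add steps such as `When the retention period for the primary secret has elapsed`, `And I use the old JWT token signed with primary secret`, `Then the authentication should fail` with error "invalid_token", plus a scenario for a token signed with a secret that was never configured, so the step definitions cannot pass by accepting any signature. Naming is also inconsistent: after rotation the new secret is still called "secondary" in the final step of the two rotation scenarios while old tokens are validated against "primary"; calling the rotated-to secret the primary would make the feature read the way the rotation actually works.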