test(02): complete UAT — 10 passed, 6 issues, 2 blocked
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -0,0 +1,168 @@
---
status: complete
phase: 02-users-authentication
source: [02-01-SUMMARY.md, 02-02-SUMMARY.md, 02-03-SUMMARY.md, 02-04-SUMMARY.md, 02-05-SUMMARY.md]
started: 2026-05-31T00:00:00Z
updated: 2026-05-31T00:00:00Z
---
## Current Test
[testing complete]
## Tests
### 1. Cold Start Smoke Test
expected: Kill any running server/service. Clear ephemeral state (temp DBs, caches, lock files). Start the application from scratch (docker compose up). Services boot without errors, Alembic migrations (including 0002_add_backup_codes_and_password_must_change) run cleanly, Redis connects, admin bootstrap completes, and a basic API call (GET /api/auth/me → 401) returns a live response.
result: pass
### 2. User Registration
expected: Navigate to /register. Fill in email + password. Password strength bar shows 4 segments as password gets stronger. Submit form. Account is created and you are redirected to login (or logged in). No localStorage/sessionStorage entries for the token.
result: pass
### 3. Login (Email & Password)
expected: Navigate to /login. Enter email and password. On success, you are redirected to the app (or /dashboard). If you try to access a protected route while logged out, you are redirected to /login?redirect=<original-path>.
result: pass
### 4. Login (TOTP — 3-step flow)
expected: With a TOTP-enrolled account, log in: step 1 = enter password, step 2 = enter 6-digit TOTP code from authenticator app. On correct code, you are signed in. An invalid code shows an error without signing you in.
result: issue
reported: "I don't see an option to activate or setup a 2FA method."
severity: major
### 5. Login with Backup Code
expected: On the TOTP step of login, click "Use a backup code instead". Enter one of your 10 backup codes. Login succeeds. That backup code cannot be reused on a second attempt.
result: blocked
blocked_by: prior-phase
reason: "Backup codes are issued during TOTP enrollment, which is blocked by the missing 2FA setup option (test 4 issue)"
### 6. Auth Wall (Route Guard)
expected: While logged out, navigate directly to a protected route (e.g., /account or /admin). You are redirected to /login?redirect=<that-path>. After logging in, you are sent back to the original destination.
result: issue
reported: "Yes but I do see the sidebar everytime when I login. I do not want to the sidebar on the login page and I do not want to leak this information of the previous logged in user when noone is logged in."
severity: major
### 7. Logout
expected: Click sign-out (from sidebar or account page). Session is cleared (no more auth), you are redirected to /login. Attempting to use the old access token returns 401.
result: issue
reported: "I am logged out right now but I still see the sidebar, which is not a desired behaviour."
severity: major
### 8. Change Password
expected: Go to account settings (/account). Enter current password and a new strong password. On success, a confirmation message appears. Logging in again with the new password works; old password is rejected.
result: pass
### 9. TOTP Enrollment
expected: On /account, click to enable 2FA. Step 1: an otpauth:// link (or QR image) and manual secret are shown — open in authenticator app. Step 2: enter the 6-digit code from the app to verify. Step 3: 10 backup codes are displayed in a 2-column grid with a "Copy all" button. An acknowledgment checkbox gates the "Enable 2FA" button. After enabling, account shows 2FA is active.
result: issue
reported: "I don't see a QR-Code, the security key doesn't work (could be misspelled though) and the link opens Passwords on my Mac which I don't use but I suppose it does work."
severity: major
### 10. Disable TOTP
expected: On /account with 2FA active, click to disable. An inline confirmation block appears ("Disable 2FA? …"). Confirm: 2FA is removed and the enrollment section reappears. Cancel: nothing changes.
result: blocked
blocked_by: prior-phase
reason: "Blocked by test 9 — cannot disable TOTP without first successfully enrolling (secret display issue prevents enrollment)"
### 11. Password Reset Request
expected: Navigate to /password-reset. Enter any email (even one that doesn't exist). The page always shows a success-like message ("If an account exists…") — no enumeration of valid emails. A real email account receives the reset link.
result: pass
### 12. Password Reset (New Password)
expected: Click the reset link from email. You arrive at a new-password form. Enter a strong new password. On submit, password is updated and you are NOT automatically logged in — you must go to /login and sign in manually with the new password.
result: pass
### 13. Sign Out All Devices
expected: On /account, click "Sign out all devices". A confirmation dialog appears. On confirm, all active sessions are revoked. You are signed out of the current session too and redirected to /login.
result: pass
### 14. Admin: User List
expected: Sign in as an admin. Navigate to /admin. The Users tab shows a table of all registered users with their email, role, and status. Non-admin users do not see the Admin link in the sidebar and get a 403/redirect if they try to visit /admin directly.
result: issue
reported: "I can navigate to the /admin site as a non-admin user and I do see all tabs but no options or no info is available."
severity: major
### 15. Admin: Create User
expected: In the Admin Users tab, click the create-user form. Fill in email; a temporary password is auto-generated (copy button available). Submit. The new user appears in the table. When that user logs in for the first time with the temp password, they are prompted to change it (password_must_change flow).
result: issue
reported: "I cannot create a new user. If I try it (as admin user) I get the error code 'HTTP 500' in the creation box."
severity: blocker
### 16. Admin: Deactivate User
expected: In the Admin Users tab, click Deactivate for a user. An inline confirmation row appears showing "Deactivate [email]? They will lose access…" with Keep and Deactivate buttons. Confirming deactivates the user (status changes). The sole admin cannot be deactivated (should show an error).
result: pass
### 17. Admin: Quota Management
expected: Navigate to the Quotas tab in the admin panel. Each user's quota is shown in MB with a usage %. Clicking edit on a row lets you change the limit. If you set the limit below current usage, an amber warning appears but the change is still saved.
result: pass
### 18. Admin: AI Config
expected: Navigate to the AI Config tab in the admin panel. Each user has a provider dropdown and model input. Selecting a different provider and saving shows a brief "Saved" confirmation flash. The change persists on reload.
result: pass
## Summary
total: 18
passed: 10
issues: 6
pending: 0
skipped: 0
blocked: 2
## Gaps
- truth: "TOTP enrollment option is visible in account settings, allowing users to set up 2FA before testing TOTP login"
status: failed
reason: "User reported: I don't see an option to activate or setup a 2FA method."
severity: major
test: 4
artifacts: []
missing: []
- truth: "Auth/login pages use AuthLayout (no sidebar, no user identity) so previously logged-in user info is never shown on public pages"
status: failed
reason: "User reported: I do see the sidebar every time when I login. I do not want the sidebar on the login page and I do not want to leak this information of the previous logged in user when no one is logged in. Confirmed again on logout: sidebar still visible while logged out."
severity: major
test: 6
artifacts: []
missing: []
- truth: "After logout, the sidebar (including user identity footer) is no longer visible — user is on the login page with AuthLayout only"
status: failed
reason: "User reported: I am logged out right now but I still see the sidebar, which is not a desired behaviour."
severity: major
test: 7
artifacts: []
missing: []
- truth: "TOTP enrollment flow: no QR code required (otpauth:// link + manual secret is acceptable), but the manual secret must be valid and correctly rendered so users can add it to an authenticator app"
status: failed
reason: "User reported: no QR code visible (expected — known MVP stub), security key doesn't work (possibly misspelled in display), otpauth:// link opens macOS Passwords app (expected behavior on Mac)."
severity: major
test: 9
artifacts: []
missing: []
- truth: "Account settings (/account) is presented as a tab within a unified Settings page, not a standalone route"
status: failed
reason: "User requested: account page should be a tab inside a settings page (UX improvement)"
severity: minor
test: 9
artifacts: []
missing: []
- truth: "Non-admin users are blocked from /admin (redirected or shown 403); the Admin link is hidden in the sidebar for non-admins"
status: failed
reason: "User reported: can navigate to /admin as a non-admin user; all tabs visible but no data shown (backend blocks data but frontend does not block the route)"
severity: major
test: 14
artifacts: []
missing: []
- truth: "Admin can create a new user via the Users tab form — POST /api/admin/users returns 201 and the new user appears in the table"
status: failed
reason: "User reported: cannot create a new user as admin; form returns HTTP 500 error."
severity: blocker
test: 15
artifacts: []
missing: []
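Review bot: the Gaps section holds seven entries while the summary reports `issues: 6` (and the commit title says "6 issues"); the fifth gap (account settings as a tab inside a Settings page, severity minor) is tagged `test: 9` alongside the TOTP enrollment gap and records a UX request rather than a failed check, so either count it in the summary or move it out of Gaps. Likewise the test 6 gap already restates the logout finding ("Confirmed again on logout: sidebar still visible") that the test 7 gap records separately, so the two should cross-reference each other or be merged. Every entry carries `artifacts: []`, yet the HTTP 500 from POST /api/admin/users (test 15, blocker) and the secret that could not be entered into an authenticator (test 9) are exactly the failures where a server log excerpt or screenshot would make the fix verifiable. Finally, the test 14 reason states that the backend withholds data while the frontend fails to block the route; it is worth recording explicitly that the authorization check on the admin API, not the hidden sidebar link or a client-side redirect, is the control that keeps non-admins out, so the frontend fix is a UX and information-disclosure improvement rather than the access-control boundary.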