Rafael Manso

• -API server is running on BASE_API
• -No existing user with the test email

1. 1.Send POST request to /api/auth/register with name, email, and password fields
2. 2.Use Faker.js to generate a unique email and valid password (> 6 chars)

HTTP 201. Response body contains user object with id, name, email. No password field exposed.

• -A user account with 'duplicate@papito.dev' already exists

1. 1.Send POST /api/auth/register with the pre-existing email address
2. 2.Use a different name and password for the payload

HTTP 409 Conflict. Error message indicates the email is already registered.

• -A registered user exists in the database with known credentials

1. 1.Send POST /api/auth/login with the registered email and correct password
2. 2.Parse the response body for the access_token field

HTTP 200. Response includes access_token (JWT). Token is non-empty string and can be used in Authorization header for subsequent requests.

• -User is authenticated with a valid JWT token
• -Token is sent as Bearer token in Authorization header

1. 1.Authenticate via POST /api/auth/login to obtain token
2. 2.Send POST /api/links with { url: 'https://example.com' } using the token

HTTP 201. Response body contains shortened link object with id, originalUrl, shortCode, and userId.

• -No active session or token

1. 1.Send POST /api/links with a valid URL payload
2. 2.Omit the Authorization header entirely

HTTP 401 Unauthorized. No link is created in the database.

• -User has created at least one link in the system

1. 1.Create a link using authenticated POST /api/links
2. 2.Send DELETE /api/links/:id using the same user's token

HTTP 200. Link is removed from the database. Subsequent GET returns 404.

• -No link with the specified ID exists in the database

1. 1.Send DELETE request to /api/links/999999 with a valid but non-owner token

HTTP 404 Not Found. Meaningful error message returned.

• -User A and User B each have at least one link
• -Each user has their own valid JWT token

1. 1.User A authenticates and gets their token
2. 2.User B authenticates and gets their token
3. 3.User B sends DELETE request for User A's link ID using User B's token

HTTP 403 Forbidden. User B cannot delete User A's links. OWASP A01:2021 classification.

• -API server is running

1. 1.Send GET request to /health without any headers

HTTP 200. Response body contains status: 'ok' or equivalent uptime/health indicator.

• -TheInternet app is deployed and accessible
• -Valid test account exists (tomsmith / SuperSecretPassword!)

1. 1.Navigate to the login page
2. 2.Fill in username field with 'tomsmith'
3. 3.Fill in password field with 'SuperSecretPassword!'
4. 4.Click the Login button

URL changes to the secure area. Page displays a success message or secure content confirming the user is logged in.

• -TheInternet app is deployed

1. 1.Navigate to the login page
2. 2.Enter a valid username but wrong password
3. 3.Click the Login button

Error message is displayed (e.g., 'Your password is invalid!'). User remains on the login page. No redirect occurs.

• -TheInternet app is deployed

1. 1.Navigate to the login page
2. 2.Leave both username and password fields empty
3. 3.Attempt to click Login

Browser-native validation prevents form submission, OR server returns validation error. No empty credentials reach the backend.

• -User is currently logged in to a secure area

1. 1.Log in with valid credentials
2. 2.Click the Logout button

Session is cleared. URL returns to the login page. Direct navigation to the previous secure area redirects to login.

• -No active session or user is logged out

1. 1.Attempt to navigate directly to the secure area URL (e.g., /secure)
2. 2.Verify no session cookie is present

Server redirects to login page. No secure content is rendered without valid session.

• -User is authenticated and on the prompts dashboard

1. 1.Click the 'New Prompt' button
2. 2.Fill in title, content, description, and assign tags
3. 3.Click 'Save'

Prompt appears in the list immediately. Toast notification confirms creation. All fields are stored correctly.

• -At least 3 prompts exist with different tags
• -User is on the prompts dashboard

1. 1.Click on a tag pill (e.g., 'qa-automation') to filter
2. 2.Observe the filtered list

Only prompts containing the selected tag are shown. Clear filter option resets the view. Prompt count updates accordingly.

• -At least one prompt exists in the list

1. 1.Click the delete icon on a prompt

Confirmation dialog appears. User can cancel or confirm. On confirm, prompt is removed and removed from list.

• -At least one prompt exists

1. 1.Click the Export button
2. 2.Select 'JSON' format
3. 3.Confirm download

Browser downloads a .json file. File is valid JSON and contains all prompt data including nested tags and metadata.