Add failing Behat scenarios for feedbackInfo session bleed-through (#1795)

feedbackInfo (the debug context shown on SAML error pages) was stored globally in the session. This caused two bugs:

1. Info from a failed auth flow could bleed into a subsequent unrelated error because storeFeedbackInfo() merged new data on top of old.

2. currentServiceProvider and currentIdentityProvider were never cleared after a successful login, so an early error after a completed auth would still show the SP/IdP from that auth.

These two scenarios are added as failing tests to document the expected behaviour before the fix is in place.

Author: johanib

src/OpenConext/EngineBlockFunctionalTestingBundle/Features/ClearErrorMessages.feature

@@ -419,6 +419,49 @@ Feature:
     Then I should see "Unknown key id"
      And I should see "Key ID: does-not-exist"
 
+  Scenario: feedbackInfo from a previous failed authentication should not bleed into a subsequent unrelated error
+    # First auth: causes an error that writes IdP info into feedbackInfo in the session.
+    Given the IdP is configured to always return Responses with StatusCode Responder/RequestDenied
+     When I log in at "Dummy SP"
+      And I pass through EngineBlock
+      And I pass through the IdP
+     Then I should see "Identity Provider error"
+      And I should see "IdP:"
+    # Second auth: causes an error that has no IdP context.
+    # The stale IdP info from the previous error must NOT appear on this error page.
+     When I log in at "Unconnected SP"
+     Then I should see "No organisations found"
+      And I should not see "IdP:"
+
+  Scenario: Global session context from a completed login should not appear in a subsequent unrelated error
+    When I log in at "Dummy SP"
+     And I pass through EngineBlock
+     And I pass through the IdP
+     And I give my consent
+     And I pass through EngineBlock
+    # Auth is now complete. An early error (before any SAML request is parsed) must not show
+    # SP/IdP context that leaked from the completed auth into the session.
+    When I post data "{}" to Engineblock URL "/authentication/idp/single-sign-on"
+    Then I should see "The parameter \"SAMLRequest\" is missing on the SAML SSO request"
+     And I should not see "IdP:"
+     And I should not see "SP:"
+
+  Scenario: A previous failed auth's feedback context survives a subsequent successful login
+    # Flow A: an error that has SP context but no IdP context.
+    When I log in at "Unconnected SP"
+    Then I should see "No organisations found"
+     And I should see "SP:"
+    # Flow B: a completely different, successful auth.
+    When I log in at "Dummy SP"
+     And I pass through EngineBlock
+     And I pass through the IdP
+     And I give my consent
+     And I pass through EngineBlock
+    # Navigate back to flow A's error page (as if via back button or bookmarked URL).
+    # Flow A's SP context must still be readable from the session.
+    When I go to Engineblock URL "/authentication/feedback/no-idps"
+    Then I should see "SP:"
+
 #  Scenario: I try an unsolicited login (at EB) but mess up by not specifying a location
 #  Scenario: I try an unsolicited login (at EB) but mess up by not specifying a binding
 #  Scenario: I try an unsolicited login (at EB) but mess up by not specifying an invalid index