Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 66 additions & 0 deletions .claude/test-cases/OAuthGithubLogin.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
# OAuth — GitHub Login — Test Cases

**Location:** Login page & Invitation signup → "Or Continue With" → GitHub · **Last updated:** 2026-06-11

> **Status legend:** ⏳ Pending · ✅ Pass · ❌ Fail · ⚠️ Blocked · 🔄 Flaky

---

## Provider App Setup (do this once before testing)

**Console:** https://github.com/settings/developers → **OAuth Apps → New OAuth App**

| Setting | Value (local dev) |
|---|---|
| Homepage URL | `http://localhost:8080` |
| Authorization callback URL | `http://localhost:8080` (the SPA reads `?code=` on return) |
| Flow | Full-page redirect to `https://github.com/login/oauth/authorize` |

Copy the **Client ID** and generate a **Client secret**, then set:

| File | Variable | Value |
|---|---|---|
| root `.env` | `GITHUB_CLIENT_ID` | the client id |
| root `.env` | `GITHUB_CLIENT_SECRET` | the client secret |
| root `.env` | `GITHUB_BASE_OAUTH_URL` | `https://github.com/login/oauth` |
| root `.env` | `GITHUB_OAUTH_REQUIRED` | `true` (requires server-side verify via GitHub `/user`) |
| `frontend/.env` | `VUE_APP_GITHUB_CLIENT_ID` | the **same** client id |
| `frontend/.env` | `VUE_APP_GITHUB_BASE_OAUTH_URL` | `https://github.com/login/oauth` |
| `frontend/.env` | `VUE_APP_IS_GITHUB_LOGIN` | `true` |

**Endpoints exercised:** `POST /api/v1/github/access-token` (code→token), `POST /api/v2/auth/login` (verify + session), `POST /api/v2/github-signup` (new user via invitation). GitHub identity is read from `https://api.github.com/user` + `/user/emails`.
**Restart** both servers after editing env (frontend env is build-time).

---

## Configuration & Visibility

| ID | Title | Precondition | Steps | Expected Result | Actual Result | Status |
|--------|------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------|---------------|--------|
| GHL_001 | Button hidden when disabled | `VUE_APP_IS_GITHUB_LOGIN='false'` | 1. Open the Login page | No GitHub button shown | | ⏳ |
| GHL_002 | Button shows when enabled | Flag `'true'` + client id set; servers restarted | 1. Open the Login page | GitHub button appears under the "Or Continue With" divider | | ⏳ |

## Login & Signup

| ID | Title | Precondition | Steps | Expected Result | Actual Result | Status |
|--------|------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------|---------------|--------|
| GHL_003 | Existing user logs in with GitHub | A verified user whose email matches the GitHub primary email | 1. Click GitHub 2. Authorize on GitHub 3. Get redirected back | Returns to the app logged in; the `?code=` is cleared from the URL | | ⏳ |
| GHL_004 | New user signs up via invitation | An open company invitation for the GitHub email | 1. Open invitation link 2. Click GitHub 3. Authorize | Account created (email pre-verified) then auto-logged-in | | ⏳ |
| GHL_005 | Primary verified email is used | GitHub account with multiple emails | 1. Log in with GitHub | The primary, verified GitHub email is the one matched/created | | ⏳ |

## Security / Verification

| ID | Title | Precondition | Steps | Expected Result | Actual Result | Status |
|--------|------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------|---------------|--------|
| GHL_006 | accessToken verification enforced | `GITHUB_OAUTH_REQUIRED='true'` | 1. Attempt login without a valid GitHub access token | Rejected ("accessToken is required" / verification failed); no session | | ⏳ |
| GHL_007 | Blocked email cannot log in | Auth record `isBlocked = true` | 1. Click GitHub and authorize that account | Rejected with the "email has been blocked" message | | ⏳ |

## Coexistence

| ID | Title | Precondition | Steps | Expected Result | Actual Result | Status |
|--------|------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------|---------------|--------|
| GHL_008 | GitHub & GitLab don't collide on redirect | Both GitHub and GitLab enabled | 1. Start a GitHub login and complete it | Only the GitHub handler processes the `?code=` (GitLab ignores it); login succeeds | | ⏳ |

---

**Total:** 8 test cases · **All status:** ⏳ Pending
70 changes: 70 additions & 0 deletions .claude/test-cases/OAuthGitlabLogin.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
# OAuth — GitLab Login — Test Cases

**Location:** Login page & Invitation signup → "Or Continue With" → GitLab · **Last updated:** 2026-06-11

> **Status legend:** ⏳ Pending · ✅ Pass · ❌ Fail · ⚠️ Blocked · 🔄 Flaky

---

## Provider App Setup (do this once before testing)

**Console:** https://gitlab.com/-/profile/applications → **Add new application**

| Setting | Value (local dev) |
|---|---|
| Redirect URI | `http://localhost:8080` (exact — no trailing slash) |
| Scopes | ✅ `read_user` |
| Confidential | ✅ Yes (the secret is used server-side) |
| Flow | Full-page redirect to `https://gitlab.com/oauth/authorize` (`response_type=code`) |

Copy the **Application ID** and **Secret**, then set:

| File | Variable | Value |
|---|---|---|
| root `.env` | `GITLAB_CLIENT_ID` | the application id |
| root `.env` | `GITLAB_CLIENT_SECRET` | the secret |
| root `.env` | `GITLAB_BASE_OAUTH_URL` | `https://gitlab.com/oauth` |
| root `.env` | `GITLAB_BASE_API_URL` | `https://gitlab.com/api/v4` (identity verify `/user`) |
| root `.env` | `GITLAB_OAUTH_REQUIRED` | `true` (requires server-side verify via GitLab `/user`) |
| `frontend/.env` | `VUE_APP_GITLAB_CLIENT_ID` | the **same** application id |
| `frontend/.env` | `VUE_APP_GITLAB_BASE_OAUTH_URL` | `https://gitlab.com/oauth` |
| `frontend/.env` | `VUE_APP_IS_GITLAB_LOGIN` | `true` |

**Endpoints exercised:** `POST /api/v1/gitlab/access-token` (code→token, sends `redirectUri`), `POST /api/v2/auth/login` (verify + session), `POST /api/v2/gitlab-signup` (new user via invitation). GitLab identity is read from `https://gitlab.com/api/v4/user`.
**Self-managed GitLab:** change the host in `GITLAB_BASE_OAUTH_URL` / `GITLAB_BASE_API_URL` / `VUE_APP_GITLAB_BASE_OAUTH_URL`.
**Restart** both servers after editing env (frontend env is build-time).

---

## Configuration & Visibility

| ID | Title | Precondition | Steps | Expected Result | Actual Result | Status |
|--------|------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------|---------------|--------|
| GLL_001 | Button hidden when disabled | `VUE_APP_IS_GITLAB_LOGIN='false'` | 1. Open the Login page | No GitLab button shown | | ⏳ |
| GLL_002 | Button shows when enabled | Flag `'true'` + client id set; servers restarted | 1. Open the Login page | GitLab (tanuki) button appears under the "Or Continue With" divider | | ⏳ |

## Login & Signup

| ID | Title | Precondition | Steps | Expected Result | Actual Result | Status |
|--------|------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------|---------------|--------|
| GLL_003 | Existing user logs in with GitLab | A verified user whose email matches the GitLab account | 1. Click GitLab 2. Authorize on GitLab 3. Get redirected back | Returns to the app logged in; the `?code=` is cleared from the URL | | ⏳ |
| GLL_004 | New user signs up via invitation | An open company invitation for the GitLab email | 1. Open invitation link 2. Click GitLab 3. Authorize | Account created (email pre-verified) then auto-logged-in | | ⏳ |
| GLL_005 | gitlabId linked on first login | First GitLab login for an existing email user | 1. Complete GLL_003 once | The user's auth record now carries the gitlabId | | ⏳ |

## Security / Verification

| ID | Title | Precondition | Steps | Expected Result | Actual Result | Status |
|--------|------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------|---------------|--------|
| GLL_006 | accessToken verification enforced | `GITLAB_OAUTH_REQUIRED='true'` | 1. Attempt login without a valid GitLab access token | Rejected ("accessToken is required" / verification failed); no session | | ⏳ |
| GLL_007 | Blocked email cannot log in | Auth record `isBlocked = true` | 1. Click GitLab and authorize that account | Rejected with the "email has been blocked" message | | ⏳ |

## Coexistence

| ID | Title | Precondition | Steps | Expected Result | Actual Result | Status |
|--------|------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------|---------------|--------|
| GLL_008 | GitLab & GitHub don't collide on redirect | Both GitLab and GitHub enabled | 1. Start a GitLab login and complete it | Only the GitLab handler processes the `?code=` (GitHub ignores it); login succeeds | | ⏳ |
| GLL_009 | All three providers visible together | Google + GitHub + GitLab all enabled | 1. Open the Login page | All three buttons render in one row under the divider | | ⏳ |

---

**Total:** 9 test cases · **All status:** ⏳ Pending
58 changes: 58 additions & 0 deletions .claude/test-cases/OAuthGoogleLogin.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# OAuth — Google Login — Test Cases

**Location:** Login page & Invitation signup → "Or Continue With" → Google · **Last updated:** 2026-06-11

> **Status legend:** ⏳ Pending · ✅ Pass · ❌ Fail · ⚠️ Blocked · 🔄 Flaky

---

## Provider App Setup (do this once before testing)

**Console:** https://console.cloud.google.com/apis/credentials → **Create Credentials → OAuth client ID → Web application**

| Setting | Value (local dev) |
|---|---|
| Authorized JavaScript origins | `http://localhost:8080` (your `WEBURL` in prod) |
| Flow | GSI popup (`initCodeClient`, `ux_mode: popup`) — no redirect URI needed |

Copy the **Client ID** and **Client secret**, then set:

| File | Variable | Value |
|---|---|---|
| root `.env` | `GOOGLE_CLIENT_ID` | the client id |
| root `.env` | `GOOGLE_CLIENT_SECRET` | the client secret |
| root `.env` | `GOOGLE_OAUTH_URL` | `https://oauth2.googleapis.com/token` |
| root `.env` | `GOOGLE_OAUTH_REQUIRED` | `true` (rejects logins that fail id-token verification) |
| `frontend/.env` | `VUE_APP_GOOGLE_CLIENT_ID` | the **same** client id |
| `frontend/.env` | `VUE_APP_IS_GOOGLE_LOGIN` | `true` |

**Endpoints exercised:** `POST /api/v1/google/access-token` (code→token), `POST /api/v2/auth/login` (verify + session), `POST /api/v2/google-signup` (new user via invitation).
**Restart** both servers after editing env (frontend env is build-time).

---

## Configuration & Visibility

| ID | Title | Precondition | Steps | Expected Result | Actual Result | Status |
|--------|------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------|---------------|--------|
| GGL_001 | Button hidden when disabled | `VUE_APP_IS_GOOGLE_LOGIN='false'` | 1. Open the Login page | No Google button; "Or Continue With" divider hidden if no other provider | | ⏳ |
| GGL_002 | Button shows when enabled | Flag `'true'` + client id set; servers restarted | 1. Open the Login page | Google button appears under the "Or Continue With" divider | | ⏳ |

## Login & Signup

| ID | Title | Precondition | Steps | Expected Result | Actual Result | Status |
|--------|------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------|---------------|--------|
| GGL_003 | Existing user logs in with Google | A verified user whose email matches a Google account | 1. Click Google 2. Pick the account in the popup | Popup closes; user is logged in and lands in the app (company selected) | | ⏳ |
| GGL_004 | New user signs up via invitation | An open company invitation for the Google email | 1. Open the invitation link 2. Click Google 3. Pick account | Account created (email pre-verified), then auto-logged-in | | ⏳ |
| GGL_005 | googleId linked on first login | First Google login for an existing email user | 1. Complete GGL_003 once | The user's auth record now carries the googleId (subsequent logins skip linking) | | ⏳ |

## Security / Verification

| ID | Title | Precondition | Steps | Expected Result | Actual Result | Status |
|--------|------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------|---------------|--------|
| GGL_006 | Unverified id-token is rejected | `GOOGLE_OAUTH_REQUIRED='true'` | 1. Attempt a login where the id-token can't be verified (wrong/expired token) | Login rejected with a clear error; no session issued | | ⏳ |
| GGL_007 | Blocked email cannot log in | A user whose auth record `isBlocked = true` | 1. Click Google and pick that account | Rejected with the "email has been blocked" message | | ⏳ |

---

**Total:** 7 test cases · **All status:** ⏳ Pending
Loading
Loading