End-user interactive login
=============================================================================
We will be implementing the full [OpenId Connect authorization code
flow][] later on, but currently this is a tiny, insufficiently secure
subset of that. It's just enough for us to have some form of login, to
set up a continuous delivery pipeline for it, and to start building
the full thing.
FIXME: Explain the login process here, with sequence diagram.
```
SCENARIO end-user interactive login
GIVEN a Qvisqve configuration for "https://qvisqve"
AND Qvisqve configuration has user account tomjon with password hunter2
AND Qvisqve configuration has application facade
... with callback url https://facade/callback
AND a running Qvisqve instance
```
User goes to the login URL and gets a login page.
```
WHEN browser requests GET /login
THEN HTTP status code is 200 OK
AND Content-Type is text/html
AND body has an HTML form with field username
AND body has an HTML form with field password
WHEN browser requests POST /auth, with form values
... username=tomjon and password=wrong
THEN HTTP status code is 401 Unauthorized
WHEN browser requests POST /auth, with form values
... username=tomjon and password=hunter2
THEN HTTP status code is 302 Found
AND HTTP Location header is https://facade/callback?code=123
WHEN facade requests POST /token, with
... form values grant_type=authorization_code and code=123
THEN HTTP status code is 200 OK
AND Content-Type is application/json
AND JSON body has field access_token
AND JSON body has field token_type, with value Bearer
AND JSON body has field expires_in
FINALLY Qvisqve is stopped
```