Problem
Protected routes rely on JWT validation via auth middleware, but the edge cases for expired tokens, signature tampering, and missing auth headers are only partially tested.
Scope
Add comprehensive security tests for:
- Missing JWT:
  - No Authorization header → 401 Unauthorized
  - Authorization: 'Bearer' (no token) → 401
  - Authorization: 'NotBearer token' → 401
- JWT signature validation:
  - Valid signature (signed with correct secret) → passes
  - Tampered payload (claims modified) → 401 Signature invalid
  - Wrong secret (signed with different key) → 401
  - Unsigned (alg: 'none') → 401
- JWT expiration:
  - exp claim in future → valid
  - exp in past (token expired) → 401 with clear message
  - No exp claim → should either reject or use default TTL
  - exp timestamp in wrong format → 401
- JWT claims:
  - walletAddress claim present and valid Stellar address → extract it
  - walletAddress missing → 401
  - iss (issuer) validated against config
  - iat (issued at) reasonable (not in future)
- Authorization by role:
  - Buyer can only access trades as buyer
  - Seller can only access trades as seller
  - Stranger (neither buyer nor seller) → 403 Forbidden
  - Admin pubkeys (if any) have extra permissions
Acceptance Criteria
- All 20+ JWT validation scenarios tested
- JWT middleware enforces on all /trades, /auth, /manifest, /evidence routes
- Token refresh flow tested (if implemented)
- Logout invalidates token (Redis blacklist tested)
- Rate limiting tested on /auth endpoints (10/15min)
Estimated Effort
Medium (2-3 half-days)