Authentication Tests

18 tests verify API key validation, JWT token handling, and OAuth2 flows.

OpenAPI Security Schemes

Authentication methods are defined in OpenAPI security schemes:

# openapi.yaml
components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

security:
  - ApiKeyAuth: []
  # Global: All endpoints require API key

AUTH-001: PASS

Valid API Key

Sample Request

curl -H "X-API-Key: sk-valid-api-key-123" http://localhost:8080/users

Expected Response

HTTP/1.1 200 OK

Requests with valid API keys are authenticated and processed.

AUTH-002: BLOCKED

Missing API Key

Sample Request

curl http://localhost:8080/users

Expected Response

HTTP/1.1 401 Unauthorized
WWW-Authenticate: ApiKey

{"error": "Missing authentication", "required": "X-API-Key header"}

Requests without required authentication headers are rejected with 401 Unauthorized.

AUTH-003: BLOCKED

Invalid API Key

Sample Request

curl -H "X-API-Key: invalid-key" http://localhost:8080/users

Expected Response

HTTP/1.1 401 Unauthorized

Invalid API keys are rejected. The 401 response carries the same generic message for any unrecognized key, so it does not reveal whether a given key exists.

AUTH-005: BLOCKED

Expired JWT Token

Sample Request

curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." http://localhost:8080/users

Expected Response

{"error": "Token expired", "code": "JWT_EXPIRED"}

The JWT exp claim is checked against the current time; a token past its expiry is rejected with JWT_EXPIRED.

AUTH-008: BLOCKED

JWT with Invalid Signature

Attack Attempt

# Token signed with wrong key

Expected Response

{"error": "Invalid token signature", "code": "JWT_INVALID_SIGNATURE"}

A JWT whose signature does not verify under the configured key is rejected with JWT_INVALID_SIGNATURE, whether it was signed with a different key or its header or payload was altered after signing. The signature is checked before any claim, including exp, is trusted.
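The enforcement behind AUTH-001 through AUTH-008, as an added example that is not code from the page or from the project under test: a stdlib-only Python implementation of the two OpenAPI security schemes defined above, returning the status codes and error bodies the tests expect. Assumptions (none of them stated on the page): the only valid key is the one from the AUTH-001 request, stored as a SHA-256 hash; the bearer scheme uses HS256 with a constructed secret named JWT_SECRET; the clock is injected through a `now` parameter so expiry can be exercised deterministically; and `make_jwt` exists only to build test inputs. It also goes one step beyond the page's cases by refusing an unsigned `alg: none` token, the usual downgrade attempt against a verifier that lets the token header choose the algorithm.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed credentials for this example only. A real service loads these
# from a secret store; the API key is the one shown in the AUTH-001 request.
API_KEY_HASHES = {hashlib.sha256(b"sk-valid-api-key-123").hexdigest()}
JWT_SECRET = b"example-hs256-secret"  # assumed HMAC key for the BearerAuth scheme


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token as test input. alg="none" yields an unsigned token, the
    classic downgrade attempt; check_bearer_jwt below must reject it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def check_api_key(headers: dict) -> tuple[int, dict]:
    """ApiKeyAuth scheme (AUTH-001..003): X-API-Key header looked up by hash."""
    key = headers.get("X-API-Key")
    if key is None:
        return 401, {"error": "Missing authentication", "required": "X-API-Key header"}
    # Only hashes are stored and every failure gets the same message, so the
    # response does not reveal whether a key exists.
    if hashlib.sha256(key.encode()).hexdigest() not in API_KEY_HASHES:
        return 401, {"error": "Invalid API key"}
    return 200, {"auth": "api_key"}


INVALID_SIG = (401, {"error": "Invalid token signature", "code": "JWT_INVALID_SIGNATURE"})


def check_bearer_jwt(headers: dict, key: bytes, now: float | None = None) -> tuple[int, dict]:
    """BearerAuth scheme (AUTH-005, AUTH-008): verify the HS256 signature first,
    then the exp claim. Nothing in the payload is trusted before the MAC checks."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "Missing authentication", "required": "Authorization: Bearer header"}
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        return INVALID_SIG
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both derive from ValueError
        return INVALID_SIG
    # Pin the algorithm to what the service configured: the token's own header
    # must not select the check, or "none" / another alg would bypass the MAC.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return INVALID_SIG
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return INVALID_SIG
    # exp is a NumericDate (seconds since the epoch). A token without exp is
    # treated as expired here; that is this example's policy, not the page's.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if type(exp) not in (int, float) or now >= exp:
        return 401, {"error": "Token expired", "code": "JWT_EXPIRED"}
    return 200, {"auth": "jwt", "sub": claims.get("sub")}


if __name__ == "__main__":
    good = make_jwt({"sub": "alice", "exp": 2000}, JWT_SECRET)
    wrong_key = make_jwt({"sub": "alice", "exp": 2000}, b"not-the-secret")
    unsigned = make_jwt({"sub": "alice", "exp": 2000}, JWT_SECRET, alg="none")
    for label, hdrs in [("AUTH-001 valid key", {"X-API-Key": "sk-valid-api-key-123"}),
                        ("AUTH-002 missing key", {}),
                        ("AUTH-003 bad key", {"X-API-Key": "invalid-key"})]:
        print(label, check_api_key(hdrs))
    for label, tok, at in [("valid JWT", good, 1000), ("AUTH-005 expired", good, 3000),
                           ("AUTH-008 wrong key", wrong_key, 1000),
                           ("alg=none downgrade", unsigned, 1000)]:
        print(label, check_bearer_jwt({"Authorization": "Bearer " + tok}, JWT_SECRET, now=at))
```

The order of checks is the point: the signature is verified under the service's configured algorithm and key before exp or any other claim is read, so a tampered payload, a token minted with another key, and an unsigned token all fall into the AUTH-008 path rather than reaching the expiry or authorization logic.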