Customer
Auth Gating
Generated
This page is generated from qa/customer/specs/auth-gating.md — the source of truth. Edit the spec, not this page.
Last run: not yet recorded (run the replay suite to populate status).
Overview
The customer dashboard is gated to authenticated customer-org members. The route
gate sends unauthenticated visitors to sign-in and authenticated-but-unauthorized
visitors to a forbidden screen; customers reach the dashboard. A customer with
domain memberships but no workspace selection lands on the All-workspaces portfolio at
/ — never the forbidden screen; only a membership-less session is forbidden.
This protects the per-tenant decision surfaces.
Preconditions
- The stack is running in replay mode at the customer base URL.
- The seeded QA customer (qa-customer@spectral.local) exists with org membership (seeded by tools/dev/qa_fixtures.py). SPECTRAL_QA_CUSTOMER_PASSWORD is set for the credentials auth fixture.
Scenarios
1. Unauthenticated visitor is sent to sign-in
- With no session, navigate to the dashboard home /
- Expected: Redirected to /auth/login; the “Sign in to Spectral” heading is visible.
2. Customer signs in and reaches the dashboard
- Navigate to /auth/login, enter the seeded customer email + password, submit
- Expected: The customer dashboard renders: the All-workspaces portfolio landing, with the top chrome’s workspace dropdown present.
3. Deep route requires auth
- With no session, navigate directly to /decisions
- Expected: Redirected to /auth/login rather than rendering the decisions surface.
4. Forbidden screen for an authenticated non-customer
- Visit /auth/forbidden
- Expected: An access-denied screen renders (the gate’s 403 target).
5. Memberships without a selection land on the portfolio, not forbidden
- Sign in with a fresh browser context (no persisted workspace selection), navigate to /
- Expected: The All-workspaces portfolio landing renders at /; the session is NOT bounced to /auth/forbidden.
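As an added illustration (not the project's gate implementation or its replay suite), the decision the route gate makes can be modelled as a pure function and the five scenarios above encoded as a table, which makes the scenario-5 distinction (memberships but no selection is a portfolio landing, not a 403) an explicit, testable rule. The `Session` fields, the function name and the treatment of deep routes are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet

LOGIN = "/auth/login"          # gate target for unauthenticated visitors
FORBIDDEN = "/auth/forbidden"  # gate's 403 target for authenticated non-customers
PORTFOLIO = "/"                # All-workspaces portfolio landing


@dataclass(frozen=True)
class Session:
    """Constructed stand-in for the server-side session the gate inspects (assumed shape)."""
    authenticated: bool = False
    memberships: FrozenSet[str] = frozenset()   # customer-org / domain memberships
    selected_workspace: Optional[str] = None    # persisted workspace selection, if any


def route_gate(session: Optional[Session], path: str) -> str:
    """Return the path the visitor ends up on for a dashboard request."""
    if path in (LOGIN, FORBIDDEN):
        return path                               # the gate's own targets never redirect
    if session is None or not session.authenticated:
        return LOGIN                              # scenarios 1 and 3: any route, no session
    if not session.memberships:
        return FORBIDDEN                          # only a membership-less session is forbidden
    if path == "/" and session.selected_workspace is None:
        return PORTFOLIO                          # scenario 5: memberships, no selection
    return path                                   # assumption: other routes render as requested


# Constructed sessions covering the scenarios above.
MEMBER = Session(authenticated=True, memberships=frozenset({"spectral.local"}))
NON_MEMBER = Session(authenticated=True, memberships=frozenset())

# (label, session, requested path, expected landing path)
SCENARIOS = [
    ("1 unauthenticated -> sign-in",        None,       "/",          LOGIN),
    ("2 customer reaches dashboard",        MEMBER,     "/",          PORTFOLIO),
    ("3 deep route requires auth",          None,       "/decisions", LOGIN),
    ("4 forbidden for non-customer",        NON_MEMBER, "/",          FORBIDDEN),
    ("4b forbidden screen is reachable",    NON_MEMBER, FORBIDDEN,    FORBIDDEN),
    ("5 memberships w/o selection -> /",    MEMBER,     "/",          PORTFOLIO),
]


def run_scenarios() -> dict:
    """Map each scenario label to whether the gate produced the expected landing path."""
    return {label: route_gate(s, path) == want for label, s, path, want in SCENARIOS}


def is_stable(session: Optional[Session], path: str) -> bool:
    """A gate result must be a fixed point, otherwise the browser would loop on redirects."""
    landed = route_gate(session, path)
    return route_gate(session, landed) == landed
```

Checking `is_stable` for every scenario is the regression a replay run would flag as a redirect loop.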
Test Data
| Label | Value | Notes |
|---|---|---|
| Customer email | qa-customer@spectral.local | Seeded by qa_fixtures |
| Customer password | (env SPECTRAL_QA_CUSTOMER_PASSWORD) | Never hard-coded |