
Auth Gating

Generated

This page is generated from qa/customer/specs/auth-gating.md — the source of truth. Edit the spec, not this page.

Last run: not yet recorded (run the replay suite to populate status).

Overview

The customer dashboard is gated to authenticated members of a customer org. The route gate sends unauthenticated visitors to sign-in, sends authenticated visitors who hold no membership to a forbidden screen, and lets customers through to the dashboard. A customer who has domain memberships but has not selected a workspace lands on the All-workspaces portfolio at /, never on the forbidden screen; only a membership-less session is forbidden. This keeps the per-tenant decision surfaces behind the gate.

Preconditions

  • The stack is running in replay mode at the customer base URL.
  • The seeded QA customer (qa-customer@spectral.local) exists with org membership (seeded by tools/dev/qa_fixtures.py).
  • SPECTRAL_QA_CUSTOMER_PASSWORD is set for the credentials auth fixture.

Scenarios

1. Unauthenticated visitor is sent to sign-in

  • With no session, navigate to the dashboard home /
  • Expected: Redirected to /auth/login; the “Sign in to Spectral” heading is visible.

2. Customer signs in and reaches the dashboard

  • Navigate to /auth/login, enter the seeded customer email + password, submit
  • Expected: The customer dashboard renders: the All-workspaces portfolio landing, with the top chrome’s workspace dropdown present.

3. Deep route requires auth

  • With no session, navigate directly to /decisions
  • Expected: Redirected to /auth/login rather than rendering the decisions surface.

4. Forbidden screen for an authenticated non-customer

  • Visit /auth/forbidden
  • Expected: An access-denied screen renders (the gate’s 403 target).

5. Memberships without a selection land on the portfolio, not forbidden

  • Sign in with a fresh browser context (no persisted workspace selection), navigate to /
  • Expected: The All-workspaces portfolio landing renders at /; the session is NOT bounced to /auth/forbidden.
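As an added example (not the project's own code or its replay suite), the gate's decision order from the Overview written as a pure function, plus an offline replay of the five scenarios above. Only the three routes and the seeded customer email come from the spec; the Session shape, the sign_in stand-in, the outsider@example.test user, the ws-acme workspace id and the scenario keys are assumptions. The second gate variant is the regression that scenario 5 guards against: a gate that treats "no workspace selected" as "not a member".

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, FrozenSet, Optional

LOGIN = "/auth/login"
FORBIDDEN = "/auth/forbidden"
PORTFOLIO = "/"  # All-workspaces portfolio landing

# Constructed stand-in for the tools/dev/qa_fixtures.py seed: email -> org
# memberships. Only qa-customer@spectral.local comes from the spec; the
# membership-less outsider is made up to drive the forbidden branch.
SEEDED_USERS: Dict[str, FrozenSet[str]] = {
    "qa-customer@spectral.local": frozenset({"spectral.local"}),
    "outsider@example.test": frozenset(),
}


@dataclass(frozen=True)
class Session:
    authenticated: bool = False
    memberships: FrozenSet[str] = frozenset()
    selected_workspace: Optional[str] = None  # None == fresh browser context


def sign_in(email: str) -> Session:
    """Credentials-fixture stand-in (assumed shape). The real fixture also
    checks the password taken from SPECTRAL_QA_CUSTOMER_PASSWORD; the gate
    only needs the resulting membership set, so that check is not modelled."""
    if email not in SEEDED_USERS:
        return Session()  # unknown user: stays unauthenticated
    return Session(authenticated=True, memberships=SEEDED_USERS[email])


def gate(path: str, session: Session) -> str:
    """Resolve the route the gate shows for `path` under `session`.

    Decision order: authentication first, then membership. Workspace
    selection is deliberately not consulted: a member with no selection is
    still a member and lands on the portfolio at /."""
    if path in (LOGIN, FORBIDDEN):
        return path  # the gate's own targets are reachable regardless
    if not session.authenticated:
        return LOGIN
    if not session.memberships:
        return FORBIDDEN
    return path


def gate_forbids_unselected(path: str, session: Session) -> str:
    """Failing counterpart: bounces a member with no workspace selection to
    the forbidden screen. Scenario 5 exists to catch exactly this."""
    if (session.authenticated and session.memberships
            and session.selected_workspace is None):
        return FORBIDDEN
    return gate(path, session)


def run_replay(route_gate: Callable[[str, Session], str]) -> Dict[str, bool]:
    """Replay the five spec scenarios against `route_gate`; True means the
    expectation held. Nothing here touches a browser or the network."""
    anon = Session()
    fresh_customer = sign_in("qa-customer@spectral.local")  # no selection persisted
    returning_customer = replace(fresh_customer, selected_workspace="ws-acme")
    outsider = sign_in("outsider@example.test")
    return {
        "1_unauth_root_to_login": route_gate("/", anon) == LOGIN,
        "2_customer_reaches_dashboard": route_gate("/", returning_customer) == PORTFOLIO,
        "3_deep_route_requires_auth": route_gate("/decisions", anon) == LOGIN,
        "4_non_customer_forbidden": (
            route_gate(FORBIDDEN, outsider) == FORBIDDEN
            and route_gate("/decisions", outsider) == FORBIDDEN
        ),
        "5_no_selection_is_not_forbidden": route_gate("/", fresh_customer) == PORTFOLIO,
    }


if __name__ == "__main__":
    for name, ok in run_replay(gate).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Running the replay against `gate` passes all five; running it against `gate_forbids_unselected` passes 1 through 4 and fails only 5, which is why scenario 5 is worth keeping in the suite even though scenario 2 already covers a customer reaching the dashboard.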

Test Data

| Label | Value | Notes |
|---|---|---|
| Customer email | qa-customer@spectral.local | Seeded by qa_fixtures |
| Customer password | (env SPECTRAL_QA_CUSTOMER_PASSWORD) | Never hard-coded |