Operations
Auth Gating
Generated
This page is generated from qa/operations/specs/auth-gating.md — the source of truth. Edit the spec, not this page.
Last run: not yet recorded (run the replay suite to populate status).
Overview
The operator cockpit is gated to Spectral staff with the operations organization
role. Every route runs the JWKS-local gate: unauthenticated visitors are sent to
the dev sign-in, authenticated non-operators to a forbidden screen, and operators
through to the cockpit. Getting this wrong either locks staff out or exposes the
operator surface — so it is the first thing to verify.
Preconditions
- The stack is running in replay mode at the operations base URL.
- The seeded operator (`operator@spectral.local`, `organization_role=operations`) exists. `SPECTRAL_OPERATOR_PASSWORD` is set for the credentials auth fixture.
Scenarios
1. Unauthenticated visitor is redirected to sign-in
- With no session cookie, navigate to the cockpit home `/`
- Expected: Redirected to `/auth/login`; the sign-in form is visible (email + password fields, “Sign in” button).
2. Operator signs in and reaches the cockpit
- Navigate to `/auth/login`
- Enter the seeded operator email and password
- Submit the sign-in form
- Expected: Redirected into the cockpit; the persistent left rail is visible with the “Rulesets” and “Review queue” destinations and a sign-out control.
3. Signed-in operator can sign out
- While signed in, activate the sign-out control in the rail
- Expected: The session is cleared and the visitor is returned to `/auth/login`.
4. Direct navigation to a deep route while unauthenticated
- With no session, navigate directly to `/worlds`
- Expected: Redirected to `/auth/login` rather than rendering the worlds list.
5. Invalid credentials are rejected
- On `/auth/login`, enter the operator email with a wrong password and submit
- Expected: An inline sign-in error is shown; the operator is not signed in and stays on the sign-in form.
Test Data
| Label | Value | Notes |
|---|---|---|
| Operator email | operator@spectral.local | Seeded by cold_start_seed |
| Operator password | (env SPECTRAL_OPERATOR_PASSWORD) | Never hard-coded |
| Wrong password | not-the-password | Drives scenario 5 |