
Auth Gating

Generated

This page is generated from qa/operations/specs/auth-gating.md — the source of truth. Edit the spec, not this page.

Last run: not yet recorded (run the replay suite to populate status).

Overview

The operator cockpit is gated to Spectral staff with the operations organization role. Every route runs the JWKS-local gate: unauthenticated visitors are sent to the dev sign-in, authenticated non-operators to a forbidden screen, and operators through to the cockpit. Getting this wrong either locks staff out or exposes the operator surface — so it is the first thing to verify.

Preconditions

  • The stack is running in replay mode at the operations base URL.
  • The seeded operator (operator@spectral.local, organization_role=operations) exists.
  • SPECTRAL_OPERATOR_PASSWORD is set for the credentials auth fixture.

Scenarios

1. Unauthenticated visitor is redirected to sign-in

  • With no session cookie, navigate to the cockpit home /
  • Expected: Redirected to /auth/login; the sign-in form is visible (email + password fields, “Sign in” button).

2. Operator signs in and reaches the cockpit

  • Navigate to /auth/login
  • Enter the seeded operator email and password
  • Submit the sign-in form
  • Expected: Redirected into the cockpit; the persistent left rail is visible with the “Rulesets” and “Review queue” destinations and a sign-out control.

3. Signed-in operator can sign out

  • While signed in, activate the sign-out control in the rail
  • Expected: The session is cleared and the visitor is returned to /auth/login.

4. Direct navigation to a deep route while unauthenticated

  • With no session, navigate directly to /worlds
  • Expected: Redirected to /auth/login rather than rendering the worlds list.

5. Invalid credentials are rejected

  • On /auth/login, enter the operator email with a wrong password and submit
  • Expected: An inline sign-in error is shown; the operator is not signed in and stays on the sign-in form.
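
The five scenarios above, plus the authenticated non-operator branch the Overview names but no scenario exercises, as an added in-memory model (example code written for this page, not the cockpit's own implementation). It assumes the forbidden screen lives at /forbidden, a constructed non-operator account viewer@spectral.local, PBKDF2 for the seeded password digest, and that sign-out simply drops the session; the gate rule itself (no session to /auth/login, wrong role to forbidden, operations role through) is the page's.

```python
# Added example, not the project's code: a model of the per-route auth gate and
# the seeded-operator credential check. Assumed: the "/forbidden" path, the
# viewer@spectral.local account, and the PBKDF2 parameters.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

LOGIN = "/auth/login"
FORBIDDEN = "/forbidden"        # assumed path for the "forbidden screen"
OPERATOR_ROLE = "operations"    # organization_role the gate requires
PBKDF2_ROUNDS = 100_000         # assumed; only the shape of the check matters here


@dataclass(frozen=True)
class Session:
    email: str
    organization_role: str


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def seed_users(operator_password: str) -> dict:
    """Constructed stand-in for cold_start_seed: stores salted digests, never
    the plaintext. The viewer account (assumption) exists only so the
    'authenticated non-operator -> forbidden' branch is reachable."""
    users = {}
    for email, role, password in (
        ("operator@spectral.local", OPERATOR_ROLE, operator_password),
        ("viewer@spectral.local", "viewer", secrets.token_urlsafe(16)),
    ):
        salt = secrets.token_bytes(16)
        users[email] = (role, salt, _digest(password, salt))
    return users


_DUMMY_SALT = secrets.token_bytes(16)


def authenticate(users: dict, email: str, password: str) -> Optional[Session]:
    """Scenario 2 vs 5: a Session only on a matching password. Unknown emails
    still pay the hashing cost so response time does not reveal which
    addresses are seeded; the compare is constant-time."""
    record = users.get(email)
    if record is None:
        _digest(password, _DUMMY_SALT)
        return None
    role, salt, digest = record
    if not hmac.compare_digest(_digest(password, salt), digest):
        return None
    return Session(email, role)


def gate(path: str, session: Optional[Session]) -> tuple:
    """The decision every route runs (Overview). Returns (action, target)."""
    if path == LOGIN:
        return ("render", path)            # the sign-in page itself is never gated
    if session is None:
        return ("redirect", LOGIN)         # scenarios 1 and 4
    if session.organization_role != OPERATOR_ROLE:
        return ("forbidden", FORBIDDEN)    # authenticated non-operator
    return ("render", path)                # operator reaches the cockpit


def replay(operator_password: str) -> dict:
    """Walk the scenarios and return each outcome keyed by scenario so a
    suite can assert on the results rather than on printed output."""
    users = seed_users(operator_password)
    results = {}
    results["1_unauth_home"] = gate("/", None)
    session = authenticate(users, "operator@spectral.local", operator_password)
    results["2_operator_home"] = gate("/", session)
    session = None                          # scenario 3: sign-out clears the session
    results["3_after_sign_out"] = gate("/", session)
    results["4_unauth_deep"] = gate("/worlds", None)
    results["5_wrong_password"] = authenticate(
        users, "operator@spectral.local", "not-the-password")
    results["x_non_operator"] = gate(
        "/worlds", Session("viewer@spectral.local", "viewer"))
    return results


if __name__ == "__main__":
    # Per the Test Data table the password comes from the environment; the
    # random fallback is only so a stand-alone run never hard-codes one.
    pw = os.environ.get("SPECTRAL_OPERATOR_PASSWORD") or secrets.token_urlsafe(16)
    for name, outcome in replay(pw).items():
        print(f"{name}: {outcome}")
```

The gate is written as a pure function of (path, session) so that every route can call it and the three outcomes can be table-tested; the only route excluded is /auth/login itself, which would otherwise redirect to itself. The dummy digest on unknown emails is the detail most often missed when this check is hand-rolled.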

Test Data

Label               Value                              Notes
Operator email      operator@spectral.local            Seeded by cold_start_seed
Operator password   (env SPECTRAL_OPERATOR_PASSWORD)   Never hard-coded
Wrong password      not-the-password                   Drives scenario 5