@F-004 @auth @login
Feature: User Login

  Background:
    Given the user "alice@example.com" exists with password "SecurePass123!"

  @positive
  Scenario: Successful login with valid credentials
    Given I have valid email "alice@example.com" and password "SecurePass123!"
    When I attempt to login
    Then I should receive an access token
    And the access token should contain user_id claim
    And the access token should contain email claim
    And the access token should not be expired

  @positive
  Scenario: Login returns refresh token
    Given I have valid credentials for "alice@example.com"
    When I login successfully
    Then I should receive a refresh token
    And the refresh token should be different from access token
    And the refresh token should have longer expiration

  @positive
  Scenario: Login email is case-insensitive
    Given a user exists with email "bob@test.com" and password "TestPass99!"
    When I login with email "BOB@TEST.COM" and password "TestPass99!"
    Then login should be successful

  @negative
  Scenario: Login with wrong password
    Given I have email "alice@example.com" and password "WrongPassword123!"
    When I attempt to login
    Then I should receive error "Credenciales inválidas"
    And I should not receive any token

  @negative
  Scenario: Login with nonexistent user
    Given I have email "nonexistent@test.com" and password "AnyPass123!"
    When I attempt to login
    Then I should receive error "Credenciales inválidas"
    And I should not receive any token

  @negative
  Scenario: Login with empty password
    Given I have email "alice@example.com" and empty password
    When I attempt to login
    Then I should receive validation error
    And I should not receive any token

  @negative
  Scenario: Login with invalid email format
    Given I have email "not-an-email" and password "ValidPass123!"
    When I attempt to login
    Then I should receive validation error
    And I should not receive any token

  @security @rate-limit
  Scenario: Login blocked after 10 failed attempts
    Given I have email "alice@example.com" and password "WrongPassword!"
    When I attempt to login 10 times with wrong password
    Then account should be temporarily locked
    And next login attempt should return error "Cuenta bloqueada"

  @smoke
  Scenario: Login endpoint responds with JSON
    Given I have valid credentials for "alice@example.com"
    When I send a POST request to "/api/v1/auth/login"
    Then response should be JSON format
    And response should have correct content-type header