arnes/spec/bdd/features/auth/logout.feature
rikrdo 3ff9b70e4c refactor: complete bootstrap of ARNES agent harness framework
- Add complete agent harness structure with 8 roles (leader, triager, architect, implementer, reviewer, security, qa, documenter)
- Implement strict workflow with 9 stages and mandatory gates
- Add comprehensive verification script and runtime status tracking
- Create artifact-based evidence system with contracts and schemas
- Add agent policy matrix with permissions and anti-cheat rules
- Include test suite (44 tests passing) and CI-ready structure
- Add documentation: README, HOWTO, CHECKPOINTS, templates
- Configure model routing policies and token-aware task assignment
- Add BDD/SDD specification guides and feature templates
- Include starter pack for quick project onboarding

All verification checks pass. Framework ready for production use.
2026-05-17 23:25:35 +02:00

58 lines
1.9 KiB
Gherkin

@F-004 @auth @logout
Feature: User Logout

  Background:
    Given the user "alice@example.com" exists with password "SecurePass123!"
    And I am authenticated as "alice@example.com"

  @positive
  Scenario: Successful logout invalidates current session
    Given my current access token is valid
    When I logout
    Then I should receive confirmation
    And my session should be marked as revoked
    And my access token should no longer be valid

  @positive
  Scenario: Logout with refresh token also invalidates access
    Given I have a valid refresh token
    When I logout
    Then both access and refresh tokens should be invalid
    And I should not be able to get new access token with refresh

  @positive
  Scenario: Logout all sessions for user
    Given I am logged in from device "desktop"
    And I am logged in from device "mobile"
    When I logout from all devices
    Then all my sessions should be invalidated
    And I should not be able to use any previous token

  @negative
  Scenario: Using token after logout returns unauthorized
    Given I previously logged in successfully
    And I have logged out
    When I try to use my old access token
    Then I should receive 401 Unauthorized
    And I should not have access to protected resources

  @negative
  Scenario: Logout with invalid token does nothing
    Given I have an invalid/expired token
    When I attempt to logout
    Then logout should not fail
    But no session should be affected

  @security
  Scenario: Concurrent logout requests are handled correctly
    Given my session is valid
    When I send multiple logout requests simultaneously
    Then only one logout operation should occur
    And token should be invalidated only once

  @smoke
  Scenario: Logout endpoint returns 200 on success
    Given I am authenticated as "alice@example.com"
    When I send POST request to "/api/v1/auth/logout"
    Then response should be 200 OK
    And response should indicate success
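
An added example, not part of the ARNES repository: a minimal in-memory session store in Python that satisfies the single-session scenarios above, in particular the @security one, by doing the revocation check and the state change under one lock. `SessionStore`, `concurrent_logout` and every method name are hypothetical; a real service would perform the same check-and-set atomically in its session database or cache and still answer the HTTP request without error when `logout` returns `False`.

```python
import secrets
import threading


class SessionStore:
    """One session owns an access token and a refresh token (assumed model)."""

    def __init__(self):
        self._lock = threading.Lock()
        self._by_token = {}   # token -> shared session record
        self.revocations = 0  # counts state changes, not logout calls

    def login(self, user):
        session = {"user": user, "revoked": False}
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        with self._lock:
            self._by_token[access] = self._by_token[refresh] = session
        return access, refresh

    def is_valid(self, token):
        with self._lock:
            session = self._by_token.get(token)
            return session is not None and not session["revoked"]

    def logout(self, token):
        """Idempotent: True only for the one call that revoked the session."""
        with self._lock:  # check and set together, so racing calls cannot both win
            session = self._by_token.get(token)
            if session is None or session["revoked"]:
                return False  # invalid, unknown or already revoked: no session affected
            session["revoked"] = True  # revokes access and refresh token at once
            self.revocations += 1
            return True


def concurrent_logout(store, token, n=16):
    """Release n logout calls at the same instant and collect their results."""
    barrier, results = threading.Barrier(n), []

    def attempt():
        barrier.wait()
        results.append(store.logout(token))

    threads = [threading.Thread(target=attempt) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```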