@nextsparkjs/theme-default 0.1.0-beta.1 → 0.1.0-beta.101

package/tests/cypress/e2e/uat/_core/auth/registration-control-open.cy.ts

@@ -0,0 +1,131 @@
+/// <reference types="cypress" />
+
+import * as allure from 'allure-cypress'
+
+/**
+ * Registration Control Tests - Open Mode
+ *
+ * Verifies registration mode enforcement when mode is 'open'.
+ * Tests: signup accessibility, login page elements, API signup allowed.
+ *
+ * These tests detect the current registration mode and skip if not 'open'.
+ */
+describe('Registration Control - Open Mode', {
+  tags: ['@uat', '@feat-auth', '@security', '@regression']
+}, () => {
+  const TEST_PASSWORD = Cypress.env('TEST_PASSWORD') || 'Test1234'
+
+  before(() => {
+    // Detect registration mode by checking if /signup is accessible (not redirected)
+    cy.request({
+      url: '/signup',
+      followRedirect: false,
+      failOnStatusCode: false,
+    }).then((response) => {
+      // In open mode, /signup returns 200 (not a redirect)
+      // In domain-restricted or invitation-only (with existing team), it redirects (307/308)
+      if (response.status >= 300 && response.status < 400) {
+        // Not open mode — skip all tests in this suite
+        Cypress.runner.stop()
+      }
+      // Additionally verify that the login page shows a signup link (confirms open mode)
+    })
+  })
+
+  beforeEach(() => {
+    allure.epic('UAT')
+    allure.feature('Registration Control')
+    cy.clearCookies()
+    cy.clearLocalStorage()
+  })
+
+  describe('REG_OPEN_001: Signup page is accessible in open mode', () => {
+    it('should show the signup form without redirecting', () => {
+      allure.story('Signup Accessibility')
+      allure.severity('critical')
+
+      cy.log('1. Visit /signup')
+      cy.visit('/signup')
+
+      cy.log('2. Should stay on /signup (no redirect)')
+      cy.url().should('include', '/signup')
+
+      cy.log('3. Signup form should be visible')
+      cy.get('form').should('exist')
+    })
+  })
+
+  describe('REG_OPEN_002: Login page shows email login and signup link', () => {
+    it('should show email login form and signup link', () => {
+      allure.story('Login Page Visibility')
+      allure.severity('critical')
+
+      cy.log('1. Visit /login')
+      cy.visit('/login')
+
+      cy.log('2. Email login should be available')
+      // Either the form is visible directly, or a "show email" toggle exists
+      cy.get('body').then(($body) => {
+        if ($body.find('[data-cy="auth.login.showEmail"]').length) {
+          cy.get('[data-cy="auth.login.showEmail"]').click()
+        }
+      })
+      cy.get('[data-cy="auth.login.form"]').should('exist')
+
+      cy.log('3. Signup link should be visible')
+      cy.get('[data-cy="auth.login.signupLink"]').should('be.visible')
+    })
+  })
+
+  describe('REG_OPEN_003: API allows email signup in open mode', () => {
+    it('should allow new user registration via email', () => {
+      allure.story('API Signup Allowed')
+      allure.severity('critical')
+
+      const uniqueEmail = `test-open-${Date.now()}@test-cypress.dev`
+
+      cy.log(`1. POST /api/auth/sign-up/email with new user: ${uniqueEmail}`)
+      cy.request({
+        method: 'POST',
+        url: '/api/auth/sign-up/email',
+        body: {
+          name: 'Test Open Mode User',
+          email: uniqueEmail,
+          password: TEST_PASSWORD,
+        },
+        failOnStatusCode: false,
+      }).then((response) => {
+        cy.log(`Response status: ${response.status}`)
+        // Open mode should allow signup (200) or require email verification (200 with token)
+        // Should NOT be 403 (blocked)
+        expect(response.status).to.not.eq(403)
+        expect(response.status).to.be.oneOf([200, 201])
+      })
+    })
+  })
+
+  describe('REG_OPEN_004: Existing user can login with email+password', () => {
+    it('should allow existing user to sign in via API', () => {
+      allure.story('Existing User Login')
+      allure.severity('critical')
+
+      cy.log('1. POST /api/auth/sign-in/email with existing user')
+      cy.request({
+        method: 'POST',
+        url: '/api/auth/sign-in/email',
+        body: {
+          email: Cypress.env('OWNER_EMAIL') || 'carlos.mendoza@nextspark.dev',
+          password: TEST_PASSWORD,
+        },
+        failOnStatusCode: false,
+      }).then((response) => {
+        cy.log(`Response status: ${response.status}`)
+        expect(response.status).to.eq(200)
+      })
+    })
+  })
+
+  after(() => {
+    cy.log('Registration control (open mode) tests completed')
+  })
+})

package/tests/cypress/e2e/uat/_core/auth/registration-control.cy.ts

@@ -0,0 +1,140 @@
+/// <reference types="cypress" />
+
+import * as allure from 'allure-cypress'
+
+import { DEFAULT_THEME_USERS } from '../../../../src/session-helpers'
+
+/**
+ * Registration Control Tests
+ *
+ * Verifies registration mode enforcement in domain-restricted mode (default theme).
+ * Tests: signup redirect, login page visibility, API blocking, existing user login.
+ */
+describe('Registration Control - Domain Restricted Mode', {
+  tags: ['@uat', '@feat-auth', '@security', '@regression']
+}, () => {
+  const TEST_PASSWORD = Cypress.env('TEST_PASSWORD') || 'Test1234'
+
+  beforeEach(() => {
+    allure.epic('UAT')
+    allure.feature('Registration Control')
+    cy.clearCookies()
+    cy.clearLocalStorage()
+  })
+
+  describe('REG_001: Signup page redirects in domain-restricted mode', () => {
+    it('should redirect /signup to /login', () => {
+      allure.story('Signup Redirect')
+      allure.severity('critical')
+
+      cy.log('1. Visit /signup')
+      cy.visit('/signup', { failOnStatusCode: false })
+
+      cy.log('2. Should redirect to /login')
+      cy.url().should('include', '/login')
+    })
+  })
+
+  describe('REG_002: Login page hides email login in domain-restricted mode', () => {
+    it('should show Google button but hide email login options', () => {
+      allure.story('Login Page Visibility')
+      allure.severity('critical')
+
+      cy.log('1. Visit /login')
+      cy.visit('/login')
+
+      cy.log('2. Google sign-in button should be visible')
+      cy.get('[data-cy="auth.login.googleSignin"]').should('be.visible')
+
+      cy.log('3. "Show email" link should NOT exist')
+      cy.get('[data-cy="auth.login.showEmail"]').should('not.exist')
+
+      cy.log('4. Email form should NOT exist')
+      cy.get('[data-cy="auth.login.form"]').should('not.exist')
+
+      cy.log('5. Signup link should NOT exist')
+      cy.get('[data-cy="auth.login.signupLink"]').should('not.exist')
+    })
+  })
+
+  describe('REG_003: API blocks email signup in domain-restricted mode', () => {
+    it('should return 403 for email signup attempt', () => {
+      allure.story('API Signup Blocking')
+      allure.severity('critical')
+
+      cy.log('1. POST /api/auth/sign-up/email with new user data')
+      cy.request({
+        method: 'POST',
+        url: '/api/auth/sign-up/email',
+        body: {
+          name: 'Test New User',
+          email: 'newuser@unauthorized-domain.com',
+          password: 'TestPassword123',
+        },
+        failOnStatusCode: false,
+      }).then((response) => {
+        cy.log(`Response status: ${response.status}`)
+        expect(response.status).to.eq(403)
+      })
+    })
+  })
+
+  describe('REG_004: API blocks alternative signup endpoints', () => {
+    it('should block signup via alternative endpoints', () => {
+      allure.story('API Signup Blocking')
+      allure.severity('normal')
+
+      const signupPayload = {
+        name: 'Test New User',
+        email: 'newuser@unauthorized-domain.com',
+        password: 'TestPassword123',
+      }
+
+      const endpoints = [
+        '/api/auth/sign-up/email',
+        '/api/auth/sign-up/credentials',
+      ]
+
+      endpoints.forEach((endpoint) => {
+        cy.log(`Testing: POST ${endpoint}`)
+        cy.request({
+          method: 'POST',
+          url: endpoint,
+          body: signupPayload,
+          failOnStatusCode: false,
+        }).then((response) => {
+          cy.log(`${endpoint} → ${response.status}`)
+          // Should be blocked (403 or 404 for non-existent endpoints)
+          expect(response.status).to.be.oneOf([403, 404, 422])
+        })
+      })
+    })
+  })
+
+  describe('REG_005: Existing user can still login with email+password', () => {
+    it('should allow existing user to sign in via API', () => {
+      allure.story('Existing User Login')
+      allure.severity('critical')
+
+      const existingUser = DEFAULT_THEME_USERS.OWNER
+
+      cy.log(`1. POST /api/auth/sign-in/email with existing user: ${existingUser}`)
+      cy.request({
+        method: 'POST',
+        url: '/api/auth/sign-in/email',
+        body: {
+          email: existingUser,
+          password: TEST_PASSWORD,
+        },
+        failOnStatusCode: false,
+      }).then((response) => {
+        cy.log(`Response status: ${response.status}`)
+        expect(response.status).to.eq(200)
+      })
+    })
+  })
+
+  after(() => {
+    cy.log('Registration control tests completed')
+  })
+})

package/tests/cypress/e2e/uat/_core/auth/team-roles/admin-login.bdd.md

@@ -0,0 +1,225 @@
+---
+feature: Admin Team Role Permissions
+priority: critical
+tags: [auth, team-role, admin, permissions, security]
+grepTags: [uat, feat-auth, team-role, admin]
+coverage: 6
+---
+
+# Admin Team Role Permissions
+
+> Tests for Admin team role permissions and access control. Admin has full CRUD access to entities but limited team settings and no billing management. Cannot access app-role areas.
+
+## @test ADMIN-PERM-001: Admin Dashboard Access
+
+### Metadata
+- **Priority:** Critical
+- **Type:** Smoke
+- **Tags:** admin, dashboard, navigation
+- **Grep:** `@smoke`
+
+```gherkin:en
+Scenario: Admin can access dashboard with full navigation
+
+Given I am logged in as Admin (james.wilson@nextspark.dev)
+When I visit /dashboard
+Then the dashboard container should be visible
+And I should see navigation for customers
+And I should see navigation for tasks
+```
+
+```gherkin:es
+Scenario: Admin puede acceder al dashboard con navegacion completa
+
+Given estoy logueado como Admin (james.wilson@nextspark.dev)
+When visito /dashboard
+Then el contenedor del dashboard deberia estar visible
+And deberia ver navegacion a customers
+And deberia ver navegacion a tasks
+```
+
+### Expected Results
+- Dashboard loads correctly
+- Navigation items visible
+- No entity restrictions
+
+---
+
+## @test ADMIN-PERM-002: Admin Full Entity Access
+
+### Metadata
+- **Priority:** Critical
+- **Type:** Smoke
+- **Tags:** admin, customers, crud
+- **Grep:** `@smoke`
+
+```gherkin:en
+Scenario: Admin has full CRUD access to customers
+
+Given I am logged in as Admin (james.wilson@nextspark.dev)
+When I visit /customers
+Then the create button should be visible
+And the entity list should be visible
+```
+
+```gherkin:es
+Scenario: Admin tiene acceso CRUD completo a customers
+
+Given estoy logueado como Admin (james.wilson@nextspark.dev)
+When visito /customers
+Then el boton de crear deberia estar visible
+And la lista de entidades deberia estar visible
+```
+
+### Expected Results
+- Full CRUD access to entities
+- Create button visible
+- Edit/Delete available
+
+---
+
+## @test ADMIN-PERM-003: Admin Settings Access
+
+### Metadata
+- **Priority:** High
+- **Type:** Regression
+- **Tags:** admin, settings
+
+```gherkin:en
+Scenario: Admin can access settings with limited options
+
+Given I am logged in as Admin (james.wilson@nextspark.dev)
+When I visit /settings
+Then the settings container should be visible
+And the profile tab should be visible
+```
+
+```gherkin:es
+Scenario: Admin puede acceder a settings con opciones limitadas
+
+Given estoy logueado como Admin (james.wilson@nextspark.dev)
+When visito /settings
+Then el contenedor de settings deberia estar visible
+And la pestana de perfil deberia estar visible
+```
+
+### Expected Results
+- Settings accessible
+- Profile management available
+- Some team settings may be restricted
+
+---
+
+## @test ADMIN-PERM-004: Admin Billing Restricted Access
+
+### Metadata
+- **Priority:** High
+- **Type:** Regression
+- **Tags:** admin, billing, restricted
+
+```gherkin:en
+Scenario: Admin has view-only or no access to billing
+
+Given I am logged in as Admin (james.wilson@nextspark.dev)
+When I visit /billing
+Then I should have view-only access or be redirected
+```
+
+```gherkin:es
+Scenario: Admin tiene acceso solo lectura o sin acceso a billing
+
+Given estoy logueado como Admin (james.wilson@nextspark.dev)
+When visito /billing
+Then deberia tener acceso solo lectura o ser redirigido
+```
+
+### Expected Results
+- Either view-only billing access
+- Or redirect to dashboard
+- No upgrade/payment buttons if accessible
+
+---
+
+## @test ADMIN-PERM-005: Admin Cannot Access Sector7
+
+### Metadata
+- **Priority:** High
+- **Type:** Security
+- **Tags:** admin, sector7, blocked
+
+```gherkin:en
+Scenario: Admin is blocked from Sector7
+
+Given I am logged in as Admin (james.wilson@nextspark.dev)
+When I attempt to visit /sector7
+Then I should be redirected away from /sector7
+```
+
+```gherkin:es
+Scenario: Admin no puede acceder a Sector7
+
+Given estoy logueado como Admin (james.wilson@nextspark.dev)
+When intento visitar /sector7
+Then deberia ser redirigido fuera de /sector7
+```
+
+### Expected Results
+- Access denied to Sector7
+- Redirect to dashboard
+
+---
+
+## @test ADMIN-PERM-006: Admin Cannot Access Dev Zone
+
+### Metadata
+- **Priority:** High
+- **Type:** Security
+- **Tags:** admin, dev-zone, blocked
+
+```gherkin:en
+Scenario: Admin is blocked from Dev Zone
+
+Given I am logged in as Admin (james.wilson@nextspark.dev)
+When I attempt to visit /dev
+Then I should be redirected away from /dev
+```
+
+```gherkin:es
+Scenario: Admin no puede acceder a Dev Zone
+
+Given estoy logueado como Admin (james.wilson@nextspark.dev)
+When intento visitar /dev
+Then deberia ser redirigido fuera de /dev
+```
+
+### Expected Results
+- Access denied to Dev Zone
+- Redirect to dashboard
+
+---
+
+## UI Elements
+
+| Element | Selector | Description |
+|---------|----------|-------------|
+| Dashboard Container | `[data-cy="dashboard-container"]` | Main dashboard container |
+| Customers Nav | `[data-cy="sidebar-nav-customers"]` | Customers navigation item |
+| Tasks Nav | `[data-cy="sidebar-nav-tasks"]` | Tasks navigation item |
+| Create Button | `[data-cy="entity-create-button"]` | Entity create button |
+| Entity List | `[data-cy="entity-list-container"]` | Entity list container |
+| Settings Container | `[data-cy="settings-container"]` | Settings page container |
+| Profile Tab | `[data-cy="settings-tab-profile"]` | Profile settings tab |
+| Billing Container | `[data-cy="billing-container"]` | Billing page container |
+
+---
+
+## Summary
+
+| Test ID | Block | Description | Tags |
+|---------|-------|-------------|------|
+| ADMIN-PERM-001 | Access | Dashboard with navigation | `@smoke` |
+| ADMIN-PERM-002 | Access | Full CRUD to customers | `@smoke` |
+| ADMIN-PERM-003 | Access | Settings with limits | |
+| ADMIN-PERM-004 | Restricted | View-only billing | |
+| ADMIN-PERM-005 | Blocked | Cannot access Sector7 | |
+| ADMIN-PERM-006 | Blocked | Cannot access Dev Zone | |

package/tests/cypress/e2e/uat/_core/auth/team-roles/admin-login.cy.ts

@@ -0,0 +1,148 @@
+/// <reference types="cypress" />
+
+/**
+ * Admin Team Role Login Tests
+ *
+ * Tests the Admin team role login and specific permissions:
+ * - Full CRUD access to entities
+ * - Limited team settings access (cannot delete team)
+ * - No billing access (owner only)
+ * - Member management (limited)
+ * - Cannot access /dev or /superadmin (app roles only)
+ *
+ * Note: Basic login is tested in login-logout.cy.ts
+ * This file focuses on Admin-specific permissions and restrictions.
+ *
+ * Tags: @uat, @feat-auth, @team-role, @admin
+ */
+
+import * as allure from 'allure-cypress'
+
+import { loginAsDefaultAdmin, DEFAULT_THEME_USERS } from '../../../../src/session-helpers'
+import { DashboardPOM } from '../../../../src/features/DashboardPOM'
+import { SettingsPOM } from '../../../../src/features/SettingsPOM'
+import { BillingPOM } from '../../../../src/features/BillingPOM'
+import { SuperadminPOM } from '../../../../src/features/SuperadminPOM'
+import { DevAreaPOM } from '../../../../src/features/DevAreaPOM'
+
+describe('Authentication - Admin Team Role Permissions', {
+  tags: ['@uat', '@feat-auth', '@team-role', '@admin']
+}, () => {
+  const dashboard = DashboardPOM.create()
+  const settings = SettingsPOM.create()
+  const billing = BillingPOM.create()
+  const sector7 = SuperadminPOM.create()
+  const devArea = DevAreaPOM.create()
+
+  beforeEach(() => {
+    allure.epic('Authentication')
+    allure.feature('Team Roles')
+    allure.story('Admin Permissions')
+    loginAsDefaultAdmin()
+  })
+
+  describe('ADMIN-PERM-001: Admin Dashboard Access', { tags: '@smoke' }, () => {
+    it('should access dashboard with full navigation', { tags: '@smoke' }, () => {
+      allure.severity('critical')
+
+      // 1. Visit dashboard and wait for it to load
+      dashboard.visitDashboard()
+      dashboard.waitForDashboard()
+
+      // 2. Validate sidebar navigation items
+      dashboard.assertEntityNavVisible('customers')
+      dashboard.assertEntityNavVisible('tasks')
+
+      cy.log(`✅ Admin dashboard access verified (${DEFAULT_THEME_USERS.ADMIN})`)
+    })
+  })
+
+  describe('ADMIN-PERM-002: Admin Full Entity Access', { tags: '@smoke' }, () => {
+    it('should have full CRUD access to customers', { tags: '@smoke' }, () => {
+      allure.severity('critical')
+
+      // 1. Navigate to customers
+      dashboard.visitEntity('customers')
+      dashboard.waitForEntityPage('customers')
+
+      // 2. Validate create button is visible (Admin can create)
+      dashboard.assertEntityAddButtonVisible('customers')
+
+      // 3. Validate table is visible
+      dashboard.assertEntityPageVisible('customers')
+
+      cy.log('✅ Admin has full CRUD access to customers')
+    })
+  })
+
+  describe('ADMIN-PERM-003: Admin Settings Access', () => {
+    it('should access settings page with limited options', () => {
+      allure.severity('high')
+
+      // 1. Navigate to settings
+      settings.visitSettings()
+      settings.waitForSettings()
+
+      // 2. Validate settings page is accessible
+      settings.assertSettingsVisible()
+
+      // 3. Validate profile nav is visible
+      settings.assertNavItemVisible('profile')
+
+      cy.log('✅ Admin can access settings')
+    })
+  })
+
+  describe('ADMIN-PERM-004: Admin Billing Restricted Access', () => {
+    it('should have view-only or no access to billing', () => {
+      allure.severity('high')
+
+      // 1. Navigate to billing
+      billing.visitBilling()
+
+      // 2. Check access - Admin may have view-only or redirected
+      cy.url().then((url) => {
+        if (url.includes('/billing')) {
+          // If accessible, billing container should be visible
+          billing.getBillingMain().should('be.visible')
+          cy.log('✅ Admin has view-only billing access')
+        } else {
+          // If redirected, that's also valid
+          cy.log('✅ Admin correctly redirected from billing')
+        }
+      })
+    })
+  })
+
+  describe('ADMIN-PERM-005: Admin Cannot Access Superadmin', () => {
+    it('should be redirected when trying to access /superadmin', () => {
+      allure.severity('high')
+
+      // 1. Attempt to visit Superadmin
+      cy.visit('/superadmin', { timeout: 60000, failOnStatusCode: false })
+
+      // 2. Should be redirected
+      sector7.assertAccessDenied()
+
+      cy.log('✅ Admin correctly blocked from Superadmin')
+    })
+  })
+
+  describe('ADMIN-PERM-006: Admin Cannot Access Dev Zone', () => {
+    it('should be redirected when trying to access /dev', () => {
+      allure.severity('high')
+
+      // 1. Attempt to visit Dev Zone
+      devArea.attemptToVisitDev()
+
+      // 2. Should be redirected
+      devArea.assertRedirectedToDashboard()
+
+      cy.log('✅ Admin correctly blocked from Dev Zone')
+    })
+  })
+
+  after(() => {
+    cy.log('✅ Admin team role tests completed')
+  })
+})