Harden auth validation against null request fields

2026-02-08 21:48:07 +01:00
parent acffbc199d
commit d2ab8a676f
5 changed files with 36 additions and 10 deletions


@@ -33,6 +33,7 @@ stateDiagram-v2
### 1) Authentication & Identity
- Register success (player, admin key path) issues cookie, trims fields, stores normalized username, hashes password.
- Register rejects missing/long username, weak password policy violations, missing display name, duplicate username, bad admin key, >24 chars username, >16 display name.
- Register/login null payload fields fail closed with `400` (no `500` on malformed JSON bodies).
- Bootstrap-admin key path only works until the owner account exists; bootstrap admin is marked as owner.
- Database uniqueness guard enforces single owner row (`IsOwner=true`) even if writes bypass endpoint-level checks.
- `/api/auth/options` reports owner presence for registration UI behavior.
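Review bot: The new bullet "Register/login null payload fields fail closed with `400` (no `500` on malformed JSON bodies)" folds two distinct failure paths into one checklist item, which makes it easy for a test suite to cover one and silently miss the other. A JSON body that parses but carries `null` for a required field (e.g. `"username": null`) reaches the validation layer, while a body that does not parse at all is rejected by the deserializer before validation runs; a `500` can come from either path for different reasons. Suggest splitting it into two bullets so each gets its own test, and naming the fields the null case is expected to cover, consistent with the field list already enumerated in the "Register rejects ..." bullet above (username, password, display name, admin key):

- Register/login with `null` for any required field (username, password, display name, admin key) returns `400`, not `500`.
- Register/login with a malformed (unparseable) JSON body returns `400`, not `500`.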