[Feature]: User Authentication #4

Closed
opened 2026-01-28 13:32:11 -07:00 by jramos · 2 comments
Owner

Problem:
Anyone with network access can view, add, or modify CVE records. There's no way to restrict access or know who made changes.

Describe the solution you'd like

Solution:
Implement a login system with role-based access:

  • Admin - Full access (add, edit, delete CVEs and users)
  • Editor - Add and edit CVEs, upload documents
  • Viewer - Read-only access

Describe alternatives you've considered

Alternatives:

  • Basic HTTP authentication (simple but limited)
  • OAuth with external provider (complex, overkill for internal tool)

Additional context

Context:
Foundation for audit logging. Assign to v1.1 milestone.

jramos added this to the Release v1.1 milestone 2026-01-28 13:32:11 -07:00
jramos added this to the Version 1.1 Release project 2026-01-28 14:00:17 -07:00
jramos moved this to In Progress in Version 1.1 Release on 2026-01-28 14:00:59 -07:00
jramos added reference feature/login 2026-01-28 14:02:13 -07:00
Author
Owner

Initial Admin Account

  • Username: admin
  • Password: admin123
  • Created automatically by setup.js
  • User should change password after first login

Implementation Order

  1. Backend auth core - middleware, auth routes, protect existing routes
  2. Database migration - add users/sessions tables, create default admin (admin/admin123)
  3. Frontend auth - AuthContext, LoginForm, update API calls with credentials
  4. Role-based UI - hide/show buttons based on role
  5. User management - admin panel for managing users

Verification

  1. Start servers, verify redirect to login
  2. Login as admin, verify full access
  3. Create editor user, verify can add CVEs but not delete
  4. Create viewer user, verify read-only access
  5. Test logout, verify session cleared
  6. Test expired session handling
Author
Owner

Authentication Feature - Test Cases

Feature Branch: feature/login
Date: 2026-01-28
Tester: _______________


Pre-Test Setup

  • Backend server running on port 3001
  • Frontend server running on port 3000
  • Database has been set up with node setup.js
  • Can access http://[SERVER_IP]:3000 in browser

1. Login Page Display

| # | Test Case | Expected Result | Pass/Fail |
|---|-----------|-----------------|-----------|
| 1.1 | Navigate to app URL when not logged in | Login page displays | |
| 1.2 | Login page shows username field | Field is visible and editable | |
| 1.3 | Login page shows password field | Field is visible and editable | |
| 1.4 | Login page shows "Sign In" button | Button is visible | |
| 1.5 | Default credentials hint is shown | Shows "admin / admin123" | |

2. Login Functionality

| # | Test Case | Expected Result | Pass/Fail |
|---|-----------|-----------------|-----------|
| 2.1 | Login with valid credentials (admin/admin123) | Redirects to dashboard | |
| 2.2 | Login with invalid username | Shows "Invalid username or password" | |
| 2.3 | Login with invalid password | Shows "Invalid username or password" | |
| 2.4 | Login with empty username | Form validation prevents submit | |
| 2.5 | Login with empty password | Form validation prevents submit | |
| 2.6 | Press Enter in password field | Submits form (same as clicking Sign In) | |

3. Session Persistence

| # | Test Case | Expected Result | Pass/Fail |
|---|-----------|-----------------|-----------|
| 3.1 | Refresh page after login | Stays logged in, dashboard displays | |
| 3.2 | Open new browser tab to same URL | Already logged in | |
| 3.3 | Close browser, reopen, navigate to app | Still logged in (within 24hrs) | |

4. Logout

| # | Test Case | Expected Result | Pass/Fail |
|---|-----------|-----------------|-----------|
| 4.1 | Click user menu in header | Dropdown menu appears | |
| 4.2 | Click "Sign Out" in dropdown | Returns to login page | |
| 4.3 | After logout, try to access dashboard URL directly | Redirects to login page | |
| 4.4 | After logout, check browser cookies | session_id cookie is cleared | |

5. User Menu Display

| # | Test Case | Expected Result | Pass/Fail |
|---|-----------|-----------------|-----------|
| 5.1 | User menu shows username | Displays "admin" | |
| 5.2 | User menu shows role | Displays "admin" role | |
| 5.3 | User menu dropdown shows email | Shows admin@localhost | |
| 5.4 | Admin user sees "Manage Users" option | Option is visible | |

6. Role-Based UI - Admin Role

Login as: admin/admin123

| # | Test Case | Expected Result | Pass/Fail |
|---|-----------|-----------------|-----------|
| 6.1 | "Add CVE/Vendor" button in header | Visible | |
| 6.2 | "Upload Document" button on CVE records | Visible | |
| 6.3 | "Delete" button on documents | Visible | |
| 6.4 | "Manage Users" in user menu | Visible | |
| 6.5 | Can open User Management panel | Panel opens | |

7. User Management (Admin)

Login as: admin/admin123

| # | Test Case | Expected Result | Pass/Fail |
|---|-----------|-----------------|-----------|
| 7.1 | Open User Management panel | Shows list of users | |
| 7.2 | Click "Add User" button | Add user form appears | |
| 7.3 | Create user: editor1 / editor1@test.com / password123 / Editor | User created successfully | |
| 7.4 | Create user: viewer1 / viewer1@test.com / password123 / Viewer | User created successfully | |
| 7.5 | Edit existing user (change email) | Changes saved | |
| 7.6 | Toggle user active status | Status changes | |
| 7.7 | Delete a user (not self) | User deleted | |
| 7.8 | Try to delete own account | Error: "Cannot delete your own account" | |
| 7.9 | Try to deactivate own account | Error: "Cannot deactivate your own account" | |
| 7.10 | Try to remove own admin role | Error: "Cannot remove your own admin role" | |
| 7.11 | Create duplicate username | Error: "Username or email already exists" | |

8. Role-Based UI - Editor Role

Logout and login as: editor1/password123

| # | Test Case | Expected Result | Pass/Fail |
|---|-----------|-----------------|-----------|
| 8.1 | "Add CVE/Vendor" button in header | Visible | |
| 8.2 | "Upload Document" button on CVE records | Visible | |
| 8.3 | "Delete" button on documents | NOT visible | |
| 8.4 | "Manage Users" in user menu | NOT visible | |
| 8.5 | Can add a new CVE | CVE created successfully | |
| 8.6 | Can upload a document | Document uploaded successfully | |

9. Role-Based UI - Viewer Role

Logout and login as: viewer1/password123

| # | Test Case | Expected Result | Pass/Fail |
|---|-----------|-----------------|-----------|
| 9.1 | "Add CVE/Vendor" button in header | NOT visible | |
| 9.2 | "Upload Document" button on CVE records | NOT visible | |
| 9.3 | "Delete" button on documents | NOT visible | |
| 9.4 | "Manage Users" in user menu | NOT visible | |
| 9.5 | Can view CVE list | CVEs display correctly | |
| 9.6 | Can view documents (click View) | Documents accessible | |
| 9.7 | Can use Quick CVE Status Check | Search works | |
| 9.8 | Can use filters (vendor, severity) | Filters work | |

10. Deactivated User

As admin, deactivate viewer1 account

| # | Test Case | Expected Result | Pass/Fail |
|---|-----------|-----------------|-----------|
| 10.1 | Try to login as deactivated user | Error: "Account is disabled" | |
| 10.2 | Reactivate user (as admin) | User can login again | |

11. Error Handling

| # | Test Case | Expected Result | Pass/Fail |
|---|-----------|-----------------|-----------|
| 11.1 | Stop backend, try to login | Shows "Failed to fetch" or connection error | |
| 11.2 | Backend returns 500 error | Error message displayed to user | |

Sign-Off

| Role | Name | Date | Signature |
|------|------|------|-----------|
| Tester | | | |
| Developer | | | |

Notes / Issues Found:





Final Status: [ ] PASS [ ] FAIL

jramos added a new dependency 2026-01-28 15:17:56 -07:00
jramos moved this to Done in Version 1.1 Release on 2026-01-28 17:01:41 -07:00
Blocks
#5 [Feature]: Audit Logging
jramos/cve-dashboard
Reference: jramos/cve-dashboard#4