{
  "ursId": "URS-001",
  "title": "Secure Login with Unique User Credentials",
  "timestamp": "2026-04-21T05:55:47.219Z",
  "durationMs": 88857,
  "config": {
    "inboxUrl": "http://localhost:60677",
    "dbHost": "localhost",
    "dbPort": 60678,
    "dbName": "cc_repinbox_dev"
  },
  "setup": {
    "status": "pass"
  },
  "scenarios": [
    {
      "name": "Step 1: Login page loads correctly",
      "status": "pass",
      "description": "Step 1: Login page loads correctly",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-01-login-page.png"
      ],
      "explanation": "The system presents a login form with email and password fields and a password reset link. This confirms the authentication entry point is functional. Note that this step only shows the login page itself; it does not by itself demonstrate that no unauthenticated route to application content exists (the protected-route redirect in Step 10 covers one such route, /inbox)."
    },
    {
      "name": "Step 2: Valid login - Distributor user",
      "status": "pass",
      "description": "Step 2: Valid login - Distributor user",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-02-distributor-logged-in.png"
      ],
      "explanation": "A distributor user authenticates successfully with correct credentials. The system validates the credentials, creates a session, and redirects the user to the authenticated application. This demonstrates that valid credentials grant access as required by URS-001.",
      "expectedAuditActions": [
        "user_log:user:login"
      ]
    },
    {
      "name": "Step 3: Valid login - Manufacturer user",
      "status": "pass",
      "description": "Step 3: Valid login - Manufacturer user",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-03-manufacturer-logged-in.png"
      ],
      "explanation": "A manufacturer-type user authenticates successfully, confirming that the credential flow accepts a second organization type through the same login form. This step shows that the standard path works for this org type; it does not by itself prove that no alternative authentication path exists for other org types.",
      "expectedAuditActions": [
        "user_log:user:login"
      ]
    },
    {
      "name": "Step 4: Valid login - Admin user",
      "status": "pass",
      "description": "Step 4: Valid login - Admin user",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-04-admin-logged-in.png"
      ],
      "explanation": "An admin user authenticates successfully through the same login form, confirming that the three roles exercised in Steps 2-4 (distributor, manufacturer, admin) share one credential-based authentication mechanism, with no separate admin entry point observed in this run.",
      "expectedAuditActions": [
        "user_log:user:login"
      ]
    },
    {
      "name": "Step 5: Invalid credentials - Wrong password",
      "status": "pass",
      "description": "Step 5: Invalid credentials - Wrong password",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-05-wrong-password-error.png"
      ],
      "explanation": "Attempting to log in with a valid registered email but an incorrect password is rejected. The system returns a generic error message and keeps the user on the login page. The exact error text is captured for comparison in Step 6 to verify protection against email enumeration; only the message text is compared, response timing is not measured. No failed-login audit event appears in auditEventEvidence for this attempt — the audit query is scoped to organization IDs, so an unscoped failed-login event would not be returned even if one were recorded — so failed-attempt logging and any lockout or rate limiting are not evidenced by this report."
    },
    {
      "name": "Step 6: Invalid credentials - Non-existent email",
      "status": "pass",
      "description": "Step 6: Invalid credentials - Non-existent email",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-06-nonexistent-email-error.png"
      ],
      "explanation": "Attempting to log in with an email address that has never been registered returns the exact same error message text as Step 5. Identical messages prevent an attacker from distinguishing wrong-password from unknown-email by the response body. This check covers message text only: a timing difference (for example if password hashing is skipped for unknown emails) or a differing HTTP status would still allow enumeration, and neither is measured in this run."
    },
    {
      "name": "Step 6b: Locked account - inactive user cannot login",
      "status": "pass",
      "description": "Step 6b: Locked account - inactive user cannot login",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-06b-locked-account-error.png"
      ],
      "explanation": "A user whose organization memberships have all been deactivated (see dbValidation 'Locked user is inactive') is blocked from logging in even when submitting the correct credentials, and the attempt is recorded as a distinct user:login_deactivated audit event. This confirms that deactivation is enforced at login time and that credential validity alone is insufficient for access. Two caveats: this step does not show whether sessions that already existed before deactivation are revoked, and if the locked-account error text differs from the generic message of Steps 5-6 it reveals that the account exists — the step-06b screenshot should be compared against step-05 on that point."
    },
    {
      "name": "Step 7: Empty field validation",
      "status": "pass",
      "description": "Step 7: Empty field validation",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-07-empty-both-fields.png",
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-07-empty-password.png"
      ],
      "explanation": "Submitting the login form with empty fields triggers client-side validation errors before any server request is made, displaying field-level messages such as \"Invalid email\" and \"Password is required\". This confirms the form gives clear feedback. Because the check runs in the browser it is a usability control, not a security boundary: a client that bypasses the form can still send empty or malformed fields, and server-side rejection of such requests is not exercised by this step."
    },
    {
      "name": "Step 8: Session security - Cookie verification",
      "status": "pass",
      "description": "Step 8: Session security - Cookie verification",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-08-session-security.png"
      ],
      "explanation": "After successful login the session cookie attributes are inspected. The HttpOnly flag prevents page JavaScript from reading the token, mitigating session theft via XSS. SameSite=Lax withholds the cookie on cross-site subrequests and cross-site POSTs, which reduces CSRF exposure, but it is still sent on top-level cross-site GET navigations, so it is a mitigation rather than a complete CSRF defense. Because this run targets http://localhost, the Secure flag cannot be meaningfully verified here and must be confirmed separately against the deployed HTTPS origin. Cookie evidence is written to session-cookie-evidence.json."
    },
    {
      "name": "Step 9: Session isolation - Multiple users",
      "status": "pass",
      "description": "Step 9: Session isolation - Multiple users",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-09-session-a-distributor.png",
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-09-session-b-admin.png"
      ],
      "explanation": "Two users log in simultaneously in separate browser contexts (equivalent to separate incognito windows) and each receives a distinct session token, consistent with the per-user session rows in the 'Recent sessions created' validation. Distinct tokens show sessions are not shared between concurrent logins. This step does not attempt to present one user's token against the other's account, so cross-session access control is inferred rather than directly exercised."
    },
    {
      "name": "Step 10: Logout and session termination",
      "status": "pass",
      "description": "Step 10: Logout and session termination",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-10-before-logout.png",
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-10-after-logout.png",
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/screenshots/step-10-protected-route-redirect.png"
      ],
      "explanation": "A logged-in user opens the sidebar user menu and clicks Logout. The server clears the session cookie and redirects the browser, and a subsequent attempt to access /inbox is redirected to login, confirming the browser can no longer authenticate. Whether the session record is also deleted or expired server-side (so that a previously captured token is rejected) is not asserted by any dbValidation in this report and should be checked against the session table."
    }
  ],
  "dbValidations": [
    {
      "name": "Demo users exist",
      "query": "SELECT id, email, name, created_at\n      FROM users\n      WHERE email IN (\n        'alex.admin@zurimed.com',\n        'mark.manufacturer@zurimed.com',\n        'dan.distributor@stellartech.com',\n        'demo.user@zurimed.com'\n      )\n      ORDER BY email",
      "status": "pass",
      "rows": [
        {
          "id": "f6a7b8c9-d0e1-2345-f123-456789012345",
          "email": "alex.admin@zurimed.com",
          "name": "Alex Admin",
          "created_at": "2026-04-21T03:36:14.401Z"
        },
        {
          "id": "c3d4e5f6-a7b8-9012-cdef-123456789012",
          "email": "dan.distributor@stellartech.com",
          "name": "Dan Distributor",
          "created_at": "2026-04-21T03:36:14.401Z"
        },
        {
          "id": "e5f6a7b8-c9d0-1234-ef12-345678901234",
          "email": "demo.user@zurimed.com",
          "name": "Demo User",
          "created_at": "2026-04-21T03:36:14.401Z"
        },
        {
          "id": "d4e5f6a7-b8c9-0123-def1-234567890123",
          "email": "mark.manufacturer@zurimed.com",
          "name": "Mark Manufacturer",
          "created_at": "2026-04-21T03:36:14.401Z"
        }
      ],
      "assertion": "All 4 demo users should exist in the users table"
    },
    {
      "name": "No duplicate emails",
      "query": "SELECT email, COUNT(*) as count\n      FROM users\n      GROUP BY email\n      HAVING COUNT(*) > 1",
      "status": "pass",
      "rows": [],
      "assertion": "No email address should appear more than once in the users table. This grouping is byte-exact, so it would not detect case variants of the same address; confirm that uniqueness is enforced case-insensitively at the database or normalization layer."
    },
    {
      "name": "Passwords are hashed",
      "query": "SELECT id, email,\n        LEFT(password_hash, 10) as hash_prefix,\n        password_hash LIKE '$argon2id$%' as is_argon2\n      FROM users\n      WHERE email IN (\n        'alex.admin@zurimed.com',\n        'mark.manufacturer@zurimed.com',\n        'dan.distributor@stellartech.com',\n        'demo.user@zurimed.com'\n      )\n      ORDER BY email",
      "status": "pass",
      "rows": [
        {
          "id": "f6a7b8c9-d0e1-2345-f123-456789012345",
          "email": "alex.admin@zurimed.com",
          "hash_prefix": "$argon2id$",
          "is_argon2": true
        },
        {
          "id": "c3d4e5f6-a7b8-9012-cdef-123456789012",
          "email": "dan.distributor@stellartech.com",
          "hash_prefix": "$argon2id$",
          "is_argon2": true
        },
        {
          "id": "e5f6a7b8-c9d0-1234-ef12-345678901234",
          "email": "demo.user@zurimed.com",
          "hash_prefix": "$argon2id$",
          "is_argon2": true
        },
        {
          "id": "d4e5f6a7-b8c9-0123-def1-234567890123",
          "email": "mark.manufacturer@zurimed.com",
          "hash_prefix": "$argon2id$",
          "is_argon2": true
        }
      ],
      "assertion": "All password hashes should use the Argon2id algorithm (not plaintext). Only the '$argon2id$' prefix is checked; the memory, iteration and parallelism parameters encoded in the hash string are not asserted here."
    },
    {
      "name": "Recent sessions created",
      "query": "SELECT s.id as session_id, u.email, s.created_at, s.expires_at\n      FROM session s\n      JOIN users u ON s.user_id = u.id\n      WHERE u.email IN (\n        'alex.admin@zurimed.com',\n        'mark.manufacturer@zurimed.com',\n        'dan.distributor@stellartech.com'\n      )\n      AND s.created_at > NOW() - INTERVAL '10 minutes'\n      ORDER BY s.created_at DESC\n      LIMIT 10",
      "status": "pass",
      "rows": [
        {
          "session_id": "ef993f23ccc4fc7388ed5fdb8d9a240be989be2e51c672ac3f91905f2f2ad664",
          "email": "alex.admin@zurimed.com",
          "created_at": "2026-04-21T05:57:01.667Z",
          "expires_at": "2026-05-21T05:57:01.665Z"
        },
        {
          "session_id": "5fdd8f4dd4559e6c32352e841d56d505328018441bf1fed8497d0c851ab75b9a",
          "email": "dan.distributor@stellartech.com",
          "created_at": "2026-04-21T05:57:00.544Z",
          "expires_at": "2026-05-21T05:57:00.540Z"
        },
        {
          "session_id": "fddfaf9216b071eaf03f800640dc181098c6d6ae0b5c19b2abf468e7e84db816",
          "email": "alex.admin@zurimed.com",
          "created_at": "2026-04-21T05:56:53.178Z",
          "expires_at": "2026-05-21T05:56:53.174Z"
        },
        {
          "session_id": "c3364fd44f7445ac9ebbe3384e78e1f766b96a90e8b287a15859c17d6b1d10d5",
          "email": "alex.admin@zurimed.com",
          "created_at": "2026-04-21T05:56:10.207Z",
          "expires_at": "2026-05-21T05:56:10.205Z"
        },
        {
          "session_id": "de32ec1c03bca6eae56a28decca6ed88a8ab083479d45246d2d6997542f26ca8",
          "email": "mark.manufacturer@zurimed.com",
          "created_at": "2026-04-21T05:56:03.372Z",
          "expires_at": "2026-05-21T05:56:03.370Z"
        },
        {
          "session_id": "f020a4191c6ed13273bd9d24df24065f86b1433d8ef736f57806fe99791e1f30",
          "email": "dan.distributor@stellartech.com",
          "created_at": "2026-04-21T05:55:56.485Z",
          "expires_at": "2026-05-21T05:55:56.478Z"
        }
      ],
      "assertion": "Sessions should have been created within the last 10 minutes for users who logged in during the test. The returned rows also show expires_at set 30 days after created_at; that absolute session lifetime is an observation from this run, not something this check asserts."
    },
    {
      "name": "Locked user is inactive",
      "query": "SELECT u.email, om.active, om.organization_id\n      FROM organization_members om\n      JOIN users u ON om.user_id = u.id\n      WHERE u.email = 'demo.user@zurimed.com'",
      "status": "pass",
      "rows": [
        {
          "email": "demo.user@zurimed.com",
          "active": false,
          "organization_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
        },
        {
          "email": "demo.user@zurimed.com",
          "active": false,
          "organization_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901"
        },
        {
          "email": "demo.user@zurimed.com",
          "active": false,
          "organization_id": "6763fc17-7da1-47e3-851e-8f4fac570dc6"
        }
      ],
      "assertion": "demo.user@zurimed.com should have inactive org membership (locked account)"
    },
    {
      "name": "Global email uniqueness",
      "query": "SELECT COUNT(DISTINCT email) as unique_emails, COUNT(*) as total_users\n      FROM users\n      WHERE email IS NOT NULL",
      "status": "pass",
      "rows": [
        {
          "unique_emails": "12",
          "total_users": "12"
        }
      ],
      "assertion": "Every user should have a unique email address. Like the duplicate-email check, this comparison is byte-exact and does not cover case-insensitive duplicates."
    }
  ],
  "overallStatus": "pass",
  "outputDir": "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z",
  "auditStartTime": "2026-04-21T05:55:45.235Z",
  "auditEventEvidence": [
    {
      "createdAt": "2026-04-21T05:55:56.492Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "dan.distributor@stellartech.com",
      "userId": "c3d4e5f6-a7b8-9012-cdef-123456789012",
      "organizationName": "StellarTech Medical Solutions",
      "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "dan.distributor@stellartech.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    },
    {
      "createdAt": "2026-04-21T05:56:03.381Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "mark.manufacturer@zurimed.com",
      "userId": "d4e5f6a7-b8c9-0123-def1-234567890123",
      "organizationName": "ZuriMED",
      "organizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "mark.manufacturer@zurimed.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    },
    {
      "createdAt": "2026-04-21T05:56:10.213Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "alex.admin@zurimed.com",
      "userId": "f6a7b8c9-d0e1-2345-f123-456789012345",
      "organizationName": "ZuriMED",
      "organizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "alex.admin@zurimed.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    },
    {
      "createdAt": "2026-04-21T05:56:36.526Z",
      "eventType": "user_log",
      "action": "user:login_deactivated",
      "userEmail": "demo.user@zurimed.com",
      "userId": "e5f6a7b8-c9d0-1234-ef12-345678901234",
      "organizationName": "ZuriMED",
      "organizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "demo.user@zurimed.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    },
    {
      "createdAt": "2026-04-21T05:56:53.197Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "alex.admin@zurimed.com",
      "userId": "f6a7b8c9-d0e1-2345-f123-456789012345",
      "organizationName": "ZuriMED",
      "organizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "alex.admin@zurimed.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    },
    {
      "createdAt": "2026-04-21T05:57:00.555Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "dan.distributor@stellartech.com",
      "userId": "c3d4e5f6-a7b8-9012-cdef-123456789012",
      "organizationName": "StellarTech Medical Solutions",
      "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "dan.distributor@stellartech.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    },
    {
      "createdAt": "2026-04-21T05:57:01.671Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "alex.admin@zurimed.com",
      "userId": "f6a7b8c9-d0e1-2345-f123-456789012345",
      "organizationName": "ZuriMED",
      "organizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "alex.admin@zurimed.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    },
    {
      "createdAt": "2026-04-21T05:57:08.556Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "alex.admin@zurimed.com",
      "userId": "f6a7b8c9-d0e1-2345-f123-456789012345",
      "organizationName": "ZuriMED",
      "organizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "alex.admin@zurimed.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    }
  ],
  "auditQuery": "SELECT\n    ae.created_at,\n    ae.event_type,\n    ae.action,\n    ae.user_id,\n    u.email AS user_email,\n    ae.organization_id,\n    o.name AS organization_name,\n    ae.object_id,\n    ae.secondary_object_id,\n    ae.payload,\n    ae.route,\n    ae.trace_id\n  FROM audit_events ae\n  LEFT JOIN users u ON u.id = ae.user_id\n  LEFT JOIN organizations o ON o.id = ae.organization_id\n  WHERE ae.created_at >= $1\n    AND ae.organization_id = ANY($2::uuid[])\n  ORDER BY ae.created_at ASC",
  "videoPaths": [
    "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/videos/step-01-login-page.webm",
    "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/videos/step-02-valid-login-distributor.webm",
    "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/videos/step-03-valid-login-manufacturer.webm",
    "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/videos/step-04-valid-login-admin.webm",
    "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/videos/step-05-wrong-password.webm",
    "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/videos/step-06-nonexistent-email.webm",
    "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/videos/step-06b-locked-account.webm",
    "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/videos/step-07-empty-fields.webm",
    "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/videos/step-08-session-security.webm",
    "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/videos/step-09-session-isolation-a.webm",
    "/Users/jason/projects/casecohort/code/validation_test_results/urs-001-secure-login/2026-04-21T05-55-47-218Z/videos/step-10-logout.webm"
  ]
}