managarten/QA_TESTING_CHECKLIST.md
2025-11-25 18:56:35 +01:00


# QA Testing Checklist: Authentication & Credit System
**Quick Reference for QA Engineers**
**Version:** 1.0
**Last Updated:** 2025-11-25
---
## Pre-Testing Setup
### Environment Verification
- [ ] Development environment configured
- [ ] Test user accounts created (test+user1@manacore.com, test+user2@manacore.com)
- [ ] Mock payment gateway configured (no real charges)
- [ ] Database seeded with test data
- [ ] Browser DevTools / React Native Debugger ready
### Test Data
```text
Test Users:
- test+user1@manacore.com (password: Test123!@#, credits: 1000)
- test+user2@manacore.com (password: Test123!@#, credits: 0)
- test+b2b@manacore.com (password: Test123!@#, B2B account)
Credit Packages:
- Small: 100 credits for 4.99
- Medium: 500 credits for 19.99
- Large: 1000 credits for 34.99
```
---
## Authentication Testing Checklist
### Registration Flow
- [ ] **New User Registration (Email/Password)**
  - Valid email and strong password → Account created
  - Weak password → Error message with requirements
  - Duplicate email → "Email already in use" error
  - Invalid email format → Validation error
  - Network timeout → Retry mechanism works
- [ ] **Google Sign-In**
  - First-time user → Account created with Google profile
  - Returning user → Logged into existing account
  - Invalid token → Error message
  - Email conflict → Account linking
- [ ] **Apple Sign-In**
  - First-time user → Account created
  - Private relay email → Handled correctly
  - Returning user → Logged in successfully
### Login Flow
- [ ] **Successful Login**
  - Valid credentials → Logged in, tokens stored
  - User redirected to home screen
  - Credit balance visible
- [ ] **Failed Login**
  - Invalid password → "Invalid credentials" error
  - Non-existent email → "Invalid credentials" error
  - Email not verified → "Email not verified" error
- [ ] **Session Persistence**
  - Close app completely
  - Reopen app → User still logged in
  - No re-login required
### Logout Flow
- [ ] **Standard Logout**
  - Click logout button
  - Tokens cleared from storage
  - User redirected to login screen
  - Old tokens no longer work (401 error on API calls)
- [ ] **Logout with Network Failure**
  - Disable network
  - Click logout
  - Local tokens still cleared
  - User marked as logged out in UI
### Token Refresh
- [ ] **Automatic Token Refresh**
  - Wait for token to expire (or manually expire)
  - Make API call
  - Verify automatic refresh triggered
  - API call succeeds after refresh
  - No user interaction required
- [ ] **Concurrent Refresh Prevention**
  - Trigger 5 API calls simultaneously with expired token
  - Verify only 1 refresh request sent
  - All 5 API calls succeed after refresh
- [ ] **Refresh Token Expired**
  - Manually expire refresh token
  - Attempt to refresh
  - User logged out with "Session expired" message
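The behaviour the Concurrent Refresh Prevention case checks, as an added example rather than code from this repo: an API client that shares one in-flight refresh among every request that hits a 401. The fake auth server, token strings and latency are constructed for the demo.

```javascript
// Added example (not code from the managarten repo). A fake auth server stands in
// for the backend: token strings, the expired set and the 10 ms latency are constructed.
class FakeAuthServer {
  constructor() { this.refreshCount = 0; this.expired = new Set(['access-v1']); }
  async api(token) {
    if (this.expired.has(token)) { const e = new Error('unauthorized'); e.status = 401; throw e; }
    return { ok: true, token };
  }
  async refresh() {
    this.refreshCount += 1;                               // one network refresh request
    await new Promise((r) => setTimeout(r, 10));          // simulated latency
    return `access-v${this.refreshCount + 1}`;
  }
}

class ApiClient {
  constructor(server) { this.server = server; this.token = 'access-v1'; this.inflight = null; }
  // Every caller that sees a 401 while a refresh is pending awaits the same promise,
  // so the server receives exactly one refresh request (the "single-flight" pattern).
  refreshOnce() {
    if (!this.inflight) {
      this.inflight = this.server.refresh()
        .then((t) => { this.token = t; return t; })
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }
  async call() {
    try {
      return await this.server.api(this.token);
    } catch (e) {
      if (e.status !== 401) throw e;
      await this.refreshOnce();
      return this.server.api(this.token);                 // retry once with the new token
    }
  }
}

// Reproduces "Concurrent Refresh Prevention": n calls fired with an expired token.
async function runConcurrentRefreshCase(n = 5) {
  const server = new FakeAuthServer();
  const client = new ApiClient(server);
  const results = await Promise.all(Array.from({ length: n }, () => client.call()));
  return { refreshCount: server.refreshCount, succeeded: results.filter((r) => r.ok).length };
}
```

Without the shared `inflight` promise each of the five callers would issue its own refresh, which is exactly the failure this test case is meant to catch.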
### Multi-Device Login
- [ ] **Login on Multiple Devices**
  - Login on iOS device
  - Login on Android device (same user)
  - Login on web browser (same user)
  - All devices have valid sessions
  - Token refresh on one device doesn't affect others
### Password Reset
- [ ] **Request Password Reset**
  - Enter email, click "Forgot Password"
  - Reset email received within 5 minutes
  - Click link in email
  - Reset password successfully
  - Login with new password
- [ ] **Rate Limiting**
  - Request password reset 3 times rapidly
  - 4th request blocked with "Too many attempts" message
---
## Credit System Testing Checklist
### Credit Purchase
- [ ] **Successful Purchase (Mock)**
  - Select 100 credit package
  - Initiate checkout
  - Complete mock payment
  - Verify balance increased by 100
  - Transaction visible in history
- [ ] **Failed Payment**
  - Initiate purchase
  - Simulate declined card
  - Verify no credits added
  - User notified of failure
  - Retry option available
- [ ] **Duplicate Webhook (Idempotency)**
  - Complete successful purchase
  - Replay same webhook
  - Verify credits not double-added
  - Balance remains correct
### Credit Balance
- [ ] **Balance Check**
  - Call `/auth/credits` endpoint
  - Verify balance matches database
  - Response time < 500ms
- [ ] **Cross-App Visibility**
  - Login to Memoro app
  - Check credit balance
  - Login to Maerchenzauber app (same user)
  - Verify same balance displayed
  - Real-time sync (< 1 second)
- [ ] **Negative Balance Prevention**
  - User has 5 credits
  - Attempt operation requiring 10 credits
  - Operation blocked with "Insufficient credits" error
  - Balance unchanged
### Credit Consumption
- [ ] **Standard Deduction**
  - User has 100 credits
  - Perform operation costing 10 credits (e.g., create story)
  - Verify validation before operation
  - Operation completes successfully
  - Credits deducted (balance = 90)
  - Transaction logged
- [ ] **Failed Operation (No Charge)**
  - User has 100 credits
  - Validation passes
  - Operation fails (simulate AI service error)
  - Verify NO credits deducted
  - Balance still 100
  - User can retry
- [ ] **Concurrent Deduction**
  - User has 100 credits
  - Trigger 3 operations simultaneously (30 credits each)
  - All 3 operations complete successfully
  - Total deducted: 90 credits
  - Final balance: 10 credits
  - No over-deduction or under-deduction
- [ ] **Insufficient Balance During Concurrent Operations**
  - User has 10 credits
  - Trigger 2 operations simultaneously (8 credits each)
  - First operation succeeds (balance 2)
  - Second operation fails with "Insufficient credits"
  - User refunded if pre-charged
### Credit Refund
- [ ] **Failed Operation Refund**
  - Credits deducted for operation
  - Operation fails after deduction
  - Refund process triggered
  - Credits restored to balance
  - Transaction marked "refunded"
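The guarantees behind Concurrent Deduction, Insufficient Balance During Concurrent Operations and Failed Operation Refund, as an added example (not the project's credit service): an in-memory ledger with an atomic check-and-deduct and a charge/run/refund wrapper. User ids, costs and the simulated operation are constructed for the demo.

```javascript
// Added example (not the project's credit service). In a real backend the atomic
// check-and-deduct below is one conditional statement, e.g.
//   UPDATE credits SET balance = balance - :cost WHERE user_id = :id AND balance >= :cost
// (or a row lock in a transaction); a read followed by a separate write is what lets
// concurrent operations over-spend. User ids, costs and the operation are constructed.
class CreditLedger {
  constructor() { this.balances = new Map(); this.transactions = []; }
  setBalance(userId, amount) { this.balances.set(userId, amount); }
  getBalance(userId) { return this.balances.get(userId) ?? 0; }
  // Synchronous, so no other deduction can interleave between the check and the write.
  deduct(userId, cost, operation) {
    const balance = this.getBalance(userId);
    if (balance < cost) return null;                       // "Insufficient credits"
    this.balances.set(userId, balance - cost);
    const tx = { id: this.transactions.length + 1, userId, operation, amount: -cost, status: 'charged' };
    this.transactions.push(tx);
    return tx;
  }
  refund(tx) {
    if (tx.status !== 'charged') return;                   // refund at most once
    this.balances.set(tx.userId, this.getBalance(tx.userId) - tx.amount);
    tx.status = 'refunded';
  }
}

// Charge first, run the operation, restore the credits if it fails:
// a failed operation never costs the user anything and leaves a "refunded" transaction.
async function runChargedOperation(ledger, userId, cost, operation, work) {
  const tx = ledger.deduct(userId, cost, operation);
  if (!tx) return { ok: false, error: 'Insufficient credits' };
  try {
    return { ok: true, result: await work(), txId: tx.id };
  } catch (err) {
    ledger.refund(tx);
    return { ok: false, error: err.message, refundedTxId: tx.id };
  }
}

// Reproduces "Concurrent Deduction": three simultaneous 30-credit operations on 100 credits.
async function runConcurrentDeductionCase() {
  const ledger = new CreditLedger();
  ledger.setBalance('user1', 100);
  const slowWork = () => new Promise((r) => setTimeout(() => r('story'), 5));
  const results = await Promise.all([1, 2, 3].map(() => runChargedOperation(ledger, 'user1', 30, 'create story', slowWork)));
  return { succeeded: results.filter((r) => r.ok).length, balance: ledger.getBalance('user1') };
}
```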
### Transaction History
- [ ] **View Transaction History**
  - Navigate to transaction history page
  - All transactions displayed chronologically
  - Each entry shows: Date, Operation, Amount, Balance
  - Pagination works for large histories
---
## Integration Testing Checklist
### Mobile Apps
- [ ] **iOS App (Memoro)**
  - Register account
  - Tokens stored in iOS Keychain (SecureStore)
  - Close and reopen app → Session persists
  - Make API call → Authentication succeeds
  - Background token refresh works
- [ ] **Android App (Memoro)**
  - Register account
  - Tokens stored in Android Keystore (SecureStore)
  - Close and reopen app → Session persists
  - Make API call → Authentication succeeds
  - Background token refresh works
### Web Apps
- [ ] **SvelteKit Web (Memoro)**
  - Register account
  - Tokens stored in localStorage
  - Refresh browser page → Session persists
  - Protected routes accessible
  - Token refresh works
- [ ] **Cross-Browser Testing**
  - Test in Chrome, Safari, Firefox, Edge
  - All browsers work identically
  - Token refresh consistent across browsers
### Cross-App Integration
- [ ] **Memoro to Maerchenzauber**
  - Login to Memoro
  - Open Maerchenzauber (same device)
  - Verify authentication state
  - Check credit balance synchronized
- [ ] **Multi-App Credit Consumption**
  - User has 100 credits
  - Consume 30 credits in Memoro
  - Check balance in Maerchenzauber → 70 credits
  - Consume 20 credits in Maerchenzauber
  - Check balance in both apps → 50 credits
### Payment Gateway (RevenueCat)
- [ ] **iOS Purchase Flow**
  - Login to iOS app
  - Navigate to subscription page
  - Purchase 100 credits
  - Complete Apple Pay transaction
  - Verify webhook received
  - Credits added to account
- [ ] **Android Purchase Flow**
  - Login to Android app
  - Purchase credits
  - Complete Google Play transaction
  - Verify webhook and credit update
- [ ] **Web Purchase Flow**
  - Login to web app
  - Purchase credits via Stripe
  - Complete payment
  - Verify webhook and credit update
---
## Security Testing Checklist
### Authentication Security
- [ ] **SQL Injection Prevention**
  - Test login with payloads: `admin'--`, `' OR '1'='1`, `'; DROP TABLE users;--`
  - All attempts rejected with 400/401
  - Payload reaches the database only as a bound parameter value; no injected SQL executes
- [ ] **JWT Token Manipulation**
  - Obtain valid token
  - Modify claims (user ID, role, credits)
  - Submit modified token
  - Request rejected with 401
- [ ] **Token Expiration Enforcement**
  - Obtain valid token
  - Wait for expiration
  - Use expired token → 401 error
  - Automatic refresh triggered
- [ ] **Brute Force Protection**
  - Attempt login with wrong password 5 times
  - 6th attempt blocked with 429 status
  - Lockout duration: 15 minutes
- [ ] **Password Storage**
  - Access database directly
  - Verify password hashed (bcrypt/Argon2)
  - No plaintext passwords
### Credit Security
- [ ] **Balance Tampering**
  - Attempt to modify balance via API manipulation
  - Modify client-side storage
  - All attempts rejected
  - Balance unchanged
- [ ] **Unauthorized Deduction**
  - User A attempts to deduct credits from User B
  - Forge JWT with different user ID
  - All attempts fail with 401/403
- [ ] **Replay Attack**
  - Capture valid webhook
  - Replay webhook multiple times
  - Only first processed
  - No double-crediting
### Rate Limiting
- [ ] **API Rate Limiting**
  - Make 100 API requests in 1 minute
  - Verify rate limit enforced (429 after limit)
  - Retry-After header provided
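A limiter that reproduces Brute Force Protection (5 failures, then 429 with Retry-After and a 15-minute lockout) and the password-reset limit of 3 requests, as an added example rather than the project's middleware. The key format, window length and injected clock are assumptions for the demo.

```javascript
// Added example (not the project's code): a sliding-window attempt limiter with a lockout.
// A clock function is injected so tests can advance time instead of sleeping.
class AttemptLimiter {
  constructor({ maxAttempts, windowMs, lockoutMs, now = () => Date.now() }) {
    Object.assign(this, { maxAttempts, windowMs, lockoutMs, now });
    this.state = new Map();                                   // key -> { attempts: [ms], lockedUntil }
  }
  // Call before handling a request; returns { allowed, status, retryAfterSec }.
  check(key) {
    const t = this.now();
    const s = this.state.get(key) ?? { attempts: [], lockedUntil: 0 };
    if (s.lockedUntil > t) {
      return { allowed: false, status: 429, retryAfterSec: Math.ceil((s.lockedUntil - t) / 1000) };
    }
    s.attempts = s.attempts.filter((ts) => t - ts < this.windowMs); // drop attempts outside the window
    this.state.set(key, s);
    return { allowed: true, status: 200, retryAfterSec: 0 };
  }
  // Call after a failed attempt (wrong password, reset request); reaching the limit starts the lockout.
  recordFailure(key) {
    const t = this.now();
    const s = this.state.get(key) ?? { attempts: [], lockedUntil: 0 };
    s.attempts.push(t);
    if (s.attempts.length >= this.maxAttempts) { s.lockedUntil = t + this.lockoutMs; s.attempts = []; }
    this.state.set(key, s);
  }
  reset(key) { this.state.delete(key); }                      // on successful login
}

// Reproduces "Brute Force Protection": 5 wrong passwords, 6th attempt blocked for 15 minutes.
function runBruteForceCase() {
  let clock = 0;
  const limiter = new AttemptLimiter({ maxAttempts: 5, windowMs: 60_000, lockoutMs: 15 * 60_000, now: () => clock });
  const key = 'login:test+user1@manacore.com';              // key format is an assumption
  const statuses = [];
  for (let i = 0; i < 6; i++) {
    const c = limiter.check(key);
    statuses.push(c.status);
    if (c.allowed) limiter.recordFailure(key);                // simulate a wrong password
  }
  const blocked = limiter.check(key);
  clock += 15 * 60_000;                                       // lockout elapsed
  return { statuses, retryAfterSec: blocked.retryAfterSec, afterLockout: limiter.check(key).status };
}
```

The same class with `maxAttempts: 3` covers the password-reset case (3 requests accepted, 4th blocked); keying on account plus client address keeps one caller from locking out another.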
---
## Performance Testing Checklist
### Load Testing
- [ ] **Concurrent User Logins**
  - Simulate 1000 users logging in concurrently
  - 95% of requests complete in < 2 seconds
  - Success rate > 99%
  - No server crashes
- [ ] **Token Refresh Under Load**
  - 500 users with expired tokens make API calls
  - All refreshes succeed
  - Avg response time < 1 second
  - No request timeouts
- [ ] **Credit Balance Checks at Scale**
  - 2000 users checking balance simultaneously
  - Query time < 50ms
  - Database connection pool stable
### Stress Testing
- [ ] **Credit Deduction Stress**
  - 100 users each perform 50 operations (5000 total)
  - All operations complete successfully
  - No over-deductions or under-deductions
  - Final balances reconcile
---
## Acceptance Criteria Validation
### Authentication System
- [ ] User can register in < 3 seconds
- [ ] User can login in < 2 seconds
- [ ] Token refresh is automatic
- [ ] User stays logged in for 30 days
- [ ] Password reset email arrives within 5 minutes
- [ ] Multi-device login works (up to 5 devices)
- [ ] 99.9% uptime
### Credit System
- [ ] Balance updates within 1 second of purchase
- [ ] Deduction only after operation succeeds
- [ ] Failed operations never charge
- [ ] Balance visible across apps in < 1 second
- [ ] Transaction history available for 24 months
- [ ] No race conditions allow negative balance
- [ ] Refunds processed within 1 hour
### Integration
- [ ] Mobile apps support iOS 14+ and Android 10+
- [ ] Web works on Chrome, Safari, Firefox, Edge
- [ ] RevenueCat purchase completes in < 30 seconds
- [ ] API response time < 500ms (95%)
- [ ] Cross-app auth works seamlessly
### Security
- [ ] No plaintext passwords
- [ ] JWT secured with RS256
- [ ] Rate limiting prevents brute force
- [ ] SQL injection blocked 100%
- [ ] 0 critical/high XSS vulnerabilities
- [ ] Penetration test: No critical issues
### Performance
- [ ] 1000 concurrent users supported
- [ ] 99th percentile response < 3 seconds
- [ ] Token refresh < 2 seconds
- [ ] Credit balance check < 100ms
- [ ] Scalable to 10M users
---
## Bug Reporting
### When to File a Bug
- Any test case fails
- Security vulnerability discovered
- Performance below targets
- Unexpected behavior
- Inconsistent cross-platform behavior
### Bug Report Template
```markdown
**Title:** [Brief description]
**Severity:** Critical / High / Medium / Low
**Environment:** Dev / Staging / Production
**Device/Browser:** [Details]
**Steps to Reproduce:**
1. [Step 1]
2. [Step 2]
**Expected:** [What should happen]
**Actual:** [What actually happens]
**Screenshots/Logs:** [Attach evidence]
**Related Test Case:** TC-XXX-XXX-XXX
```
### Severity Guidelines
- **Critical:** System crash, data loss, security breach, payment failure
- **High:** Feature broken, workaround difficult, affects many users
- **Medium:** Feature partially broken, workaround available
- **Low:** Minor issue, cosmetic, affects few users
---
## Post-Testing
### Test Summary Report
- [ ] Total test cases executed
- [ ] Pass/Fail/Blocked count
- [ ] Critical bugs found
- [ ] Performance metrics captured
- [ ] Security issues identified
- [ ] Recommendations for release
### Sign-Off Criteria
- [ ] All P0 test cases passed
- [ ] 0 critical bugs open
- [ ] < 3 high priority bugs open
- [ ] Performance targets met
- [ ] Security scan clean
- [ ] Stakeholder approval
---
## Quick Links
- **Full Test Strategy:** `/TESTING_STRATEGY_AUTH_CREDITS.md`
- **Executive Summary:** `/TESTING_STRATEGY_EXECUTIVE_SUMMARY.md`
- **Developer Auth Testing Guide:** `maerchenzauber/apps/mobile/AUTH_TESTING_GUIDE.md`
- **Credit System Documentation:** `manadeck/CREDIT_SYSTEM.md`
- **Shared Auth Package:** `packages/shared-auth/README.md`
---
**Happy Testing!**
*For questions or issues, contact the QA lead or refer to the full testing strategy document.*