
Authentication - Login and Token Issuance #395

@najuna-brian

Description


Verifies that the login endpoint accepts valid credentials, returns a properly structured JWT token and refresh token, and that the issued token can be used to authenticate subsequent API requests.

Steps

  1. Ensure the Synkronus server is running and the admin user exists
  2. Send a POST request to /auth/login with a valid username and password:
    { "username": "admin", "password": "your-password" }
  3. Inspect the response body - verify it contains the fields token, refreshToken, and expiresAt
  4. Note the value of expiresAt - confirm it is a future timestamp
  5. Copy the token value
  6. Send a GET request to /users using the token as a Bearer header:
    Authorization: Bearer <token>
  7. Verify the response is 200 OK and returns the users list
  8. Attempt the same /users request with a deliberately malformed token (e.g. change one character)
  9. Verify the response is 401 Unauthorized

Expected Result

A valid login returns 200 OK with token, refreshToken, and expiresAt in the response body. The issued token successfully authenticates the /users endpoint. A malformed token is rejected with 401. No passwords or secrets appear in the response body.

Actual Result

(To be filled during testing)

Priority

High
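
The checks in steps 3, 4 and 8 and the no-secrets expectation can be scripted. The following is an added example, not part of the original issue or the Synkronus code base; it runs offline against a constructed response body and leaves the HTTP calls to whatever client the tester uses. The function names, the accepted `expiresAt` formats (epoch seconds or ISO 8601) and the reading of "properly structured" as a three-segment JWT whose header names a signing algorithm are assumptions.

```python
import base64, json, time
from datetime import datetime

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def to_epoch(value):
    # Assumption: expiresAt is epoch seconds or an ISO 8601 string.
    if isinstance(value, (int, float)):
        return float(value)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00")).timestamp()

def check_login_response(raw_body, password, now=None):
    """Steps 3-4 plus the no-secrets check; returns a list of failures."""
    now = time.time() if now is None else now
    body = json.loads(raw_body)
    missing = [k for k in ("token", "refreshToken", "expiresAt") if k not in body]
    if missing:
        return ["missing field: " + k for k in missing]
    failures = []
    parts = str(body["token"]).split(".")
    try:
        pad = "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(parts[0] + pad))
        if len(parts) != 3 or not all(parts) or header.get("alg", "none").lower() == "none":
            failures.append("token is not a signed three-segment JWT")
    except (ValueError, AttributeError):
        failures.append("JWT header is not base64url-encoded JSON")
    try:
        if to_epoch(body["expiresAt"]) <= now:
            failures.append("expiresAt is not in the future")
    except ValueError:
        failures.append("expiresAt is not a parseable timestamp")
    if password in raw_body or any(w in k.lower() for k in body for w in ("password", "secret")):
        failures.append("response body exposes a password or secret")
    return failures

def tamper(token):
    """Step 8: change one character in the middle of the signature segment.
    The final character is avoided: its low bits are base64 padding, so some
    substitutions there decode to the same signature bytes."""
    head, sig = token.rsplit(".", 1)
    i = len(sig) // 2
    return head + "." + sig[:i] + ("A" if sig[i] != "A" else "B") + sig[i + 1:]

# Constructed sample response (not captured from a real Synkronus server).
SAMPLE_TOKEN = ".".join(b64url(p) for p in (b'{"alg":"HS256","typ":"JWT"}', b'{"sub":"admin"}', bytes(range(32))))
SAMPLE_BODY = json.dumps({"token": SAMPLE_TOKEN, "refreshToken": "constructed-refresh-value", "expiresAt": "2099-01-01T00:00:00Z"})
```

Pass the raw body returned by /auth/login to `check_login_response`, and send the output of `tamper` as the Bearer token for step 8; an empty list and a 401 respectively are the passing results.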


Labels

- test: Issues related to tests, test coverage, or test infrastructure
- test:synkronus: Test case related to Synkronus and Portal
