# Slice 1 Testing Checklist

## Comprehensive Testing Guide for Admin → Vendor Creation → Vendor Login

Use this checklist to verify that Slice 1 is working correctly before moving to Slice 2.

## 🎯 Testing Overview

This checklist covers:

- ✅ Backend API functionality
- ✅ Frontend user interface
- ✅ Database integrity
- ✅ Security and authentication
- ✅ Vendor isolation
- ✅ Error handling

---

## 1️⃣ Backend API Tests

### Authentication Endpoints

#### Test: Admin Login

```bash
curl -X POST http://localhost:8000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"admin123"}'
```

**Expected Response**:

```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGc...",
  "token_type": "bearer",
  "expires_in": 1800,
  "user": {
    "id": 1,
    "username": "admin",
    "email": "admin@platform.com",
    "role": "admin",
    "is_active": true
  }
}
```

- [ ] Response status is 200
- [ ] Token is returned
- [ ] User role is "admin"
- [ ] Token is in valid JWT format

#### Test: Invalid Login

```bash
curl -X POST http://localhost:8000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"wrongpassword"}'
```

**Expected Response**:

```json
{
  "detail": "Incorrect username or password"
}
```

- [ ] Response status is 401 or 400
- [ ] Error message is returned
- [ ] No token is provided

#### Test: Get Current User

```bash
TOKEN="your_admin_token_here"
curl -X GET http://localhost:8000/api/v1/auth/me \
  -H "Authorization: Bearer $TOKEN"
```

**Expected Response**:

```json
{
  "id": 1,
  "username": "admin",
  "email": "admin@platform.com",
  "role": "admin",
  "is_active": true,
  "created_at": "2025-01-15T10:00:00",
  "updated_at": "2025-01-15T10:00:00"
}
```

- [ ] Response status is 200
- [ ] User details are correct
- [ ] Timestamps are present

### Vendor Management Endpoints

#### Test: Create Vendor

```bash
TOKEN="your_admin_token_here"
curl -X POST http://localhost:8000/api/v1/admin/vendors \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "vendor_code": "TESTVENDOR",
    "name": "Test Vendor Store",
    "subdomain": "testvendor",
    "owner_email": "owner@testvendor.com",
    "description": "Test vendor for verification"
  }'
```

**Expected Response**:

```json
{
  "id": 1,
  "vendor_code": "TESTVENDOR",
  "subdomain": "testvendor",
  "name": "Test Vendor Store",
  "owner_user_id": 2,
  "owner_email": "owner@testvendor.com",
  "owner_username": "testvendor_owner",
  "temporary_password": "Xy7$mK9p!Qz2",
  "is_active": true,
  "is_verified": true,
  "created_at": "2025-01-15T10:05:00"
}
```

- [ ] Response status is 200 or 201
- [ ] Vendor is created with uppercase code
- [ ] Owner user is created
- [ ] Temporary password is generated
- [ ] Vendor is auto-verified

#### Test: Duplicate Vendor Code

```bash
# Try to create a vendor with the same code
TOKEN="your_admin_token_here"
curl -X POST http://localhost:8000/api/v1/admin/vendors \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "vendor_code": "TESTVENDOR",
    "name": "Another Store",
    "subdomain": "anothershop",
    "owner_email": "another@test.com"
  }'
```

**Expected Response**:

```json
{
  "detail": "Vendor with code 'TESTVENDOR' already exists"
}
```

- [ ] Response status is 400 or 409
- [ ] Appropriate error message
- [ ] No vendor is created

#### Test: Get All Vendors

```bash
TOKEN="your_admin_token_here"
curl -X GET http://localhost:8000/api/v1/admin/vendors \
  -H "Authorization: Bearer $TOKEN"
```

**Expected Response**:

```json
{
  "vendors": [
    {
      "id": 1,
      "vendor_code": "TESTVENDOR",
      "name": "Test Vendor Store",
      "subdomain": "testvendor",
      "is_active": true,
      "is_verified": true
    }
  ],
  "total": 1,
  "skip": 0,
  "limit": 100
}
```

- [ ] Response status is 200
- [ ] Vendor list is returned
- [ ] Pagination info is included

#### Test: Admin Dashboard Stats

```bash
TOKEN="your_admin_token_here"
curl -X GET http://localhost:8000/api/v1/admin/dashboard \
  -H "Authorization: Bearer $TOKEN"
```

**Expected Response**:

```json
{
  "platform": {
    "name": "Multi-Tenant Ecommerce Platform",
    "version": "1.0.0"
  },
  "users": {
    "total_users": 2,
    "active_users": 2,
    "inactive_users": 0
  },
  "vendors": {
    "total_vendors": 1,
    "active_vendors": 1,
    "verified_vendors": 1
  },
  "recent_vendors": [],
  "recent_imports": []
}
```

- [ ] Response status is 200
- [ ] Statistics are accurate
- [ ] Recent lists are arrays

### Authorization Tests

#### Test: Non-Admin Cannot Access Admin Endpoints

```bash
# First log in as the vendor owner
curl -X POST http://localhost:8000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"testvendor_owner","password":"[temp_password]"}'

# Try to access an admin endpoint with the vendor owner's token
VENDOR_TOKEN="vendor_token_here"
curl -X GET http://localhost:8000/api/v1/admin/vendors \
  -H "Authorization: Bearer $VENDOR_TOKEN"
```

**Expected Response**:

```json
{
  "detail": "Admin privileges required"
}
```

- [ ] Response status is 403
- [ ] Access is denied
- [ ] Appropriate error message

#### Test: Unauthenticated Access Denied

```bash
curl -X GET http://localhost:8000/api/v1/admin/vendors
```

**Expected Response**:

```json
{
  "detail": "Authorization header required"
}
```

- [ ] Response status is 401
- [ ] No data is returned

---

## 2️⃣ Frontend UI Tests

### Admin Login Page

**URL**: `http://localhost:8000/static/admin/login.html`

#### Test: Page Loads Correctly

- [ ] Page loads without errors
- [ ] Login form is visible
- [ ] Username and password fields present
- [ ] Submit button is enabled
- [ ] No console errors (F12)

#### Test: Successful Admin Login

1. Enter username: `admin`
2. Enter password: `admin123`
3. Click "Sign In"

**Expected**:

- [ ] Button shows loading spinner
- [ ] Success message appears
- [ ] Redirects to `/static/admin/dashboard.html`
- [ ] No console errors

#### Test: Failed Login

1. Enter username: `admin`
2. Enter password: `wrongpassword`
3. Click "Sign In"

**Expected**:

- [ ] Error message displayed
- [ ] Form fields highlighted
- [ ] No redirect occurs
- [ ] Can retry login

#### Test: Form Validation

1. Leave username empty
2. Click "Sign In"

**Expected**:

- [ ] Error message for username
- [ ] Form doesn't submit
- [ ] Field is highlighted

### Admin Dashboard

**URL**: `http://localhost:8000/static/admin/dashboard.html`

#### Test: Dashboard Loads

- [ ] Page loads successfully
- [ ] Admin username displayed in header
- [ ] Logout button visible
- [ ] Navigation sidebar present
- [ ] Stats cards show numbers
- [ ] No console errors

#### Test: Statistics Display

- [ ] Total Vendors count is correct
- [ ] Total Users count is correct
- [ ] Active users count matches
- [ ] Verified vendors count matches
- [ ] All stats are numbers (not "-" or "undefined")

#### Test: Navigation

1. Click "Vendors" in sidebar

**Expected**:

- [ ] View changes to vendors list
- [ ] Nav item is highlighted
- [ ] Page doesn't reload

#### Test: Logout

1. Click "Logout" button
2. Confirm logout

**Expected**:

- [ ] Confirmation dialog appears
- [ ] Token is removed from localStorage
- [ ] Redirects to `/static/admin/login.html`

### Vendor Creation Page

**URL**: `http://localhost:8000/static/admin/vendors.html`

#### Test: Form Validation

1. Try to submit empty form

   **Expected**:
   - [ ] Required field errors shown
   - [ ] Form doesn't submit

2. Enter invalid vendor code (lowercase)

   **Expected**:
   - [ ] Input auto-converts to uppercase

3. Enter invalid subdomain (uppercase)

   **Expected**:
   - [ ] Input auto-converts to lowercase

4. Enter invalid email

   **Expected**:
   - [ ] Browser validation catches it

#### Test: Create Vendor Successfully

1. Fill form:
   - Vendor Code: `DEMOSTORE`
   - Name: `Demo Store`
   - Subdomain: `demostore`
   - Owner Email: `owner@demostore.com`
2. Click "Create Vendor"

**Expected**:

- [ ] Loading spinner appears
- [ ] Success message displayed
- [ ] Credentials card shows:
  - [ ] Vendor Code
  - [ ] Subdomain
  - [ ] Owner Username
  - [ ] Owner Email
  - [ ] Temporary Password
  - [ ] Login URL
- [ ] Form is hidden
- [ ] Can create another vendor

#### Test: Duplicate Vendor Handling

1. Try to create a vendor with an existing code

**Expected**:

- [ ] Error message displayed
- [ ] Form stays visible
- [ ] Can fix and retry

### Vendor Login Page

**URL**: `http://localhost:8000/vendor/demostore/login`

#### Test: Vendor Context Detection

- [ ] Page loads correctly
- [ ] Vendor name displayed: "demostore"
- [ ] Form is visible
- [ ] No "Vendor Not Found" message

#### Test: Invalid Vendor URL

**URL**: `http://localhost:8000/vendor/nonexistent/login`

**Expected**:

- [ ] "Vendor Not Found" message
- [ ] Form is hidden
- [ ] Back button visible

#### Test: Vendor Owner Login

1. Enter username from creation: `demostore_owner`
2. Enter temporary password
3. Click "Sign In"

**Expected**:

- [ ] Loading spinner
- [ ] Success message
- [ ] Redirects to vendor dashboard
- [ ] No console errors

### Vendor Dashboard

**URL**: Redirect after login

#### Test: Dashboard Display

- [ ] Page loads successfully
- [ ] Shows "DEMOSTORE Dashboard"
- [ ] Username displayed
- [ ] Vendor info card shows:
  - [ ] Vendor Code: DEMOSTORE
  - [ ] Owner email
  - [ ] Active/Verified badges
  - [ ] Context detection info
- [ ] "Coming in Slice 2" message visible

#### Test: Vendor Context Display

- [ ] Correct subdomain shown
- [ ] Context method displayed (path or subdomain)
- [ ] No errors in console

---

## 3️⃣ Database Tests

### Check Table Creation

```bash
# Connect to the database
psql -U postgres -d multitenant_ecommerce
```

```sql
-- List all tables (psql meta-command)
\dt
-- Expected tables:
-- users, vendors, roles, vendor_users
```

- [ ] All required tables exist
- [ ] No missing tables

### Check Admin User

```sql
SELECT id, username, email, role, is_active
FROM users
WHERE role = 'admin';
```

**Expected**:

```
 id | username | email              | role  | is_active
----+----------+--------------------+-------+-----------
  1 | admin    | admin@platform.com | admin | t
```

- [ ] Admin user exists
- [ ] Role is "admin"
- [ ] Is active

### Check Vendor Creation

```sql
SELECT id, vendor_code, subdomain, name, owner_user_id, is_active, is_verified
FROM vendors
WHERE vendor_code = 'DEMOSTORE';
```

**Expected**:

```
 id | vendor_code | subdomain | name       | owner_user_id | is_active | is_verified
----+-------------+-----------+------------+---------------+-----------+-------------
  1 | DEMOSTORE   | demostore | Demo Store |             2 | t         | t
```

- [ ] Vendor exists
- [ ] Vendor code is uppercase
- [ ] Subdomain is lowercase
- [ ] Owner user ID is set
- [ ] Is active and verified

### Check Owner User Creation

```sql
SELECT id, username, email, role, is_active
FROM users
WHERE email = 'owner@demostore.com';
```

**Expected**:

```
 id | username        | email               | role | is_active
----+-----------------+---------------------+------+-----------
  2 | demostore_owner | owner@demostore.com | user | t
```

- [ ] Owner user exists
- [ ] Username follows the `<subdomain>_owner` pattern
- [ ] Email is correct
- [ ] Role is "user" (not admin)
- [ ] Is active

### Check Default Roles

```sql
SELECT id, name, vendor_id
FROM roles
WHERE vendor_id = (SELECT id FROM vendors WHERE vendor_code = 'DEMOSTORE')
ORDER BY name;
```

**Expected**:

```
 id | name    | vendor_id
----+---------+-----------
  1 | Editor  |         1
  2 | Manager |         1
  3 | Owner   |         1
  4 | Viewer  |         1
```

- [ ] All 4 default roles created
- [ ] Roles linked to correct vendor
- [ ] Names are correct

### Check Data Isolation

```sql
-- Create a second vendor via the API, then check isolation
SELECT v.vendor_code, u.username, u.email
FROM vendors v
JOIN users u ON v.owner_user_id = u.id
ORDER BY v.id;
```

**Expected**:

- [ ] Each vendor has a unique owner
- [ ] No shared users between vendors
- [ ] Owner relationships are correct

---

## 4️⃣ Security Tests

### Password Hashing

```sql
SELECT username, hashed_password
FROM users
WHERE username IN ('admin', 'demostore_owner');
```

- [ ] Passwords are hashed (not plain text)
- [ ] Hashes start with "$2b$" (bcrypt)
- [ ] Each hash is unique

### JWT Token Validation

```javascript
// In browser console after login:
const token = localStorage.getItem('admin_token');
const parts = token.split('.');
// JWT segments are base64url ('-' and '_' instead of '+' and '/', no '=' padding),
// which atob() rejects; convert to standard base64 and restore padding first
const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
const padded = b64.padEnd(b64.length + ((4 - (b64.length % 4)) % 4), '=');
const payload = JSON.parse(atob(padded));
console.log(payload);
```

**Expected**:

```json
{
  "sub": "1",
  "username": "admin",
  "email": "admin@platform.com",
  "role": "admin",
  "exp": 1705320000,
  "iat": 1705318200
}
```

- [ ] Token has 3 parts (header.payload.signature)
- [ ] Payload contains user info
- [ ] Expiration time is set
- [ ] Role is included

Note that decoding the payload in the console only shows what the token claims; it does not verify the signature. The server must verify the signature before trusting the `role` claim.

### Authorization Boundary

Test that vendors cannot access each other's data:

1. Login as owner of DEMOSTORE
2. Try to access DEMOSTORE2 dashboard

**Expected**:

- [ ] Access denied or context mismatch
- [ ] No data from other vendor visible

---

## 5️⃣ Error Handling Tests

### Test Invalid URLs

1. Visit: `http://localhost:8000/vendor//login` (empty subdomain)

   **Expected**:
   - [ ] Handled gracefully
   - [ ] No server error
   - [ ] User-friendly message

2. Visit: `http://localhost:8000/vendor/invalid-shop-name/login`

   **Expected**:
   - [ ] "Vendor Not Found" message
   - [ ] No error 500
   - [ ] Can navigate back

### Test Network Errors

1. Stop the backend server
2. Try to login from frontend

**Expected**:

- [ ] Error message displayed
- [ ] No infinite loading
- [ ] Can retry

### Test Database Errors

1. Stop PostgreSQL
2. Try to access API endpoint

**Expected**:

- [ ] 503 Service Unavailable or similar
- [ ] Error logged on server
- [ ] No data corruption

---

## 6️⃣ Performance Tests

### Page Load Times

- [ ] Admin login page loads < 1 second
- [ ] Dashboard loads < 2 seconds
- [ ] Vendor creation completes < 3 seconds

### API Response Times

```bash
# Measure API response time
time curl -X GET http://localhost:8000/api/v1/admin/vendors \
  -H "Authorization: Bearer $TOKEN"
```

- [ ] Most endpoints respond < 500ms
- [ ] Dashboard stats < 1 second
- [ ] Vendor creation < 2 seconds

---

## 7️⃣ Cross-Browser Tests

Test in multiple browsers:

- [ ] Chrome: All features work
- [ ] Firefox: All features work
- [ ] Safari: All features work
- [ ] Edge: All features work

---

## ✅ Final Verification

### Complete Flow Test

1. **Admin Login**:
   - [ ] Login successful
   - [ ] Dashboard displays
2. **Create Vendor**:
   - [ ] Form validates correctly
   - [ ] Vendor created successfully
   - [ ] Credentials displayed
3. **Vendor Login**:
   - [ ] Can access vendor login page
   - [ ] Login with generated credentials
   - [ ] Dashboard displays
4. **Verify Isolation**:
   - [ ] Cannot access other vendor's data
   - [ ] Context detection works
   - [ ] Database shows proper relationships
5. **Admin Management**:
   - [ ] Can see all vendors
   - [ ] Can verify/unverify vendors
   - [ ] Statistics are accurate

### Sign-off Checklist

Before moving to Slice 2, confirm:

- [ ] All backend API tests pass
- [ ] All frontend UI tests pass
- [ ] All database integrity checks pass
- [ ] All security tests pass
- [ ] Error handling works correctly
- [ ] Performance is acceptable
- [ ] Multi-browser compatibility confirmed
- [ ] Documentation is complete
- [ ] Code is committed to version control

---

## 🎉 Congratulations!

If all tests pass, **Slice 1 is complete and production-ready**!

You can now confidently move to **Slice 2: Vendor Imports Products from Letzshop**.
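### Added script: offline checks for the Security Tests section

The script below is an added example, not part of the Slice 1 project's code. It automates the two checks in the "Security Tests" section that the checklist does by hand: it decodes a JWT and checks that its payload has the claims the checklist expects (with `exp - iat` matching the `expires_in` of 1800 from the login response), and it checks that a stored password hash has the bcrypt `$2b$` shape. It also shows why the console decode is not enough: a tampered token with `"role": "admin"` decodes fine but fails signature verification. The page does not state the signing algorithm, so HS256 is an assumption, and the secret, the sample header and the bcrypt-shaped string are constructed placeholders, not values from a running system.

```python
"""Added example (not the Slice 1 project's code): offline JWT claim inspection,
HS256 signature verification (assumed algorithm) and bcrypt hash-shape checks."""
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed placeholders: the real server secret and hashes are never in this file.
SAMPLE_SECRET = b"constructed-placeholder-secret"
SAMPLE_HEADER = {"typ": "JWT", "alg": "HS256"}
SAMPLE_PAYLOAD = {  # the payload shape shown in the checklist
    "sub": "1", "username": "admin", "email": "admin@platform.com",
    "role": "admin", "exp": 1705320000, "iat": 1705318200,
}
SAMPLE_BCRYPT = "$2b$12$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"

# bcrypt "$2b$" hashes: version, 2-digit cost, then 22 salt + 31 hash chars = 53 chars
BCRYPT_RE = re.compile(r"^\$2b\$\d{2}\$[./A-Za-z0-9]{53}$")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Split header.payload.signature and decode the JSON parts.
    This does NOT check the signature; use it only to inspect claim shape."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated parts, got {len(parts)}")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": parts[2],
    }


def check_token_claims(payload: dict, expires_in: int = 1800,
                       now: Optional[int] = None) -> list:
    """Return the list of checklist violations; an empty list means the payload passes."""
    problems = []
    for claim in ("sub", "username", "email", "role", "exp", "iat"):
        if claim not in payload:
            problems.append(f"missing claim: {claim}")
    if "exp" in payload and "iat" in payload:
        lifetime = payload["exp"] - payload["iat"]
        if lifetime != expires_in:
            problems.append(f"exp - iat is {lifetime}, expected {expires_in}")
    if now is not None and payload.get("exp", 0) <= now:
        problems.append("token already expired")
    if payload.get("role") not in ("admin", "user"):
        problems.append(f"unexpected role: {payload.get('role')!r}")
    return problems


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct sample tokens."""
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                for p in (header, payload)]
    sig = hmac.new(secret, ".".join(segments).encode(), hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(sig)])


def verify_hs256(token: str, secret: bytes) -> bool:
    """True only if the header says HS256 and the signature matches the secret.
    Pinning the algorithm prevents a token from naming a different one."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return False
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_encode(expected), parts[2])


def looks_like_bcrypt(hashed: str) -> bool:
    """Shape check for the 'Hashes start with $2b$' item; it does not verify a password."""
    return BCRYPT_RE.match(hashed) is not None


if __name__ == "__main__":
    token = sign_hs256(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_SECRET)
    print("claims:", decode_jwt_unverified(token)["payload"])
    print("problems:", check_token_claims(decode_jwt_unverified(token)["payload"], now=1705318300))
    print("signature ok:", verify_hs256(token, SAMPLE_SECRET))
    # A token re-signed with the wrong secret still decodes, but must not verify.
    forged = sign_hs256(SAMPLE_HEADER, {**SAMPLE_PAYLOAD, "sub": "2"}, b"wrong-secret")
    print("forged decodes to role", decode_jwt_unverified(forged)["payload"]["role"],
          "but verifies:", verify_hs256(forged, SAMPLE_SECRET))
    print("bcrypt shape:", looks_like_bcrypt(SAMPLE_BCRYPT), looks_like_bcrypt("admin123"))
```

To use it against a real login response, paste the `access_token` value into `decode_jwt_unverified` and `check_token_claims`; `verify_hs256` only applies on the server side, where the signing secret lives.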
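### Added script: vendor context detection and the authorization boundary

The script below is an added example, not the Slice 1 project's code. It models the server-side half of three items the checklist tests from the browser: vendor context detection by path (`/vendor/<subdomain>/login`) or by subdomain, the "Error Handling" cases (`/vendor//login` with an empty subdomain and an unknown `invalid-shop-name`, both answered with "Vendor Not Found" rather than a server error), and the "Authorization Boundary" rule that the owner of DEMOSTORE must be refused the DEMOSTORE2 dashboard while an admin may view any vendor. The vendor registry is constructed from the values on this page; `DEMOSTORE2`'s owner user id (3) and the `localhost` platform host are assumptions, and the function takes already-verified token claims (it does not parse tokens itself).

```python
"""Added example (not the Slice 1 project's code): vendor context detection
and the owner/admin authorization boundary, with the checklist's edge cases."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: vendor subdomains hang off this host (demostore.localhost:8000).
PLATFORM_HOST = "localhost"
# A subdomain is a DNS label: lowercase alphanumerics and hyphens, 1-63 chars,
# no leading/trailing hyphen. An empty string (from /vendor//login) never matches.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


@dataclass(frozen=True)
class Vendor:
    id: int
    vendor_code: str
    subdomain: str
    owner_user_id: int
    is_active: bool = True


# Constructed registry: DEMOSTORE/owner 2 is from the page; DEMOSTORE2/owner 3 is assumed.
VENDORS = {
    "demostore": Vendor(1, "DEMOSTORE", "demostore", 2),
    "demostore2": Vendor(2, "DEMOSTORE2", "demostore2", 3),
}


@dataclass(frozen=True)
class Context:
    subdomain: str
    method: str  # "path" or "subdomain", as shown on the vendor dashboard


def detect_vendor_context(host: str, path: str) -> Optional[Context]:
    """Return the vendor a request addresses, or None when no well-formed label is present.
    The path form /vendor/<subdomain>/... wins; otherwise <subdomain>.<PLATFORM_HOST>."""
    path_match = re.match(r"^/vendor/([^/]*)(?:/|$)", path)
    if path_match is not None:
        label = path_match.group(1).lower()
        return Context(label, "path") if SUBDOMAIN_RE.match(label) else None
    hostname = host.split(":", 1)[0].lower()  # drop the port
    suffix = "." + PLATFORM_HOST
    if hostname.endswith(suffix):
        label = hostname[: -len(suffix)]
        if SUBDOMAIN_RE.match(label):
            return Context(label, "subdomain")
    return None


def resolve_vendor(ctx: Optional[Context]) -> Optional[Vendor]:
    """Look the context up in the registry; unknown or inactive vendors resolve to None."""
    if ctx is None:
        return None
    vendor = VENDORS.get(ctx.subdomain)
    return vendor if vendor is not None and vendor.is_active else None


def authorize_vendor_dashboard(claims: dict, ctx: Optional[Context]) -> Tuple[int, str]:
    """HTTP status and reason for a vendor-dashboard request, given verified token claims.
    Admins may view any vendor; a 'user' may only view the vendor they own."""
    vendor = resolve_vendor(ctx)
    if vendor is None:
        return 404, "Vendor Not Found"  # bad, empty or unknown subdomain: never a 500
    if claims.get("role") == "admin":
        return 200, f"admin view of {vendor.vendor_code}"
    try:
        user_id = int(claims.get("sub", ""))
    except ValueError:
        return 401, "invalid subject claim"
    if user_id != vendor.owner_user_id:
        return 403, "context mismatch: not the owner of this vendor"
    return 200, f"{vendor.vendor_code} Dashboard"


if __name__ == "__main__":
    owner = {"sub": "2", "role": "user"}    # demostore_owner, user id 2 on the page
    admin = {"sub": "1", "role": "admin"}   # admin, user id 1 on the page
    for host, path in [("localhost:8000", "/vendor/demostore/login"),
                       ("demostore.localhost:8000", "/dashboard"),
                       ("localhost:8000", "/vendor//login"),
                       ("localhost:8000", "/vendor/invalid-shop-name/login"),
                       ("localhost:8000", "/vendor/demostore2/dashboard")]:
        ctx = detect_vendor_context(host, path)
        print(f"{host}{path} -> {ctx} -> owner: {authorize_vendor_dashboard(owner, ctx)}"
              f", admin: {authorize_vendor_dashboard(admin, ctx)}")
```

Keep the lookup and the ownership check server-side: the "Vendor Not Found" page and the hidden form in the browser are presentation, and the 403 for the wrong vendor is what actually enforces isolation.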