Slice 1 Testing Checklist

Comprehensive Testing Guide for Admin → Vendor Creation → Vendor Login

Use this checklist to verify that Slice 1 is working correctly before moving to Slice 2.

🎯 Testing Overview

This checklist covers:

  • Backend API functionality
  • Frontend user interface
  • Database integrity
  • Security and authentication
  • Vendor isolation
  • Error handling

1 Backend API Tests

Authentication Endpoints

Test: Admin Login

curl -X POST http://localhost:8000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"admin123"}'

Expected Response:

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGc...",
  "token_type": "bearer",
  "expires_in": 1800,
  "user": {
    "id": 1,
    "username": "admin",
    "email": "admin@platform.com",
    "role": "admin",
    "is_active": true
  }
}

  • Response status is 200
  • Token is returned
  • User role is "admin"
  • Token is valid JWT format

Test: Invalid Login

curl -X POST http://localhost:8000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"wrongpassword"}'

Expected Response:

{
  "detail": "Incorrect username or password"
}

  • Response status is 401 or 400
  • Error message is returned
  • No token is provided

Test: Get Current User

TOKEN="your_admin_token_here"
curl -X GET http://localhost:8000/api/v1/auth/me \
  -H "Authorization: Bearer $TOKEN"

Expected Response:

{
  "id": 1,
  "username": "admin",
  "email": "admin@platform.com",
  "role": "admin",
  "is_active": true,
  "created_at": "2025-01-15T10:00:00",
  "updated_at": "2025-01-15T10:00:00"
}

  • Response status is 200
  • User details are correct
  • Timestamps are present

Vendor Management Endpoints

Test: Create Vendor

TOKEN="your_admin_token_here"
curl -X POST http://localhost:8000/api/v1/admin/vendors \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "vendor_code": "TESTVENDOR",
    "name": "Test Vendor Store",
    "subdomain": "testvendor",
    "owner_email": "owner@testvendor.com",
    "description": "Test vendor for verification"
  }'

Expected Response:

{
  "id": 1,
  "vendor_code": "TESTVENDOR",
  "subdomain": "testvendor",
  "name": "Test Vendor Store",
  "owner_user_id": 2,
  "owner_email": "owner@testvendor.com",
  "owner_username": "testvendor_owner",
  "temporary_password": "Xy7$mK9p!Qz2",
  "is_active": true,
  "is_verified": true,
  "created_at": "2025-01-15T10:05:00"
}

  • Response status is 200 or 201
  • Vendor is created with uppercase code
  • Owner user is created
  • Temporary password is generated
  • Vendor is auto-verified

Test: Duplicate Vendor Code

# Try to create vendor with same code
TOKEN="your_admin_token_here"
curl -X POST http://localhost:8000/api/v1/admin/vendors \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "vendor_code": "TESTVENDOR",
    "name": "Another Store",
    "subdomain": "anothershop",
    "owner_email": "another@test.com"
  }'

Expected Response:

{
  "detail": "Vendor with code 'TESTVENDOR' already exists"
}

  • Response status is 400 or 409
  • Appropriate error message
  • No vendor is created

Test: Get All Vendors

TOKEN="your_admin_token_here"
curl -X GET http://localhost:8000/api/v1/admin/vendors \
  -H "Authorization: Bearer $TOKEN"

Expected Response:

{
  "vendors": [
    {
      "id": 1,
      "vendor_code": "TESTVENDOR",
      "name": "Test Vendor Store",
      "subdomain": "testvendor",
      "is_active": true,
      "is_verified": true
    }
  ],
  "total": 1,
  "skip": 0,
  "limit": 100
}

  • Response status is 200
  • Vendor list is returned
  • Pagination info is included

Test: Admin Dashboard Stats

TOKEN="your_admin_token_here"
curl -X GET http://localhost:8000/api/v1/admin/dashboard \
  -H "Authorization: Bearer $TOKEN"

Expected Response:

{
  "platform": {
    "name": "Multi-Tenant Ecommerce Platform",
    "version": "1.0.0"
  },
  "users": {
    "total_users": 2,
    "active_users": 2,
    "inactive_users": 0
  },
  "vendors": {
    "total_vendors": 1,
    "active_vendors": 1,
    "verified_vendors": 1
  },
  "recent_vendors": [],
  "recent_imports": []
}

  • Response status is 200
  • Statistics are accurate
  • Recent lists are arrays

Authorization Tests

Test: Non-Admin Cannot Access Admin Endpoints

# First login as vendor owner
curl -X POST http://localhost:8000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"testvendor_owner","password":"[temp_password]"}'

# Try to access admin endpoint
VENDOR_TOKEN="vendor_token_here"
curl -X GET http://localhost:8000/api/v1/admin/vendors \
  -H "Authorization: Bearer $VENDOR_TOKEN"

Expected Response:

{
  "detail": "Admin privileges required"
}

  • Response status is 403
  • Access is denied
  • Appropriate error message

Test: Unauthenticated Access Denied

curl -X GET http://localhost:8000/api/v1/admin/vendors

Expected Response:

{
  "detail": "Authorization header required"
}

  • Response status is 401
  • No data is returned

2 Frontend UI Tests

Admin Login Page

URL: http://localhost:8000/static/admin/login.html

Test: Page Loads Correctly

  • Page loads without errors
  • Login form is visible
  • Username and password fields present
  • Submit button is enabled
  • No console errors (F12)

Test: Successful Admin Login

  1. Enter username: admin
  2. Enter password: admin123
  3. Click "Sign In"

Expected:

  • Button shows loading spinner
  • Success message appears
  • Redirects to /static/admin/dashboard.html
  • No console errors

Test: Failed Login

  1. Enter username: admin
  2. Enter password: wrongpassword
  3. Click "Sign In"

Expected:

  • Error message displayed
  • Form fields highlighted
  • No redirect occurs
  • Can retry login

Test: Form Validation

  1. Leave username empty
  2. Click "Sign In"

Expected:

  • Error message for username
  • Form doesn't submit
  • Field is highlighted

Admin Dashboard

URL: http://localhost:8000/static/admin/dashboard.html

Test: Dashboard Loads

  • Page loads successfully
  • Admin username displayed in header
  • Logout button visible
  • Navigation sidebar present
  • Stats cards show numbers
  • No console errors

Test: Statistics Display

  • Total Vendors count is correct
  • Total Users count is correct
  • Active users count matches
  • Verified vendors count matches
  • All stats are numbers (not "-" or "undefined")

Test: Navigation

  1. Click "Vendors" in sidebar

Expected:

  • View changes to vendors list
  • Nav item is highlighted
  • Page doesn't reload

Test: Logout

  1. Click "Logout" button
  2. Confirm logout

Expected:

  • Confirmation dialog appears
  • Token is removed from localStorage
  • Redirects to /static/admin/login.html

Vendor Creation Page

URL: http://localhost:8000/static/admin/vendors.html

Test: Form Validation

  1. Try to submit empty form

Expected:

  • Required field errors shown
  • Form doesn't submit

  2. Enter invalid vendor code (lowercase)

Expected:

  • Input auto-converts to uppercase

  3. Enter invalid subdomain (uppercase)

Expected:

  • Input auto-converts to lowercase

  4. Enter invalid email

Expected:

  • Browser validation catches it

Test: Create Vendor Successfully

  1. Fill form:
    • Vendor Code: DEMOSTORE
    • Name: Demo Store
    • Subdomain: demostore
    • Owner Email: owner@demostore.com
  2. Click "Create Vendor"

Expected:

  • Loading spinner appears
  • Success message displayed
  • Credentials card shows:
    • Vendor Code
    • Subdomain
    • Owner Username
    • Owner Email
    • Temporary Password
    • Login URL
  • Form is hidden
  • Can create another vendor

Test: Duplicate Vendor Handling

  1. Try to create vendor with existing code

Expected:

  • Error message displayed
  • Form stays visible
  • Can fix and retry

Vendor Login Page

URL: http://localhost:8000/vendor/demostore/login

Test: Vendor Context Detection

  • Page loads correctly
  • Vendor name displayed: "demostore"
  • Form is visible
  • No "Vendor Not Found" message

Test: Invalid Vendor URL

URL: http://localhost:8000/vendor/nonexistent/login

Expected:

  • "Vendor Not Found" message
  • Form is hidden
  • Back button visible

Test: Vendor Owner Login

  1. Enter username from creation: demostore_owner
  2. Enter temporary password
  3. Click "Sign In"

Expected:

  • Loading spinner
  • Success message
  • Redirects to vendor dashboard
  • No console errors

Vendor Dashboard

URL: Redirect after login

Test: Dashboard Display

  • Page loads successfully
  • Shows "DEMOSTORE Dashboard"
  • Username displayed
  • Vendor info card shows:
    • Vendor Code: DEMOSTORE
    • Owner email
    • Active/Verified badges
    • Context detection info
  • "Coming in Slice 2" message visible

Test: Vendor Context Display

  • Correct subdomain shown
  • Context method displayed (path or subdomain)
  • No errors in console

3 Database Tests

Check Table Creation

# Connect to the database (run from the shell)
psql -U postgres -d multitenant_ecommerce

-- List all tables (run inside psql)
\dt

-- Expected tables:
-- users, vendors, roles, vendor_users

  • All required tables exist
  • No missing tables

Check Admin User

SELECT id, username, email, role, is_active 
FROM users 
WHERE role = 'admin';

Expected:

 id | username |       email        | role  | is_active
----+----------+--------------------+-------+-----------
  1 | admin    | admin@platform.com | admin | t

  • Admin user exists
  • Role is "admin"
  • Is active

Check Vendor Creation

SELECT id, vendor_code, subdomain, name, owner_user_id, is_active, is_verified
FROM vendors
WHERE vendor_code = 'DEMOSTORE';

Expected:

 id | vendor_code | subdomain | name       | owner_user_id | is_active | is_verified
----+-------------+-----------+------------+---------------+-----------+-------------
  1 | DEMOSTORE   | demostore | Demo Store | 2             | t         | t

  • Vendor exists
  • Vendor code is uppercase
  • Subdomain is lowercase
  • Owner user ID is set
  • Is active and verified

Check Owner User Creation

SELECT id, username, email, role, is_active
FROM users
WHERE email = 'owner@demostore.com';

Expected:

 id | username         | email               | role | is_active
----+------------------+---------------------+------+-----------
  2 | demostore_owner  | owner@demostore.com | user | t

  • Owner user exists
  • Username follows pattern
  • Email is correct
  • Role is "user" (not admin)
  • Is active

Check Default Roles

SELECT id, name, vendor_id
FROM roles
WHERE vendor_id = (SELECT id FROM vendors WHERE vendor_code = 'DEMOSTORE')
ORDER BY name;

Expected:

 id | name    | vendor_id
----+---------+-----------
  1 | Editor  | 1
  2 | Manager | 1
  3 | Owner   | 1
  4 | Viewer  | 1

  • All 4 default roles created
  • Roles linked to correct vendor
  • Names are correct

Check Data Isolation

-- Create second vendor via API, then check isolation

SELECT v.vendor_code, u.username, u.email
FROM vendors v
JOIN users u ON v.owner_user_id = u.id
ORDER BY v.id;

Expected:

  • Each vendor has unique owner
  • No shared users between vendors
  • Owner relationships are correct

4 Security Tests

Password Hashing

SELECT username, hashed_password
FROM users
WHERE username IN ('admin', 'demostore_owner');

  • Passwords are hashed (not plain text)
  • Hashes start with "$2b$" (bcrypt)
  • Each hash is unique
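
A scripted version of the three checks above, added here as an example (not part of the original checklist or the project's code): it validates rows returned by the query against the full `$2b$` bcrypt layout and flags low cost factors and repeated hashes. The function names, the `minCost` threshold and the sample rows are assumptions constructed for illustration.

```javascript
// Added example, not project code.
// bcrypt layout: "$2b$" + 2-digit cost + "$" + 22-char salt + 31-char digest (60 chars total).
const BCRYPT_2B = /^\$2b\$(\d{2})\$[./A-Za-z0-9]{53}$/;

// rows: [{ username, hashed_password }] as returned by the query above.
// minCost is an assumed policy value; the checklist does not state one.
function checkHashes(rows, minCost) {
  const problems = [];
  const firstOwner = new Map(); // hash -> first username seen with it
  for (const { username, hashed_password: hash } of rows) {
    const match = BCRYPT_2B.exec(hash || '');
    if (!match) {
      problems.push(username + ': not in $2b$ bcrypt format');
      continue;
    }
    if (Number(match[1]) < minCost) {
      problems.push(username + ': cost ' + match[1] + ' is below ' + minCost);
    }
    if (firstOwner.has(hash)) {
      problems.push(username + ': hash identical to ' + firstOwner.get(hash));
    } else {
      firstOwner.set(hash, username);
    }
  }
  return problems;
}

// Constructed rows (placeholder salt/digest characters, not real hashes).
const fakeHash = (cost, fill) => '$2b$' + cost + '$' + fill.repeat(53);
const goodRows = [
  { username: 'admin', hashed_password: fakeHash('12', 'a') },
  { username: 'demostore_owner', hashed_password: fakeHash('12', 'b') },
];
const badRows = [
  { username: 'admin', hashed_password: 'admin123' },                    // stored in plain text
  { username: 'demostore_owner', hashed_password: fakeHash('04', 'c') }, // weak cost factor
  { username: 'other_owner', hashed_password: fakeHash('04', 'c') },     // hash shared with another user
];

console.log(checkHashes(goodRows, 10)); // []
console.log(checkHashes(badRows, 10));
```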

JWT Token Validation

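// In browser console after login:
const token = localStorage.getItem('admin_token');
const parts = token.split('.');
// JWT segments are base64url-encoded; map them to standard base64 before atob()
const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
console.log(payload);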

Expected:

{
  "sub": "1",
  "username": "admin",
  "email": "admin@platform.com",
  "role": "admin",
  "exp": 1705320000,
  "iat": 1705318200
}

  • Token has 3 parts (header.payload.signature)
  • Payload contains user info
  • Expiration time is set
  • Role is included
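
The manual check above as a reusable function, added here as an example (not part of the original checklist or the project's code): it decodes header and payload, rejects unsigned tokens, and confirms that `exp - iat` equals the `expires_in` value (1800) from the login response. The function names, the `HS256` header value, the placeholder signature and the sensitive-claim pattern are assumptions.

```javascript
// Added example, not project code. Runs in a browser console or Node 16+.
// Decoding proves nothing about authenticity: only the server can verify the signature.
const enc = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function decodePart(part) {
  // JWT segments are unpadded base64url; atob() expects padded standard base64.
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const value = JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
  if (value === null || typeof value !== 'object') throw new Error('not a JSON object');
  return value;
}

// Returns a list of problems; an empty list means every structural check passed.
function checkToken(token, expectedLifetime, nowSeconds) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['expected 3 dot-separated parts'];
  let header, payload;
  try {
    header = decodePart(parts[0]);
    payload = decodePart(parts[1]);
  } catch (err) {
    return ['header or payload is not base64url-encoded JSON'];
  }
  const problems = [];
  if (!header.alg || String(header.alg).toLowerCase() === 'none') {
    problems.push('alg is missing or "none"');
  }
  if (parts[2] === '') problems.push('signature part is empty');
  for (const claim of ['sub', 'role', 'exp', 'iat']) {
    if (!(claim in payload)) problems.push('missing claim: ' + claim);
  }
  if (payload.exp - payload.iat !== expectedLifetime) problems.push('exp - iat does not match expires_in');
  if (!(payload.exp > nowSeconds)) problems.push('token is expired');
  // The payload is readable by anyone holding the token; this name pattern is an assumption.
  for (const key of Object.keys(payload)) {
    if (/pass|secret|hash/i.test(key)) problems.push('sensitive claim: ' + key);
  }
  return problems;
}

// Constructed sample: payload values from the expected output above; alg and signature are placeholders.
const samplePayload = { sub: '1', username: 'admin', email: 'admin@platform.com',
  role: 'admin', exp: 1705320000, iat: 1705318200 };
const sampleToken = [enc({ typ: 'JWT', alg: 'HS256' }), enc(samplePayload), 'c2lnbmF0dXJl'].join('.');
const unsignedToken = [enc({ typ: 'JWT', alg: 'none' }), enc(samplePayload), ''].join('.');

console.log(checkToken(sampleToken, 1800, 1705318300)); // []
console.log(checkToken(unsignedToken, 1800, 1705318300));
```

In the browser console, pass the stored token and the current time: `checkToken(localStorage.getItem('admin_token'), 1800, Math.floor(Date.now() / 1000))`.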

Authorization Boundary

Test that vendors cannot access each other's data:

  1. Login as owner of DEMOSTORE
  2. Try to access DEMOSTORE2 dashboard

Expected:

  • Access denied or context mismatch
  • No data from other vendor visible

5 Error Handling Tests

Test Invalid URLs

  1. Visit: http://localhost:8000/vendor//login (empty subdomain)

Expected:

  • Handled gracefully
  • No server error
  • User-friendly message

  2. Visit: http://localhost:8000/vendor/invalid-shop-name/login

Expected:

  • "Vendor Not Found" message
  • No error 500
  • Can navigate back

Test Network Errors

  1. Stop the backend server
  2. Try to login from frontend

Expected:

  • Error message displayed
  • No infinite loading
  • Can retry

Test Database Errors

  1. Stop PostgreSQL
  2. Try to access API endpoint

Expected:

  • 503 Service Unavailable or similar
  • Error logged on server
  • No data corruption

6 Performance Tests

Page Load Times

  • Admin login page loads < 1 second
  • Dashboard loads < 2 seconds
  • Vendor creation completes < 3 seconds

API Response Times

# Measure API response time
time curl -X GET http://localhost:8000/api/v1/admin/vendors \
  -H "Authorization: Bearer $TOKEN"

  • Most endpoints respond < 500ms
  • Dashboard stats < 1 second
  • Vendor creation < 2 seconds

7 Cross-Browser Tests

Test in multiple browsers:

  • Chrome: All features work
  • Firefox: All features work
  • Safari: All features work
  • Edge: All features work

Final Verification

Complete Flow Test

  1. Admin Login:

    • Login successful
    • Dashboard displays
  2. Create Vendor:

    • Form validates correctly
    • Vendor created successfully
    • Credentials displayed
  3. Vendor Login:

    • Can access vendor login page
    • Login with generated credentials
    • Dashboard displays
  4. Verify Isolation:

    • Cannot access other vendor's data
    • Context detection works
    • Database shows proper relationships
  5. Admin Management:

    • Can see all vendors
    • Can verify/unverify vendors
    • Statistics are accurate

Sign-off Checklist

Before moving to Slice 2, confirm:

  • All backend API tests pass
  • All frontend UI tests pass
  • All database integrity checks pass
  • All security tests pass
  • Error handling works correctly
  • Performance is acceptable
  • Multi-browser compatibility confirmed
  • Documentation is complete
  • Code is committed to version control

🎉 Congratulations!

If all tests pass, Slice 1 is complete and production-ready!

You can now confidently move to Slice 2: Vendor Imports Products from Letzshop.