11 KiB
11 KiB
Test Scenarios - Route Protection (Function 8)
Test Setup
Test Users
// Admin user
{
email: "admin@hotel.com",
password: "Admin@123",
role: "admin"
}
// Customer user
{
email: "customer@hotel.com",
password: "Customer@123",
role: "customer"
}
// Staff user
{
email: "staff@hotel.com",
password: "Staff@123",
role: "staff"
}
Test Case 1: ProtectedRoute - Unauthenticated User
Objective
Verify that unauthenticated users cannot access protected routes.
Steps
- Open browser (incognito mode)
- Navigate to
http://localhost:5173/dashboard
Expected Result
- ✅ Redirected to
/login - ✅ URL shows
/login - ✅ Login form displayed
- ✅ No error in console
- ✅ Location state contains
from: '/dashboard'
Actual Result
- Pass
- Fail (describe issue):
Test Case 2: ProtectedRoute - Authenticated User
Objective
Verify that authenticated users can access protected routes.
Steps
- Login as customer (
customer@hotel.com/Customer@123) - Navigate to
http://localhost:5173/dashboard
Expected Result
- ✅ Dashboard page displayed successfully
- ✅ URL shows
/dashboard - ✅ No redirect to login
- ✅ Navbar shows user info
- ✅ Logout button visible
Actual Result
- Pass
- Fail (describe issue):
Test Case 3: ProtectedRoute - Redirect After Login
Objective
Verify that users are redirected back to original page after login.
Steps
- Logout (if logged in)
- Navigate to
http://localhost:5173/bookings(protected) - Should redirect to
/login - Login with valid credentials
- Observe redirect behavior
Expected Result
- ✅ Step 2: Redirected to
/login - ✅ Step 4: Login successful
- ✅ Step 5: Redirected back to
/bookings(original page) - ✅ URL shows
/bookings - ✅ BookingListPage displayed
Actual Result
- Pass
- Fail (describe issue):
Test Case 4: AdminRoute - Unauthenticated User
Objective
Verify that unauthenticated users cannot access admin routes.
Steps
- Open browser (incognito mode)
- Navigate to
http://localhost:5173/admin
Expected Result
- ✅ Redirected to
/login - ✅ URL shows
/login - ✅ Login form displayed
- ✅ Location state contains
from: '/admin'
Actual Result
- Pass
- Fail (describe issue):
Test Case 5: AdminRoute - Customer User
Objective
Verify that non-admin users (customer) cannot access admin routes.
Steps
- Login as customer (
customer@hotel.com/Customer@123) - Navigate to
http://localhost:5173/admin
Expected Result
- ✅ Redirected to
/(homepage) - ✅ URL shows
/ - ✅ Homepage displayed
- ✅ No admin content visible
- ✅ Toast message: "Access denied" (optional)
Actual Result
- Pass
- Fail (describe issue):
Test Case 6: AdminRoute - Staff User
Objective
Verify that staff users cannot access admin routes.
Steps
- Login as staff (
staff@hotel.com/Staff@123) - Navigate to
http://localhost:5173/admin
Expected Result
- ✅ Redirected to
/(homepage) - ✅ URL shows
/ - ✅ Homepage displayed
- ✅ No admin content visible
Actual Result
- Pass
- Fail (describe issue):
Test Case 7: AdminRoute - Admin User
Objective
Verify that admin users can access admin routes.
Steps
- Login as admin (
admin@hotel.com/Admin@123) - Navigate to
http://localhost:5173/admin
Expected Result
- ✅ Admin dashboard displayed
- ✅ URL shows
/adminor/admin/dashboard - ✅ Admin sidebar visible
- ✅ Admin navigation menu visible
- ✅ Can access all admin sub-routes:
/admin/users/admin/rooms/admin/bookings/admin/payments/admin/services/admin/promotions/admin/banners/admin/reports/admin/settings
Actual Result
- Pass
- Fail (describe issue):
Test Case 8: Loading State - Slow Network
Objective
Verify that loading state is displayed during auth check.
Steps
- Open DevTools → Network tab
- Set throttling to "Slow 3G"
- Refresh page at protected route
- Observe loading behavior
Expected Result
- ✅ Loading spinner displayed
- ✅ Text "Loading..." or "Authenticating..." visible
- ✅ No flash of redirect
- ✅ Smooth transition after loading
Actual Result
- Pass
- Fail (describe issue):
Test Case 9: Token Expiration
Objective
Verify that expired tokens are handled correctly.
Steps
- Login successfully
- Manually modify token in localStorage to invalid value:
localStorage.setItem('token', 'invalid-token') - Navigate to protected route
/dashboard - Observe behavior
Expected Result
- ✅ Redirected to
/login - ✅ Toast message: "Session expired" (optional)
- ✅ Location state saved
- ✅ Can login again successfully
Actual Result
- Pass
- Fail (describe issue):
Test Case 10: Direct URL Access - Admin
Objective
Verify that direct URL access to admin routes is blocked for non-admin.
Steps
- Login as customer
- Type in address bar:
http://localhost:5173/admin/users - Press Enter
Expected Result
- ✅ Redirected to
/(homepage) - ✅ Cannot access admin/users
- ✅ No admin content visible
Actual Result
- Pass
- Fail (describe issue):
Test Case 11: Nested Admin Routes
Objective
Verify that all nested admin routes are protected.
Steps
- Login as admin
- Navigate to each admin route:
/admin/dashboard/admin/users/admin/rooms/admin/bookings/admin/payments/admin/services/admin/promotions/admin/banners/admin/reports/admin/settings
Expected Result
- ✅ All routes accessible
- ✅ Each page displays correctly
- ✅ No errors in console
- ✅ Admin layout consistent
Actual Result
- Pass
- Fail (describe issue):
Test Case 12: Public Routes Access
Objective
Verify that public routes are accessible without authentication.
Steps
- Logout (if logged in)
- Navigate to public routes:
/(homepage)/rooms/about/login/register/forgot-password
Expected Result
- ✅ All public routes accessible
- ✅ No redirect to login
- ✅ Pages display correctly
- ✅ No errors in console
Actual Result
- Pass
- Fail (describe issue):
Test Case 13: Logout Behavior
Objective
Verify that logout clears auth and redirects properly.
Steps
- Login as any user
- Navigate to protected route
/dashboard - Click logout button
- Observe behavior
Expected Result
- ✅ User logged out
- ✅ Token removed from localStorage
- ✅ userInfo removed from localStorage
- ✅ Redirected to
/or/login - ✅ Navbar shows "Login" button
- ✅ Cannot access protected routes anymore
Actual Result
- Pass
- Fail (describe issue):
Test Case 14: Multiple Tabs - Logout Sync
Objective
Verify that logout in one tab affects other tabs.
Steps
- Login in Tab 1
- Open Tab 2 with same site
- Logout in Tab 1
- Switch to Tab 2
- Try to access protected route
Expected Result
- ✅ Tab 2 detects logout
- ✅ Redirected to login
- ✅ Auth state synced across tabs
Actual Result
- Pass
- Fail (describe issue):
Test Case 15: Browser Refresh - Auth Persistence
Objective
Verify that auth state persists after browser refresh.
Steps
- Login successfully
- Navigate to protected route
/dashboard - Press F5 (refresh)
- Observe behavior
Expected Result
- ✅ User still logged in
- ✅ Dashboard displays correctly
- ✅ No redirect to login
- ✅ userInfo still available
- ✅ Token still in localStorage
Actual Result
- Pass
- Fail (describe issue):
Test Case 16: Role Change Detection
Objective
Verify that role changes are detected and enforced.
Steps
- Login as admin
- Access
/admin/dashboardsuccessfully - Manually change role in localStorage:
const user = JSON.parse(localStorage.getItem('userInfo')) user.role = 'customer' localStorage.setItem('userInfo', JSON.stringify(user)) - Refresh page
- Try to access
/admin
Expected Result
- ✅ Redirected to
/(homepage) - ✅ Cannot access admin routes
- ✅ Role validation working
Actual Result
- Pass
- Fail (describe issue):
Test Case 17: 404 Route
Objective
Verify that non-existent routes show 404 page.
Steps
- Navigate to
http://localhost:5173/non-existent-route
Expected Result
- ✅ 404 page displayed
- ✅ "404 - Page not found" message
- ✅ URL shows
/non-existent-route - ✅ No errors in console
Actual Result
- Pass
- Fail (describe issue):
Test Case 18: Remember Me Feature
Objective
Verify that "Remember Me" extends token duration.
Steps
- Login with "Remember Me" checked
- Check token expiry in localStorage
- Close browser
- Reopen browser after 1 day
- Navigate to protected route
Expected Result
- ✅ User still logged in (if < 7 days)
- ✅ No need to login again
- ✅ Token valid
Actual Result
- Pass
- Fail (describe issue):
Performance Tests
Test Case 19: Route Navigation Speed
Steps
- Login as user
- Navigate between routes:
/dashboard→/bookings→/profile→/rooms
- Measure navigation time
Expected Result
- ✅ Navigation < 200ms
- ✅ No flickering
- ✅ Smooth transitions
Actual Result
- Pass
- Fail (describe issue):
Security Tests
Test Case 20: XSS in Route Params
Steps
- Navigate to
/reset-password/<script>alert('xss')</script> - Observe behavior
Expected Result
- ✅ No alert popup
- ✅ Script not executed
- ✅ Token treated as string
Actual Result
- Pass
- Fail (describe issue):
Summary
| Test Case | Status | Notes |
|---|---|---|
| TC-01: ProtectedRoute - Unauth | ⏳ | |
| TC-02: ProtectedRoute - Auth | ⏳ | |
| TC-03: Redirect After Login | ⏳ | |
| TC-04: AdminRoute - Unauth | ⏳ | |
| TC-05: AdminRoute - Customer | ⏳ | |
| TC-06: AdminRoute - Staff | ⏳ | |
| TC-07: AdminRoute - Admin | ⏳ | |
| TC-08: Loading State | ⏳ | |
| TC-09: Token Expiration | ⏳ | |
| TC-10: Direct URL - Admin | ⏳ | |
| TC-11: Nested Admin Routes | ⏳ | |
| TC-12: Public Routes | ⏳ | |
| TC-13: Logout | ⏳ | |
| TC-14: Multi-tab Sync | ⏳ | |
| TC-15: Refresh Persistence | ⏳ | |
| TC-16: Role Change | ⏳ | |
| TC-17: 404 Route | ⏳ | |
| TC-18: Remember Me | ⏳ | |
| TC-19: Performance | ⏳ | |
| TC-20: XSS Security | ⏳ |
Overall Status: ⏳ Pending Testing
How to Run Tests
Manual Testing
# 1. Start server
cd server
npm run dev
# 2. Start client
cd client
npm run dev
# 3. Open browser
http://localhost:5173
# 4. Follow test cases above
Automated Testing (Optional - Future)
# Install testing dependencies
npm install --save-dev @testing-library/react @testing-library/jest-dom @testing-library/user-event
# Run tests
npm test
Bug Report Template
### Bug: [Short description]
**Test Case**: TC-XX
**Steps to Reproduce**:
1. Step 1
2. Step 2
3. Step 3
**Expected**: [What should happen]
**Actual**: [What actually happened]
**Environment**:
- Browser: Chrome 120
- OS: Windows 11
- Node: v18.17.0
**Screenshots**: [Attach if applicable]
**Console Errors**: [Copy-paste errors]
**Priority**: High/Medium/Low