# Auth Testing Playbook

## MongoDB Verification
```
mongosh
use test_database
db.users.find({role: "admin"}).pretty()
db.users.findOne({role: "admin"}, {password_hash: 1})
```
Verify:
- bcrypt hash starts with `$2b$`
- indexes exist on:
  - `users.email` (unique)
  - `login_attempts.identifier`
  - `password_reset_tokens.expires_at` (TTL)

## API Testing (use external URL via REACT_APP_BACKEND_URL)
```
# -f2- keeps everything after the first '=' so a URL containing '=' is not truncated
API_URL=$(grep REACT_APP_BACKEND_URL /app/frontend/.env | cut -d '=' -f2-)

# Register
curl -c cookies.txt -X POST "$API_URL/api/auth/register" \
  -H "Content-Type: application/json" \
  -d '{"email":"trader@test.com","password":"Test123!","name":"Trader"}'

# Login
curl -c cookies.txt -X POST "$API_URL/api/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@cryptoeditorial.id","password":"Admin123!"}'

# Me (uses cookies)
curl -b cookies.txt "$API_URL/api/auth/me"

# Logout
curl -b cookies.txt -X POST "$API_URL/api/auth/logout"
```

## Auth Endpoints
- POST /api/auth/register
- POST /api/auth/login
- POST /api/auth/logout
- GET /api/auth/me
- POST /api/auth/refresh
- POST /api/auth/forgot-password
- POST /api/auth/reset-password

## Brute Force
5 failed attempts per `ip:email` pair trigger a 15 min lockout. The counter is cleared on successful login.
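The lockout rule above, keyed on the same `ip:email` identifier the MongoDB section indexes in `login_attempts`, as an added reference implementation that is not the project's own code: an in-memory tracker with an injectable clock so the 15-minute expiry can be exercised without waiting. `FakeClock`, the start timestamp and the stand-in for the collection are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5                 # failed logins per ip:email before lockout
LOCKOUT = timedelta(minutes=15)  # lockout duration

class FakeClock:  # controllable clock so the 15-minute expiry can be exercised offline
    def __init__(self) -> None:
        self.t = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time

    def __call__(self) -> datetime:
        return self.t

class LoginAttemptTracker:
    """In-memory stand-in for the login_attempts collection, keyed on ip:email."""
    def __init__(self, now=lambda: datetime.now(timezone.utc)):
        self.now = now  # injectable clock; defaults to real UTC time
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, datetime] = {}

    @staticmethod
    def identifier(ip: str, email: str) -> str:
        # Normalise the e-mail so case variants count against the same window.
        return f"{ip}:{email.strip().lower()}"

    def is_locked(self, ip: str, email: str) -> bool:
        key = self.identifier(ip, email)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.now() >= until:  # lockout expired: the window starts clean
            self._clear(key)
            return False
        return True

    def record_failure(self, ip: str, email: str) -> bool:
        """Count a failed login; True means this attempt triggered the lockout."""
        key = self.identifier(ip, email)
        self._failures[key] = self._failures.get(key, 0) + 1
        if self._failures[key] >= MAX_FAILURES:
            self._locked_until[key] = self.now() + LOCKOUT
            return True
        return False

    def record_success(self, ip: str, email: str) -> None:
        self._clear(self.identifier(ip, email))  # success clears the counter

    def _clear(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)
```

The login handler should call `is_locked` before verifying the password and skip the bcrypt check entirely while locked, so a locked account does not leak timing differences.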
