USER STORY

Module: M-AUTH-01 - Login & Authentication (OrangeHRM)
Generated: 2026-06-04 16:53:52
Input: 00-context.md
Pipeline step: 03


Upstream Issues

Issue ID | Source | Description | Handling
UI-001 | 01-module-map | F-AUTH-014 Session timeout was added in 01, but the original feature list only goes up to F-AUTH-013. | Keep F-AUTH-014 because 01 already declares it and the current prompt requires session timeout to be covered.
UI-002 | 01-module-map | BR-AUTH-015 and BR-AUTH-016 are used in 01 but do not exist in the original context. | Used for session timeout/logout; flagged as an upstream issue.
UI-003 | Current prompt | The sample input (Product List, Customer, Seller) is a template. | Ignore the sample; use M-AUTH-01 OrangeHRM per the Context.
UI-004 | Previous output 02 | 02 uses HTTP 400 for validation, but the current step requires validation = 422 per the R5 focus. | Step 03 uses 422 for validation in AC/Edge/Gherkin.

US-AUTH-001: View login page

AS A Anonymous User
I WANT TO open the OrangeHRM login page
SO THAT I can start logging in or go to forgot password


0. MODE SELECTION

Item | Value
Selected mode | LIGHTWEIGHT
Reason for mode | Simple UI entry point, no DB write, no auth required.
Scope note | Covers only rendering the login page and its basic controls.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Anonymous User | Open /web/index.php/auth/login | Login page request is sent.
2 | System | Render login page | Shows OrangeHRM logo, username, password, login button, forgot password link.
3 | Anonymous User | View form | Can enter credentials or choose forgot password.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
View login page | Yes | No | No | No | No | No | Authenticated users do not need the login page.
Submit credentials | Yes | No | No | No | No | No | Handled in US-AUTH-005/006.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Login page loads successfully | Anonymous User opens login URL | System loads public login page | HTTP 200; shows username, password, login button, forgot password link | Public endpoint, no auth required | High | TC-US-AUTH-001-001
AC-02 | Login page fields have accessible labels | Page render | System assigns label/placeholder to inputs | Screen reader can read username/password | Accessibility note | Medium | TC-US-AUTH-001-002
AC-03 | Authenticated user opens login page | User with Active session opens login URL | System checks session and role | Redirect to role landing (D-10) | Role redirect default (D-10) | Medium | TC-US-AUTH-001-003

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Login page route unavailable | Network | P0 | Return INTERNAL_ERROR 500 or maintenance page; do not expose stack trace | Screenshot + response
E2 | Mobile viewport | Boundary | P2 | Form does not overlap; input and button remain usable | Mobile screenshot
E3 | Authenticated session has expired | Security | P1 | Redirect to login page and session moves to Expired (D-09) | Session record

5. GHERKIN SCENARIOS

GH-US-AUTH-001-001 Happy path

Scenario: Anonymous User views login page
  Given Anonymous User has no active session
  When the user opens "/web/index.php/auth/login"
  Then the system returns HTTP 200
  And the page displays username, password, login button, and forgot password link

GH-US-AUTH-001-002 Edge case

Scenario: Active session opens login page
  Given Employee User has an Active session
  When the user opens "/web/index.php/auth/login"
  Then the system redirects the user according to role landing rule D-10

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-001-001 | Should an authenticated user opening the login page be redirected or shown the login page? | Affects AC-03 | P2 | PO | TBC

7. DEFINITION OF DONE


US-AUTH-002: Enter username and password

AS A Anonymous User
I WANT TO enter username and password in the login form
SO THAT I can submit my login details


0. MODE SELECTION

Item | Value
Selected mode | STANDARD
Reason for mode | Has password input and UI validation, but no credential/DB validation yet.
Scope note | Covers only input entry, password masking and client-side readiness.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Anonymous User | Click username field | Field receives focus and accepts input.
2 | Anonymous User | Enter username | System shows the username text as entered.
3 | Anonymous User | Enter password | System masks the password.
4 | System | Enable submit once the user has interacted | Login button is ready to submit if the form is not loading.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
Enter username | Yes | No | No | No | No | No | Public login form.
Enter password | Yes | No | No | No | No | No | Password must not be logged.
Read raw password | No | No | No | No | No | No | System only handles the transient input.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | User enters username | Type into username | System accepts text | Username shows exactly the value entered, up to 40 characters | username max 40 | High | TC-US-AUTH-002-001
AC-02 | User enters password | Type into password | System masks input | Password is not shown as raw text in the UI | password max 64 | High | TC-US-AUTH-002-002
AC-03 | User submits while loading | Click login multiple times | System disables button while processing | No duplicate submit is created | N/A | Medium | TC-US-AUTH-002-003
AC-04 | Input exceeds limit | Paste username > 40 or password > 64 | System validates field | Return validation error 422 on submit | R5 validation = 422 | Medium | TC-US-AUTH-002-004

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Username > 40 characters | Boundary | P1 | Submit rejected with 422 and message Required or max length [TBC] | Request + screenshot
E2 | Password > 64 characters | Boundary | P1 | Submit rejected with 422 | Request + screenshot
E3 | Double click Login | Concurrency | P2 | Only one validate request is sent | Network trace
E4 | Password autocomplete | Security | P2 | Password not exposed in URL/log | Browser trace

5. GHERKIN SCENARIOS

GH-US-AUTH-002-001 Happy path

Scenario: Anonymous User enters login fields
  Given the login page is loaded
  When the user enters username "admin" and password "admin123"
  Then the username field contains "admin"
  And the password field masks the entered password

GH-US-AUTH-002-002 Error

Scenario: Username exceeds maximum length
  Given the login page is loaded
  When the user submits a username longer than 40 characters
  Then the system rejects the request with HTTP 422
  And the validation result identifies the username field

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-002-001 | What is the exact max length message for username/password? | Affects UI validation | P2 | UX/PO | TBC

7. DEFINITION OF DONE


US-AUTH-003: Validate required fields

AS A Anonymous User
I WANT TO be told when username or password is left empty
SO THAT I know what to fill in before logging in


0. MODE SELECTION

Item | Value
Selected mode | STANDARD
Reason for mode | Mandatory validation with clear API/UI behavior.
Scope note | Does not validate whether the credential is correct.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Anonymous User | Leave username or password empty | Form has a missing required field.
2 | Anonymous User | Click Login | Validation request is triggered.
3 | System | Validate required fields | Returns field-level errors.
4 | Anonymous User | View errors | Knows which field must be filled in.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
Validate required username/password | Yes | No | No | No | No | Yes | Public login validation.
Record LoginAttempt | No | No | No | No | No | TBC | Whether required-field failures are logged is TBC.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Username empty | Submit form with password filled, username empty | System validates username required | HTTP 422; show Required at username | BR-AUTH-001, R5 validation 422 | High | TC-US-AUTH-003-001
AC-02 | Password empty | Submit form with username filled, password empty | System validates password required | HTTP 422; show Required at password | BR-AUTH-002, R5 validation 422 | High | TC-US-AUTH-003-002
AC-03 | Both fields empty | Submit empty form | System validates both fields | HTTP 422; show Required for username and password | BR-AUTH-001/002 | High | TC-US-AUTH-003-003
AC-04 | Required validation does not disclose account | Submit empty username | System does not look up the account | Does not show Invalid credentials | Security | Medium | TC-US-AUTH-003-004

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Username contains only spaces | Boundary | P1 | Trim and treat as empty, return 422 | Request + UI
E2 | Password contains only spaces | Boundary | P1 | TBC: accept the raw password or treat as invalid; if empty after trim, return 422 | Request
E3 | Missing JSON/form field | Data | P1 | Return 422 and field error | API response
E4 | Validation response schema wrong | Data | P2 | QA logs a defect if the field cannot be mapped | API response

5. GHERKIN SCENARIOS

GH-US-AUTH-003-001 Happy path validation

Scenario: Username is required
  Given the login page is loaded
  When the user submits an empty username and a non-empty password
  Then the system returns HTTP 422
  And the username field displays "Required"

GH-US-AUTH-003-002 Error

Scenario: Password is required
  Given the login page is loaded
  When the user submits username "admin" and an empty password
  Then the system returns HTTP 422
  And the password field displays "Required"

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-003-001 | Should a required-field failure be recorded as a LoginAttempt? | Affects audit/test DB | P2 | Tech Lead | TBC
OQ-US-AUTH-003-002 | Is the password trimmed of whitespace before validation? | Affects edge case | P2 | Security Lead | TBC

7. DEFINITION OF DONE


US-AUTH-004: Validate username case-insensitively

AS A Anonymous User
I WANT TO have my username handled case-insensitively
SO THAT I can still log in if I type the wrong casing


0. MODE SELECTION

Item | Value
Selected mode | STANDARD
Reason for mode | Involves UserAccount lookup and the normalization rule (D-01).
Scope note | Covers only username normalization, not the full password success flow.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Anonymous User | Enter username with casing different from the stored record | Form accepts the username.
2 | Anonymous User | Submit valid password | Login validation starts.
3 | System | Normalize username | Looks up the same UserAccount regardless of casing (D-01).
4 | System | Continue validating password | Returns the login result based on the credential.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
Submit username | Yes | No | No | No | No | No | Public.
Normalize username | No | No | No | No | No | Yes | System-only.
Lookup UserAccount | No | No | No | No | No | Yes | Per D-01.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Correct lowercase username | Submit admin | Lookup normalized username | Account admin is found | D-01 | High | TC-US-AUTH-004-001
AC-02 | Uppercase username | Submit ADMIN | Normalize before lookup | Same account as admin is found (D-01) | D-01 | High | TC-US-AUTH-004-002
AC-03 | Mixed-case username + wrong password | Submit AdMiN with wrong password | Normalize username, validate password | Return INVALID_CREDENTIALS 401, do not reveal casing | D-01/D-02 | High | TC-US-AUTH-004-003
AC-04 | Duplicate username differing only in case in DB | Import/test data contains admin and ADMIN | Case-insensitive unique constraint | Duplicate creation is not allowed [TBC - Tech Lead] | D-01 | Medium | TC-US-AUTH-004-004

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Leading/trailing spaces | Boundary | P2 | Trim username before normalize [TBC] | Request
E2 | Unicode casing | Data | P2 | TBC; username max String 40, test data expected to be ASCII-like | Request
E3 | Duplicate case variant exists | Data | P1 | System does not log in to an ambiguous account; log defect/data issue | DB evidence
E4 | Username does not exist | Security | P1 | Generic Invalid credentials, HTTP 401 | Response

5. GHERKIN SCENARIOS

GH-US-AUTH-004-001 Happy path

Scenario: Username casing is ignored
  Given UserAccount username "admin" exists and is Enabled
  When Anonymous User submits username "ADMIN" with a valid password
  Then the system resolves the same account as username "admin" according to D-01

GH-US-AUTH-004-002 Error

Scenario: Mixed case username with wrong password
  Given UserAccount username "admin" exists
  When Anonymous User submits username "AdMiN" with a wrong password
  Then the system returns HTTP 401
  And the UI displays "Invalid credentials"

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-004-001 | Is the username trimmed of whitespace before normalization? | Affects edge tests | P2 | PO/Tech Lead | TBC
OQ-US-AUTH-004-002 | Is username uniqueness enforced case-insensitively in the DB? | Affects data integrity | P1 | Tech Lead | TBC

7. DEFINITION OF DONE


US-AUTH-005: Validate correct credential

AS A Anonymous User
I WANT TO log in with a valid username and password
SO THAT I can access OrangeHRM according to my assigned role


0. MODE SELECTION

Item | Value
Selected mode | HIGH_RISK
Reason for mode | Core authentication: PII, session, role, audit and security-sensitive.
Scope note | Covers valid credential, account status, session creation, OTP/expiry decision.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Anonymous User | Submit valid username/password | System receives the validate request.
2 | System | Validate required fields and normalize username | Request is valid.
3 | System | Check password hash, account status, employee status | Account is eligible to log in.
4 | System | Check expiry and 2FA | Redirect to change password, OTP Required, or create session.
5 | System | Resolve role landing | User is redirected by role (D-10).
6 | System | Log successful login attempt | LoginAttempt result = Success.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
Submit credentials | Yes | No | No | No | No | No | Public endpoint.
Validate password hash | No | No | No | No | No | Yes | Raw password is not stored.
Create AuthSession | No | No | No | No | No | Yes | After credential and account are valid.
Role redirect | No | Yes | Yes | Yes | Yes | Yes | Per D-10.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Active user with valid credential | POST /validate | Validate username/password hash, status Enabled, not locked | Session created, or OTP Required if 2FA is enabled (D-08) | BR-AUTH-003/004/013 | High | TC-US-AUTH-005-001
AC-02 | Role redirect after login | Login succeeds and no OTP needed | System reads role assignment | Redirect Admin -> Admin module, ESS -> My Info, no role -> Dashboard (D-10) | BR-AUTH-014 | High | TC-US-AUTH-005-002
AC-03 | Password expired | Valid credential, password_expires_at < now | System checks expiry | Redirect to change password, except Global Admin (D-05) | BR-AUTH-007 | High | TC-US-AUTH-005-003
AC-04 | Successful login audit | Login accepted | System creates LoginAttempt Success | LoginAttempt has username_submitted, result Success, attempted_at | Audit logging | Medium | TC-US-AUTH-005-004
AC-05 | Disabled/terminated account | Correct credential but account disabled/employee terminated | System denies login | HTTP 401 and display Invalid credentials per generic denial (D-12) | BR-AUTH-010 | High | TC-US-AUTH-005-005

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Password hash compare fails due to corrupt hash | Data | P0 | Deny login 401, log security error, do not expose stack trace | API + log
E2 | Role lookup unavailable | Network | P1 | Do not grant unauthorized access; return 500 or redirect to Dashboard [TBC] | API + log
E3 | Account locked_until in the future | Security | P0 | Return ACCOUNT_LOCKED 423 | API
E4 | 2FA mandatory | Security | P0 | Do not create a fully authenticated session before OTP is verified (D-08) | Session DB
E5 | Login success audit fails | Security | P1 | Auth decision TBC; audit failure must be visible to ops | Log evidence

5. GHERKIN SCENARIOS

GH-US-AUTH-005-001 Happy path

Scenario: Active user logs in with valid credential
  Given UserAccount "admin" is Enabled and not locked
  And the submitted password matches the stored password hash
  When Anonymous User posts username "admin" and password "admin123" to "/web/index.php/auth/validate"
  Then the system accepts the credential
  And the user is sent to OTP Required or role landing according to D-08 and D-10

GH-US-AUTH-005-002 Security

Scenario: Disabled account cannot login with valid credential
  Given UserAccount "disabledUser" has status Disabled
  When Anonymous User submits the correct password
  Then the system returns HTTP 401
  And the UI displays "Invalid credentials" according to D-12

GH-US-AUTH-005-003 Edge case

Scenario: Password expired after valid credential
  Given Employee User has password_expires_at in the past
  When the user submits a valid credential
  Then the system redirects the user to change password according to D-05

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-005-001 | If role lookup fails after a valid credential, return 500 or fall back to Dashboard? | Affects security and AC | P1 | Tech Lead | TBC
OQ-US-AUTH-005-002 | Does an audit failure block login? | Affects reliability/security | P1 | Security Lead | TBC
OQ-US-AUTH-005-003 | Is 2FA enabled in the test environment? | Affects expected result | P1 | System Admin | TBC

7. DEFINITION OF DONE


US-AUTH-006: Validate incorrect credential

AS A Anonymous User
I WANT TO receive an error when the username or password is incorrect
SO THAT I know the login failed while the system discloses no sensitive information


0. MODE SELECTION

Item | Value
Selected mode | HIGH_RISK
Reason for mode | Security-critical: invalid credential, brute-force counter, audit, lockout/captcha trigger.
Scope note | Covers wrong credentials and their effect on failed_login_count.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Anonymous User | Submit wrong username/password | Validate request is sent.
2 | System | Validate format and look up normalized username | If the user exists, prepare the password check.
3 | System | Password mismatch or username does not exist | Deny login with generic message.
4 | System | Increment failed_login_count if a user matches | May trigger lockout/captcha.
5 | System | Log LoginAttempt Failed | Audit has result Failed and failure_reason.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
Submit invalid credential | Yes | No | No | No | No | No | Public endpoint.
Increment failed count | No | No | No | No | No | Yes | If an account matches.
View failure reason | No | No | No | No | No | Yes | UI shows only the generic message.
View audit | No | No | No | HR Admin | Global Admin | Yes | Per admin/report permissions, TBC.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Wrong password for existing user | POST /validate | Password hash compare fails | HTTP 401; UI Invalid credentials (D-02) | BR-AUTH-005 | High | TC-US-AUTH-006-001
AC-02 | Username does not exist | POST /validate | Lookup fails | HTTP 401; UI Invalid credentials, no account enumeration (D-02) | BR-AUTH-005 | High | TC-US-AUTH-006-002
AC-03 | Failed count increments | Wrong password for Enabled account | System increments failed_login_count | failed_login_count +1 and LoginAttempt Failed | BR-AUTH-008 | High | TC-US-AUTH-006-003
AC-04 | Threshold reached | Failed count reaches 5 | System applies policy | Account locked for 30 minutes (D-03) and captcha required on the next attempt (D-04) | BR-AUTH-008/009 | High | TC-US-AUTH-006-004
AC-05 | Validation missing field | Username/password missing | Required validation | HTTP 422, failed_login_count not incremented | R5 validation 422 | Medium | TC-US-AUTH-006-005

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | 5 failed attempts concurrently | Concurrency | P0 | failed_login_count and lockout update atomically | DB before/after
E2 | Repeated non-existent username | Security | P1 | Generic 401, log username_submitted, do not create a UserAccount | API + DB
E3 | Global Admin failed attempts | Security | P1 | D-03 exception TBC: do not lock Global Admin, still log attempts | DB + log
E4 | Failed audit write | Security | P1 | Auth denial still happens; audit failure logged for ops [TBC] | Log
E5 | Already-locked user keeps submitting | Security | P0 | Return 423, do not reset lockout | API

5. GHERKIN SCENARIOS

GH-US-AUTH-006-001 Happy path error

Scenario: Wrong password is denied
  Given UserAccount "admin" is Enabled and not locked
  When Anonymous User submits username "admin" and an incorrect password
  Then the system returns HTTP 401
  And the UI displays "Invalid credentials" according to D-02

GH-US-AUTH-006-002 Security

Scenario: Unknown username does not reveal account existence
  Given no UserAccount exists for username "unknown"
  When Anonymous User submits username "unknown" and any password
  Then the system returns HTTP 401
  And the UI displays the same "Invalid credentials" message

GH-US-AUTH-006-003 Edge case

Scenario: Fifth failed attempt triggers security policy
  Given UserAccount "employee1" has 4 consecutive failed login attempts
  When Anonymous User submits a wrong password
  Then the system records the fifth failed attempt
  And the account is locked for 30 minutes according to D-03
  And captcha is required on the next login according to D-04

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-006-001 | Should failed attempts for non-existent usernames be rate-limited per IP? | Brute-force protection | P1 | Security Lead | TBC
OQ-US-AUTH-006-002 | Does a Global Admin failed attempt increment the counter if no lock applies? | Test policy | P2 | Security Lead | TBC
OQ-US-AUTH-006-003 | Does an audit write failure block the response? | Reliability | P1 | Tech Lead | TBC

7. DEFINITION OF DONE


US-AUTH-007: Login with demo credential

AS A Anonymous User
I WANT TO log in with the demo credential admin / admin123
SO THAT the training class can access the OrangeHRM demo


0. MODE SELECTION

Item | Value
Selected mode | STANDARD
Reason for mode | Training credential has its own rule (D-11); has auth impact but a narrow scope.
Scope note | Applies only to the training/demo environment.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Anonymous User | Enter admin and admin123 | Demo credential is submitted.
2 | System | Validate against demo credential | If the environment supports it, the credential is valid (D-11).
3 | System | Apply remaining policies | Check status, OTP, expiry, role redirect.
4 | System | Redirect | User lands according to role.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
Submit demo credential | Yes | No | No | No | No | No | Public demo only.
Accept demo credential | No | No | No | No | No | Yes | Per D-11.
Access after login | No | By role | By role | By role | By role | Yes | Per assigned role.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Correct demo credential | Submit admin/admin123 | System validates demo credential | Login accepted in the training environment (D-11) | BR-AUTH-003 | High | TC-US-AUTH-007-001
AC-02 | Demo username with different casing | Submit ADMIN/admin123 | Normalize username | Login accepted if it is the same account per D-01/D-11 | D-01/D-11 | Medium | TC-US-AUTH-007-002
AC-03 | Wrong demo password | Submit admin/wrong | Password validation fails | HTTP 401; Invalid credentials (D-02) | BR-AUTH-005 | High | TC-US-AUTH-007-003
AC-04 | Demo account disabled | Demo account status Disabled | System checks status | Deny login per D-12 | D-12 | High | TC-US-AUTH-007-004

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Public demo data reset | Data | P1 | Instructor verifies the credential before the session | Login evidence
E2 | Correct demo credential but 2FA enabled | Security | P1 | Show OTP Required per D-08 | UI
E3 | Correct demo credential but expired password | Security | P1 | Redirect to change password, except Global Admin, per D-05 | UI
E4 | Demo disabled | Security | P0 | Deny with generic 401 per D-12 | API

5. GHERKIN SCENARIOS

GH-US-AUTH-007-001 Happy path

Scenario: Login with demo credential
  Given the training environment supports demo credential D-11
  When Anonymous User submits username "admin" and password "admin123"
  Then the system accepts the credential
  And applies OTP, expiry, and role redirect policies

GH-US-AUTH-007-002 Error

Scenario: Demo password is incorrect
  Given username "admin" exists
  When Anonymous User submits password "wrong"
  Then the system returns HTTP 401
  And the UI displays "Invalid credentials"

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-007-001 | Is the demo account role in the test data Global Admin or HR Admin? | Affects expected redirect | P1 | Instructor | TBC
OQ-US-AUTH-007-002 | Is the demo credential enabled in the local training build? | Affects test setup | P1 | Instructor | TBC

7. DEFINITION OF DONE


US-AUTH-008: Display invalid credentials message

AS A Anonymous User
I WANT TO see an Invalid credentials message when login fails
SO THAT I understand the login failed without the system disclosing account information


0. MODE SELECTION

Item | Value
Selected mode | HIGH_RISK
Reason for mode | Error disclosure in auth carries user enumeration risk.
Scope note | Covers the UI/API message for invalid credentials and the generic denial for disabled/terminated accounts.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Anonymous User | Submit wrong credential | System validates and denies.
2 | System | Choose generic error | Do not disclose username/password/account state.
3 | System | Return response | HTTP 401 and message Invalid credentials.
4 | Anonymous User | View error | Knows to retry the credential.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
View generic login error | Yes | No | No | No | No | No | Public UI.
View internal failure reason | No | No | No | HR Admin TBC | Global Admin TBC | Yes | Not shown on the login UI.
Log failure reason | No | No | No | No | No | Yes | Audit/internal only.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Wrong password | Submit existing username + wrong password | Credential fail | HTTP 401; UI Invalid credentials (D-02) | BR-AUTH-005 | High | TC-US-AUTH-008-001
AC-02 | Unknown username | Submit unknown username | Account lookup fail | HTTP 401; same UI Invalid credentials (D-02) | BR-AUTH-005 | High | TC-US-AUTH-008-002
AC-03 | Disabled account | Submit valid credential for Disabled account | Account status deny | HTTP 401; UI Invalid credentials (D-12) | BR-AUTH-010 | High | TC-US-AUTH-008-003
AC-04 | Required field | Submit empty username/password | Field validation | HTTP 422; field message Required, not generic credential | R5 validation 422 | Medium | TC-US-AUTH-008-004
AC-05 | Internal reason stored | Login denied | System records failure_reason internally | User-visible response still generic | Security/audit | Medium | TC-US-AUTH-008-005

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Unknown username vs wrong password timing | Security | P1 | Responses should not materially expose account existence [TBC] | Timing test
E2 | Disabled account | Security | P0 | Generic Invalid credentials | API
E3 | Terminated employee linked account | Security | P0 | Generic Invalid credentials | API
E4 | Localization missing | Data | P2 | Default English Invalid credentials displayed | UI
E5 | Error banner overlaps fields | Boundary | P2 | Error visible, accessible, no overlap | Screenshot

5. GHERKIN SCENARIOS

GH-US-AUTH-008-001 Happy path error

Scenario: Wrong password shows generic invalid credentials
  Given UserAccount "admin" exists
  When Anonymous User submits username "admin" with an incorrect password
  Then the system returns HTTP 401
  And the login page displays "Invalid credentials" according to D-02

GH-US-AUTH-008-002 Security

Scenario: Disabled account does not reveal disabled status
  Given UserAccount "user1" has status Disabled
  When Anonymous User submits the correct password
  Then the system returns HTTP 401
  And the login page displays "Invalid credentials" according to D-12
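The decision rules spread over US-AUTH-003 to US-AUTH-008 (required-field 422 before any lookup, case-insensitive username lookup D-01, the single generic denial for wrong password, unknown username and disabled account D-02/D-12, failed_login_count with the 5-attempt / 30-minute lockout D-03 and captcha flag D-04, 423 for an already-locked account, and the LoginAttempt audit record) as one executable reference model. This is an added example, not OrangeHRM code; PBKDF2 hashing, the in-memory store, and the handling of the TBC points (dummy hash for unknown usernames, counter reset after lock expiry, 422 not audited) are assumptions marked in the comments.

```python
# Added example (not OrangeHRM code): reference model of the login rules in US-AUTH-003 to US-AUTH-008.
# Assumed: PBKDF2-SHA256 password hashing, an in-memory account store, and the TBC handling noted below.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_USERNAME = 40                       # US-AUTH-002 AC-01
MAX_PASSWORD = 64                       # US-AUTH-002 AC-02
LOCKOUT_THRESHOLD = 5                   # US-AUTH-006 AC-04 / D-03
LOCKOUT_MINUTES = 30                    # D-03
GENERIC_DENIAL = "Invalid credentials"  # D-02 / D-12: one message for every credential denial
DENIED = {"status": 401, "code": "INVALID_CREDENTIALS", "message": GENERIC_DENIAL}

@dataclass
class UserAccount:
    username: str                        # stored normalized (lower-case), D-01
    salt: bytes
    password_hash: bytes
    status: str = "Enabled"
    employee_terminated: bool = False
    failed_login_count: int = 0
    locked_until: Optional[datetime] = None
    captcha_required: bool = False

@dataclass
class LoginAttempt:
    username_submitted: str
    result: str                     # "Success" or "Failed"
    failure_reason: Optional[str]   # internal only, never returned to the client
    attempted_at: datetime

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed scheme; the page only states that the raw password is never stored or logged.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_account(username: str, password: str, **fields) -> UserAccount:
    salt = secrets.token_bytes(16)
    return UserAccount(username.strip().lower(), salt, hash_password(password, salt), **fields)

class AuthService:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}   # keyed by normalized username (D-01)
        self.audit = []                                      # LoginAttempt records
        # Dummy hash so an unknown username costs the same hash work as a wrong password
        # (timing equalization is OQ-US-AUTH-008-001, TBC; assumed here).
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = hash_password(secrets.token_hex(8), self._dummy_salt)

    def _log(self, username, result, reason, now):
        self.audit.append(LoginAttempt(username, result, reason, now))

    def validate(self, username, password, now=None):
        now = now or datetime.now(timezone.utc)
        errors = {}
        # Required / max-length checks return 422 (R5) before any account lookup: no counter
        # change and no LoginAttempt (OQ-US-AUTH-003-001 TBC; assumed not logged).
        if username is None or username.strip() == "":   # whitespace-only counts as empty (E1)
            errors["username"] = "Required"
        elif len(username) > MAX_USERNAME:
            errors["username"] = "Max length exceeded"   # exact wording TBC (OQ-US-AUTH-002-001)
        if password is None or password.strip() == "":   # trim only for the empty check (OQ-US-AUTH-003-002 TBC)
            errors["password"] = "Required"
        elif len(password) > MAX_PASSWORD:
            errors["password"] = "Max length exceeded"
        if errors:
            return {"status": 422, "errors": errors}

        account = self.accounts.get(username.strip().lower())  # D-01: case-insensitive lookup
        if account is None:
            hmac.compare_digest(hash_password(password, self._dummy_salt), self._dummy_hash)
            self._log(username, "Failed", "UNKNOWN_USERNAME", now)
            return dict(DENIED)                          # same response as a wrong password (D-02)

        if account.locked_until is not None:
            if account.locked_until > now:               # US-AUTH-006 E5: 423, lockout is not reset
                self._log(username, "Failed", "ACCOUNT_LOCKED", now)
                return {"status": 423, "code": "ACCOUNT_LOCKED"}
            account.locked_until = None                  # assumed: counter resets once the lock expires
            account.failed_login_count = 0

        if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
            account.failed_login_count += 1              # BR-AUTH-008; must be atomic in a real store (E1)
            if account.failed_login_count >= LOCKOUT_THRESHOLD:
                account.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)  # D-03
                account.captcha_required = True                                  # D-04
            self._log(username, "Failed", "PASSWORD_MISMATCH", now)
            return dict(DENIED)

        if account.status != "Enabled" or account.employee_terminated:
            self._log(username, "Failed", "ACCOUNT_DISABLED", now)
            return dict(DENIED)                          # D-12: disabled looks exactly like a wrong password

        account.failed_login_count = 0
        self._log(username, "Success", None, now)
        return {"status": 200, "username": account.username}
```

Each validate call returns the status code and body the spec expects for that branch, so the Gherkin scenarios above can be checked against it directly by asserting on the returned dict and on the account and audit state.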

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-008-001 | Is timing equalization needed for unknown username vs wrong password? | Security test | P1 | Security Lead | TBC
OQ-US-AUTH-008-002 | Can HR Admin view failure_reason in the admin UI? | Admin support scope | P2 | PO | TBC

7. DEFINITION OF DONE


US-AUTH-009: Redirect Admin after login

AS A HR Admin or Global Admin
I WANT TO be redirected to the Admin module after a successful login
SO THAT I land in the administration area I am authorized for


0. MODE SELECTION

Item | Value
Selected mode | HIGH_RISK
Reason for mode | Role-based redirect and admin access are RBAC/security-sensitive.
Scope note | Covers the redirect after a valid session/OTP, not the Admin module content.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | HR Admin/Global Admin | Login succeeds | System has user_account_id.
2 | System | Load UserRoleAssignment | Admin role is identified.
3 | System | Resolve landing | Target is the Admin module (D-10).
4 | System | Redirect | Admin enters the Admin module with an Active session.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
Admin landing redirect | No | No | No | Yes | Yes | Yes | Per D-10.
Access Admin module | No | No | No | Yes | Yes | Yes | Protected endpoint/page.
View HR Administration | No | No | No | Yes | Yes | No | Permission matrix.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | HR Admin login success | Credential accepted | System detects HR Admin role | Redirect to Admin module (D-10) | BR-AUTH-014 | High | TC-US-AUTH-009-001
AC-02 | Global Admin login success | Credential accepted | System detects Global Admin role | Redirect to Admin module (D-10) | BR-AUTH-014 | High | TC-US-AUTH-009-002
AC-03 | Employee role does not get the admin redirect | Employee login success | System detects ESS role | Redirect My Info, not Admin module (D-10) | BR-AUTH-014 | High | TC-US-AUTH-009-003
AC-04 | Admin module direct access without session | Anonymous User opens Admin URL | System checks session | HTTP 401 or redirect login | Auth required | High | TC-US-AUTH-009-004
AC-05 | Role lookup failure | Admin login success but role service fails | System fails closed | No unauthorized Admin access; return 500 or Dashboard [TBC] | Security | High | TC-US-AUTH-009-005

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | User has both HR Admin and ESS | Permission | P1 | Admin role takes admin landing [TBC] | Role setup + redirect
E2 | Role assignment missing | Data | P1 | Redirect Dashboard per D-10 | UI
E3 | Session expires during redirect | Security | P1 | Redirect login, no Admin access | Network trace
E4 | Unauthorized direct Admin URL | Permission | P0 | 401/403, no admin data | Response
E5 | Role service unavailable | Network | P0 | Fail closed | Logs

5. GHERKIN SCENARIOS

GH-US-AUTH-009-001 Happy path

Scenario: HR Admin is redirected to Admin module
  Given HR Admin has a valid credential and assigned admin role
  When the user completes login
  Then the system redirects the user to the Admin module according to D-10
  And the session status is Active

GH-US-AUTH-009-002 Security

Scenario: Employee cannot access Admin module directly
  Given Employee User has no admin role
  When the user opens an Admin module URL
  Then the system denies access with HTTP 403 or redirects according to auth policy
  And no admin data is returned

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-009-001 | If a user has multiple roles, which role determines the landing? | Expected redirect | P1 | PO | TBC
OQ-US-AUTH-009-002 | Should role lookup failure return 500 or fall back to Dashboard? | Security behavior | P1 | Tech Lead | TBC

7. DEFINITION OF DONE


US-AUTH-010: Redirect ESS after login

AS A Employee User
I WANT TO be redirected to My Info after a successful login
SO THAT I land in my own self-service area


0. MODE SELECTION

Item | Value
Selected mode | HIGH_RISK
Reason for mode | Role-based redirect and session access involve RBAC/ABAC.
Scope note | Covers ESS landing, not the details of the My Info module.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Employee User | Login succeeds | Active session is created.
2 | System | Load role assignment | ESS/Employee role is identified.
3 | System | Resolve landing | Target is My Info (D-10).
4 | Employee User | Enter My Info | Sees only data allowed by self-service permissions.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
ESS landing redirect | No | Yes | TBC | No | No | Yes | Employee -> My Info per D-10.
Access own My Info | No | Yes | Yes | Yes | Yes | No | Per permission matrix / other module.
Access Admin module | No | No | No | Yes | Yes | No | Employee is denied.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Employee login success | Credential accepted | System detects ESS/Employee role | Redirect to My Info (D-10) | BR-AUTH-014 | High | TC-US-AUTH-010-001
AC-02 | Employee tries Admin URL | Employee Active session opens Admin URL | System enforces RBAC | HTTP 403, no admin data | Permission matrix | High | TC-US-AUTH-010-002
AC-03 | Password expired | Employee valid credential, expired password | System checks expiry before landing | Redirect to change password (D-05) | BR-AUTH-007 | High | TC-US-AUTH-010-003
AC-04 | OTP required | Password valid and 2FA enabled | System requires OTP before landing | OTP screen, no My Info until verified (D-08) | BR-AUTH-013 | High | TC-US-AUTH-010-004

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Employee role missing | Data | P1 | Redirect Dashboard per D-10 | UI
E2 | Employee terminated | Security | P0 | Deny login with generic 401 per D-12 | API
E3 | Session expired before My Info | Security | P1 | Redirect login | Network
E4 | Multiple roles Employee + Supervisor | Permission | P2 | Landing target TBC | Role setup
E5 | My Info dependency unavailable | Network | P2 | Auth session remains, target page handles error [TBC] | UI

5. GHERKIN SCENARIOS

GH-US-AUTH-010-001 Happy path

Scenario: Employee is redirected to My Info
  Given Employee User has a valid credential and ESS role
  When the user completes login
  Then the system redirects the user to My Info according to D-10
  And the session status is Active

GH-US-AUTH-010-002 Security

Scenario: Employee cannot open Admin module
  Given Employee User has an Active session and no admin role
  When the user opens an Admin module URL
  Then the system returns HTTP 403
  And no admin data is displayed

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-010-001 | Does a Supervisor land on My Info or Dashboard? | Affects shared role logic | P2 | PO | TBC
OQ-US-AUTH-010-002 | What is the multiple-role priority for ESS + Supervisor? | Redirect test | P2 | PO | TBC

7. DEFINITION OF DONE


US-AUTH-011: Redirect to Dashboard when no role is assigned

AS A Authenticated User
I WANT TO be redirected to Dashboard when no role is assigned to me
SO THAT I still have a default landing page with limited permissions


0. MODE SELECTION

Item | Value
Selected mode | STANDARD
Reason for mode | Role fallback has RBAC impact, but the scope is narrow and the default is already clear (D-10).
Scope note | Does not define Dashboard permissions in detail.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Authenticated User | Logs in successfully | System has the user account.
2 | System | Look up role assignment | No role found.
3 | System | Apply fallback | Redirect to Dashboard (D-10).
4 | System | Enforce limited permission | User cannot enter modules that require a role.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | No-role User | System
Dashboard landing | No | Yes | Yes | Yes | Yes | Yes | Yes
Admin access | No | No | No | Yes | Yes | No | Yes
My Info access | No | Yes | TBC | TBC | TBC | TBC | Yes

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | User login success without role | Role lookup returns empty | System applies fallback | Redirect Dashboard (D-10) | BR-AUTH-014 | High | TC-US-AUTH-011-001
AC-02 | No-role user opens Admin | Active session with no role opens Admin | System checks permission | HTTP 403 | Permission matrix | High | TC-US-AUTH-011-002
AC-03 | Role lookup error | Role service fails | System does not grant admin/ESS | Fail closed or Dashboard TBC | Security | Medium | TC-US-AUTH-011-003
AC-04 | Session expired | No-role user inactivity timeout | System expires session | Redirect login (D-09) | Session timeout | Medium | TC-US-AUTH-011-004

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Empty role assignment | Data | P1 | Dashboard fallback | UI
E2 | Corrupt role assignment | Data | P1 | Fail closed, no privileged access | DB/API
E3 | Direct protected URL | Permission | P0 | 403 | Response
E4 | Dashboard unavailable | Network | P2 | Auth remains active; page handles error [TBC] | UI

5. GHERKIN SCENARIOS

GH-US-AUTH-011-001 Happy path

Scenario: User without role is redirected to Dashboard
  Given a valid UserAccount has no UserRoleAssignment
  When the user completes login
  Then the system redirects the user to Dashboard according to D-10

GH-US-AUTH-011-002 Security

Scenario: User without role cannot access Admin module
  Given a no-role user has an Active session
  When the user opens an Admin URL
  Then the system returns HTTP 403
  And no admin data is returned
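The landing logic that US-AUTH-009, US-AUTH-010 and US-AUTH-011 describe (admin landing, My Info for ESS, Dashboard fallback when no role is assigned, fail closed when the role service is unavailable) can be checked as a single pure function. The following is an added example written for this document; it is not OrangeHRM code. The role names mirror the permission matrix above, the landing targets follow D-10 as stated in the stories, and two points the open questions leave TBC are taken as assumptions: an admin role outranks ESS when a user holds both (OQ-US-AUTH-009-001), and a role lookup failure yields a 500 with no landing rather than a Dashboard fallback (OQ-US-AUTH-009-002). The role store `SAMPLE_ROLES` and the `sample_lookup` function are constructed test data.

```python
"""Role-based landing resolution with a fail-closed role lookup (D-10).

Added example, not OrangeHRM code. Assumptions are marked in comments.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Sequence


class RoleLookupError(Exception):
    """Raised by the role service when assignments cannot be read."""


ADMIN_ROLES = {"HR Admin", "Global Admin"}
ESS_ROLES = {"Employee", "ESS"}


@dataclass(frozen=True)
class LandingDecision:
    status: int             # HTTP status the login controller emits
    target: Optional[str]   # "Admin" | "My Info" | "Dashboard" | None when failed closed
    admin_granted: bool     # whether this session may reach the Admin module


def resolve_landing(roles: Sequence[str]) -> LandingDecision:
    """Pure mapping from a role set to the D-10 landing target."""
    role_set = set(roles)
    if role_set & ADMIN_ROLES:
        # Assumption: admin role wins when the user also holds ESS (E1 of US-AUTH-009).
        return LandingDecision(302, "Admin", True)
    if role_set & ESS_ROLES:
        return LandingDecision(302, "My Info", False)
    # Empty or unrecognised assignment: Dashboard fallback with limited permissions.
    return LandingDecision(302, "Dashboard", False)


def landing_after_login(user_id: str,
                        lookup: Callable[[str], Sequence[str]]) -> LandingDecision:
    """Calls the role service and fails closed when it errors."""
    try:
        roles = lookup(user_id)
    except RoleLookupError:
        # Assumption for OQ-US-AUTH-009-002: never guess a landing when roles are unknown.
        return LandingDecision(500, None, False)
    return resolve_landing(roles)


def admin_url_status(decision: LandingDecision) -> int:
    """Status for a direct Admin URL request under this decision (403 when denied)."""
    return 200 if decision.admin_granted else 403


# Constructed sample role store standing in for the role service.
SAMPLE_ROLES = {
    "hr.admin": ["HR Admin"],
    "emp.one": ["Employee"],
    "both": ["Employee", "HR Admin"],
    "no.role": [],
}


def sample_lookup(user_id: str) -> Sequence[str]:
    """Constructed lookup: the user id "broken" simulates a role service outage."""
    if user_id == "broken":
        raise RoleLookupError("role service unavailable")
    return SAMPLE_ROLES.get(user_id, [])


if __name__ == "__main__":
    for uid in ("hr.admin", "emp.one", "both", "no.role", "broken"):
        d = landing_after_login(uid, sample_lookup)
        print(uid, d.status, d.target, "admin-url:", admin_url_status(d))
```

`resolve_landing` is kept free of I/O so each row of the access-control matrix can be asserted directly; `landing_after_login` is the only place that talks to the role service, which keeps the fail-closed branch in one spot.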

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-011-001 | Which widgets does the no-role Dashboard contain? | UAT scope | P2 | PO | TBC
OQ-US-AUTH-011-002 | Is a technical role lookup error handled differently from an empty role? | Security behavior | P1 | Tech Lead | TBC

7. DEFINITION OF DONE


US-AUTH-028: Validate a valid OTP

AS A Anonymous User
I WANT TO enter a valid OTP after the correct password
SO THAT I complete two-factor authentication and enter OrangeHRM


0. MODE SELECTION

Item | Value
Selected mode | HIGH_RISK
Reason for mode | Complexity L, 2FA, secret key, session gate, security-sensitive.
Scope note | Covers valid OTP validation; 2FA device setup is out of scope.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Anonymous User | Submit valid username/password | System creates OTP Required state (D-08).
2 | Anonymous User | Enter otp_code | OTP validation request is sent.
3 | System | Load active TwoFactorAuthDevice | Secret is valid and device is Active.
4 | System | Validate OTP | OTP is correct and not expired.
5 | System | Mark OTP verified | Create/complete AuthSession and role redirect.
6 | System | Log verification | last_verified_at is updated.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
Submit OTP challenge | Yes | No | No | No | No | No | User is not yet fully authenticated.
Read secret_key | No | No | No | No | No | Yes | Secret is confidential.
Verify OTP | No | No | No | No | No | Yes | Per active device.
Create full AuthSession | No | No | No | No | No | Yes | After valid OTP.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Valid OTP | Submit correct otp_code for active challenge | System validates TOTP/OTP | OTP accepted; session Active; redirect by role (D-08/D-10) | BR-AUTH-013/014 | High | TC-US-AUTH-028-001
AC-02 | Missing OTP | Submit empty otp_code | System validates required field | HTTP 422; OTP code is required | R5 validation 422 | High | TC-US-AUTH-028-002
AC-03 | Device inactive | Correct OTP but device Disabled | System denies verification | HTTP 401; OTP failed, no full session | Device status | High | TC-US-AUTH-028-003
AC-04 | OTP replay | Submit same OTP after verified/used window | System detects invalid/replay [TBC] | Deny OTP; no duplicate session | Security | High | TC-US-AUTH-028-004
AC-05 | OTP success audit | OTP accepted | System updates last_verified_at | TwoFactorAuthDevice.last_verified_at updated | Audit/security | Medium | TC-US-AUTH-028-005
AC-06 | Authenticator dependency unavailable | Verify OTP while dependency/service fails | System cannot validate | HTTP 503 DEPENDENCY_UNAVAILABLE [TBC] | Dependency handling | High | TC-US-AUTH-028-006

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | OTP expired | Security | P0 | Deny OTP, no full session | API + session DB
E2 | OTP wrong repeatedly | Security | P0 | Deny; failed challenge count/rate limit TBC | API + log
E3 | No active device | Data | P0 | Deny or fallback TBC, no 2FA bypass | API
E4 | Clock drift | Boundary | P1 | Accept/deny per tolerance TBC | Time-based test
E5 | Concurrent valid OTP submits | Concurrency | P1 | Only one session/challenge is accepted [TBC] | Session DB
E6 | Raw otp_code logging | Security | P0 | Do not log raw OTP | Log review

5. GHERKIN SCENARIOS

GH-US-AUTH-028-001 Happy path

Scenario: Valid OTP completes two-factor authentication
  Given Anonymous User has passed password validation
  And the user has an Active TwoFactorAuthDevice
  When the user submits a valid otp_code
  Then the system verifies OTP according to D-08
  And creates an Active session
  And redirects the user according to D-10

GH-US-AUTH-028-002 Error

Scenario: Missing OTP is rejected
  Given Anonymous User is on OTP Verification screen
  When the user submits an empty otp_code
  Then the system returns HTTP 422
  And the UI displays "OTP code is required"

GH-US-AUTH-028-003 Security

Scenario: Disabled OTP device cannot verify login
  Given the user's TwoFactorAuthDevice status is Disabled
  When the user submits an OTP generated from that device
  Then the system denies verification
  And no full authenticated session is created
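The checks US-AUTH-028 lists (required otp_code, device must be Active, correct and unexpired code, replay denied, last_verified_at updated, raw OTP never logged) map onto a small TOTP verifier. The block below is an added example for this document, not OrangeHRM code. It implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 and 6 digits, and it fixes three points the page leaves open as assumptions: a drift tolerance of one 30-second step either side (OQ-US-AUTH-028-001 is TBC), replay protection by remembering the last accepted counter in a `last_used_counter` field that the page's TwoFactorAuthDevice does not define (AC-04 is TBC), and the secret handled as raw bytes. The secret in the `__main__` demo is the RFC 4226 test key, used only as constructed input.

```python
"""TOTP verification gate for the OTP Required state (D-08).

Added example, not OrangeHRM code. Assumptions are marked in comments.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

STEP_SECONDS = 30   # RFC 6238 default time step
DRIFT_STEPS = 1     # assumed tolerance of +/- one step (OQ-US-AUTH-028-001 is TBC)
DIGITS = 6


@dataclass
class TwoFactorAuthDevice:
    secret_key: bytes                        # confidential: never logged or returned
    status: str                              # "Active" or "Disabled"
    last_verified_at: Optional[int] = None   # AC-05: set on successful verification
    last_used_counter: Optional[int] = None  # assumed field for replay protection (AC-04)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_otp(device: TwoFactorAuthDevice, otp_code: str, now: int) -> Tuple[int, str]:
    """Returns (http_status, message) for one OTP challenge submission.

    422 when the code is missing (AC-02), 401 when the device is not Active (AC-03)
    or the code is rejected, 200 when accepted. A full AuthSession may only be
    created by the caller on 200.
    """
    if not otp_code:
        return 422, "OTP code is required"
    if device.status != "Active":
        return 401, "OTP failed"
    current = now // STEP_SECONDS
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        counter = current + delta
        # Replay check (AC-04): a counter at or before the last accepted one is never reusable.
        if device.last_used_counter is not None and counter <= device.last_used_counter:
            continue
        # Constant-time compare on bytes; the submitted code is never written to a log (E6).
        expected = hotp(device.secret_key, counter).encode("ascii")
        if hmac.compare_digest(expected, otp_code.encode("utf-8")):
            device.last_used_counter = counter
            device.last_verified_at = now    # AC-05 audit field
            return 200, "OTP accepted"
    return 401, "OTP failed"


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test key; not a production secret.
    demo = TwoFactorAuthDevice(secret_key=b"12345678901234567890", status="Active")
    now = 59
    code = totp(demo.secret_key, now)
    print(verify_otp(demo, code, now))   # accepted
    print(verify_otp(demo, code, now))   # same code again: replay, denied
```

Because the replay check advances `last_used_counter` to whichever step was accepted, a code accepted from the +1 drift window also blocks the current step's code, which is the conservative behaviour RFC 6238 recommends. The 503 path for an unavailable authenticator dependency (AC-06) is left to the caller, since it depends on how the device is loaded.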

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-028-001 | What are the OTP expiry window and the clock drift tolerance? | Test OTP valid/expired | P1 | Security Lead | TBC
OQ-US-AUTH-028-002 | Is there a rate limit on failed OTP attempts? | Brute-force protection | P0 | Security Lead | TBC
OQ-US-AUTH-028-003 | If the user has no active device, what is the fallback? | Login availability | P1 | PO/Security Lead | TBC
OQ-US-AUTH-028-004 | Does an intermediate OTP challenge/session entity need to be added to the data model? | DB design | P1 | Tech Lead | TBC

7. DEFINITION OF DONE


US-AUTH-032: Logout active session

AS A Authenticated User
I WANT TO log out of the current session
SO THAT I end my OrangeHRM access safely


0. MODE SELECTION

Item | Value
Selected mode | HIGH_RISK
Reason for mode | Session security, protected access, audit.
Scope note | Covers own-session logout for Employee/Supervisor/HR Admin/Global Admin.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Authenticated User | Click Logout | POST /web/index.php/auth/logout is sent.
2 | System | Validate Active session | Session owner is valid.
3 | System | Mark session LoggedOut | AuthSession.status = LoggedOut.
4 | System | Redirect to login page | User can no longer access protected pages.
5 | System | Log logout event [TBC] | Audit trace exists if enabled.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
Logout own session | No | Yes | Yes | Yes | Yes | Yes | Auth required.
Logout other user session | No | No | No | TBC | TBC | Yes | ABAC session ownership.
Mark AuthSession LoggedOut | No | No | No | No | No | Yes | System-only.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Authenticated user logout | POST /logout with Active session | System validates session owner | Session status = LoggedOut; redirect login | BR-AUTH-016 | High | TC-US-AUTH-032-001
AC-02 | Protected access after logout | User opens protected page after logout | System checks session | HTTP 401/redirect login; no protected data | Session security | High | TC-US-AUTH-032-002
AC-03 | Logout without session | Anonymous POST /logout | System rejects | HTTP 401 or redirect login [TBC] | Auth required | Medium | TC-US-AUTH-032-003
AC-04 | Double logout | Same session logs out twice | System handles idempotently [TBC] | No reactivation; final state LoggedOut | Session consistency | Medium | TC-US-AUTH-032-004
AC-05 | Logout audit | Logout success | System records logout/security event [TBC] | Audit contains session/user/time | Audit | Medium | TC-US-AUTH-032-005

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Session already expired | Security | P1 | Redirect login; keep Expired or LoggedOut per policy TBC | DB
E2 | CSRF/missing token | Security | P0 | Reject logout request if CSRF required [TBC] | API
E3 | Concurrent logout and protected call | Concurrency | P1 | Protected call after logout must fail | Trace
E4 | Audit write fail | Security | P1 | Logout still invalidates session; audit failure visible to ops [TBC] | Log
E5 | Logout other session | Permission | P0 | Deny unless admin session management approved | API

5. GHERKIN SCENARIOS

GH-US-AUTH-032-001 Happy path

Scenario: Authenticated user logs out
  Given Employee User has an Active session
  When the user posts to "/web/index.php/auth/logout"
  Then the system marks the AuthSession as LoggedOut
  And redirects the user to the login page

GH-US-AUTH-032-002 Security

Scenario: Logged out session cannot access protected page
  Given Employee User has logged out
  When the same session requests a protected OrangeHRM page
  Then the system returns HTTP 401 or redirects to login
  And no protected data is returned

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-032-001 | Does logout require a CSRF token? | Security/API test | P1 | Tech Lead | TBC
OQ-US-AUTH-032-002 | Is double logout expected to be idempotent or to return 401? | Test expected | P2 | PO/Tech Lead | TBC
OQ-US-AUTH-032-003 | Is an audit log mandatory for the logout event? | Audit DoD | P2 | Security Lead | TBC

7. DEFINITION OF DONE


US-AUTH-033: Expire session after inactivity

AS A System
I WANT TO expire the session when the user is inactive beyond the timeout
SO THAT OrangeHRM reduces the risk of access through an abandoned session


0. MODE SELECTION

Item | Value
Selected mode | HIGH_RISK
Reason for mode | Session security, protected access, inactivity timeout.
Scope note | Timeout duration is configurable and must be confirmed (D-09).

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Authenticated User | No activity | last_activity_at is not updated.
2 | System | Check on next request or by scheduler | Compare now with expires_at/timeout.
3 | System | Timeout reached | Mark AuthSession Expired.
4 | System | Deny protected access | Redirect login / session expired state.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System | Notes
Maintain active session | No | Yes | Yes | Yes | Yes | Yes | While not yet timed out.
Expire inactive session | No | No | No | No | No | Yes | System-only.
Access after expiry | No | No | No | No | No | No | Must deny.

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Session inactive beyond timeout | Next request after inactivity | System compares last_activity_at/expires_at | AuthSession.status = Expired; redirect login (D-09) | Session timeout | High | TC-US-AUTH-033-001
AC-02 | Protected API after timeout | Expired session calls protected API | System denies | HTTP 401, no protected data | Auth required | High | TC-US-AUTH-033-002
AC-03 | Admin session timeout | HR Admin/Global Admin inactive | Same timeout policy | Admin session expires (D-09) | D-09 | High | TC-US-AUTH-033-003
AC-04 | Active request before timeout | User activity before expires_at | System updates activity | Session remains Active | Activity update | Medium | TC-US-AUTH-033-004
AC-05 | Timeout config missing | Security config unavailable | System uses safe default [TBC] | No unlimited session | Security config | Medium | TC-US-AUTH-033-005

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Server clock skew | Boundary | P1 | Timeout calculation consistent using server time | Logs
E2 | Concurrent request at expiry boundary | Concurrency | P1 | Deterministic session state, no unauthorized access | Trace
E3 | Session already LoggedOut | Security | P1 | Remains LoggedOut, not Expired-to-Active | DB
E4 | Config value null/invalid | Data | P1 | Safe default or fail closed [TBC] | Config test
E5 | Remember-me absent | Security | P2 | No extended session introduced | UI/API

5. GHERKIN SCENARIOS

GH-US-AUTH-033-001 Happy path

Scenario: Inactive session expires
  Given Employee User has an Active session
  And the session last_activity_at is older than the configured timeout
  When the user requests a protected page
  Then the system marks the session as Expired according to D-09
  And redirects the user to the login page

GH-US-AUTH-033-002 Security

Scenario: Expired admin session cannot access Admin module
  Given HR Admin has an Expired session
  When the session requests the Admin module
  Then the system returns HTTP 401
  And no admin data is returned

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-033-001 | What is the exact timeout duration in minutes? | Test setup | P1 | Tech Lead | TBC
OQ-US-AUTH-033-002 | Is expiry handled lazily on request or by a scheduler? | Test approach | P2 | Tech Lead | TBC
OQ-US-AUTH-033-003 | What is the safe default when the config is invalid? | Security behavior | P1 | Security Lead | TBC

7. DEFINITION OF DONE


US-AUTH-034: Redirect to login when session expired

AS A Authenticated User
I WANT TO be taken back to the login page when my session has expired
SO THAT I know I need to log in again


0. MODE SELECTION

Item | Value
Selected mode | STANDARD
Reason for mode | UI/API behavior after timeout; security-relevant but dependent on US-AUTH-033.
Scope note | Does not compute the timeout; covers only redirect/message.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Authenticated User | Request protected page with an Expired session | Request is session-checked.
2 | System | Detect Expired session | Deny protected access.
3 | System | Redirect to login | Login page shows session expired message [TBC].
4 | User | Log in again | Login flow starts over.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System
Access protected page with Expired session | No | No | No | No | No | Enforce
View login again CTA | Yes | Yes | Yes | Yes | Yes | No
Reuse expired session | No | No | No | No | No | No

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Expired session opens protected UI | GET protected page | System detects Expired | Redirect login page (D-09) | Session timeout | High | TC-US-AUTH-034-001
AC-02 | Expired session calls protected API | API request | System rejects | HTTP 401, no protected payload | Auth required | High | TC-US-AUTH-034-002
AC-03 | Login page message | Redirect after expiry | System renders feedback | Shows Session expired or login again CTA [TBC] | UX note | Medium | TC-US-AUTH-034-003
AC-04 | User logs in again | Submit valid credential after expiry | System creates new session | New Active session, old remains Expired | Session consistency | High | TC-US-AUTH-034-004

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Expired session with stale CSRF token | Security | P1 | Redirect/401, no protected action | API
E2 | Browser back after expiry | Security | P1 | Cached protected page not usable for actions | Browser test
E3 | Multiple tabs | Concurrency | P2 | All protected requests from expired session fail | Trace
E4 | Message not configured | Data | P2 | Login page still displays normally | UI

5. GHERKIN SCENARIOS

GH-US-AUTH-034-001 Happy path

Scenario: Expired UI session redirects to login
  Given Employee User has an Expired session
  When the user opens a protected OrangeHRM page
  Then the system redirects the user to the login page according to D-09
  And no protected page content is displayed

GH-US-AUTH-034-002 Error

Scenario: Expired API session is unauthorized
  Given HR Admin has an Expired session
  When the session calls a protected API
  Then the system returns HTTP 401
  And the response does not include protected data

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-034-001 | What is the exact session expired message text? | UI test | P2 | UX/PO | TBC
OQ-US-AUTH-034-002 | What is the browser cache policy for protected pages? | Security test | P1 | Tech Lead | TBC

7. DEFINITION OF DONE


US-AUTH-035: Update session last activity

AS A System
I WANT TO update last_activity_at when the user has valid activity
SO THAT session timeout is computed accurately


0. MODE SELECTION

Item | Value
Selected mode | STANDARD
Reason for mode | Session DB update and timeout correctness, but not a separate UI action.
Scope note | Covers protected request activity tracking.

1. BUSINESS FLOW

Step | Actor/System | Action | Outcome
1 | Authenticated User | Calls protected page/API | Request carries a session.
2 | System | Validate session Active | Request is allowed.
3 | System | Update last_activity_at/expires_at | Timeout window is extended per config.
4 | System | Return protected response | User continues using the system.

2. ACCESS CONTROL - RBAC / ABAC

Data Field / Action | Anonymous User | Employee | Supervisor | HR Admin | Global Admin | System
Protected activity | No | Yes | Yes | Yes | Yes | Validate
Update last_activity_at | No | No | No | No | No | Yes
Update expired session activity | No | No | No | No | No | No

ABAC conditions:


3. ACCEPTANCE CRITERIA

AC ID | Scenario / Condition | Trigger | Processing Logic | Expected Result | Validation Rule | Test Priority | Test ID
AC-01 | Active session protected request | User requests protected page | System validates Active | last_activity_at updated to current server time | D-09 | High | TC-US-AUTH-035-001
AC-02 | expires_at refresh | Activity accepted | System recalculates expiry | expires_at = last_activity_at + timeout [TBC] | D-09 | Medium | TC-US-AUTH-035-002
AC-03 | Expired session request | Expired session sends request | System denies | HTTP 401; last_activity_at not updated | Session security | High | TC-US-AUTH-035-003
AC-04 | LoggedOut session request | LoggedOut session sends request | System denies | HTTP 401; status remains LoggedOut | Session security | High | TC-US-AUTH-035-004

4. EDGE CASES & ERROR HANDLING

# | Case | Type | Severity | Expected Behavior | Test Evidence
E1 | Concurrent requests | Concurrency | P2 | last_activity_at final value is the latest accepted request | DB
E2 | DB update failure | Data | P1 | Protected response TBC; failure logged | Log
E3 | Static asset request | Boundary | P2 | TBC whether it updates activity | Network
E4 | Server time skew | Boundary | P1 | Uses server time consistently | Logs

5. GHERKIN SCENARIOS

GH-US-AUTH-035-001 Happy path

Scenario: Active session activity is updated
  Given Employee User has an Active session
  When the user requests a protected page
  Then the system updates AuthSession.last_activity_at according to D-09
  And the protected page is returned

GH-US-AUTH-035-002 Error

Scenario: Expired session activity is not refreshed
  Given Employee User has an Expired session
  When the session requests a protected page
  Then the system returns HTTP 401
  And AuthSession.last_activity_at is not updated
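US-AUTH-032 through US-AUTH-035 together define one session state machine: Active, Expired and LoggedOut, with last_activity_at and expires_at driving inactivity timeout. The following added example, written for this document and not OrangeHRM code, puts the transitions those four stories require into one request gate so each acceptance criterion can be asserted against it. It uses integer Unix seconds from the server clock and takes positions on the points the stories leave TBC, marked as assumptions: expiry is evaluated lazily on each protected request (OQ-US-AUTH-033-002), expires_at slides forward on every accepted request (AC-02 of US-AUTH-035), a null or non-positive timeout falls back to 15 minutes (AC-05 of US-AUTH-033), double logout is idempotent (OQ-US-AUTH-032-002), and logging out an already Expired session leaves it Expired (E1 of US-AUTH-032).

```python
"""Session lifecycle gate: logout, inactivity expiry, activity refresh (D-09).

Added example, not OrangeHRM code. Assumptions are marked in comments.
"""
from dataclasses import dataclass
from typing import Optional

ACTIVE, EXPIRED, LOGGED_OUT = "Active", "Expired", "LoggedOut"
DEFAULT_TIMEOUT_SECONDS = 15 * 60   # assumed safe default; the session is never unlimited


@dataclass
class AuthSession:
    user_id: str
    status: str            # Active | Expired | LoggedOut
    last_activity_at: int  # Unix seconds, server clock
    expires_at: int        # Unix seconds, server clock


def effective_timeout(configured: Optional[int]) -> int:
    """Null, zero or negative config (E4 of US-AUTH-033) falls back to the safe default."""
    if configured is None or configured <= 0:
        return DEFAULT_TIMEOUT_SECONDS
    return configured


def deny_response(accepts_html: bool) -> int:
    """UI requests get a redirect to the login page, API calls a bare 401 (US-AUTH-034)."""
    return 302 if accepts_html else 401


def touch_session(session: AuthSession, now: int, timeout: int,
                  accepts_html: bool = False) -> int:
    """Gate for one protected request; returns the HTTP status to emit.

    The session is mutated in only two cases: an Active session past expires_at
    becomes Expired (AC-01 of US-AUTH-033), and a still-valid Active session has
    its activity refreshed (AC-01/AC-02 of US-AUTH-035). Expired and LoggedOut
    sessions are never touched (AC-03/AC-04 of US-AUTH-035).
    """
    if session.status == LOGGED_OUT:
        return deny_response(accepts_html)   # never re-activated (E3 of US-AUTH-033)
    if session.status == EXPIRED:
        return deny_response(accepts_html)   # no activity refresh on an expired session
    if now >= session.expires_at:
        session.status = EXPIRED             # lazy expiry on request (assumption)
        return deny_response(accepts_html)
    session.last_activity_at = now
    session.expires_at = now + timeout       # sliding window (assumption, AC-02 TBC)
    return 200


def logout(session: Optional[AuthSession]) -> int:
    """POST /web/index.php/auth/logout handling (US-AUTH-032)."""
    if session is None:
        return 401                           # AC-03: nothing to log out
    if session.status == ACTIVE:
        session.status = LOGGED_OUT          # AC-01: final state LoggedOut
    # Expired stays Expired and LoggedOut stays LoggedOut (assumed policy for E1/AC-04).
    return 302                               # redirect to the login page


if __name__ == "__main__":
    timeout = effective_timeout(None)        # constructed: config missing -> default
    s = AuthSession("emp.one", ACTIVE, last_activity_at=0, expires_at=timeout)
    print(touch_session(s, 100, timeout), s)             # 200, activity refreshed
    print(touch_session(s, 100 + timeout, timeout), s)   # 401, now Expired
    print(logout(s), s)                                  # 302, stays Expired
```

Keeping every status transition inside `touch_session` and `logout` means the evidence columns in the edge-case tables (DB state, trace) can be produced by inspecting one object before and after each call, which is also how the assertions for TC-US-AUTH-033-001 and TC-US-AUTH-035-003 would be written.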

6. OPEN QUESTIONS

ID | Question | Impact | Severity | Owner | Decision
OQ-US-AUTH-035-001 | Do static assets count as user activity? | Timeout behavior | P2 | Tech Lead | TBC
OQ-US-AUTH-035-002 | Does a DB activity update failure block the protected response? | Reliability | P1 | Tech Lead | TBC
OQ-US-AUTH-035-003 | Is expires_at refreshed on every request or computed from the runtime timeout config? | Test data | P2 | Tech Lead | TBC

7. DEFINITION OF DONE


BACKLOG STORIES - Should/Could US not yet written in full

US-AUTH-012: Navigate to forgot password

US-AUTH-013: Submit email for password reset

US-AUTH-014: Display account not found

US-AUTH-015: Open reset password with a valid token

US-AUTH-016: Save new password and confirm password

US-AUTH-017: Count consecutive failed logins

US-AUTH-018: Lock account after threshold

US-AUTH-019: Allow login again after lockout duration

US-AUTH-020: Show captcha after threshold

US-AUTH-021: Validate mandatory captcha

US-AUTH-022: Handle captcha service unavailable

US-AUTH-023: Detect expired password

US-AUTH-024: Redirect to change password

US-AUTH-025: Handle Global Admin exception for expiry

US-AUTH-026: Transition to OTP Required after valid password

US-AUTH-027: Enter OTP code

US-AUTH-029: Handle wrong or expired OTP

US-AUTH-030: Resend OTP or request a new code

US-AUTH-031: Record OTP verified in session


US COVERAGE (R6 - cross-checked against 01)

Metric | Count | Notes
Total US in 01-module-map | 35 | Matches Total Estimated US of 01.
US written in FULL template | 16 | All US under Must features: US-AUTH-001..011, US-AUTH-032..035; plus size-L US: US-AUTH-028.
US written as abbreviated BACKLOG | 19 | Remaining Should/Could US of size S/M.
US missed | 0 | None missed.

SELF-CHECK (Global Rules)