=== V1 Authentication & Security Tests ===
Time: Fri Apr 17 02:07:56 2026

--- V1-01: Register e2e_admin ---
HTTP: 200
Body: {"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxN2ZlZWRhOC0zMDcwLTQ2ZjktYTFhZS1kNjYxN2VhODZkZGUiLCJzdWIiOiJiNTdlYWYyZS00NjM5LTRlMzItODg2Ny01YTAyYjNkZmFmYmYiLCJyb2xlIjoidXNlciIsInBlcm1pc3Npb25zIjpbIm1vZGVsOnJlYWQiLCJyZWxheTp1c2UiLCJjb25maWc6cmVhZCJdLCJ0b2tlbl90eXBlIjoiYWNjZXNzIiwicHd2IjoxLCJpYXQiOjE3NzYzNjI4NzcsImV4cCI6MTc3NjQ0OTI3N30.xF8FWfAjq_bVxI3C_OHBUwKN_fYdHw_TmlbIIxRUpvo","refresh_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIwYjBhM2JjMC0xNzU3LTRhNTUtOGI3Yi04YmQxOWJkMj
TOKEN_LEN: 380
ADMIN_ID:

--- V1-02a: Register e2e_user ---
HTTP: 200 TOKEN_LEN: 380, ID:

--- V1-02b: Register e2e_dev ---
HTTP: 200 TOKEN_LEN: 380, ID:

--- V1-03: Duplicate registration rejection ---
Same username: HTTP=429 Body={"error":"RATE_LIMITED","message":"Rate limited: too many registration requests, try again in one hour"}
Short username: HTTP=429
Short password: HTTP=429
NOTE: all three 429s come from the registration rate limiter, not from input validation; duplicate-username and short-input rejection were not exercised in this run

--- V1-04: Login e2e_user ---
HTTP: 200 TOKEN_LEN: 380
JWT payload: {
  "jti": "0b774a95-dbcf-463c-8cc5-0ac89070b78a",
  "sub": "73fc0d98-7dd9-4b8c-a443-010db385129a",
  "role": "user",
  "permissions": [
    "model:read",
    "relay:use",
    "config:read"
  ],
  "token_type": "access",
  "pwv": 1,
  "iat": 1776362881,
  "exp": 1776449281
}
Tokens saved to /tmp/e2e_tokens.txt

--- V1-05: Password lockout (e2e_lock_test) ---
Lock test register: HTTP=429
SKIP: Rate limited from registration, cannot create lock test account

--- V1-06: Token refresh rotation ---
Refresh HTTP: 200 NEW_TOKEN_LEN: 380
--- Old refresh_token reuse ---
Old refresh reuse: HTTP=401 Body={"error":"AUTH_ERROR","message":"Authentication failed: refresh token already used, expired, or does not exist"}

--- V1-07: Password change invalidates token ---
Password change: HTTP=200
Old token after pw change: HTTP=401
--- V1-07 continue ---
Login with new pw: token_len=380
Password revert: {"message":"Password changed successfully","ok":true} 200
Final dev token: 380

--- V1-08: Logout ---
Logout: HTTP=204

--- V1-09: TOTP setup endpoint ---
TOTP setup: HTTP=200
NOTE: Full TOTP verify SKIP (needs code computation)

--- V1-10: API Token CRUD ---
Create: {"error":"INVALID_INPUT","message":"Invalid input: none of the requested permissions are allowed"}
API Token ID: , plain_len: 0
List: {"items":[],"total":0,"page":1,"page_size":20}...

--- V1-11: Permissions ---
user->admin endpoint: 403
admin->admin endpoint: 200
no token: 401

--- V1-12: /auth/me ---
{
  "id": "73fc0d98-7dd9-4b8c-a443-010db385129a",
  "username": "e2e_user",
  "email": "e2e_user@test.zclaw",
  "display_name": "",
  "role": "user",
  "status": "active",
  "totp_enabled": false,
  "created_at": "2026-04-16 18:07:58.716226+00",
  "llm_routing": "relay"
}

--- V1-10 retry: API Token CRUD ---
No perms: Failed to deserialize the JSON body into the target type: missing field `permissions` at line 1 column 25 HTTP:422
relay:use: {"error":"INVALID_INPUT","message":"Invalid input: none of the requested permissions are allowed"} HTTP:400
model:read+relay:use: {"error":"INVALID_INPUT","message":"Invalid input: none of the requested permissions are allowed"} HTTP:400

--- V1-10 retry with correct perms ---
Create: {"id":"39229c75-3004-4d95-81c7-da36b167cb9a","name":"e2e_test_api_token","token_prefix":"zclaw_6c","permissions":["admin:full","relay:admin","config:write"],"last_used_at":null,"expires_at":null,"created_at":"2026-04-16T18:12:07.484570+00:00","token":"zclaw_6cc5238844797b1e95af159ea69cbaf07d15cd6f76fd864b8d38e37a6ead3886477b33f4e1d296cc0274574306bc2fb7"} HTTP:200
API plain_len: 102, ID: 39229c75-3004-4d95-81c7-da36b167cb9a
Token list total: 1
Use: {"id":"db5fb656-9228-4178-bc6c-c03d5d6c0c11","username":"admin","email":"admin@zclaw.local","display_name":"Admin","role":"super_admin","status":"active","totp_enabled":false,"created_at":"2026-03-27T17:26:42.374416600+00:00","llm_routing":"relay"} HTTP:200
Revoke: {"ok":true} HTTP:200
After revoke: {"error":"UNAUTHORIZED","message":"Not authenticated"} HTTP:401

--- V1-05 retry: Password lockout ---
Register lock account: HTTP=429
SKIP: HTTP=429 Body={"error":"RATE_LIMITED","message":"Rate limited: too many registration requests, try again in one hour"}
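The two token behaviours the log verifies in V1-06 and V1-07 (a refresh token can be exchanged exactly once, and a password change retires every token issued before it via the pwv claim) are easy to get wrong server-side. The following is an added example, not code from the tested service: a minimal HS256 token service that models those two checks with the same claim set the logged tokens carry. The signing key, the in-memory user and used-jti stores, and the class and function names are assumptions. It also includes the unverified payload decode that the harness used for its "JWT payload:" dump, applied to the V1-01 access token copied from the log above.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"example-hs256-key-not-the-real-deployment-secret"  # assumption
TTL = 86400  # the logged tokens carry exp - iat == 86400

# Access token returned by V1-01 in the log above, copied verbatim.
LOG_ACCESS_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxN2ZlZWRhOC0zMDcwLTQ2ZjktYTFhZS1kNjYxN2VhODZkZGUiLCJzdWIiOiJiNTdlYWYyZS00NjM5LTRlMzItODg2Ny01YTAyYjNkZmFmYmYiLCJyb2xlIjoidXNlciIsInBlcm1pc3Npb25zIjpbIm1vZGVsOnJlYWQiLCJyZWxheTp1c2UiLCJjb25maWc6cmVhZCJdLCJ0b2tlbl90eXBlIjoiYWNjZXNzIiwicHd2IjoxLCJpYXQiOjE3NzYzNjI4NzcsImV4cCI6MTc3NjQ0OTI3N30.xF8FWfAjq_bVxI3C_OHBUwKN_fYdHw_TmlbIIxRUpvo"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def decode_jwt_payload(token: str) -> dict:
    """Read claims WITHOUT checking the signature (what the harness's
    'JWT payload:' dump does). For inspection only, never for authorization."""
    return json.loads(b64url_decode(token.split(".")[1]))

def sign(claims: dict) -> str:
    """Compact HS256 JWS with the same header the logged tokens carry."""
    header = b64url(b'{"typ":"JWT","alg":"HS256"}')
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

class TokenService:
    """Users carry a password version (pwv); every refresh token's jti is
    recorded once it has been exchanged. Both stores are in-memory assumptions."""

    def __init__(self):
        self.users = {}            # user_id -> {"role", "permissions", "pwv"}
        self.used_refresh = set()  # jti values already exchanged (V1-06)

    def add_user(self, role="user", perms=("model:read", "relay:use", "config:read")):
        uid = str(uuid.uuid4())
        self.users[uid] = {"role": role, "permissions": list(perms), "pwv": 1}
        return uid

    def _claims(self, uid, token_type, now):
        u = self.users[uid]
        return {"jti": str(uuid.uuid4()), "sub": uid, "role": u["role"],
                "permissions": u["permissions"], "token_type": token_type,
                "pwv": u["pwv"], "iat": now, "exp": now + TTL}

    def issue(self, uid, now=None):
        now = int(time.time() if now is None else now)
        return {"token": sign(self._claims(uid, "access", now)),
                "refresh_token": sign(self._claims(uid, "refresh", now))}

    def verify(self, token, expected_type="access", now=None):
        """Return the claims, or None (the API answers 401 in that case)."""
        now = int(time.time() if now is None else now)
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header, body, sig = parts
        mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(mac), sig):  # constant-time compare
            return None
        claims = json.loads(b64url_decode(body))
        user = self.users.get(claims.get("sub"))
        if user is None or claims.get("token_type") != expected_type:
            return None                      # refresh tokens cannot act as access tokens
        if claims["exp"] <= now:
            return None
        if claims["pwv"] != user["pwv"]:     # V1-07: issued before a password change
            return None
        return claims

    def rotate(self, refresh_token, now=None):
        """V1-06: exchange a refresh token exactly once; a replay gets None."""
        claims = self.verify(refresh_token, "refresh", now)
        if claims is None or claims["jti"] in self.used_refresh:
            return None
        self.used_refresh.add(claims["jti"])
        return self.issue(claims["sub"], now)

    def change_password(self, uid):
        """Bumping pwv retires every access and refresh token issued before it."""
        self.users[uid]["pwv"] += 1

def run_token_lifecycle():
    """Replays V1-06 and V1-07 against the model and returns the outcomes."""
    svc = TokenService()
    uid = svc.add_user()
    first = svc.issue(uid)
    second = svc.rotate(first["refresh_token"])
    replay = svc.rotate(first["refresh_token"])        # old refresh token reused
    before = svc.verify(second["token"]) is not None
    svc.change_password(uid)
    after = svc.verify(second["token"]) is not None    # old access token after the change
    return {"rotated": second is not None, "replay_rejected": replay is None,
            "valid_before_pw_change": before, "valid_after_pw_change": after}
```

Two design points the log's results depend on: the used-jti set must be shared by every API instance (a per-process set silently re-enables replay behind a load balancer), and the pwv comparison has to happen on every request, which is what makes the logged "Old token after pw change: HTTP=401" a stateless check rather than a blacklist lookup. Note also that the run above wrote full access, refresh and API tokens into the log; such logs are credentials until those tokens expire or are revoked.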
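The V1-10 sections show the shape of the API-token flow: the plaintext (zclaw_ prefix, 102 characters) is returned once at creation alongside an 8-character token_prefix, a create request whose permissions the caller is not allowed to grant gets 400, a missing permissions field gets 422, and a revoked token answers 401. The following is an added example of one way to implement that, not the tested service's code. The digest-at-rest storage, the use of the 8-character prefix as the lookup key, and the rule "requested permissions must be a subset of the creator's own" are assumptions that reproduce the logged outcomes, not facts about the real rule.

```python
import hashlib
import hmac
import secrets
import uuid

TOKEN_PREFIX = "zclaw_"   # from the log
LOOKUP_CHARS = 8          # "zclaw_6c" in the log is 8 characters (assumed lookup key)
PLAIN_LEN = 102           # plain_len reported in the log: 6 + 96 hex characters

class ApiTokenStore:
    """Plaintext is shown once; only a SHA-256 digest is kept. A fast hash is
    adequate here because the secret is 384 random bits, not a user password."""

    def __init__(self):
        self.rows = {}  # token id -> row (constructed in-memory store)

    def create(self, owner, owner_perms, name, requested):
        """Return (http_status, body) mirroring the outcomes logged in V1-10."""
        if requested is None:
            return 422, {"error": "missing field `permissions`"}
        if not requested or not set(requested) <= set(owner_perms):
            return 400, {"error": "INVALID_INPUT",
                         "message": "none of the requested permissions are allowed"}
        plain = TOKEN_PREFIX + secrets.token_hex(48)   # 6 + 96 = 102 characters
        tid = str(uuid.uuid4())
        self.rows[tid] = {"name": name, "owner": owner, "revoked": False,
                          "token_prefix": plain[:LOOKUP_CHARS],
                          "digest": hashlib.sha256(plain.encode()).hexdigest(),
                          "permissions": list(requested)}
        return 200, {"id": tid, "name": name, "token_prefix": plain[:LOOKUP_CHARS],
                     "permissions": list(requested), "token": plain}

    def authenticate(self, presented):
        """Map a bearer token to its owner and permissions; None means 401."""
        if not presented.startswith(TOKEN_PREFIX) or len(presented) != PLAIN_LEN:
            return None
        digest = hashlib.sha256(presented.encode()).hexdigest()
        for tid, row in self.rows.items():        # a real store indexes token_prefix
            if row["revoked"] or row["token_prefix"] != presented[:LOOKUP_CHARS]:
                continue
            if hmac.compare_digest(row["digest"], digest):
                return {"id": tid, "owner": row["owner"],
                        "permissions": row["permissions"]}
        return None

    def revoke(self, tid):
        row = self.rows.get(tid)
        if row is None:
            return False
        row["revoked"] = True   # the digest stays so a replay is still recognised and refused
        return True

def run_api_token_flow():
    """Replays the V1-10 retry sequence against the store and returns the outcomes."""
    store = ApiTokenStore()
    admin_perms = ["admin:full", "relay:admin", "config:write"]  # the logged token's permissions
    missing, _ = store.create("admin", admin_perms, "e2e_test_api_token", None)
    rejected, _ = store.create("admin", admin_perms, "e2e_test_api_token",
                               ["model:read", "relay:use"])
    created, body = store.create("admin", admin_perms, "e2e_test_api_token", admin_perms)
    plain = body["token"]
    used = store.authenticate(plain)
    store.revoke(body["id"])
    return {"missing_perms": missing, "rejected_perms": rejected, "created": created,
            "plain_len": len(plain), "prefix": body["token_prefix"][:len(TOKEN_PREFIX)],
            "used_by": used["owner"] if used else None,
            "after_revoke": store.authenticate(plain)}
```

The subset rule is what keeps an API token from outranking the account that minted it; whatever the real policy is, the 400 in the log shows the service does bound the grantable set rather than accepting any permission string. Keeping the digest after revocation (rather than deleting the row) means a replayed revoked token is recognised as revoked instead of looking like garbage, which is the 401 the log records after "Revoke".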