Feature: Add token validation, basic confirmation workflow (#164)

src/Core/API/API.Specs/Features/AccessTokenValidation.feature

@@ -0,0 +1,51 @@
+Feature: Protected Endpoint Access Token Validation
+   As a backend developer
+   I want protected endpoints to validate access tokens
+   So that unauthorized requests are rejected
+
+   Scenario: Protected endpoint accepts valid access token
+      Given the API is running
+      And I have an existing account
+      And I am logged in
+      When I submit a request to a protected endpoint with a valid access token
+      Then the response has HTTP status 200
+
+   Scenario: Protected endpoint rejects missing access token
+      Given the API is running
+      When I submit a request to a protected endpoint without an access token
+      Then the response has HTTP status 401
+
+   Scenario: Protected endpoint rejects invalid access token
+      Given the API is running
+      When I submit a request to a protected endpoint with an invalid access token
+      Then the response has HTTP status 401
+      And the response JSON should have "message" containing "Unauthorized"
+
+   Scenario: Protected endpoint rejects expired access token
+      Given the API is running
+      And I have an existing account
+      And I am logged in with an immediately-expiring access token
+      When I submit a request to a protected endpoint with the expired token
+      Then the response has HTTP status 401
+      And the response JSON should have "message" containing "Unauthorized"
+
+   Scenario: Protected endpoint rejects token signed with wrong secret
+      Given the API is running
+      And I have an access token signed with the wrong secret
+      When I submit a request to a protected endpoint with the tampered token
+      Then the response has HTTP status 401
+      And the response JSON should have "message" containing "Unauthorized"
+
+   Scenario: Protected endpoint rejects refresh token as access token
+      Given the API is running
+      And I have an existing account
+      And I am logged in
+      When I submit a request to a protected endpoint with my refresh token instead of access token
+      Then the response has HTTP status 401
+
+   Scenario: Protected endpoint rejects confirmation token as access token
+      Given the API is running
+      And I have registered a new account
+      And I have a valid confirmation token
+      When I submit a request to a protected endpoint with my confirmation token instead of access token
+      Then the response has HTTP status 401

src/Core/API/API.Specs/Features/Confirmation.feature

@@ -0,0 +1,59 @@
+Feature: User Account Confirmation
+   As a newly registered user
+   I want to confirm my email address via a validation token
+   So that my account is fully activated
+   Scenario: Successful confirmation with valid token
+      Given the API is running
+      And I have registered a new account
+      And I have a valid confirmation token for my account
+      When I submit a confirmation request with the valid token
+      Then the response has HTTP status 200
+      And the response JSON should have "message" containing "is confirmed"
+
+   Scenario: Re-confirming an already verified account remains successful
+      Given the API is running
+      And I have registered a new account
+      And I have a valid confirmation token for my account
+      When I submit a confirmation request with the valid token
+      And I submit the same confirmation request again
+      Then the response has HTTP status 200
+      And the response JSON should have "message" containing "is confirmed"
+
+   Scenario: Confirmation fails with invalid token
+      Given the API is running
+      When I submit a confirmation request with an invalid token
+      Then the response has HTTP status 401
+      And the response JSON should have "message" containing "Invalid token"
+
+   Scenario: Confirmation fails with expired token
+      Given the API is running
+      And I have registered a new account
+      And I have an expired confirmation token for my account
+      When I submit a confirmation request with the expired token
+      Then the response has HTTP status 401
+      And the response JSON should have "message" containing "Invalid token"
+
+   Scenario: Confirmation fails with tampered token (wrong secret)
+      Given the API is running
+      And I have registered a new account
+      And I have a confirmation token signed with the wrong secret
+      When I submit a confirmation request with the tampered token
+      Then the response has HTTP status 401
+      And the response JSON should have "message" containing "Invalid token"
+
+   Scenario: Confirmation fails when token is missing
+      Given the API is running
+      When I submit a confirmation request with a missing token
+      Then the response has HTTP status 400
+
+   Scenario: Confirmation endpoint only accepts POST requests
+      Given the API is running
+      And I have a valid confirmation token
+      When I submit a confirmation request using an invalid HTTP method
+      Then the response has HTTP status 404
+
+   Scenario: Confirmation fails with malformed token
+      Given the API is running
+      When I submit a confirmation request with a malformed token
+      Then the response has HTTP status 401
+      And the response JSON should have "message" containing "Invalid token"

src/Core/API/API.Specs/Features/TokenRefresh.feature

@@ -0,0 +1,39 @@
+Feature: Token Refresh
+   As an authenticated user
+   I want to refresh my access token using my refresh token
+   So that I can maintain my session without logging in again
+
+   Scenario: Successful token refresh with valid refresh token
+      Given the API is running
+      And I have an existing account
+      And I am logged in
+      When I submit a refresh token request with a valid refresh token
+      Then the response has HTTP status 200
+      And the response JSON should have "message" equal "Token refreshed successfully."
+      And the response JSON should have a new access token
+      And the response JSON should have a new refresh token
+
+   Scenario: Token refresh fails with invalid refresh token
+      Given the API is running
+      When I submit a refresh token request with an invalid refresh token
+      Then the response has HTTP status 401
+      And the response JSON should have "message" containing "Invalid"
+
+   Scenario: Token refresh fails with expired refresh token
+      Given the API is running
+      And I have an existing account
+      And I am logged in with an immediately-expiring refresh token
+      When I submit a refresh token request with the expired refresh token
+      Then the response has HTTP status 401
+      And the response JSON should have "message" containing "Invalid token"
+
+   Scenario: Token refresh fails when refresh token is missing
+      Given the API is running
+      When I submit a refresh token request with a missing refresh token
+      Then the response has HTTP status 400
+
+   Scenario: Token refresh endpoint only accepts POST requests
+      Given the API is running
+      And I have a valid refresh token
+      When I submit a refresh token request using a GET request
+      Then the response has HTTP status 404