freealberta/map/TEMP_USER_TEST.md

# Temp User Implementation Test Guide
## Testing the Implementation
### 1. Database Setup
Before testing, ensure your NocoDB Login table has these columns:
- `UserType` (Single Select: admin, user, temp)
- `ExpiresAt` (DateTime, nullable)
- `CreatedAt` (DateTime)
- `ExpireDays` (Integer, nullable)
### 2. Test User Creation via Admin Panel
1. **Access Admin Panel**
   - Login as an admin user
   - Navigate to `/admin.html`
   - Go to the "Users" section
2. **Create Regular User**
   - Email: `testuser@example.com`
   - Name: `Test User`
   - Password: `password123`
   - User Type: `Regular User`
   - Click "Create User"
3. **Create Temp User**
   - Email: `tempuser@example.com`
   - Name: `Temp User`
   - Password: `password123`
   - User Type: `Temporary User`
   - Expires After: `30` days
   - Click "Create User"
4. **Create Admin User**
   - Email: `adminuser@example.com`
   - Name: `Admin User`
   - Password: `password123`
   - User Type: `Admin`
   - Click "Create User"
### 3. Test User Permissions
#### Test Temp User Restrictions:
1. **Login as temp user** (`tempuser@example.com`)
2. **Verify UI Elements Hidden:**
   - No "Shifts" link in navigation
   - No "Profile" link in navigation
   - User email is shown with a "Temp" badge
   - Map search offers only "docs" mode (no database search)
3. **Test Location Operations:**
   - **Add Location**: Should work
   - **Edit Location**: Should work
   - **Delete Location**: Delete button should be hidden in edit form
   - **Move Location**: Move button should be hidden in popup
4. **Test Restricted Access:**
   - Navigate to `/shifts.html` → Should redirect or show 403
   - Navigate to `/user.html` → Should redirect or show 403
   - Navigate to `/admin.html` → Should redirect or show 403
#### Test Regular User:
1. **Login as regular user** (`testuser@example.com`)
2. **Verify Full Access:**
   - ✅ Can access shifts page
   - ✅ Can access user profile
   - ✅ Can add, edit, and delete locations
   - ✅ Can use database search
   - ❌ Cannot access admin panel
#### Test Admin User:
1. **Login as admin user** (`adminuser@example.com`)
2. **Verify Admin Access:**
   - ✅ Full access to all features
   - ✅ Can access admin panel
   - ✅ Can create/manage users
### 4. Test Backend API Endpoints
Run these from the browser console while logged in as the temp user (or from an API testing tool using the temp user's session cookie). Log the HTTP status rather than parsing the body as JSON, because a 403 response is not guaranteed to carry a JSON body:
```javascript
// Test temp user cannot delete location
fetch('/api/locations/1', { method: 'DELETE' })
  .then(r => r.text().then(body => console.log(r.status, body)))
  .catch(console.error); // Should log 403 for temp users

// Test temp user cannot access shifts
fetch('/api/shifts')
  .then(r => r.text().then(body => console.log(r.status, body)))
  .catch(console.error); // Should log 403 for temp users
```
### 5. Expected Results
#### User Table Display:
- Regular User: Blue "User" badge
- Temp User: Orange "Temp" badge + expiration date
- Admin User: Green "Admin" badge
#### Authentication Response:
```json
{
  "authenticated": true,
  "user": {
    "email": "tempuser@example.com",
    "name": "Temp User",
    "isAdmin": false,
    "userType": "temp"
  }
}
```
### 6. Troubleshooting
**If temp user can access restricted features:**
- Check middleware is properly imported in routes
- Verify session includes `userType`
- Check browser console for JavaScript errors
**If user creation fails:**
- Verify NocoDB table has required columns
- Check server logs for database errors
- Ensure column names match exactly
**If UI elements are not hidden:**
- Check browser console for auth errors
- Verify `currentUser.userType` is set
- Check CSS classes are applied correctly
### 7. Security Verification
Temp users should receive **403 Forbidden** responses for:
- `DELETE /api/locations/:id`
- `GET /shifts.html`
- `GET /user.html`
- `GET /admin.html`
- `GET /api/shifts`
All restrictions should be enforced server-side, not just hidden in the UI: a temp user who removes the hidden buttons with developer tools, or calls the API directly, must still receive 403.
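The following is an added example, not code from the freealberta/map project, showing what the server-side enforcement described in sections 4 and 7 looks like as a single authorization decision, together with the expiry derivation implied by the `CreatedAt`/`ExpireDays`/`ExpiresAt` columns from section 1. It is written as plain functions so it runs under Node without Express; the deny-list routes and the session shape come from this guide, while the helper names, the assumed `POST /api/users` admin endpoint, the fail-closed rule for a temp row with no expiry, and the sample rows are assumptions constructed for illustration.

```javascript
// Added example (not the project's code): server-side authorization for the
// temp-user rules in this guide. Row fields use the NocoDB column names from
// section 1; the session user matches the response shape in section 5.

const DAY_MS = 24 * 60 * 60 * 1000;

// Routes that must answer 403 to temp users (section 7). `sample` is a
// concrete path used by the checklist below.
const TEMP_DENIED = [
  { method: 'DELETE', path: /^\/api\/locations\/[^\/]+$/, sample: '/api/locations/1' },
  { method: 'GET',    path: /^\/shifts\.html$/,           sample: '/shifts.html' },
  { method: 'GET',    path: /^\/user\.html$/,             sample: '/user.html' },
  { method: 'GET',    path: /^\/admin\.html$/,            sample: '/admin.html' },
  { method: 'GET',    path: /^\/api\/shifts$/,            sample: '/api/shifts' },
];

// Routes only admins may reach. POST /api/users is an assumed endpoint name.
const ADMIN_ONLY = [
  { method: 'GET',  path: /^\/admin\.html$/ },
  { method: 'POST', path: /^\/api\/users$/ },
];

// Effective expiry of a Login row: an explicit ExpiresAt wins, otherwise
// CreatedAt + ExpireDays. Non-temp users never expire (null).
function expiresAt(row) {
  if (row.UserType !== 'temp') return null;
  if (row.ExpiresAt) return new Date(row.ExpiresAt);
  if (row.ExpireDays == null) return null;
  return new Date(new Date(row.CreatedAt).getTime() + row.ExpireDays * DAY_MS);
}

// Assumption (fail closed): a temp row with neither ExpiresAt nor ExpireDays
// is treated as already expired, so a half-filled row cannot grant open-ended access.
function isExpired(row, now = new Date()) {
  if (row.UserType !== 'temp') return false;
  const exp = expiresAt(row);
  return exp === null || now.getTime() >= exp.getTime();
}

function matches(table, method, path) {
  return table.some(r => r.method === method && r.path.test(path));
}

// The decision every route handler consults before doing any work.
// Returns the HTTP status the server should answer with, plus a reason.
function authorize(row, method, path, now = new Date()) {
  if (!row) return { status: 401, reason: 'not authenticated' };
  if (!['admin', 'user', 'temp'].includes(row.UserType)) {
    return { status: 403, reason: 'unknown UserType' };
  }
  if (isExpired(row, now)) {
    // The session should also be destroyed here; the account is no longer valid.
    return { status: 401, reason: 'temp account expired' };
  }
  if (matches(ADMIN_ONLY, method, path) && row.UserType !== 'admin') {
    return { status: 403, reason: 'admin only' };
  }
  if (row.UserType === 'temp' && matches(TEMP_DENIED, method, path)) {
    return { status: 403, reason: 'not available to temp users' };
  }
  return { status: 200, reason: 'ok' };
}

// The "user" object of the authentication response (section 5).
function toSessionUser(row) {
  return {
    email: row.Email,
    name: row.Name,
    isAdmin: row.UserType === 'admin',
    userType: row.UserType,
  };
}

// Constructed sample rows (not real accounts), mirroring section 2.
const ROWS = {
  temp:  { Email: 'tempuser@example.com',  Name: 'Temp User',  UserType: 'temp',
           CreatedAt: '2024-01-01T00:00:00Z', ExpiresAt: null, ExpireDays: 30 },
  user:  { Email: 'testuser@example.com',  Name: 'Test User',  UserType: 'user',
           CreatedAt: '2024-01-01T00:00:00Z', ExpiresAt: null, ExpireDays: null },
  admin: { Email: 'adminuser@example.com', Name: 'Admin User', UserType: 'admin',
           CreatedAt: '2024-01-01T00:00:00Z', ExpiresAt: null, ExpireDays: null },
};

// Section-7 checklist for one row: every entry must be 403 for a valid temp user.
function denyListReport(row, now = new Date()) {
  return TEMP_DENIED.map(r => ({
    route: `${r.method} ${r.sample}`,
    status: authorize(row, r.method, r.sample, now).status,
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  const demoNow = new Date('2024-01-15T00:00:00Z'); // inside the 30-day window
  for (const [kind, row] of Object.entries(ROWS)) {
    console.log(kind, toSessionUser(row), denyListReport(row, demoNow));
  }
}
```

`authorize` is the single place the rules live; route handlers call it first and return the status it gives, so the UI hiding described in section 3 is cosmetic on top of an enforced check. `denyListReport` turns the section-7 list into something a test suite can assert on, and the expiry boundary is inclusive: a temp account created on 1 January with `ExpireDays` 30 stops working at the start of 31 January.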