Testing Date: 09 April 2026
Bug Details:
Pending students receive a valid JWT before manager approval and can access protected student APIs
Test Case 1:
Step 1: Register a new student and complete OTP verification.
Step 2: Use the returned token to call a protected student endpoint such as GET /api/menu/today before any manager approval.
Expected Output:
Pending students should not receive a usable session token and should not be able to access student-only APIs until a manager approves the account.
Actual Output:
verifyOTP created the student in Pending status and still returned a valid JWT that successfully accessed protected APIs.
Bug Report Date: 09 April 2026
Has the bug been fixed? No
Date of Bug Fixing: N/A
Any other comment:
Severity: High. This defeats the documented approval workflow and allows unapproved users to use student functionality early.
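One way to close the gap described above, as an added Node.js example that is not the project's own code: OTP verification issues no token while the account is Pending, and protected routes re-check the stored status on every request. Assumptions: every name except verifyOTP is hypothetical, an in-memory Map stands in for the user table, "Approved" is an assumed status value, and the secret is a constructed demo value.

```javascript
// Added example, not project code. All names except verifyOTP are hypothetical.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, not a real key
const users = new Map(); // stand-in for the user table: id -> { role, status }

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data) => createHmac('sha256', SECRET).update(data).digest('base64url');

// Minimal HS256 JWT (no expiry claim), enough to show the flow without a library.
function issueToken(userId) {
  const body = `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ sub: userId })}`;
  return `${body}.${mac(body)}`;
}

function verifyToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  const expected = Buffer.from(mac(`${h}.${p}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(p, 'base64url').toString());
}

// Fix 1: OTP verification creates the Pending account but issues no token.
function verifyOTP(userId, otpOk) {
  if (!otpOk) return { ok: false, token: null };
  users.set(userId, { role: 'student', status: 'Pending' });
  return { ok: true, status: 'Pending', token: null };
}

// Login only yields a token once a manager has approved the account.
function login(userId) {
  const u = users.get(userId);
  return u && u.status === 'Approved' ? issueToken(userId) : null;
}

// Fix 2: protected routes re-check the stored status, so a token minted
// before approval (or before a later suspension) is still refused.
function requireApprovedStudent(token) {
  const claims = verifyToken(token);
  if (!claims) return 401;
  const u = users.get(claims.sub);
  if (!u || u.role !== 'student' || u.status !== 'Approved') return 403;
  return 200;
}
```

The value returned by requireApprovedStudent is the HTTP status a route guard would send; a retest of Test Case 1 should see no token after OTP verification and 403 for any token presented while the account is still Pending.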