Step-by-step checks to verify the PoC is working correctly.

Make sure the stack is running:

```bash
docker compose up --build
```

| Service | URL | Container |
|---|---|---|
| Angular SPA | http://localhost:4200 | poc-spa |
| BFF API | http://localhost:5100 | poc-bff |
| Redis | localhost:6380 | poc-redis |

Note (zsh users): The Redis password contains `!`. Always wrap it in single quotes in shell commands to prevent zsh history expansion errors.
Verify Redis is up and has no persistence.

```bash
# Ping
docker exec poc-redis redis-cli -a 'P0cR3d!s2024' PING
# Expected: PONG

# Confirm persistence is disabled (CONFIG is invoked under its renamed name)
docker exec poc-redis redis-cli -a 'P0cR3d!s2024' CONFIG_b4f8e2a1 GET save
# Expected: save ""
docker exec poc-redis redis-cli -a 'P0cR3d!s2024' CONFIG_b4f8e2a1 GET appendonly
# Expected: appendonly no

# Confirm dangerous commands are renamed
docker exec poc-redis redis-cli -a 'P0cR3d!s2024' FLUSHALL
# Expected: ERR unknown command 'FLUSHALL'
```

Verify endpoints reject unauthenticated requests.
```bash
# Workflow resume without token → 401
curl -s -o /dev/null -w "%{http_code}" http://localhost:5100/api/workflow/resume
# Expected: 401

# Workflow save without token → 401
curl -s -o /dev/null -w "%{http_code}" \
  -X POST http://localhost:5100/api/workflow/save \
  -H "Content-Type: application/json" \
  -H "X-CSRF: 1" \
  -d '{"currentStep":1}'
# Expected: 401
```

Verify POST without X-CSRF header is rejected.
```bash
# POST without X-CSRF → 400
curl -s -w "\n%{http_code}" \
  -X POST http://localhost:5100/api/workflow/save \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer fake-token" \
  -d '{"currentStep":1}'
# Expected: 400 with {"error":"Missing X-CSRF header"}

# GET requests don't need X-CSRF
curl -s -o /dev/null -w "%{http_code}" http://localhost:5100/api/workflow/resume
# Expected: 401 (auth issue, not CSRF)
```

Verify the full Auth0 login flow with opaque tokens + PKCE.
- Open http://localhost:4200 - you should see the login page with a "Sign In with Auth0" button
- Click the button — you should be redirected to Auth0 Universal Login
- Sign in (create an account if needed)
- After login, you should be redirected back to the workflow stepper

Verify in DevTools (F12):

- Network tab: API calls to `/api/*` should include an `Authorization: Bearer <token>` header
- Application tab → Local Storage: Auth0 SDK cache entries (opaque token, not a readable JWT)
- Console tab: Run `document.cookie` — should return an empty string (no auth cookies)
After logging in, fill out Step 1 and proceed to Step 2.
Then verify the data is encrypted in Redis:

```bash
# List all workflow keys
docker exec poc-redis redis-cli -a 'P0cR3d!s2024' KEYS 'workflow:*'
# Expected: workflow:<user-sub-id>

# Read the stored value
docker exec poc-redis redis-cli -a 'P0cR3d!s2024' GET 'workflow:<user-sub-id>'
# Expected: A Base64 blob (NOT readable JSON)
# It should look like: "dGhpcyBpcyBlbmNyeXB0ZWQ..." (random characters)

# Check TTL
docker exec poc-redis redis-cli -a 'P0cR3d!s2024' TTL 'workflow:<user-sub-id>'
# Expected: ~86400 (24 hours in seconds, minus elapsed time)
```

Verify data survives a page refresh.
- Fill in Step 1 (Personal Info) with test data:
  - First Name: John
  - Last Name: Doe
  - Email: john@example.com
  - Phone: 555-1234
- Click Next (saves to Redis)
- Refresh the page (F5 or Ctrl+R)
- After reload, you should be back at Step 2 with Step 1 marked complete
- Click Back — Step 1 form should be pre-filled with the data you entered
Verify data is deleted after confirmation.

- Complete all three steps (Personal Info → Banking Info → Review)
- Click Confirm & Submit
- You should see a success toast message

Verify the Redis key is gone:

```bash
docker exec poc-redis redis-cli -a 'P0cR3d!s2024' KEYS 'workflow:*'
# Expected: (empty array)
```

Verify PII never enters the NgRx Signal Store.
- Log in and fill some steps
- Open DevTools → Console
- The Signal Store only contains step tracking data (`currentStep`, `step1Complete`, etc.)
- PII (names, emails, account numbers) lives in component-scoped signals and is not inspectable via store devtools
Verify AES-256-GCM encryption produces different ciphertext for the same input.

```bash
# Save the same data twice and compare Redis values
# Fill Step 1, note the Redis value
docker exec poc-redis redis-cli -a 'P0cR3d!s2024' GET 'workflow:<user-sub-id>'
# Save: <value-1>

# Clear and re-save the same data
# The new Redis value should be DIFFERENT (unique nonce per encryption)
docker exec poc-redis redis-cli -a 'P0cR3d!s2024' GET 'workflow:<user-sub-id>'
# Save: <value-2>

# value-1 ≠ value-2 (same plaintext, different ciphertext)
```

Verify cross-origin requests from unauthorized origins are blocked.
```bash
# Preflight from an unauthorized origin → blocked by CORS
# -D - dumps the response headers; with only -o /dev/null -w "%{http_code}"
# the header you need to inspect would never be shown
curl -s -D - -o /dev/null \
  -X OPTIONS \
  -H "Origin: http://evil-site.com" \
  -H "Access-Control-Request-Method: GET" \
  http://localhost:5100/api/workflow/resume
# Expected: No Access-Control-Allow-Origin header for evil-site.com
```

Troubleshooting: check the BFF logs:

```bash
docker logs poc-bff
```

Look for:

- `No Authorization header found` — token not being sent by the browser
- `Validating opaque token via /userinfo` — token received, calling Auth0
- `Auth0 /userinfo returned 4xx` — token invalid or Auth0 config issue
- Network tab — click on any `/api/*` request and check Request Headers for `Authorization: Bearer ...`
- Console tab — look for Auth0 SDK errors
- Application tab → Local Storage — verify Auth0 cache entries exist after login
| # | Test | Expected | Pass? |
|---|---|---|---|
| 1 | Redis PING | PONG | |
| 1 | Redis no persistence | save "", appendonly no | |
| 2 | API without auth | 401 | |
| 3 | POST without X-CSRF | 400 | |
| 4 | Auth0 login flow | Redirect → login → back to app | |
| 4 | Bearer token in API calls | Authorization header present | |
| 4 | No auth cookies | document.cookie empty | |
| 5 | Redis value is encrypted | Base64 blob, not JSON | |
| 5 | Redis TTL | ~86400 seconds | |
| 6 | Page refresh resumes | Data pre-filled after reload | |
| 7 | Submit clears Redis | Key deleted | |
| 8 | No PII in store | Only step tracking data | |
| 9 | Nonce uniqueness | Different ciphertext for same input | |
| 10 | CORS blocks bad origin | No allow header for unknown origin | |