Auth Flow QA
Dedicated auth testing: signup, login, sessions, guards, reset, and the edge cases that expose fake auth.
The route
5 steps to Done
- 01
Test the signup surface
Account creation is the front door - test it including the ugly inputs.
Preview prompt + verify gate ▾ Hide ▴
Execute signup tests with a fresh state and record PASS/FAIL with observations: valid signup creates a persisted account (verify the record exists) and lands correctly with an active session; duplicate email is rejected with a visible, non-technical error; each validation rule fires inline (empty fields, bad email format, short password, mismatched confirmation); the submit button disables while working; the created password is stored hashed (verify no plaintext).
- ✓ A real record was verified created
- ✓ Duplicate rejection is visible in the UI
- ✓ No plaintext password exists
- 02
Test the login surface
Login must pass friends and stop strangers - test both.
Preview prompt + verify gate ▾ Hide ▴
Execute login tests and record results: correct credentials succeed and land with a session; wrong password is rejected with a generic visible error; nonexistent email is rejected with the SAME generic error (no account-existence leak); empty submits are blocked inline; five rapid wrong attempts behave sanely (no crash; rate limiting noted if present or absent); the loading state shows during authentication.
- ✓ Wrong-password and no-account errors are identical
- ✓ Failures are visible in the UI
- ✓ Rapid attempts were actually tried
- 03
Test the session lifecycle
Sessions are where fake auth dies - test persistence hard.
Preview prompt + verify gate ▾ Hide ▴
Execute session tests: refresh on a protected page (session persists, no logged-out flash); close and reopen the tab (persists); logout (session fully cleared - verify by trying a protected API call after); back button after logout (no protected content from cache); two browsers/sessions simultaneously (both work independently); token/session tampering (edit the stored token - app must reject and recover cleanly, not crash).
- ✓ Refresh and tab-reopen persistence verified
- ✓ Post-logout API call rejected
- ✓ Tampered token handled cleanly
- 04
Test guards at both layers
Routes and APIs must both reject the logged-out - verify by attack.
Preview prompt + verify gate ▾ Hide ▴
Execute guard tests from a fully logged-out state: open every protected route by direct URL (redirects to login, no content flash - list each route tested); call every private API endpoint directly (401/403 for each - list each endpoint); after logging in from a guard redirect, land on the originally-requested page; verify no logged-in-only data appears in any public page or response. Produce the two-layer guard table.
- ✓ Every protected route URL-tested
- ✓ Every private endpoint called directly
- ✓ Post-login redirect returns to the intended page
- 05
Test recovery and close
Reset flows and the final edge sweep complete the audit.
Preview prompt + verify gate ▾ Hide ▴
Execute recovery tests (if reset exists): request reset for an existing email (neutral confirmation), and a nonexistent one (identical response); complete the reset - the new password works, the old fails, and the token is single-use (reuse rejected). Then the final sweep: session expiry handling (if tokens expire - expired token redirects cleanly), auth forms on mobile widths, and a summary table of the entire auth QA with every fix re-verified.
- ✓ The reset actually changed the password
- ✓ Token reuse was rejected
- ✓ The consolidated table shows all sections passing