Skip to content
Flows
QA Intermediate · 45-75 minutes

Auth Flow QA

Dedicated auth testing: signup, login, sessions, guards, reset, and the edge cases that expose fake auth.

Start Route · 5 steps

The route

5 steps to Done

  1. 01

    Test the signup surface

    Account creation is the front door - test it including the ugly inputs.

    Preview prompt + verify gate ▾

    Execute signup tests with a fresh state and record PASS/FAIL with observations: valid signup creates a persisted account (verify the record exists) and lands correctly with an active session; duplicate email is rejected with a visible, non-technical error; each validation rule fires inline (empty fields, bad email format, short password, mismatched confirmation); the submit button disables while working; the created password is stored hashed (verify no plaintext).

    • A real record was verified created
    • Duplicate rejection is visible in the UI
    • No plaintext password exists
  2. 02

    Test the login surface

    Login must pass friends and stop strangers - test both.

    Preview prompt + verify gate ▾

    Execute login tests and record results: correct credentials succeed and land with a session; wrong password is rejected with a generic visible error; nonexistent email is rejected with the SAME generic error (no account-existence leak); empty submits are blocked inline; five rapid wrong attempts behave sanely (no crash; rate limiting noted if present or absent); the loading state shows during authentication.

    • Wrong-password and no-account errors are identical
    • Failures are visible in the UI
    • Rapid attempts were actually tried
  3. 03

    Test the session lifecycle

    Sessions are where fake auth dies - test persistence hard.

    Preview prompt + verify gate ▾

    Execute session tests: refresh on a protected page (session persists, no logged-out flash); close and reopen the tab (persists); logout (session fully cleared - verify by trying a protected API call after); back button after logout (no protected content from cache); two browsers/sessions simultaneously (both work independently); token/session tampering (edit the stored token - app must reject and recover cleanly, not crash).

    • Refresh and tab-reopen persistence verified
    • Post-logout API call rejected
    • Tampered token handled cleanly
  4. 04

    Test guards at both layers

    Routes and APIs must both reject the logged-out - verify by attack.

    Preview prompt + verify gate ▾

    Execute guard tests from a fully logged-out state: open every protected route by direct URL (redirects to login, no content flash - list each route tested); call every private API endpoint directly (401/403 for each - list each endpoint); after logging in from a guard redirect, land on the originally-requested page; verify no logged-in-only data appears in any public page or response. Produce the two-layer guard table.

    • Every protected route URL-tested
    • Every private endpoint called directly
    • Post-login redirect returns to the intended page
  5. 05

    Test recovery and close

    Reset flows and the final edge sweep complete the audit.

    Preview prompt + verify gate ▾

    Execute recovery tests (if reset exists): request reset for an existing email (neutral confirmation), and a nonexistent one (identical response); complete the reset - the new password works, the old fails, and the token is single-use (reuse rejected). Then the final sweep: session expiry handling (if tokens expire - expired token redirects cleanly), auth forms on mobile widths, and a summary table of the entire auth QA with every fix re-verified.

    • The reset actually changed the password
    • Token reuse was rejected
    • The consolidated table shows all sections passing