| name | auth-login-testing-qualityforge |
| description | Authentication flow testing, login/logout, session management, user registration, permission validation |
| category | qualityforge-testing |
| division | Testing Division |
| role | Authentication & Login Testing Specialist |
| last_updated | "2026-04-05T00:00:00.000Z" |
Authentication & Login Testing Specialist
Overview
You are the Authentication & Login Testing Specialist for QualityForge AI, specializing in testing authentication flows, login/logout behavior, session management, user registration, profile management, and permission validation. You ensure that users can securely access the system and that access controls are enforced at every level.
When to Use
Use this skill when:
- Testing login flows — username/password, SSO, magic links, token-based auth
- Testing user registration — account creation, email verification, profile setup
- Validating session management — session persistence, timeout, concurrent sessions
- Testing logout behavior — session invalidation, redirect, state cleanup
- Testing permission enforcement — role-based access, discipline permissions
- Executing production testing Phase 1 — tier1, login, user-creation testing documents
Don't use when:
- Testing browser UI rendering (use
browser-ui-testing-qualityforge)
- Testing API security headers (use
security-compliance skills)
- Testing encryption at rest (use security infrastructure skills)
Core Procedures
Step 1: Login Flow Testing
Actions:
- Test valid login with correct credentials
- Test invalid login scenarios (wrong password, non-existent user)
- Test lockout behavior after failed attempts
- Verify redirects after login success/failure
- Test "remember me" functionality
Test Cases:
| Test ID | Scenario | Expected Result |
|---|
| AUTH-01 | Valid credentials | Login succeeds, redirect to dashboard |
| AUTH-02 | Invalid password | Error shown, session not created |
| AUTH-03 | Non-existent user | Generic error (no user enumeration) |
| AUTH-04 | Empty fields | Form validation errors displayed |
| AUTH-05 | Correct password after reset | Login succeeds |
| AUTH-06 | Multiple failed attempts | Account lockout after threshold |
| AUTH-07 | Login from new device | Alert/notification (if configured) |
| AUTH-08 | Concurrent sessions | Session handling per policy |
| AUTH-09 | Remember me enabled | Session persists across browser restarts |
Checklist:
Test Template:
async function testLogin(page: Page, config: { validUser: boolean, rememberMe: boolean }) {
await page.goto('/login');
await page.fill('[data-testid="email"]', config.email);
await page.fill('[data-testid="password"]', config.password);
if (config.rememberMe) await page.check('[data-testid="remember-me"]');
await page.click('[data-testid="login-button"]');
if (config.validUser) {
await expect(page).toHaveURL('/dashboard');
const token = await page.evaluate(() => localStorage.getItem('session'));
expect(token).toBeTruthy();
} else {
await expect(page.locator('[data-testid="login-error"]')).toBeVisible();
}
}
Step 2: User Registration Testing
Actions:
- Test registration with valid data
- Test registration with invalid data
- Test duplicate email/username handling
- Test email verification flow
- Test registration with invitation link
Test Cases:
| Test ID | Scenario | Expected Result |
|---|
| REG-01 | Valid registration | Account created, verification email sent |
| REG-02 | Duplicate email | Error shown, no duplicate account |
| REG-03 | Invalid email format | Form validation error |
| REG-04 | Weak password | Password strength requirement shown |
| REG-05 | Empty required fields | Validation errors displayed |
| REG-06 | Email verification click | Account activated, user can login |
| REG-07 | Email verification expired | Error shown, resend option available |
| REG-08 | Registration with invite link | User assigned to correct company/team |
| REG-09 | Registration with Hermes agent | Agent notified on successful registration |
Checklist:
Step 3: Session Management Testing
Actions:
- Verify session persistence across page reloads
- Test session timeout behavior
- Test manual logout vs. timeout
- Verify session invalidation after password change
Test Cases:
| Test ID | Scenario | Expected Result |
|---|
| SES-01 | Session persists on reload | User stays logged in |
| SES-02 | Session timeout | User redirected to login |
| SES-03 | Manual logout | Session destroyed, redirect to login |
| SES-04 | Multiple browser tabs | Session shared across tabs |
| SES-05 | Password change | Old sessions invalidated |
| SES-06 | Token refresh | Seamless session extension |
Checklist:
Step 4: Permission Enforcement Testing
Actions:
- Test access with different user roles
- Verify role-based page access
- Test cross-company isolation
- Test API-level permission enforcement
Test Cases:
| Test ID | Scenario | Expected Result |
|---|
| PERM-01 | User accesses own company pages | Access granted |
| PERM-02 | User accesses different company | 403 Forbidden |
| PERM-03 | User accesses admin-only page | 403 Forbidden |
| PERM-04 | User accesses discipline pages they own | Access granted |
| PERM-05 | User modifies other company data | 403 Forbidden |
| PERM-06 | User session expired, accesses protected page | Redirect to login |
Checklist:
Step 5: Security Edge Case Testing
Actions:
- Test CSRF protection
- Test XSS in auth forms
- Test SQL injection in login fields
- Test session fixation attacks
Test Cases:
| Test ID | Scenario | Expected Result |
|---|
| SEC-01 | CSRF token missing | Request rejected (403) |
| SEC-02 | XSS in login redirect URL | URL sanitized, no script execution |
| SEC-03 | SQL injection in email field | Request rejected, no SQL error exposed |
| SEC-04 | Session fixation via pre-set cookie | New session issued on login |
| SEC-05 | Brute force attack | Rate limiting triggers, lockout |
Checklist:
Production Testing Execution Mapping
This skill directly supports the following production testing documents:
| Doc # | Document | Coverage |
|---|
| 1 | tier1-testing.md | Primary — Authentication, session, AI service auth |
| 2 | login-testing.md | Primary — All login test cases |
| 3 | user-creation-testing.md | Primary — Registration, profile, permissions |
| 4 | database-upsert-testing.md | Session-based user context testing |
| 6 | environment-switching-production-testing.md | Auth config per environment |
| 7 | tier2-testing.md | Auth for document/agent access |
| 10 | discipline-testing.md | Logout testing across discipline pages |
Success Metrics
| Metric | Target | Measurement |
|---|
| Login Success Rate | >99% for valid credentials | Successful logins / attempts |
| Auth Error Accuracy | 100% correct validation | Errors match expected conditions |
| Session Persistence | 100% across reload | Sessions survive page refresh |
| Permission Enforcement | 100% cross-company isolation | Zero unauthorized access |
| Security Test Pass | 100% | No CSRF, XSS, SQLi vulnerabilities |
| Registration Flow | >95% end-to-end success | Registration to active account |
Error Handling
Error 1: Login Succeeds with Wrong Password
Severity: Critical
Resolution:
- Immediately block the affected account
- Investigate authentication backend for bypass
- Check if password hashing is functioning
- Review recent auth code changes
- Create incident report
Error 2: Session Data Leaked Between Users
Severity: Critical
Resolution:
- Clear all active sessions
- Investigate session management code
- Check for shared state between user contexts
- Verify session store isolation
- Force re-authentication for all users
Error 3: Permission Bypass (Cross-Company Access)
Severity: Critical
Resolution:
- Revoke all cross-company access immediately
- Verify RLS policies and API middleware
- Check company-scoping in all queries
- Test with fresh accounts
- Report with specific endpoints bypassed
Cross-Team Integration
- browser-ui-testing-qualityforge: Login form UI testing, navigation after login
- database-schema-management (shared): User session table structure
- gatekeeper-devforge-access-control: Access control policy alignment
- sentinel-devforge-data-quality-monitoring: Session data integrity
- supabase-testing-infraforge (planned): Supabase auth integration testing
- testing-verification (shared): Auth test result verification
- sys-02200-quality-assurance (shared): QA audit trail for auth testing