checklists

Login & Signup Testing Checklist.

Auth & Identity A thorough checklist for testing user registration, login flows, session management, password rules, password reset, email verification, social login, and authentication security.

sections

items

2–3 hours

time

QA engineersSDETsAutomation engineersSecurity engineers

When to use this checklist

Before shipping a new authentication flow or identity provider integration
After any changes to session handling, token storage, or cookie configuration
When onboarding a new OAuth provider (Google, GitHub, Microsoft)
As part of a security review of a login surface
During regression testing after framework or library upgrades that touch auth middleware

Authentication is the highest-risk surface in any application. A bug in signup duplication protection, session invalidation, or password reset token handling can expose user accounts at scale. This checklist covers the full auth lifecycle: registration, login, session management, validation, password rules and enforcement, reset and recovery flows, email verification, social OAuth, MFA basics, and security hardening against brute-force, timing attacks, and session fixation.

0/36

User Registration (Signup)

0/6

Verify the registration flow creates accounts correctly, enforces constraints, and handles duplicates safely.

Valid registration creates an account and redirects to the correct post-signup destinationCriticalfunctionalauto
Submit the signup form with all valid data. Assert the user is redirected to the expected destination (dashboard, email verification prompt, or onboarding flow) — NOT back to the signup page with a 200. Confirm the account exists by logging in immediately after.
Registering with an already-used email returns a generic error without revealing account detailsCriticalsecurityauto
Submit signup with an email that already has an account. The error message must NOT reveal whether the existing account is password-based or social-login-based (e.g., avoid 'This email is already linked to a Google account'). A safe message: 'An account with this email already exists.'
Submitting the signup form twice rapidly does not create duplicate accountsCriticaledge-caseauto
Rapidly double-click the submit button or submit the form via two concurrent API calls with the same email. The server must create exactly one account. The submit button should be disabled after the first click. Check the database state, not just the UI response.
Registration fields enforce maxlength server-side, not only in the HTML input attributesHighnegativeauto
Using the API directly (bypassing the UI), send a username of 1,000 characters or a bio of 50,000 characters. The server must return a 400 with a field-specific error. HTML maxlength alone is easily bypassed via DevTools or direct API calls.
After successful registration the user is automatically logged in — no second login requiredHighfunctionalauto
Complete registration and assert the user lands on the authenticated destination without being shown the login page. Check that the session cookie or token is set correctly on the signup response, not only on a subsequent login call.
All registration fields have visible labels — placeholder text alone does not countHighaccessibilityauto
Inspect the DOM for every input/select in the signup form. Each must have an associated <label> via for/id pairing, or an aria-label/aria-labelledby attribute. Placeholder text disappears on focus and cannot serve as a label. Check with axe-core in CI.

Login Flow & Session Management

0/6

Confirm login grants access correctly, sessions are properly scoped, and logout fully terminates access.

Valid credentials redirect to the authenticated landing page — not a 200 on the login URLCriticalfunctionalauto
Submit login with valid credentials and assert the response is a redirect (302/303) to the dashboard or intended destination. A 200 response on the login page URL itself means the redirect is missing and the user may appear logged out to client-side routing.
Invalid credentials return a generic 'Invalid email or password' message — not field-specificCriticalsecurityauto
Test wrong password for a real email, and a nonexistent email. Both must return the identical error message and HTTP status. Distinguishing 'user not found' from 'wrong password' enables account enumeration.
Session cookie has Secure, HttpOnly, and SameSite=Strict or Lax flagsCriticalsecurity
After login, open DevTools → Application → Cookies and verify the session token cookie has: Secure (prevents HTTP transmission), HttpOnly (prevents JS access), and SameSite=Strict or Lax (CSRF mitigation). Missing HttpOnly allows XSS to steal the session.
Logging out invalidates the server-side session — a replayed token returns 401Criticalsecurityauto
Capture the session token before logout. Log out. Replay the captured token in a fresh API request to a protected endpoint. Expect 401, not 200. Client-side cookie deletion without server-side session invalidation leaves the session alive for token theft scenarios.
Visiting a protected route while logged out redirects to login with the intended URL preservedHighfunctionalauto
While logged out, navigate directly to /dashboard/settings. Assert a redirect to /login?returnTo=%2Fdashboard%2Fsettings. After logging in, assert the user lands on /dashboard/settings — not the generic dashboard root. Dropping the returnTo forces users to navigate manually every time.
An expired session on a protected page redirects to login gracefully, not a JS error or blank screenHighedge-caseauto
Manually expire the session (delete the session cookie or fast-forward the token expiry in a test environment). Navigate to a protected page. Expect a clean redirect to login, not an unhandled 401 that renders a blank page or throws a TypeError in the console.

Input Validation & Error Handling

0/5

Verify that all fields validate server-side, errors are specific, and validation cannot be bypassed via the API.

Submitting with all required fields empty shows a field-level error per fieldCriticalnegativeauto
Clear all required fields and submit. Each required field must have a visible, adjacent error message — not only a generic banner at the top. Assert the form does NOT submit (no network request, or a 400 response with the expected error structure).
Email validation rejects malformed addresses and accepts valid edge casesHighnegativeauto
Reject: 'plainaddress', '@nodomain.com', 'user@'. Accept: 'user+tag@example.org', 'user@sub.domain.co.uk', 'first.last@corp.io'. Confirm errors reference the field specifically ('Please enter a valid email address') rather than a generic 'Invalid input'.
Bypassing frontend validation and calling the API directly returns the same validation errorsHighsecurityauto
Using a tool like Postman or curl, POST to the registration endpoint with the same invalid data that the UI rejects. Expect a 400 with the same field-level error messages. Server-side validation must mirror client-side rules exactly.
Validation errors are linked to their fields via aria-describedby and announced to screen readersHighaccessibilityauto
Each error message element must have an id that matches the aria-describedby attribute of its corresponding input. Use a screen reader (VoiceOver or NVDA) or axe-core to verify the error message is associated and announced on focus or after submission.
XSS payloads in registration fields are escaped — not executed — in success and error statesCriticalsecurityauto
Enter '<script>alert(document.cookie)</script>' into the username and display-name fields. Submit. Check both the registration success page (where the username may be displayed) and any error state. The string must appear as literal escaped text — not cause an alert or DOM mutation.

Password Rules & Strength Enforcement

0/5

Confirm the server enforces password policies independently of the frontend, and that policies are sensible.

Server rejects passwords shorter than the minimum regardless of frontend validationCriticalsecurityauto
POST to the registration or change-password API with a 1-character password. Expect 400 with a clear error ('Password must be at least 8 characters'). The HTML minlength attribute is trivially bypassed — server enforcement is mandatory.
Long passwords (≥ 64 characters) are accepted without silent truncationMediumedge-caseauto
Register or change password with a 64-character and a 128-character passphrase. Both should succeed. Truncation at an undisclosed limit silently weakens passwords — a 64-char passphrase truncated to 20 chars is much weaker than the user intended.
Passwords containing Unicode, emoji, and special characters are accepted without encoding issuesMediumedge-caseauto
Set a password like 'P@ssw0rd!🔐αβγ'. Register, log out, and log in with the identical string. If the login fails, the server is likely applying different encoding on registration vs. authentication, silently mutating the password.
Mismatched password and confirmation fields block submission with a clear errorHighnegativeauto
Enter different values in the password and confirm-password fields. The error should appear before the request reaches the server (client-side check), and if the form is submitted via API directly with mismatched values, the server must also reject it with 400.
Passwords never appear in API responses, error bodies, or server logsCriticalsecurityauto
Inspect all API responses during registration and login (success and error). The submitted password must not appear in any response body, in any error message, or in any server log line (check log output if accessible). Logging passwords is a critical data breach risk.

Password Reset & Recovery

0/5

Verify the password reset flow is secure: tokens are single-use, expire on schedule, and do not reveal user existence.

Requesting reset for a nonexistent email returns the same success message as a real emailCriticalsecurityauto
Submit the password-reset form with a random email that has no account. The response must be identical to a valid email ('If an account exists, a reset email has been sent'). Differentiated responses allow attackers to enumerate registered emails.
A password reset link works exactly once and is invalidated after useCriticalsecurityauto
Request a reset link, use it to set a new password, then attempt to use the same link again. The second use must return an error ('This link has already been used or has expired'). Reusable reset tokens are effectively persistent backdoors.
Reset links expire after the documented timeout and show a clear expired-link messageHighedge-caseauto
If the reset token has a 1-hour TTL, request a link, wait (or manipulate the token's expiry in a test environment), and attempt to use it after expiry. Expect a clear 'This link has expired. Please request a new one.' — not a 500 or a generic 'Invalid token'.
After a successful password reset, all existing sessions for that user are invalidatedHighsecurityauto
Log in on two browsers. Reset the password via browser A. Use browser B (which still has the old session) to access a protected route. Expect 401/redirect-to-login. Leaving old sessions alive after a reset undermines the security purpose of the reset.
The new password set via reset must satisfy the same strength rules as registrationHighnegativeauto
Attempt to set a 1-character password via the reset form. The server must return a 400 with the password policy error — the same error shown during registration. Reset flows sometimes skip the password validation middleware.

Social Login & OAuth

0/5

Verify OAuth flows handle success, denial, and account-linking edge cases correctly.

Completing the OAuth flow creates or links an account and redirects to the correct destinationCriticalfunctional
Using a test OAuth provider account, complete the full social login flow. If the email matches an existing account, it should link to it (confirm with the user, or auto-link per your policy). If the email is new, it should create an account. Assert the user lands on the expected authenticated page.
Denying OAuth permissions on the provider side returns to login with an error — not a crashHighnegative
At the provider's consent screen, click 'Deny' or 'Cancel'. Assert the app returns the user to /login (or the entry point) with a human-readable message ('Sign in with Google was cancelled'). A blank page, a 500, or an unhandled redirect is a UX failure.
OAuth redirect includes a state parameter that is validated to prevent CSRF on the callbackCriticalsecurity
Inspect the authorization URL generated for the OAuth flow. It must include a state parameter (random, per-request). The callback endpoint must validate the state against the value stored in the session before proceeding. Missing state validation enables OAuth CSRF attacks.
OAuth tokens are stored in HttpOnly cookies, not in localStorage or sessionStorageCriticalsecurity
After completing social login, open DevTools → Application → Local Storage and Session Storage. The OAuth access/refresh token must not appear there. localStorage is accessible to all JS on the page, making it trivially stealable via XSS.
A user who signed up with password and tries social login with the same email is handled gracefullyMediumedge-case
Create an account with email/password. Attempt social login with a provider using the same email. The app should either merge the accounts (with user confirmation), or prompt 'An account with this email exists — please log in with your password'. Silently creating a second account for the same email causes user confusion and data fragmentation.

Security & Brute-Force Protection

0/4

Verify the login surface is hardened against credential-stuffing, timing attacks, and session fixation.

Repeated failed login attempts trigger rate limiting or lockout after the documented thresholdCriticalsecurityauto
Send N+1 failed login attempts in rapid succession (where N is the documented limit). Expect 429 Too Many Requests or account lockout. Without rate limiting, an attacker can attempt thousands of passwords per second via the login API.
Login response times are consistent for 'user not found' and 'wrong password' to prevent timing attacksHighsecurity
Measure the response time for: a nonexistent email, a valid email with wrong password, and a valid email with correct password. The first two should be indistinguishable in timing. If 'user not found' returns in 10ms and 'wrong password' in 200ms (due to bcrypt), attackers can enumerate valid emails.
The session ID rotates on login — the pre-login session ID is no longer valid after authenticationCriticalsecurityauto
Note the session cookie value before login. Complete login. Assert the session cookie value has changed. Session fixation attacks plant a known session ID before the victim logs in, allowing the attacker to reuse that ID post-login without ever knowing the credentials.
The full auth flow (signup, login, password reset) is operable via keyboard aloneHighaccessibility
Tab through every form field, submit, and navigate the flow without touching the mouse. All buttons must be reachable with Tab, activatable with Enter/Space, and focus must not become trapped outside of intentional modal dialogs.

Common Bugs

Login redirects to the login page itself (200 on /login after submit)

The POST /login handler returns 200 with a body instead of a 302 redirect. The browser stays on /login, and client-side routing never fires. The user appears stuck. Always use a redirect response (302/303) after a successful POST login.

Password reset token reusable after first use

The reset token is not invalidated in the database after the first successful password change. An attacker who intercepts or finds the reset email can use the same link again to take over the account. Always mark tokens as used immediately after the password change is committed.

Session cookie missing HttpOnly flag — readable by JavaScript

The session cookie is set without HttpOnly, making it accessible via document.cookie in any JavaScript context on the same origin. A single XSS vulnerability anywhere on the site becomes an immediate account-takeover vector.

Account enumeration via different error messages for 'user not found' vs 'wrong password'

The login endpoint returns 'No account found with that email' for nonexistent users and 'Incorrect password' for wrong credentials. Attackers use this to build a list of valid registered emails by observing which message they receive.

Old sessions remain valid after password change or logout

The logout action only clears the client-side cookie but does not invalidate the server-side session record. A previously captured session token continues to work indefinitely. Always implement server-side session revocation on logout and after password changes.

OAuth state parameter missing — CSRF on the OAuth callback

The OAuth authorization URL does not include a state parameter, or the callback endpoint does not validate it. An attacker can craft a callback URL that links a victim's app account to the attacker's social account, granting them access.

Recommended Tools

Cypress

cy.session() makes auth flow reuse fast in test suites. cy.intercept() lets you test error states (wrong password, network failure) without real credentials.

Playwright

storageState API saves and restores authenticated sessions across tests. API requests via APIRequestContext let you test session invalidation at the HTTP layer.

OWASP ZAP

Automated scan of the login surface for missing security headers, missing rate limiting, and OWASP Top 10 auth vulnerabilities.

Burp Suite

Intercept and replay login requests to test brute-force protection, token reuse, and cookie flag checks.

axe-core

Catches missing form labels, low-contrast error messages, and missing aria-describedby on validation errors in automated CI runs.