Test the Authentication and Authorization Logic #331

Closed
opened 2024-12-16 12:17:05 +00:00 by tim · 0 comments

SignIn

- [x] should redirect to "/" if user is already signed in
- [x] should fail without valid csrf token
- [x] should fail with invalid username
- [x] should fail with invalid password
- [x] should return secure cookie with NEW session-id
- [x] should always return in a maximum of 250 ms (email exists, email doesn't exist)
- [x] should create new session and invalidate old one (session fixation prevention)

SignUp

- [x] should redirect to "/" if signed in
- [x] should fail if csrf token is invalid
- [x] should fail if password is insecure
- [x] should say "verification mail sent" if user already exists, within 250 ms
- [x] should say "verification mail sent" if user does not exist, within 250 ms
- [x] should fail verifying email with non-existent token
- [x] should fail verifying email with outdated token
- [x] should verify email with correct token

SignOut

- [x] should fail if csrf token is not valid
- [x] should delete current session and redirect to "/"

Delete Account

- [x] should redirect to "/" if user is not signed in
- [x] should forbid if not signed in
- [x] should fail if password is incorrect
- [x] should fail if csrf token is invalid
- [x] should delete all user-related data

Change Password

- [x] should redirect to "/" if not signed in
- [x] should fail if csrf token is invalid
- [x] should fail if current password does not match
- [x] should fail if new password is insecure
- [x] should change password and invalidate all other user sessions

Forgot Password

- [x] should redirect to "/" if signed in
- [x] should fail if csrf token is invalid
- [x] should return the same message, independent of email existence
- [x] should generate and send token

Forgot Password Response

- [x] should redirect to "/" if signed in
- [x] should fail if token does not exist
- [x] should fail if token is outdated
- [x] should fail if new password is insecure
- [x] should change password and invalidate ALL sessions

Session

- [x] should create new anonymous session if current session gets outdated
- [x] should create anonymous session
- [x] should not have access to user information with outdated session
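The session-lifecycle rules in the checklist above (new id on sign-in, "all other sessions" revoked on password change, ALL sessions revoked on a token-based reset, anonymous replacement for outdated sessions) as an added, self-contained reference implementation; this is not the template's own code, and the names `SessionStore`, `sign_in`, `change_password`, `reset_password` and the `SESSION_TTL` value are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

SESSION_TTL = 3600  # seconds; assumed value, not from the template


@dataclass
class Session:
    user: Optional[str]   # None means anonymous session
    expires_at: float


class SessionStore:
    """In-memory store illustrating the checklist's session rules (hypothetical API)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def _new(self, user: Optional[str], now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256-bit random id, unguessable
        self._sessions[sid] = Session(user, now + SESSION_TTL)
        return sid

    def resolve(self, sid: str, now: Optional[float] = None):
        """Return (session_id, session). An unknown or outdated id is dropped and
        replaced by a fresh anonymous session, so an expired cookie never yields user data."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None or s.expires_at <= now:
            self._sessions.pop(sid, None)
            sid = self._new(None, now)
        return sid, self._sessions[sid]

    def sign_in(self, old_sid: str, user: str, now: Optional[float] = None) -> str:
        """Successful login discards the pre-login session and issues a NEW id
        (session fixation prevention)."""
        now = time.time() if now is None else now
        self._sessions.pop(old_sid, None)
        return self._new(user, now)

    def change_password(self, current_sid: str, user: str) -> None:
        """Keep the session that changed the password; revoke every other one."""
        for sid in [k for k, v in self._sessions.items() if v.user == user and k != current_sid]:
            del self._sessions[sid]

    def reset_password(self, user: str) -> None:
        """Reset via emailed token: revoke ALL sessions of the user."""
        for sid in [k for k, v in self._sessions.items() if v.user == user]:
            del self._sessions[sid]

    def sessions_for(self, user: str) -> List[str]:
        return sorted(k for k, v in self._sessions.items() if v.user == user)
```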
tim added this to the security milestone 2024-12-16 12:17:05 +00:00
tim closed this issue 2024-12-25 22:15:08 +00:00
Reference: x/web-app-template#331