pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-20 06:31:13 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
django-backend
thrilltrack-explorer/AUTHENTICATION_TESTING_GUIDE.md

7.7 KiB
Raw Permalink Blame History

Authentication System - Testing Guide

Quick Start Testing

Prerequisites

  1. Django Backend Running
cd django-backend
python manage.py runserver
  1. Next.js Frontend Running
npm run dev
# or
bun dev
  1. Test User Account Create a test user via Django admin or API:
cd django-backend
python manage.py createsuperuser

Test Scenarios

Scenario 1: New User Registration

  1. Open http://localhost:3000
  2. Click "Sign Up" button
  3. Fill in the form:
    • Username: testuser
    • Email: test@example.com
    • Password: TestPass123!
    • Confirm Password: TestPass123!
  4. Click "Sign Up"
  5. Expected: Success message, modal closes
  6. Note: User needs to login separately (Django doesn't auto-login on registration)

Scenario 2: Login Flow

  1. Open http://localhost:3000
  2. Click "Login" button
  3. Enter credentials:
  4. Click "Sign In"
  5. Expected:
    • Modal closes
    • User avatar appears in header
    • Username/email displayed
    • Dashboard link appears in welcome section

Scenario 3: Access Dashboard

  1. After logging in, click "Dashboard" link
  2. Expected:
    • Redirected to /dashboard
    • User profile card displays
    • Username and email shown
    • User ID visible
    • Quick actions section present

Scenario 4: Logout Flow

  1. While logged in, click "Logout" button
  2. Expected:
    • Redirected to home page
    • Login/Sign Up buttons reappear
    • Dashboard link hidden
    • User avatar gone

Scenario 5: Protected Route Access

  1. Ensure you're logged out (click Logout if needed)
  2. Manually navigate to http://localhost:3000/dashboard
  3. Expected:
    • Brief loading screen
    • Automatic redirect to home page

Scenario 6: Token Persistence

  1. Login to the application
  2. Open browser DevTools → Application → Local Storage
  3. Expected:
    • thrillwiki_access_token present
    • thrillwiki_refresh_token present
  4. Refresh the page (F5)
  5. Expected:
    • User remains logged in
    • No need to login again

Scenario 7: Password Reset Request

  1. Click "Login" button
  2. Click "Forgot your password?" link
  3. Enter email: test@example.com
  4. Click "Send Reset Email"
  5. Expected:
    • Success message shown
    • Check Django console for email output
    • Email contains reset link

Scenario 8: OAuth Flow (Google)

Note: Requires Google OAuth configuration in Django backend

  1. Click "Login" button
  2. Click "Sign in with Google" button
  3. Expected:
    • Redirected to Django OAuth endpoint
    • Redirected to Google authorization
    • After authorization, redirected back to callback
    • Logged in and redirected to dashboard

Scenario 9: MFA Challenge

Note: Requires user with MFA enabled

  1. Enable MFA for test user in Django admin
  2. Login with that user
  3. Expected:
    • After email/password, MFA code input appears
    • Enter TOTP code from authenticator app
    • After successful verification, redirected to dashboard

Scenario 10: Session Expiry

  1. Login to the application
  2. Open DevTools → Application → Local Storage
  3. Delete thrillwiki_access_token
  4. Try to navigate to dashboard
  5. Expected:
    • Redirected to home page
    • Need to login again

Browser DevTools Checks

Local Storage Verification

Open DevTools → Application → Local Storage → http://localhost:3000

When Logged In:

thrillwiki_access_token: eyJ0eXAiOiJKV1QiLCJhbGc...
thrillwiki_refresh_token: eyJ0eXAiOiJKV1QiLCJhbGc...

When Logged Out: Should be empty or missing

Network Requests

Open DevTools → Network → XHR

On Login:

  • POST to /api/v1/auth/login/
  • Response: { "access": "...", "refresh": "..." }
  • GET to /api/v1/auth/user/
  • Response: User object with id, username, email

On Dashboard Load:

  • GET to /api/v1/auth/user/
  • Should include Authorization: Bearer <token> header

Error Scenarios to Test

Invalid Credentials

  1. Try to login with wrong password
  2. Expected: Error message "Invalid credentials" or similar

Network Error

  1. Stop Django backend
  2. Try to login
  3. Expected: Error message about network/server error

Token Expiry (Manual)

  1. Login successfully
  2. In DevTools, edit thrillwiki_access_token to invalid value
  3. Try to access protected route
  4. Expected: Token refresh attempted, then logout if refresh fails

Validation Errors

  1. Try to register with:
    • Password too short
    • Passwords don't match
    • Invalid email format
  2. Expected: Validation error messages displayed

Console Messages

Expected Console Output (Normal Flow)

Access token refreshed successfully  // Every ~55 minutes
Auth check complete
User loaded: {username: "testuser", ...}

Error Console Output

Failed to refresh token: ...
Refresh token expired, logging out
Login failed: ...

API Endpoint Testing (Optional)

Using curl or Postman

Register:

curl -X POST http://localhost:8000/api/v1/auth/register/ \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","email":"test@example.com","password":"TestPass123!"}'

Login:

curl -X POST http://localhost:8000/api/v1/auth/login/ \
  -H "Content-Type: application/json" \
  -d '{"email":"test@example.com","password":"TestPass123!"}'

Get User (with token):

curl http://localhost:8000/api/v1/auth/user/ \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Common Issues & Solutions

Issue: Can't login, getting 401 errors

Solution: Check Django backend is running and accessible at http://localhost:8000

Issue: CORS errors in console

Solution: Ensure Django settings have proper CORS configuration for http://localhost:3000

Issue: Tokens not persisting

Solution: Check browser privacy settings allow localStorage

Issue: OAuth not working

Solution: Verify OAuth credentials configured in Django backend .env file

Issue: MFA not appearing

Solution: User must have MFA enabled in Django admin first

Success Indicators

All tests passing if:

  • Can register new user
  • Can login with valid credentials
  • Dashboard loads with user info
  • Logout works and clears session
  • Protected routes redirect when not logged in
  • Tokens persist across page refreshes
  • Password reset email sent
  • OAuth flow completes (if configured)
  • MFA challenge works (if configured)
  • Error messages display appropriately

Next Steps After Testing

  1. Fix any bugs found during testing
  2. Document any issues in GitHub issues
  3. Consider security audit before production
  4. Set up production environment variables
  5. Test in production-like environment (staging)
  6. Add automated tests (unit, integration, e2e)
  7. Monitor error logs for auth failures
  8. Set up user analytics (optional)

Testing Checklist

Use this checklist to track testing progress:

  • New user registration works
  • Login with email/password works
  • Dashboard displays user info correctly
  • Logout works and clears tokens
  • Protected route redirects when logged out
  • Direct dashboard access requires login
  • Tokens persist on page refresh
  • Password reset email sent
  • OAuth Google works (if configured)
  • OAuth Discord works (if configured)
  • MFA challenge works (if configured)
  • Invalid credentials show error
  • Network errors handled gracefully
  • Form validation works
  • Token refresh works automatically
  • Session expiry handled properly
  • UI responsive on mobile
  • Loading states display correctly
  • Error messages clear and helpful
  • No console errors (except expected ones)

Date Tested: ___________ Tested By: ___________ Environment: Development / Staging / Production Status: Pass / Fail / Needs Work

Reference in New Issue View Git Blame Copy Permalink