Is test_scenario document and test plan document the same thing? - testing

The task given to me is to derive a test plan. I was provided with a test_scenario document, so I have no idea what I have to draft. One of my colleagues told me both are the same document, but I have my doubts about that.
Please help

A test scenario is: "Check the Authentication feature".
A test plan could be:
log in with valid credentials
log in with invalid credentials for an existing user
log in with credentials for a non existing user
reset the password
and so on.

Related

AWS Amplify/Cognito- a way to set TOTP MFA on first time user login only

I'm setting up an authentication where MFA is not optional, which means from the very first login attempt after registration, the user will be asked to set up MFA (in this case I will be using Time Based One Time Passcode, or TOTP). For this, I can see that the following steps would be reasonable:
1) Get user information via the login form - Auth.signUp()
2) Determine from the user data retrieved in step 1) whether TOTP-based MFA is set for the user already. If not, go to step 3), or else step 4)
3) If TOTP is not set, redirect to a form where a QR code will be generated in order to set up this MFA feature. After verifying the code, log the user in.
4) If TOTP is set, ask for the passcode. After verifying, log the user in.
My dilemma: It seems I cannot get the information in step 2), i.e., whether TOTP-based MFA is set for the user already, without the user already being authenticated. The flag challengeName retrieved in the payload via Auth.signUp() in step 1) only gives me info on whether MFA is enabled or not ('MFA_SETUP'), and not whether TOTP-based MFA has been set up already. For that, the method Auth.getPreferredMFA() is what would do the trick, but it only works if the user object being passed to it represents an authenticated (or already logged in) user. Is there a way to determine if TOTP MFA is set up for a user trying to log in (but not logged in yet)?
Also, any other solutions to tackle this problem would be welcome. There must be somebody out there who has run into the same scenario I have, where MFA is mandatory from the first log in itself.
I am facing the same issue. If the MFA is required, I open up a modal to get the QR code displayed and set up the MFA for the user.
code: "NotAuthorizedException"
message: "Invalid session for the user."
name: "NotAuthorizedException"
But getting this error because the user hasn't logged in and created any access token yet.
My idea of solving this is actually logging in the user but making their permissions to not go beyond the SetupMFA screen so they only gain some permissions when they have completed the setup.
Have you made any progress yourself? I'd like to hear any solutions.

Why is the User verification required?

I am very curious to know some points regarding registration and login from a developer's point of view. Please see below the steps for any online account which is publicly open for all:
CREATE USER ACCOUNT : insert the data entered by the user along with a column 'activate' whose default value is 0
SEND A LINK TO ACTIVATE : a link is sent to the user's email at the time of registration
ACTIVATE THE ACCOUNT : the user clicks the link, the link is verified and the column 'activate' is updated with value 1
Why is sending a link and verifying it necessary? I suppose it is not absolutely required. I asked clients why they want such verification and I got almost the same answer every time, e.g. checking the authenticity of the user, and that it would be helpful to stop duplicate users.
But practically, at the time of user login, I suppose it is useless to verify the 'activate' column along with the password every time for every user.
I would appreciate it if you could explain the points which are very important regarding my concern.
This is really a slippery slope, but there are reasons. Obviously spam users will try to create accounts as quickly as possible, for spam reasons. Email and captcha verification will handle this.
Another is the issue of clumsy or accident-prone users that will forget their passwords, which can be worked around by email reminders/resets. Sadly, users may try to add fake email addresses (or mistyped ones) and lose access to their accounts, requiring admin intervention. Simple verification can force users to get their account into a self-rescuable state before adding any data.

Do I have to log in every time when testing a logged in user with Cucumber & Devise gems?

I want to write up a scenario that looks something like:
Given I am logged in
And I am on my profile page
Then I see my name
For the "Given I am logged in" - do I need to write something like:
When I go to the log in page
And I fill in "user_username" with "test"
And I fill in "user_password" with "invalid password"
And I press "Sign in"
Question is: does the test have to go through the login scenario every time I test a logged in user functionality?
EDIT:
Note that I am using the Devise gem. I am not sure how to log in the user directly, since the user session, cookies, etc. have to be set.
I would write a step definition to handle the login instead of a scenario.
This step definition can then put the cookies in the cookie jar for subsequent use.
If you store the cookie jars in a hashmap keyed on the test users, then the method can be smart enough to only log in when needed and reuse a session if one is still available. This can save a lot of time in the tests at the expense of not having completely independent tests, since now they're coupled through the session data on the server. The session can always be cleared by logging out before logging in again.

Test Case Preparation

I am a newbie to the testing field. I know that test cases are the conditions to fulfil any client requirements, i.e. the test conditions we need to fulfil the requirements.
I need some idea of how to formally write a test case. Can anyone give me any idea of writing the test cases?
Assume an example of a login page. I want to write the test case for a login screen. Please provide a pattern to do so.
Any other example is also welcome.
Hey.
The BDD approach is also a nice way to express behavior. A simple Given-When-Then lets you structure your idea.
For example:
Scenario: Login as Admin
Given: Login Page is loaded
And loginInput field is present
And loginPassword secure field is present
And loginSubmit button is present
When: User puts adminLoginName into loginName field
And User puts adminLoginPassword in loginPassword secure field
And User clicks loginSubmit button
Then: LoginPage is closed
And MainPage is loaded
And AdminPanel is visible
Basically, in order to create tests and test cases you need a good requirements document (what you refer to as 'client requirements'). If these requirements are written correctly, writing tests will be a piece of cake.
In the requirements document, there should be shall and will statements. For example:
the login page shall block a user after 10 failed logins
This is a testable requirement and then you write a test that has a user login incorrectly 10 times and sees if he can login successfully on the 11th try. Obviously you would be more specific in the test procedure, but that is the general idea.
Your example of having a login page isn't a good requirement. To test that requirement, you would just have to show that the login page exists. You want to be writing tests for specific features of this login page.
Also, there are will statements in a requirements document. These may not be required features depending on how the requirements were written, so you may not have to make tests for your will statements.
Test case preparation is for understanding the purpose of your project after testing. The test case document is useful for a quick review of the bugs and the status of the cases, i.e. whether a test case passed or failed.
Login Page:
Assume the login page in website or any other
Case1: What happens if you give valid Username and Invalid password
Case2: Invalid Username and Valid Password
Case3: Invalid Username and Invalid password
Case4: Valid User name and Valid Password
Case5: Empty User Name and Valid Password
Case6: Valid Username and Empty Password.
Here is a page with a brief overview of software testing and also an example of a table with test cases.
Software Testing Tutorial
This table can of course be extended to your needs, e.g. you will need a column for the result and maybe one for a comment; maybe some preconditions are needed for the test case, then add another column for that.
Here is a description of how to document a bug. (You will need that when you do your test ;-) )
Software Testing - Contents of a Bug
Positive test cases.
• Enter valid username and password.
• Click on forgot password link and retrieve the password for the username.
• Click on register link and fill out the form and register username and password.
• Use enter button after typing correct username and password.
• Use tab to navigate from username textbox to password textbox and then to login button.
Negative test cases
• Enter valid username and invalid password.
• Enter valid password but invalid username.
• Keep both field blank and hit enter or click login button.
• Keep username blank and enter password.
• Keep password blank and enter username.
• Enter username and password wrong.

Forgot Password: what is the best method of implementing a forgot password function?

I'm wondering what the best method is for creating a forgot password function on a website. I have seen quite a few out there, here are a few or combination of:
passphrase question / answer (1 or more)
send email with new password
on screen give new password
confirmation through email: must click link to get new password
page requiring user to enter a new password
What combination or additional steps would you add to a forgot password function? I'm wondering about how they request the new password and how they end up getting it.
I'm operating on the principle that the password cannot be retrieved; a new password must be given/generated.
Edit: I like what Cory said about not displaying if the username exists, but I'm wondering what to display instead. I'm thinking half the problem is that the user forgot which email address they used, for which displaying some sort of "does not exist" message is useful. Any solutions?
I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.
Option 1 is far easier.
A few important security concerns:
A passphrase question / answer actually lowers security since it typically becomes the weakest link in the process. It's often easier to guess someone's answer than it is a password - particularly if questions aren't carefully chosen.
Assuming emails operate as the username in your system (which is generally recommended for a variety of reasons), the response to a password reset request shouldn't indicate whether a valid account was found. It should simply state that a password request email has been sent to the address provided. Why? A response indicating that an email does/doesn't exist allows a hacker to harvest a list of user accounts by submitting multiple password requests (typically via an HTTP proxy like Burp Suite) and noting whether the email is found. To protect from login harvesting you must ensure no login/auth related functions provide any indication of when a valid user's email has been entered on a login/password reset form.
For more background, check out the Web Application Hacker's Handbook. It's an excellent read on creating secure authentication models.
EDIT: Regarding the question in your edit - I'd suggest:
"A password request email has been sent to the address you provided. If an email doesn't arrive shortly, please check your spam folder. If no email arrives, then no account exists with the email you provided."
There's a trade-off being made here between ease of use and security. You have to balance this based on context - is security important enough to you and your users to justify this inconvenience?
Send email with new password.
FORCE a password change when they arrive and key in the new password.
This ensures that the person who wanted the password will be the only one getting in to the account.
If the email is sniffed, someone could get in to the account (of course), but the real party will discover this immediately (as their password you just sent them doesn't work).
Also send confirmations of password changes to the users.
If someone gets the new password, and then an email saying "thanks for changing the password", they're going to be rather puzzled and will talk to an admin if they didn't do it.
Using the email verification/password reset link will give you better security.
If you look around this is how most websites do it and people are pretty used to this verification, so I'd recommend using this type of authentication.
I would think (gbrandt's) Option 2 would be a great method if it is combined with some personal information you already have for the user, e.g. date of birth.
When the user requests a new password (reset) via entering his email address, he also has to enter a correct date of birth (or something else) before the password is reset and a new one is emailed to the user.
Only those who know him well can possibly annoy him by resetting his password! It can't be a stranger or a bot.
Upon 5 or 7 bad email address & date of birth combinations, the user is emailed that a reset of his password has been requested and has failed due to an incorrect credential. Then password resetting for that account is suspended for 24 hrs or any desired period.
(If too many users contact the webadmin regarding this email, he'll know someone is trying to maliciously obtain information from your website/app.)
What do you guys think?
Option 1 is not a good idea, as generally this becomes easily guessable by others. Sarah Palin's personal email (Yahoo I think) was hacked in this way by a third party.
The other options are better and previous posts have outlined the detail.
The idea I was thinking about was to sign the data in the link that is sent to the user. Then, when the user clicks the link and the server receives the call, the server also gets the encrypted part and can validate that the data was untouched.
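As an added illustration of two points raised in this thread (Cory's enumeration-safe reset response, and signing the data carried in the reset link), here is a small constructed Ruby example; it is not code from the thread or from the projects linked in it. The secret, TTL and email addresses are constructed for the demo.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Constructed demo values (assumption: a real deployment keeps the secret server-side).
RESET_SECRET = 'constructed-demo-secret-do-not-reuse'.freeze
TOKEN_TTL = 15 * 60 # seconds a reset link stays valid
RESET_RESPONSE = 'A password request email has been sent to the address you provided.'.freeze

# Constant-time byte comparison so the MAC check does not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token = email | expiry | nonce | HMAC-SHA256 over the first three fields.
# The nonce makes every link unique; the HMAC lets the server detect tampering.
# (Assumes '|' never appears in an email address.)
def issue_reset_token(email, now = Time.now.to_i, secret = RESET_SECRET)
  payload = "#{email}|#{now + TOKEN_TTL}|#{SecureRandom.hex(8)}"
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  Base64.urlsafe_encode64("#{payload}|#{mac}", padding: false)
end

# Returns the email the link was issued for, or nil if the token is malformed,
# tampered with, or expired. Check the MAC before trusting any field.
def verify_reset_token(token, now = Time.now.to_i, secret = RESET_SECRET)
  email, expiry, nonce, mac = Base64.urlsafe_decode64(token).split('|', 4)
  return nil if mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{email}|#{expiry}|#{nonce}")
  return nil unless constant_time_equal?(mac, expected)
  return nil if now > expiry.to_i
  email
rescue ArgumentError # not valid base64
  nil
end

# Same response whether or not the account exists; the token only ever goes to
# the mailbox (modelled here as the returned outbox array), never to the screen.
def request_password_reset(email, known_accounts, now = Time.now.to_i)
  outbox = []
  outbox << issue_reset_token(email, now) if known_accounts.include?(email)
  [RESET_RESPONSE, outbox]
end
```

A real handler would also store the nonce and invalidate it once used, so a link cannot be replayed within its validity window.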
I have implemented a Java project for this use case. It is on GitHub, open source. It answers your question perfectly... implemented in Java.
As for the link in the email - it generates the link, plus validates it upon usage.
There are explanations for everything (and if something is missing - let me know...)
Have a look: https://github.com/OhadR/Authentication-Flows
See a Demo here.
This is the client web-app that uses the auth-flows, with the README with all explanations. It directs you to the implementation: https://github.com/OhadR/authentication-flows/tree/master/authentication-flows