
FEA102 Test Case

Test Case description: Verify secure authentication mechanisms including password hashing and session management
Test Case ID: FEA102-TC01
Author/Designer: Developer
Date of creation: 19.02.2024
Class: functional

Test description / objective

This test case aims to verify that the authentication mechanisms implemented as part of FEA102 securely handle user authentication. This includes checking for the presence of strong password hashing (e.g., bcrypt, Argon2) with unique salts, effective session management, and the secure handling of data transmission over HTTPS.

Links to requirements or other sources

Test pre-state

  • The system should be in an idle state with the authentication system initialized and ready for authentication requests.

Test steps

  1. Attempt to register a new user account with a strong password to verify password hashing and salt usage.
  2. Log in with the newly created user account to verify session management and HTTPS data transmission.
  3. Attempt to log in with incorrect credentials to test rate limiting and account lockout mechanisms.
  4. Inspect session cookies to ensure they are marked as secure and HttpOnly.
  5. Log out to verify session termination.
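As an added example (not part of the original test case or the FEA102 code base), the following self-contained Python script models steps 1 to 5 against a minimal in-memory authentication service, with hashlib.scrypt standing in for bcrypt/Argon2 as the salted password hash. HTTPS transport cannot be checked in-process and is represented only by the Secure cookie flag; the service, the credentials and the lockout threshold of five failures are constructed assumptions.

```python
import hashlib, hmac, os, secrets

class AuthService:  # constructed stand-in for the FEA102 auth component
    MAX_FAILURES = 5  # assumed lockout threshold

    def __init__(self):
        self.users = {}     # username -> {"salt", "hash", "failures"}
        self.sessions = {}  # session token -> username

    def _hash(self, password, salt):
        # scrypt stands in for bcrypt/Argon2; the per-user salt makes equal passwords hash differently
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt), "failures": 0}

    def login(self, username, password):
        u = self.users.get(username)
        if u is None or u["failures"] >= self.MAX_FAILURES:
            return None  # unknown or locked account: no session issued
        if not hmac.compare_digest(u["hash"], self._hash(password, u["salt"])):
            u["failures"] += 1
            return None
        u["failures"] = 0  # successful login resets the failure counter
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def cookie_header(self, token):
        return f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"
    def logout(self, token):
        self.sessions.pop(token, None)

def run_tc01():
    """Run steps 1-5 of FEA102-TC01 and return {check_name: passed}."""
    svc, pw, r = AuthService(), "Correct-Horse-Battery-Staple-9!", {}  # constructed credential
    svc.register("alice", pw)  # step 1: the same password registered twice must not hash the same
    svc.register("bob", pw)
    r["unique_salt"] = svc.users["alice"]["hash"] != svc.users["bob"]["hash"]
    token = svc.login("alice", pw)  # step 2: valid credentials issue a session
    r["session_created"] = token is not None and token in svc.sessions
    for _ in range(AuthService.MAX_FAILURES):  # step 3: repeated bad credentials lock the account
        svc.login("alice", "wrong-password")
    r["lockout"] = svc.login("alice", pw) is None
    attrs = {a.strip() for a in svc.cookie_header(token).split(";")}  # step 4: cookie flags
    r["cookie_flags"] = {"Secure", "HttpOnly"} <= attrs
    svc.logout(token)  # step 5: the token must be rejected after logout
    r["session_invalidated"] = token not in svc.sessions
    return r
```

Every entry of the returned dict must be True for a PASS; any False identifies which step of the test case failed.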

Test end-state

  • The user account remains secure with all authentication mechanisms verified as functional. No unauthorized access should be possible, and all session data should be correctly invalidated upon logout.

To be taken into account during test

  • Ensure network conditions are stable to accurately test HTTPS data transmission.
  • Verify the system's behavior under different scenarios, such as correct and incorrect login attempts, to ensure comprehensive testing of rate limiting.
  • Ensure that password hashing and session management mechanisms are robust and secure.

Test result (Pass/Fail Criteria)

  • PASS condition: The system securely hashes passwords with unique salts, effectively manages sessions, securely transmits data over HTTPS, and correctly implements rate limiting.
  • FAIL condition: Any failure in hashing passwords with unique salts, managing sessions securely, securely transmitting data over HTTPS, or properly implementing rate limiting.