
How-To Guide

Authentication Testing Checklist: What AI Coding Tools Get Wrong About Auth


Yunhao Jiao

Authentication is the most security-critical code in any application. CodeRabbit found AI-generated code is 1.88x more likely to introduce improper password handling.

This checklist covers every auth pattern AI code commonly gets wrong.

Login Flow

  • Valid credentials grant access and create session

  • Invalid password shows generic error (not "wrong password")

  • Account lockout after N failed attempts

  • Rate limiting on login endpoint

  • "Remember me" creates persistent session correctly

  • Login redirects to originally requested page

Session Management

  • Session persists across page reloads

  • Session expires after configured timeout

  • Expired session redirects gracefully (no broken state)

  • Logout invalidates session server-side

  • Session tokens not exposed in URLs
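The session items above, worked through as an added example (this is illustration code written for this checklist, not TestSprite's code or code from the page). It keeps a server-side session table keyed by a random token, expires sessions on a configurable timeout, revokes them on logout, and puts the token in an HttpOnly cookie rather than a URL. The timeout values and the `SessionStore` / `set_cookie_header` names are assumptions; the clock is injectable so the expiry path can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass

# Timeouts are assumptions for this example, not values from the checklist.
SESSION_TIMEOUT = 15 * 60               # idle session
REMEMBER_ME_TIMEOUT = 30 * 24 * 3600    # "remember me" persistent session


@dataclass
class Session:
    user_id: str
    expires_at: float


class SessionStore:
    """Server-side session table keyed by a random token held only by the client."""

    def __init__(self, clock=time.time):
        self._sessions: dict[str, Session] = {}
        self._clock = clock  # injectable so tests can advance time

    def create(self, user_id: str, remember_me: bool = False) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        ttl = REMEMBER_ME_TIMEOUT if remember_me else SESSION_TIMEOUT
        self._sessions[token] = Session(user_id, self._clock() + ttl)
        return token

    def lookup(self, token: str):
        """Return the user id for a live session, or None (unknown or expired)."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._clock() >= sess.expires_at:
            del self._sessions[token]  # expired: drop it so the caller sees a clean logout
            return None
        return sess.user_id

    def logout(self, token: str) -> None:
        # Revoke server-side; clearing the cookie in the browser is not enough.
        self._sessions.pop(token, None)


def set_cookie_header(token: str, remember_me: bool = False) -> str:
    """The token travels in an HttpOnly cookie, never in a URL query string."""
    max_age = REMEMBER_ME_TIMEOUT if remember_me else SESSION_TIMEOUT
    return (f"session={token}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


def walkthrough():
    """Exercise the checklist items with a fake clock; returns the observations."""
    now = [1_000.0]
    store = SessionStore(clock=lambda: now[0])
    tok = store.create("alice")
    on_login = store.lookup(tok)          # "alice"
    now[0] += SESSION_TIMEOUT - 1
    on_reload = store.lookup(tok)         # still "alice": persists across reloads
    now[0] += 2
    after_timeout = store.lookup(tok)     # None: expired
    tok2 = store.create("alice")
    store.logout(tok2)
    after_logout = store.lookup(tok2)     # None: invalidated server-side
    return on_login, on_reload, after_timeout, after_logout
```

The expiry check lives in `lookup`, so an expired token behaves exactly like an unknown one and the application falls back to its normal "not logged in" redirect instead of a half-authenticated state.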

Password Security

  • Passwords hashed with bcrypt/scrypt/argon2

  • Unique salt per user

  • Password reset tokens expire after use and time limit

  • Old password required for password change
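The Login Flow and Password Security items, combined into one added example (illustration code for this checklist, not TestSprite's code or code from the page): passwords are hashed with scrypt from the Python standard library under a per-user salt, the login handler returns one generic message whether the username is unknown, the password is wrong or the account is locked, the account locks after N failures, a password change requires the old password, and reset tokens are single-use with a time limit. The policy values (N = 5, lockout and token lifetimes), the scrypt cost parameters and the `UserStore` name are assumptions. Per-IP rate limiting on the login endpoint is a separate layer in front of this and is not shown.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example; the checklist only says "N attempts".
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
RESET_TOKEN_TTL = 30 * 60
GENERIC_ERROR = "Invalid username or password"
_DUMMY_SALT = b"\x00" * 16  # used to equalise hashing cost for unknown usernames


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; cost parameters suit interactive logins
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class UserStore:
    def __init__(self, clock=time.time):
        self._users: dict[str, Account] = {}
        self._reset_tokens: dict[bytes, tuple[str, float]] = {}
        self._clock = clock  # injectable so tests can move time forward

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # a fresh salt per user, stored next to the hash
        self._users[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str):
        acct = self._users.get(username)
        if acct is None:
            # Unknown user: same message and the same hashing cost as a wrong
            # password, so the response does not reveal which usernames exist.
            hash_password(password, _DUMMY_SALT)
            return False, GENERIC_ERROR
        if acct.locked_until > self._clock():
            return False, GENERIC_ERROR  # locked out; still the generic message
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = self._clock() + LOCKOUT_SECONDS
            return False, GENERIC_ERROR
        acct.failed_attempts = 0
        return True, None

    def _set_password(self, username: str, new_password: str) -> None:
        acct = self._users[username]
        acct.salt = os.urandom(16)  # re-salt on every change
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.failed_attempts, acct.locked_until = 0, 0.0

    def change_password(self, username, old_password, new_password) -> bool:
        # The old password is required; a wrong guess counts as a failed login.
        ok, _ = self.login(username, old_password)
        if ok:
            self._set_password(username, new_password)
        return ok

    def issue_reset_token(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a leaked table cannot be replayed.
        key = hashlib.sha256(token.encode()).digest()
        self._reset_tokens[key] = (username, self._clock() + RESET_TOKEN_TTL)
        return token

    def reset_password(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode()).digest()
        entry = self._reset_tokens.pop(key, None)  # pop: usable at most once
        if entry is None:
            return False
        username, expires_at = entry
        if self._clock() > expires_at:
            return False  # expired by time, and already consumed by the pop
        self._set_password(username, new_password)
        return True
```

Two details are easy to get wrong when this is generated: the comparison of hashes must be constant-time (`hmac.compare_digest`), and the unknown-user branch must do the same work as the wrong-password branch, otherwise the response time, not the message, becomes the username oracle.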

Authorization

  • Protected routes reject unauthenticated access

  • User A cannot access User B's data (IDOR)

  • Role-based access enforced on frontend routes AND API endpoints

  • Admin endpoints require admin role, not just authentication
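The Authorization items as an added example (illustration code for this checklist, not TestSprite's code or code from the page). The checks sit in the API handlers themselves, because a frontend route guard only hides a link and enforces nothing. `require_auth` rejects unauthenticated callers, `require_role` additionally demands the admin role, and `get_invoice` performs the object-level ownership check that catches IDOR. The invoice data, the role names and the handler names are constructed for the example.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class User:
    id: str
    role: str  # "user" or "admin" in this example


class Unauthenticated(Exception):
    """No valid session: HTTP 401."""


class Forbidden(Exception):
    """Authenticated but lacking the role: HTTP 403."""


class NotFound(Exception):
    """Missing, or not visible to this user: HTTP 404."""


# Constructed sample data: invoices owned by two different users.
INVOICES = {
    "inv-1": {"owner": "alice", "amount": 120},
    "inv-2": {"owner": "bob", "amount": 75},
}


def require_auth(handler):
    """Reject requests with no authenticated user before the handler runs."""
    @wraps(handler)
    def wrapper(user, *args, **kwargs):
        if user is None:
            raise Unauthenticated()
        return handler(user, *args, **kwargs)
    return wrapper


def require_role(role):
    """Authentication is not enough: the user must also hold the named role."""
    def decorate(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if user is None:
                raise Unauthenticated()
            if user.role != role:
                raise Forbidden()
            return handler(user, *args, **kwargs)
        return wrapper
    return decorate


@require_auth
def get_invoice(user, invoice_id):
    """Object-level check: the record must belong to the caller (or caller is admin)."""
    inv = INVOICES.get(invoice_id)
    # One answer for "does not exist" and "not yours", so the endpoint does not
    # confirm which IDs exist to someone enumerating them.
    if inv is None or (inv["owner"] != user.id and user.role != "admin"):
        raise NotFound()
    return inv


@require_role("admin")
def list_all_invoices(user):
    return dict(INVOICES)


def status_of(handler, user, *args):
    """Map the outcome to the HTTP status a framework would send."""
    try:
        handler(user, *args)
        return 200
    except Unauthenticated:
        return 401
    except Forbidden:
        return 403
    except NotFound:
        return 404
```

A test for the "admin endpoints require admin role" item should call the endpoint with a valid non-admin session and expect 403, not merely call it anonymously and expect 401; the second test passes even when the role check is missing.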

TestSprite tests all of these patterns automatically on every PR. When it finds a gap — missing rate limit, IDOR vulnerability, exposed token — it flags it before merge.

Print this checklist. Then automate it.
