Authentication Testing Checklist: What AI Coding Tools Get Wrong About Auth

Yunhao Jiao

Authentication is the most security-critical code in any application. CodeRabbit found AI-generated code is 1.88x more likely to introduce improper password handling.

This checklist covers every auth pattern AI code commonly gets wrong.

Login Flow

  • Valid credentials grant access and create session
  • Invalid password shows generic error (not "wrong password")
  • Account lockout after N failed attempts
  • Rate limiting on login endpoint
  • "Remember me" creates persistent session correctly
  • Login redirects to originally requested page

Session Management

  • Session persists across page reloads
  • Session expires after configured timeout
  • Expired session redirects gracefully (no broken state)
  • Logout invalidates session server-side
  • Session tokens not exposed in URLs

Password Security

  • Passwords hashed with bcrypt/scrypt/argon2
  • Unique salt per user
  • Password reset tokens expire after use and time limit
  • Old password required for password change

Authorization

  • Protected routes reject unauthenticated access
  • User A cannot access User B's data (IDOR)
  • Role-based access enforced on frontend routes AND API endpoints
  • Admin endpoints require admin role, not just authentication
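The checklist items above can be pinned down with executable tests. As an added example (not code from the original post or from TestSprite), here is a constructed, in-memory auth service written so that the generic-error, lockout, per-user-salt, server-side-logout and IDOR rules from the Login Flow, Password Security and Authorization sections can each be asserted against it; `AuthService`, its storage dicts and the threshold of 5 failures are assumptions for illustration.

```python
import hashlib, hmac, os, secrets


class AuthService:
    """Constructed mini auth service used to test the checklist rules.
    Not a production implementation; no persistence, no rate limiting."""
    MAX_FAILURES = 5  # assumed lockout threshold ("N failed attempts")
    GENERIC_ERROR = "Invalid username or password"

    def __init__(self):
        self._users = {}     # username -> (salt, scrypt hash)
        self._failures = {}  # username -> consecutive failed logins
        self._sessions = {}  # session token -> username (server-side store)
        self._profiles = {}  # username -> private profile data

    @staticmethod
    def _hash(password, salt):
        # scrypt is one of the checklist's accepted password hashes
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def register(self, username, password, profile):
        salt = os.urandom(16)  # unique salt per user
        self._users[username] = (salt, self._hash(password, salt))
        self._profiles[username] = profile

    def login(self, username, password):
        """Return (True, token) on success, (False, generic error) otherwise."""
        if self._failures.get(username, 0) >= self.MAX_FAILURES:
            return False, self.GENERIC_ERROR  # locked out; same message as any failure
        record = self._users.get(username)
        if record is None:
            self._hash(password, b"\0" * 16)  # hash anyway so timing does not reveal existence
            return False, self.GENERIC_ERROR
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            self._failures[username] = self._failures.get(username, 0) + 1
            return False, self.GENERIC_ERROR  # never "wrong password"
        self._failures[username] = 0
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return True, token

    def logout(self, token):
        self._sessions.pop(token, None)  # invalidated server-side, not just a cleared cookie

    def get_profile(self, token, username):
        """IDOR check: a valid session only grants access to its own user's data."""
        caller = self._sessions.get(token)
        if caller is None or caller != username:
            return None
        return self._profiles[username]
```

Each checklist line maps to one assertion: the same error string for a wrong password and an unknown user, a locked account rejecting even the correct password, two users getting different salts, a token that stops working after `logout`, and a session for user A returning nothing for user B's profile.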

TestSprite tests all of these patterns automatically on every PR. When it finds a gap — missing rate limit, IDOR vulnerability, exposed token — it flags it before merge.

Print this checklist. Then automate it.
