Engineering

Authentication Test Prompt

Login, token refresh, and everything that must fail: expired tokens, wrong permissions, malicious credentials — auth tested as behavior.

Overview

Auth code is tested backwards everywhere: the login-works test exists, the seventeen ways auth must FAIL don't. This setup generates the auth test suite with security as a first-class coverage area: authentication failures (missing, expired, malformed credentials — each its own test), permission boundaries returning the right 403s, malicious input through every credential field, and access to other users' resources by ID rejected — alongside the API failure scenarios: 401 vs 403 distinguished, idempotent refresh behavior, and error shapes that don't leak what exists.

Workflow

Count the failure tests
A healthy auth suite has more failure tests than success tests — the contract is built to produce that ratio.
Test expiry as a moment
The token that expires BETWEEN two requests is the scenario that separates tested auth from lucky auth.
Verify the cross-user wall
Authenticated-but-wrong-user requests against every resource type — the test that catches IDOR before users do.

Why This Works

Failure-first framing matches auth reality: success is one path, failure is the surface
The 401/403 separation tests the distinction attackers probe first
Cross-user scenarios catch the authorization bugs authentication tests can't see

Best for

Auth endpoints, middleware, and guards
Systems where a 403 returned as 404 (or worse, 200) is an incident
Token lifecycles with refresh, expiry, and revocation

Not for

Reviewing auth code for vulnerabilities — that's the Code Review Prompt Generator's security focus; review finds, tests verify
Pen-testing — these tests verify specified behavior, not undiscovered attack surface

Use cases

Testing login and token-refresh endpoints before release
Covering expired-token behavior on every protected route
Verifying users can't reach each other's resources by ID

Customize This Resource

Opens this setup in Test Case Prompt Generator. Generate to get the full test contract — then adjust the strategy, framework, coverage, and depth.

Open in Test Case Prompt Generator

Prompt Template

TESTING OBJECTIVE
Test the login and token-refresh endpoints — including everything that must fail.
Strategy: API tests — the contract is the subject: requests, responses, status codes, auth.
Generate tests only — do not modify the implementation.

CODE CONTEXT
[Paste the endpoint under test here]

TEST STRATEGY
- Test the contract, not the implementation: request validation, response shape, and status codes are the spec.
- Every response asserts three things: status code, body shape, and the headers that matter.
- Auth is tested as behavior: 401 for missing/expired credentials, 403 for valid-but-forbidden — and they are different tests.
- Error responses have a contract too — assert their shape as strictly as the success path.

COVERAGE AREAS
Happy Path:
- The primary success path with realistic, typical inputs
- The most common variations users actually exercise
- Expected outputs asserted precisely — values and shape, not just "no exception"
Error Handling:
- Every declared error path actually triggers in a test
- Errors carry the right type, message, and code
- Failures leave state clean — no partial writes survive
- Errors propagate or are swallowed exactly as specified
Security:
- Authentication failures: missing, expired, and malformed credentials
- Permission boundaries: the right operations return 403 for the wrong roles
- Malicious input: injection attempts in every text field
- Access to other users' resources by ID is rejected

FAILURE SCENARIOS
Each of these gets at least one test:
- Invalid payloads return 400 with the documented error shape — not 500
- Missing or expired auth returns 401; wrong permissions return 403
- Nonexistent resources return 404, not 500 or an empty 200
- A duplicate of a completed request behaves as specified (idempotency)
- Oversized payloads are rejected at the documented limit

TEST DATA GUIDANCE
- Use realistic, production-shaped data — names, amounts, and dates that could exist.
- Build complex objects with builders or factories, not hand-assembled literals repeated per test.
- Name boundary data for its intent (maxLengthName, expiredToken), not its value.
- Never share mutable fixtures between tests.

FRAMEWORK GUIDANCE
Framework: Generic.
- Use the project's existing test framework and follow its established conventions.

OUTPUT FORMAT
- Return one complete, runnable test file.
- Group tests by coverage area, with a comment header per group.
- Each test: arrange-act-assert structure, one behavior per test.
- Cover every selected coverage area systematically — each coverage item above gets at least one test.
- Parametrize repetitive cases instead of copy-pasting tests.
- Name tests so a failure message alone identifies the broken behavior.

ASSUMPTIONS
- After the tests, list every assumption you made about unspecified behavior under an ASSUMPTIONS heading.
- Where the code's intent is ambiguous, test the most likely intent and flag the ambiguity.
- List GAPS: behaviors you could not test with the information given.

NON-GOALS
- Do not rewrite or "improve" the implementation code — test it as it is.
- Do not refactor the architecture to make it more testable; flag testability problems instead.
- Do not invent requirements — test only specified or clearly implied behavior.
- Do not weaken assertions to make tests pass.

Related Resources

Explore more resources that work well with this one.