How to Test Authentication in Vibecoded Apps
Authentication is where security meets user experience. AI-generated auth flows often look polished but hide subtle bugs — broken redirects, token mishandling, or sessions that never expire. Getting auth wrong can expose user data or lock people out entirely.
Last updated: 2026-03-14
Testing Login and Signup Flows
Begin with the standard happy path: create an account, verify it, log in, and confirm you land on the right page. Then test the edge cases that AI tools routinely miss. Try signing up with an email that already exists: the response should look exactly like the one for a new address (for example, "If that address is available, we have sent a confirmation link"), with the difference delivered by email, so that the signup form cannot be used to enumerate registered accounts. Apply the same test to login: a wrong password and an unknown email should produce the same error message.
Test password requirements by submitting passwords that are too short, too long, or missing required character types, and confirm that the server rejects them, not just the form. Verify that the strength indicator matches the rules that are actually enforced. Many vibecoded apps show a strength meter but accept any password on the backend; you can confirm this by submitting the request directly from devtools or curl with the client-side check out of the way.
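As an added example (not code from the article or from any particular app), here is a signup handler that leaks account existence next to a hardened one, together with the comparison a tester would run against both. The in-memory `users` store, the response shapes and the policy numbers are assumptions made for the demo.

```javascript
// Added example, not code from the article: a signup handler that leaks account
// existence next to a hardened one, plus the comparison a tester would run.
// The in-memory `users` store, the response shapes and the policy numbers are
// assumptions made for the demo.

// Constructed data: one account already exists.
const users = new Map([['alice@example.com', { confirmed: true }]]);

// Server-side password policy. A strength meter in the UI is advice; this is the
// check that decides. Length is also measured in UTF-8 bytes because bcrypt
// silently ignores everything past 72 bytes.
const POLICY = { minChars: 12, maxBytes: 72 };

function passwordError(pw) {
  if (typeof pw !== 'string' || pw.length === 0) return 'password is required';
  if (pw.length < POLICY.minChars) return `password must be at least ${POLICY.minChars} characters`;
  if (Buffer.byteLength(pw, 'utf8') > POLICY.maxBytes) return `password must be at most ${POLICY.maxBytes} bytes`;
  if (!/[a-z]/.test(pw) || !/[A-Z]/.test(pw) || !/[0-9]/.test(pw)) {
    return 'password needs a lowercase letter, an uppercase letter and a digit';
  }
  return null;
}

// Leaky version: the status code answers "is this email registered?", and the
// policy only runs for new addresses, so a deliberately weak password gives the
// same answer (400 for a new email, 409 for a known one).
function signupLeaky(email, password) {
  if (users.has(email)) return { status: 409, body: 'Email already registered' };
  const err = passwordError(password);
  if (err) return { status: 400, body: err };
  users.set(email, { confirmed: false });
  return { status: 201, body: 'Account created, check your email' };
}

// Hardened version: validate the password for everyone first, then return the
// same status and body whether or not the address exists. The difference goes
// into the email instead: a confirmation link for a new address, a "you already
// have an account" notice for a known one.
function signupHardened(email, password, outbox) {
  const err = passwordError(password);
  if (err) return { status: 400, body: err };
  if (users.has(email)) {
    outbox.push({ to: email, kind: 'already-registered' });
  } else {
    users.set(email, { confirmed: false });
    outbox.push({ to: email, kind: 'confirm' });
  }
  return { status: 200, body: 'If that address is available, a confirmation link is on its way' };
}

// The tester's check: submit a known address and a fresh one, once with a valid
// password and once with one that breaks the policy, and compare the responses.
// Any difference in status or body lets an attacker enumerate accounts.
let fresh = 0;
const freshEmail = () => `new${fresh++}@example.com`;

function leaksAccountExistence(handler) {
  for (const pw of ['CorrectHorse9Battery', 'short']) {
    const outbox = [];
    const known = handler('alice@example.com', pw, outbox);
    const unknown = handler(freshEmail(), pw, outbox);
    if (known.status !== unknown.status || known.body !== unknown.body) return true;
  }
  return false;
}

console.log('leaky handler leaks:', leaksAccountExistence(signupLeaky));       // true
console.log('hardened handler leaks:', leaksAccountExistence(signupHardened)); // false
```

The ordering in the hardened handler matters: if the existence check ran before the policy check, a weak password would still get a 400 for a new address and a 200 for a known one. A real handler also has to keep response time similar in both branches (for instance by hashing the password before branching), since a timing difference leaks the same bit.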
Session and Token Management
After logging in, check how the session is maintained. Open developer tools and inspect cookies and local storage for auth tokens. A session cookie should be marked HttpOnly and Secure, carry a SameSite attribute, and have a reasonable lifetime. AI-generated code often keeps a JWT in localStorage instead; anything stored there is readable by every script that runs on the page, so a single XSS bug is enough to steal the session.
Test session expiry by waiting it out or, in a test environment, shortening the configured lifetime. Then replay an expired token, and a token whose exp claim you edited without re-signing it; the server must reject both. When a session expires, the user should be redirected to login gracefully, not shown a broken page or raw error. Also test concurrent sessions: log in from two browsers and verify both work independently.
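Two checks to run under Node on values copied out of devtools: the Set-Cookie header from the login response, and a token found in storage. This is an added example, not code from the article or from any app it describes; the lifetime ceiling, the sample cookie strings and the sample token are constructed for the demo, and the `withEditedExp` probe is the tester's replay input, not something a server should ever accept.

```javascript
// Added example, not code from the article: checks to run under Node on values
// copied out of devtools. The lifetime ceiling, the sample cookie strings and the
// sample token are constructed for the demo.

const MAX_SESSION_SECONDS = 30 * 24 * 3600; // assumed ceiling for a "reasonable" lifetime

// Split one Set-Cookie header value into the cookie pair and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// What a tester wants to know about the session cookie.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('no HttpOnly: page scripts can read the cookie');
  if (!attrs.secure) findings.push('no Secure: cookie is sent over plain HTTP');
  const ss = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (ss !== 'lax' && ss !== 'strict') findings.push('SameSite missing or None: cookie rides along on cross-site requests');
  if (attrs['max-age'] !== undefined && Number(attrs['max-age']) > MAX_SESSION_SECONDS) {
    findings.push(`Max-Age ${attrs['max-age']}s is longer than ${MAX_SESSION_SECONDS}s`);
  }
  return findings;
}

// Decode the two JSON parts of a compact JWT. Nothing here verifies the signature.
const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const jsonB64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return { header: b64urlJson(parts[0]), payload: b64urlJson(parts[1]), signature: parts[2] };
}

// A token pulled out of localStorage is a finding by itself; on top of that,
// look at how long it lives and whether it is signed at all.
function auditJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  const findings = [];
  if (!header.alg || String(header.alg).toLowerCase() === 'none') findings.push('alg none: token is unsigned');
  if (payload.exp === undefined) findings.push('no exp claim: token never expires on its own');
  else if (payload.exp <= nowSeconds) findings.push('exp is in the past: the server must reject this token');
  else if (payload.exp - nowSeconds > MAX_SESSION_SECONDS) {
    findings.push(`exp is ${Math.round((payload.exp - nowSeconds) / 86400)} days away`);
  }
  return findings;
}

// The replay probe for the expiry test: original header bytes, original signature,
// edited exp. A server that verifies signatures rejects it; one that only reads
// the payload accepts it, which is the bug you are looking for.
function withEditedExp(token, newExp) {
  const [h, p, s] = token.split('.');
  return `${h}.${jsonB64url({ ...b64urlJson(p), exp: newExp })}.${s}`;
}

// Constructed samples. The JWT's signature is a placeholder string.
const NOW = 1_700_000_000;
const LEAKY_COOKIE = 'session=abc123; Path=/';
const GOOD_COOKIE = 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=86400';
const SAMPLE_JWT = `${jsonB64url({ alg: 'HS256', typ: 'JWT' })}.${jsonB64url({ sub: '42', iat: NOW, exp: NOW + 3600 })}.sig-placeholder`;

console.log(auditSessionCookie(LEAKY_COOKIE));                                  // three findings
console.log(auditJwt(SAMPLE_JWT, NOW));                                         // []
console.log(auditJwt(withEditedExp(SAMPLE_JWT, NOW + 10 * 365 * 86400), NOW)); // exp is 3650 days away
```

`withEditedExp` keeps the original header and signature bytes on purpose: re-serialising the header could change what the signature was computed over and turn a "signature not checked" finding into a false negative.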
Password Reset and Account Recovery
Test the full password reset flow: request a reset, check that the email arrives, follow the link, and set a new password. Verify that the reset link expires after use and after a reasonable time period. Try using the same reset link twice — it should be rejected the second time.
Test edge cases like requesting multiple reset emails in quick succession. Only the latest link should work. Also verify that after a password reset, existing sessions are invalidated so that a compromised session cannot persist.
Frequently Asked Questions
How do I test OAuth login with Google or GitHub?
Test the full redirect flow: click the OAuth button, authenticate with the provider, and verify you return to the correct page with a valid session. Test cancellation at the provider screen, and verify the app handles the denied permission gracefully.
What should I check for in magic link authentication?
Verify the link arrives promptly, works only once, expires after a set time, and creates a proper session. Test with expired links and with links opened in a different browser from the one where they were requested.
Ready to test your app?
Submit your vibecoded app and get real bug reports from paid human testers. Starting at just €15.
Related articles
How to Test Forms in Vibecoded Apps
Learn how to test forms in AI-generated apps. Cover validation, edge cases, and submission flows to catch bugs before users do.
Security Testing Basics for Vibecoded Apps
Learn basic security testing for AI-generated apps. Check for XSS, CSRF, injection, and access control vulnerabilities step by step.
How to Test User Onboarding in Vibecoded Apps
Test user onboarding flows in AI-generated apps. Verify signup steps, welcome screens, tooltips, and first-run experiences work.