Passwordless Auth Testing Plan

Functional Tests

#	Test	Steps	Notes
1	Valid magic link	Request link → click within 15min → logged in
2	Expired link	Request link → wait 15min+ → click	Expected: expiration error
3	Already-used link	Click valid link twice	Expected: already-used error
4	Invalid/malformed link	Modify token in URL → click	Expected: invalid error
5	Unregistered email	Enter non-existent email → request link	Expected: generic success (no enumeration)

#	Test	Steps	Notes
1	Within limit	Request 5 links for same email within 1hr	All should succeed
2	Exceed limit	Request 6th link within 1hr	Expected: 429 error
3	Limit reset	Wait 1hr after hitting limit → request again	Should succeed

#	Test	Steps
1	Email received	Request link → check inbox
2	Aktion branding	Verify colors match Aktion theme
3	Plain text version	View plain text version
4	Link works	Click CTA button in email

#	Test	Steps	Notes
1	Create user	Admin creates user with email + name only
2	Disable user	Admin disables user → user's session ends
3	Disabled user login	Disabled user requests magic link	Expected: cannot log in

#	Test	Steps
1	Successful login logged	Log in → check audit log
2	Rate limit logged	Trigger rate limit → check audit log
3	Admin view	Admin views audit log UI

#	Test	Steps
1	No password fields	Check login page, user mgmt UI
2	HTTPS enforced	Attempt HTTP access
3	Generic errors	Invalid email shows same message as valid

#	Scenario	Steps
1	New user first login	Receive welcome email → click login → request magic link → log in
2	Returning user	Go to login → enter email → click link → logged in
3	Expired link recovery	Click expired link → see error → request new link → success
4	Access revoked	Admin disables → user session ends immediately

See AST-1194 for detailed browser and email client testing.

Tested by: **___* *Date: **___* *Environment: **___****