Skip to content

Phase 8: Testing Strategy

Document Type: Normative Specification
Phase: 8 - Authentication & Authorization
Status: Active

Overview

This document specifies the testing strategy for Phase 8 authentication components.

Test Categories

Unit Tests

Component Test File Coverage Target
crypto.rs crypto_tests 100%
jwt.rs jwt_tests 100%
session.rs session_tests 95%
user.rs user_tests 95%
rls.rs rls_tests 100%
api.rs api_tests 90%

Integration Tests

Scenario Location Dependencies
Full auth flow tests/auth_integration.rs In-memory DB
RLS enforcement tests/rls_integration.rs In-memory DB
Token lifecycle tests/token_integration.rs None

Critical Test Scenarios

Authentication

  1. Signup Flow
  2. Valid registration succeeds
  3. Duplicate email rejected
  4. Weak password rejected

  5. Email format validated

  6. Login Flow

  7. Valid credentials return tokens
  8. Invalid password returns 401
  9. Non-existent user returns 401 (same error)

  10. Timing attack protection

  11. Token Refresh

  12. Valid refresh returns new tokens
  13. Expired refresh rejected

  14. Reused refresh revokes session

  15. Logout

  16. Session invalidated
  17. Refresh token invalidated
  18. Access token still valid until expiry (stateless)

Authorization (RLS)

  1. Read Filtering
  2. Users see only owned records
  3. Service role sees all records

  4. Anonymous denied (fail-closed)

  5. Write Validation

  6. Users can create owned records
  7. Users cannot modify others' records

  8. Owner field auto-set on insert

  9. Policy Types

  10. Ownership policy enforced
  11. Public read policy allows anonymous reads
  12. Custom policies rejected (not implemented)

Security Tests

Invariant Tests

Invariant Test
AUTH-1 Passwords never logged
AUTH-2 Argon2id for password hashing
AUTH-3 Constant-time password comparison
AUTH-T1 JWT stateless validation
AUTH-T4 Expired tokens rejected
AUTH-R1 Refresh reuse = revocation

Penetration Tests

  1. Timing attacks - Response time constant
  2. SQL injection - Parameterized queries
  3. Token forgery - Signature validation
  4. Session fixation - New session on login

Test Data

Test Users

const TEST_EMAIL: &str = "test@example.com";
const TEST_PASSWORD: &str = "ValidP@ssw0rd123";
const WEAK_PASSWORD: &str = "123";

Test Tokens

// Generated at test time, not hardcoded
let (access, refresh) = auth.login(email, password)?;

Coverage Requirements

Component Minimum Target
crypto.rs 100% 100%
jwt.rs 95% 100%
session.rs 90% 95%
user.rs 90% 95%
rls.rs 95% 100%
api.rs 85% 90%
Overall 90% 95%

CI/CD Integration

Pre-Merge

cargo test auth:: --lib
cargo test --test auth_integration

Post-Merge

cargo test --all
cargo audit

Security Scan

Weekly automated security scan for: - Dependency vulnerabilities - Credential leaks - Timing attack patterns