Authentication software testing

Once authentication has passed, authorization comes into the picture to limit the user according to the permissions set for that user. Confidentiality testing checks that unauthorized and less privileged users are not able to access the information; that is, it verifies that information and resources are protected from everyone other than authorized, authenticated users. Confidentiality of information must be checked at all stages: processing, storage, and display.

Also check whether, when an administrator or developer accesses the information, all of it is displayed in encrypted form. Downtime of the system should be minimal, though downtime can still result from natural disasters or hardware failure. Most of the time a backup failover site runs in parallel with the main site; once the main site goes down for any reason, all requests to the main site are redirected to the backup site.

One more example of availability is database mirroring. In this setup there are two databases: a primary database and a secondary mirror. Whenever a record is added, updated, or deleted through the system, the action is applied to the primary database, and the change is then reflected on the secondary database.

Logging should track who is accessing the systems and which requests were denied, along with additional details such as the timestamp and the IP address from which the requests came.

This means a confirmation sent by the receiver to the sender that the requested service or information was successfully received, e.g. a digital confirmation such as a digital certificate; this not only serves as an acknowledgement but also helps to validate that both sender and receiver are genuine. Resilience testing checks that the system can withstand attacks; this can be implemented using encryption, one-time passwords (OTP), two-layer authentication, or RSA key tokens.

This can be accomplished either by modifying the given URL parameter, by manipulating the form, or by counterfeiting sessions. Problems related to the authentication schema can be found at different stages of the software development life cycle (SDLC), such as the design, development, and deployment phases.

There are several methods of bypassing the authentication schema used by a web application. If a web application implements access control only on the login page, the authentication schema can be bypassed: for example, if a user directly requests a different page via forced browsing, that page may not check the user's credentials before granting access.

To test using this method, attempt to directly access a protected page through the address bar in your browser.

Figure 4.

Another problem related to authentication design is when the application verifies a successful login on the basis of fixed-value parameters.

In addition, we will use Jest to write tests for this implementation. The complete code for the example discussed can be found at github. Before getting started with this example, make sure you have Node installed, and that MongoDB is installed and running.
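The forced-browsing check described above, as an added example that is not part of the original page: a minimal in-memory "web app" in Node with the flawed design (only the login handler looks at credentials) beside the hardened one (a central gate checks the session on every protected path). Route names, the session store and the request/response shapes are assumptions made for the example.

```javascript
// Added example, not from the original page. The route table, session
// store and request/response objects are constructed for illustration.
const validSessions = new Set(["sess-ok"]); // constructed: one valid session id
const protectedPaths = new Set(["/account"]);

// Handlers themselves never check credentials; that is the flaw when the
// only place credentials are examined is the login page.
const routes = {
  "/login": () => ({ status: 200, body: "login form" }),
  "/account": () => ({ status: 200, body: "account data" }),
};

// dispatch(): when `gate` is true, every protected path is checked for a
// valid session before its handler runs, so a direct request cannot skip
// the login page. When `gate` is false, access control exists only at login.
function dispatch(req, gate) {
  if (gate && protectedPaths.has(req.path) && !validSessions.has(req.session)) {
    return { status: 302, location: "/login" };
  }
  const handler = routes[req.path];
  return handler ? handler(req) : { status: 404 };
}

const flawedApp = (req) => dispatch(req, false);   // login-page-only check
const hardenedApp = (req) => dispatch(req, true);  // per-request check

// The test: request the protected page directly with no session and see
// whether the page is served. A 200 here is the finding.
function forcedBrowsingProbe(app, path) {
  const res = app({ path, session: undefined });
  return { status: res.status, exposed: res.status === 200 };
}

console.log(forcedBrowsingProbe(flawedApp, "/account"));   // { status: 200, exposed: true }
console.log(forcedBrowsingProbe(hardenedApp, "/account")); // { status: 302, exposed: false }
```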

Then, initialize the project code by creating your project folder and running npm init from the command line. This will create a package. Next, we will set up Mongoose to implement a user model, and Jest to start writing test code.

Before we implement the user model, we need to install the mongoose npm module with npm. We will use Mongoose to start with a simple user model, which will be defined and exported from a file called user. The initial version of the user schema for this model will only contain a username and an email field. Besides defining the value type for each field, we add built-in validators to make username a required field in the schema, and to ensure the email value is unique and matches a valid email pattern.

In the rest of this example, we will extend this initial version of the User Model to add password authentication. We will use Jest, a JavaScript testing framework, to write and run our tests for the password authentication implementation. We add Jest by installing the jest npm module as a development dependency. Next, we will add a test script to package. The tests will run with the command npm run test and display the test outcomes. By default, Jest assumes that the tests will run in a browser environment, but since our tests will run in the Node environment, we need to configure Jest accordingly.

In a jest. When we run Jest, it will look in this folder for tests to execute. Before writing and executing specific test cases for the User Model implementation, we will use Mongoose to connect to MongoDB. With the MongoDB connection ready, we can access and modify the User collection in the tests to check our implementation of the Mongoose User Model. We will also add code in an afterAll block, which will close the established database connection after all the tests have run.

We will use a describe block to group the test cases for the password authentication implementation in the User Model.
