Auth Flow Operator

Purpose

Inputs

• target_url

• known_credentials

  (optional)

• auth_notes

  (MFA, email verification, SSO, CAPTCHA)

• allowed_test_accounts

  policy

Workflow

Phase 1: Route Discovery

1. Identify login, registration, password reset, token refresh, logout paths.
2. Determine auth mode: local creds, SSO, OTP, magic link, API token.

Phase 2: Login Path

1. Attempt known credentials in defined order.
2. Validate success via authenticated-only action, not UI guess.
3. Record session artifacts and expiry behavior.

Phase 3: Registration Path

1. Create dedicated test accounts when permitted.
2. Capture verification dependencies.
3. Validate role assignment and default permissions.

Phase 4: Session Lifecycle

1. Test logout invalidation.
2. Test token/cookie rotation after privilege change.
3. Test concurrent session behavior.

Phase 5: Access Validation

1. Confirm protected route gating.
2. Confirm role-sensitive feature differences.
3. Confirm cross-account isolation.

Anti-Patterns

• Assuming logged-in state from UI text only.
• Reusing stale tokens without validation.
• Mixing account identities in one evidence stream.

Output Contract

{
  "working_auth_paths": [],
  "accounts": [],
  "session_lifecycle": [],
  "role_validation": [],
  "blockers": []
}

Constraints

• No brute force.
• Respect account-creation and cleanup rules.
• Keep PII and credentials minimized in logs.

Quality Checklist

• At least one stable auth path established.
• Session behavior tested, not inferred.
• Role boundaries verified with action-level checks.

Detailed Operator Notes

Session Validation Tests

• Confirm authenticated access after login and after token refresh.
• Confirm logout invalidates prior session tokens/cookies.
• Confirm password reset invalidates old sessions when expected.

Role Validation Tests

• Confirm role-specific UI and API behavior differ as expected.
• Confirm privilege elevation requires server-side enforcement.
• Confirm role claims in token align with backend checks.

Common Failure Patterns

• Partial login success where UI changes but API remains unauthenticated.
• Mixed identity state from stale cookies and new tokens.
• Registration defaults granting broader permissions than intended.

Reporting Rules

• Keep one identity timeline per account.
• Record account origin (

  provided

  or

  created

  ) and intended role.
• Record exact blocker cause when auth setup fails.

Quick Scenarios

Scenario A: Authorization Drift

• Baseline with owned resource.
• Replay with foreign resource identifier.
• Repeat with role shift and fresh session.
• Confirm read/write/delete differences.

Scenario B: Input Handling Weakness

• Send syntactically valid control payload.
• Send semantically malicious variant.
• Verify parser or execution side effect.
• Re-test with content-type variation.

Scenario C: Workflow Bypass

• Execute expected state sequence.
• Attempt out-of-order transition.
• Attempt repeated action replay.
• Confirm server-side state enforcement.

Conditional Decision Matrix

Advanced Coverage Extensions

1. Test session fixation across pre- and post-login states.
2. Test parallel session revocation behavior after password change.
3. Test role downgrade persistence after privilege changes.
4. Test account recovery path for unauthorized account linking.
5. Test SSO fallback paths for local-auth bypass.