URS-001 · Secure Login with Unique User Credentials
Status: PASS · Duration: 1m 28s · Run Date: April 21, 2026
Test Scenarios
Step 1: Login page loads correctly
Step 2: Valid login - Distributor user
Step 3: Valid login - Manufacturer user
Step 4: Valid login - Admin user
Step 5: Invalid credentials - Wrong password
Step 6: Invalid credentials - Non-existent email
Step 6b: Locked account - inactive user cannot login
Step 7: Empty field validation
Step 8: Session security - Cookie verification
Step 9: Session isolation - Multiple users
Step 10: Logout and session termination


Recordings
step 01 login page
step 02 valid login distributor
step 03 valid login manufacturer
step 04 valid login admin
step 05 wrong password
step 06 nonexistent email
step 06b locked account
step 07 empty fields
step 08 session security
step 09 session isolation a
step 10 logout

Database Validations
Demo users exist
All 4 demo users should exist in the users table
```sql
SELECT id, email, name, created_at
FROM users
WHERE email IN (
  'alex.admin@zurimed.com',
  'mark.manufacturer@zurimed.com',
  'dan.distributor@stellartech.com',
  'demo.user@zurimed.com'
)
ORDER BY email
```

| id | email | name | created_at |
|---|---|---|---|
| f6a7b8c9-d0e1-2345-f123-456789012345 | alex.admin@zurimed.com | Alex Admin | 2026-04-21T03:36:14.401Z |
| c3d4e5f6-a7b8-9012-cdef-123456789012 | dan.distributor@stellartech.com | Dan Distributor | 2026-04-21T03:36:14.401Z |
| e5f6a7b8-c9d0-1234-ef12-345678901234 | demo.user@zurimed.com | Demo User | 2026-04-21T03:36:14.401Z |
| d4e5f6a7-b8c9-0123-def1-234567890123 | mark.manufacturer@zurimed.com | Mark Manufacturer | 2026-04-21T03:36:14.401Z |
No duplicate emails
No email address should appear more than once in the users table
```sql
SELECT email, COUNT(*) as count
FROM users
GROUP BY email
HAVING COUNT(*) > 1
```

No rows returned.
Passwords are hashed
All password hashes should use Argon2id algorithm (not plaintext)
```sql
SELECT id, email,
       LEFT(password_hash, 10) as hash_prefix,
       password_hash LIKE '$argon2id$%' as is_argon2
FROM users
WHERE email IN (
  'alex.admin@zurimed.com',
  'mark.manufacturer@zurimed.com',
  'dan.distributor@stellartech.com',
  'demo.user@zurimed.com'
)
ORDER BY email
```

| id | email | hash_prefix | is_argon2 |
|---|---|---|---|
| f6a7b8c9-d0e1-2345-f123-456789012345 | alex.admin@zurimed.com | $argon2id$ | true |
| c3d4e5f6-a7b8-9012-cdef-123456789012 | dan.distributor@stellartech.com | $argon2id$ | true |
| e5f6a7b8-c9d0-1234-ef12-345678901234 | demo.user@zurimed.com | $argon2id$ | true |
| d4e5f6a7-b8c9-0123-def1-234567890123 | mark.manufacturer@zurimed.com | $argon2id$ | true |
Recent sessions created
Sessions should have been created within the last 10 minutes for users who logged in during the test
```sql
SELECT s.id as session_id, u.email, s.created_at, s.expires_at
FROM session s
JOIN users u ON s.user_id = u.id
WHERE u.email IN (
  'alex.admin@zurimed.com',
  'mark.manufacturer@zurimed.com',
  'dan.distributor@stellartech.com'
)
AND s.created_at > NOW() - INTERVAL '10 minutes'
ORDER BY s.created_at DESC
LIMIT 10
```

| session_id | email | created_at | expires_at |
|---|---|---|---|
| ef993f23ccc4fc7388ed5fdb8d9a240be989be2e51c672ac3f91905f2… | alex.admin@zurimed.com | 2026-04-21T05:57:01.667Z | 2026-05-21T05:57:01.665Z |
| 5fdd8f4dd4559e6c32352e841d56d505328018441bf1fed8497d0c851… | dan.distributor@stellartech.com | 2026-04-21T05:57:00.544Z | 2026-05-21T05:57:00.540Z |
| fddfaf9216b071eaf03f800640dc181098c6d6ae0b5c19b2abf468e7e… | alex.admin@zurimed.com | 2026-04-21T05:56:53.178Z | 2026-05-21T05:56:53.174Z |
| c3364fd44f7445ac9ebbe3384e78e1f766b96a90e8b287a15859c17d6… | alex.admin@zurimed.com | 2026-04-21T05:56:10.207Z | 2026-05-21T05:56:10.205Z |
| de32ec1c03bca6eae56a28decca6ed88a8ab083479d45246d2d699754… | mark.manufacturer@zurimed.com | 2026-04-21T05:56:03.372Z | 2026-05-21T05:56:03.370Z |
| f020a4191c6ed13273bd9d24df24065f86b1433d8ef736f57806fe997… | dan.distributor@stellartech.com | 2026-04-21T05:55:56.485Z | 2026-05-21T05:55:56.478Z |
Locked user is inactive
demo.user@zurimed.com should have inactive org membership (locked account)
```sql
SELECT u.email, om.active, om.organization_id
FROM organization_members om
JOIN users u ON om.user_id = u.id
WHERE u.email = 'demo.user@zurimed.com'
```

| email | active | organization_id |
|---|---|---|
| demo.user@zurimed.com | false | a1b2c3d4-e5f6-7890-abcd-ef1234567890 |
| demo.user@zurimed.com | false | b2c3d4e5-f6a7-8901-bcde-f12345678901 |
| demo.user@zurimed.com | false | 6763fc17-7da1-47e3-851e-8f4fac570dc6 |
Global email uniqueness
Every user should have a unique email address
```sql
SELECT COUNT(DISTINCT email) as unique_emails,
       COUNT(*) as total_users
FROM users
WHERE email IS NOT NULL
```

| unique_emails | total_users |
|---|---|
| 12 | 12 |