Auth & sessions
The flows that lock users out when they break — and the ones attackers try first. The spider drives real sign-ins with test accounts and checks every unhappy path.
- Sign-up with valid / already-used / malformed emails
- Login, logout, session expiry and refresh
- Password reset end-to-end, including the email link
- Redirect back to the intended page after login
- Rate limiting and error copy on repeated failures