How to Test Login Flows Automatically
Rihario can explore login flows automatically, but authentication requires special handling. The AI can fill login forms and test form validation, but you may need to manually authenticate for protected pages. Here's how it works.
How Login Flow Testing Works
1. Automatic Form Testing
The AI can automatically:
- Find login forms - Identifies email/password fields
- Fill form fields - Types test credentials
- Submit forms - Clicks submit buttons
- Check validation - Tests form error handling
- Detect issues - Flags errors, broken validation, etc.
2. Authentication Handling
After form submission, the AI will:
- Observe the result - See if login succeeded or failed
- Follow redirects - Navigate to post-login pages if successful
- Continue exploring - Explore authenticated areas if logged in
- Report blockers - Flag CAPTCHAs, MFA, or other blockers
Step-by-Step Guide
Step 1: Start Exploration on Login Page
Start your exploration with the login page URL:
Instructions: "test the login flow"
Step 2: AI Explores Login Form
The AI will:
- Load the login page
- Identify email and password fields
- Fill in test credentials
- Check for validation errors
- Submit the form
Step 3: Handle Authentication
After form submission, you have a few options:
Option A: Use Test Credentials
If you have test credentials that don't require CAPTCHA or MFA:
- Provide test credentials in the instructions
- AI uses them to log in
- Exploration continues in authenticated state
Option B: Manual Authentication (Recommended)
For real credentials or complex auth flows:
- Start exploration on login page
- When AI reaches login form, pause exploration
- Take control and log in manually
- Resume exploration
- AI continues exploring authenticated areas
See Human-in-the-Loop Testing for details on taking control.
Option C: Start from Authenticated State
If you're already logged in:
- Log into your app manually in a browser
- Copy the authenticated session (if possible)
- Start exploration from a protected page
- Use "Take Control" if authentication expires
Note: Session handling varies by app. Some apps require cookies, some use tokens. See Credentials Handling for details.
What Gets Tested
Form Validation
- Required field validation
- Email format validation
- Password requirements
- Error message display
- Form submission behavior
Login Functionality
- Form submission works
- Invalid credentials are rejected
- Valid credentials log in successfully
- Redirect after login works
- Session is created correctly
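The checks in the list above can also be asserted outside the tool on captured login responses. The following is an added example, not Rihario code or output: it assumes a form-post login that redirects on success, and the cookie name `sid`, the landing path `/dashboard`, and the response dictionaries are constructed for illustration. Treating "created correctly" as a rotated session ID plus Secure, HttpOnly and SameSite attributes is this example's assumption.

```python
from http.cookies import SimpleCookie

REDIRECTS = {301, 302, 303, 307, 308}

def header(resp, name):
    """All values of one header (case-insensitive) in a captured response."""
    return [v for k, v in resp["headers"] if k.lower() == name.lower()]

def session_cookie(resp, cookie_name):
    """Morsel for the session cookie set by this response, or None."""
    for raw in header(resp, "Set-Cookie"):
        jar = SimpleCookie()
        jar.load(raw)
        if cookie_name in jar:
            return jar[cookie_name]
    return None

def check_login(pre_login_sid, invalid_resp, valid_resp,
                cookie_name="sid", landing="/dashboard"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Invalid credentials are rejected: never sent to the post-login page.
    if landing in header(invalid_resp, "Location"):
        findings.append("invalid credentials reached the landing page")
    # Redirect after login works.
    redirected = valid_resp["status"] in REDIRECTS
    if not (redirected and landing in header(valid_resp, "Location")):
        findings.append("valid login did not redirect to the landing page")
    # Session is created correctly (assumed meaning, see lead-in).
    cookie = session_cookie(valid_resp, cookie_name)
    if cookie is None:
        return findings + ["no session cookie set on successful login"]
    if cookie.value == pre_login_sid:
        findings.append("session ID not rotated at login (fixation risk)")
    if not cookie["secure"]:
        findings.append("session cookie lacks Secure")
    if not cookie["httponly"]:
        findings.append("session cookie lacks HttpOnly")
    if str(cookie["samesite"]).lower() not in ("lax", "strict"):
        findings.append("session cookie lacks SameSite=Lax/Strict")
    return findings

# Constructed sample responses (not captured from any real application).
INVALID = {"status": 200, "headers": [("Content-Type", "text/html")]}
GOOD = {"status": 302, "headers": [("Location", "/dashboard"), (
    "Set-Cookie", "sid=n3w; Path=/; Secure; HttpOnly; SameSite=Lax")]}
WEAK = {"status": 302, "headers": [("Location", "/dashboard"),
                                   ("Set-Cookie", "sid=old; Path=/")]}
```

`pre_login_sid` is the session cookie value seen on the login page before submitting; pass `None` if the app sets no cookie until login.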
Post-Login Experience
- Protected pages are accessible
- Navigation works in authenticated state
- User-specific content loads
- No authentication errors
Common Scenarios
Simple Email/Password Login
Works automatically: AI can handle standard email/password forms without intervention.
Social Login (OAuth)
Requires manual help: OAuth flows usually require manual authentication. AI will detect the OAuth button and you can click it manually.
CAPTCHA or MFA
Blocks automatic testing: Exploration will be marked as BLOCKED if it hits CAPTCHA or MFA. You'll need to handle these manually.
See CAPTCHA, MFA, and Verification Limits for details.
Multi-Step Authentication
May require guidance: Complex multi-step flows might need human intervention. Use "Take Control" to handle intermediate steps.
Best Practices
- Use test accounts - Don't use real user credentials
- Handle auth manually if needed - Complex flows are easier to handle manually
- Test validation separately - Focus on form validation, then test login separately
- Check post-login state - Verify protected pages work after login
- Test error cases - Check what happens with invalid credentials
Limitations
- CAPTCHA blocks automation - Cannot automatically solve CAPTCHAs
- MFA requires manual input - Multi-factor authentication needs human help
- Session handling varies - Some apps require special session handling
- OAuth flows are complex - Social login usually requires manual steps
- Not exhaustive - Tests common flows, not every edge case
Example: Testing a Login Flow
- Start exploration on https://app.com/login
- AI finds email and password fields
- AI types test credentials
- AI checks for validation errors
- AI submits form
- If login succeeds: AI continues exploring authenticated pages
- If login fails: AI reports the error
- If CAPTCHA appears: Exploration marked as BLOCKED