Following a use-case usability requirement, I just changed the new TeamMentor ’password forgot’ page ...
... from: ...to:
The objective of the new version is to ask the user only for their email. It is also a good example of how the 'more secure version' has severe usability problems: what happens if the user can't remember his username?
After I implemented the changes in the back-end, and before I even tried it in the GUI, I went to my back-end unit-tests project and got a number of new errors:
All from this UnitTest:
This is what I was expecting, since the internal behavior changed from requiring a valid username+email to reset the password to requiring just an email.
And after a couple minor changes:
The PasswordResetToken test is working:
Which confirms that the password reset workflow is still working (including security checks like not allowing the password reset token to be used more than once).
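To show what a test like this enforces, here is an added example of an email-only reset flow with the single-use token rule, written for this post in Python; it is not TeamMentor's code, and the service, its method names and the 15-minute token lifetime are my assumptions.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetToken:
    email: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Email-only reset flow: the user supplies just an email, a random token
    is issued and bound to that account, it expires, and it is consumed on
    first successful use so a replayed token is rejected."""

    TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime, not a TeamMentor value

    def __init__(self, users):
        self._secrets = dict(users)  # email -> current password (constructed test data)
        self._tokens = {}            # token -> ResetToken
        self.sent_mail = []          # (email, token) pairs; stands in for the mailer

    def request_reset(self, email, now=None):
        """Only the email is required. Unknown addresses issue no token but
        return the same outward result, so the caller learns nothing."""
        now = time.time() if now is None else now
        if email in self._secrets:
            token = secrets.token_urlsafe(32)
            self._tokens[token] = ResetToken(email, now + self.TOKEN_TTL_SECONDS)
            self.sent_mail.append((email, token))
        return True

    def reset_password(self, token, new_password, now=None):
        """Accept the token once: unknown, expired or already-used tokens fail."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None or entry.used or now > entry.expires_at:
            return False
        entry.used = True                      # burn the token before changing anything
        self._secrets[entry.email] = new_password
        return True

    def current_secret(self, email):
        return self._secrets.get(email)
```

The assertions worth keeping in the unit-test project are the policy ones: a second use of the same token must fail and must leave the password unchanged.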
Btw, can you see how powerful these unit tests can be for Security Testing to enforce security policies?
If only there was something like an OWASP ESTAPI I could use, and measure my code against? :)