Testing OTP password link username and password for 2 factor authentication (2FA)
Many modern web and mobile applications authenticate user accounts with temporary passwords. These one-time passwords (OTP) are sent via email or SMS as part of two-factor authentication (2FA) in OAuth and SAML applications. Using a free email service we can test username and password authentication methods end-to-end in software applications.
What are OTP passwords?
One-time email links are emails sent to a user of a website when they enter their email address during login. A server sends the email containing a link or passcode that expires after a short time. The user can use this password to sign into an application without a typical permanent password.
Example usage of one time 2FA authentication
AWS provides the Cognito authentication service for logging users into applications using OAuth or SAML username and password. For this post we created a simple React demo app, hosted at playground.mailslurp.com, where you can sign up for an account on a dummy application. A verification code is then sent to your email address, and you enter it into a confirmation screen to confirm the account.
Automated OTP testing with CypressJS
We can test this demo app using Cypress JS and the MailSlurp email API.
npm install --save-dev cypress-mailslurp cypress
Then run npx cypress open to scaffold your tests.
Writing a test to receive OTP emails
The main steps for testing OTP are as follows:
- Create a test email account
- Sign up using a test email address
- Wait for the email to arrive in the account
- Extract the OTP code and submit it
We can automate that process using a Cypress end-to-end test like the one below.
Creating a dummy email address
Start your test by creating a throwaway email account.
/// <reference types="cypress-mailslurp" />
describe("user sign up test with mailslurp plugin", function () {
  // use cypress-mailslurp plugin to create an email address before test
  before(function () {
    return cy.mailslurp()
      .then(mailslurp => mailslurp.createInbox())
      .then(inbox => {
        // save inbox id and email address to this (make sure you use function and not arrow syntax)
        cy.wrap(inbox.id).as('inboxId')
        cy.wrap(inbox.emailAddress).as('emailAddress')
      })
  });
});
Load playground application in cypress
Next we need to load the app we are testing using cy.visit:
it("01 - can load the demo application", function () {
  // get wrapped email address and assert contains a mailslurp email address
  expect(this.emailAddress).to.contain("@mailslurp");
  // visit the demo application
  cy.visit("https://playground.mailslurp.com")
  cy.title().should('contain', 'React App');
});
Fill the login form with email address
Use the inbox email address and submit it to the test application.
// use function instead of arrow syntax to access aliased values on this
it("02 - can sign up using email address", function () {
  // click sign up and fill out the form
  cy.get("[data-test=sign-in-create-account-link]").click()
  // use the email address and a test password
  cy.get("[name=email]").type(this.emailAddress).trigger('change');
  cy.get("[name=password]").type('test-password').trigger('change');
  // click the submit button
  cy.get("[data-test=sign-up-create-account-button]").click();
});
Receive OTP username password via email
Once we submit the form, we wait for the code to arrive using the WaitForController methods. The call holds the connection open for up to 30 seconds while waiting for the email, and throws an exception if the email does not arrive before then. We then use a regex pattern to extract the OTP code and submit it.
it("03 - can receive confirmation code by email", function () {
  // app will send user an email containing a code, use mailslurp to wait for the latest email
  cy.mailslurp()
    // use inbox id and a timeout of 30 seconds
    .then(mailslurp => mailslurp.waitForLatestEmail(this.inboxId, 30000, true))
    // extract the confirmation code from the email body
    .then(email => /.*verification code is (\d{6}).*/.exec(email.body!!)!![1])
    // fill out the confirmation form and submit
    .then(code => {
      cy.get("[name=code]").type(code).trigger('change');
      cy.get("[data-test=confirm-sign-up-confirm-button]").click();
    })
});
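The inline regex in test 03 fails with an opaque TypeError when the phrase is missing, and it accepts the first six digits of a longer number. The helper below is an added example, not code from the original post or from MailSlurp: it extracts the code strictly and fails with a clear message when the email is empty, has no code, or contains conflicting codes. The function name and the sample bodies are assumptions; only the phrase "verification code is" comes from the page.

```javascript
// Added example (not from the original post): stricter OTP extraction.
// The phrase "verification code is" is taken from the page's regex; the
// function name and sample bodies are assumptions for illustration.
function extractOtp(body, digits = 6) {
  if (typeof body !== "string" || body.trim() === "") {
    throw new Error("empty email body: no OTP to extract");
  }
  // Drop HTML tags and collapse whitespace so markup such as <b>123456</b>
  // between the phrase and the code does not break the match.
  const text = body.replace(/<[^>]*>/g, " ").replace(/\s+/g, " ");
  // (?!\d) rejects a 6-digit prefix of a longer number (e.g. an order id).
  const pattern = new RegExp(
    `verification code is:?\\s*(\\d{${digits}})(?!\\d)`,
    "gi"
  );
  // A Set de-duplicates the same code repeated in text and HTML parts.
  const codes = new Set([...text.matchAll(pattern)].map((m) => m[1]));
  if (codes.size === 0) {
    throw new Error(`no ${digits}-digit verification code found in email`);
  }
  if (codes.size > 1) {
    throw new Error("ambiguous email: more than one distinct code found");
  }
  return [...codes][0];
}

// Constructed sample bodies (not captured from the demo application).
const SAMPLE_PLAIN = "Your verification code is 482913";
const SAMPLE_HTML = "<p>Your verification code is <b>482913</b>.</p>";
const SAMPLE_TOO_LONG = "Your verification code is 4829137";
const SAMPLE_AMBIGUOUS =
  "Your verification code is 111111. Your verification code is 222222.";
```

In test 03 the extraction step can call extractOtp(email.body) in place of the inline regex, so a malformed or unexpected email fails the test with a readable reason.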
Submit the confirmation code and test the welcome
Submit the email one-time password and assert the welcome page is shown.
// fill out sign in form
it("04 - can sign in with confirmed account", function () {
  // use the email address and a test password
  cy.get("[data-test=username-input]").type(this.emailAddress).trigger('change');
  cy.get("[data-test=sign-in-password-input]").type('test-password').trigger('change');
  // click the submit button
  cy.get("[data-test=sign-in-sign-in-button]").click();
});
// can see authorized welcome screen
it("05 - can see welcome screen", function () {
  // assert the welcome heading is shown
  cy.get("h1").should("contain", "Welcome");
});
Why test OTP?
By using disposable email addresses we can test OTP 2FA one time passwords in any real world application. Test your authentication username and password login for real using actual email addresses so you know that your application is functioning.