Testing OTP password link username and password for 2 factor authentication (2FA)

Many modern web and mobile applications authenticate user accounts with temporary passwords. These one-time passwords (OTP) are sent by email or SMS as part of two-factor authentication (2FA) in OAuth and SAML applications. Using a free email service, we can test username and password authentication end-to-end in software applications.

What are OTP passwords?

One-time email links are sent to a user of a website when they enter their email address during login. The server sends an email containing a link or passcode that expires after a short time. The user can use this password to sign in to an application without needing a typical permanent password.

Example usage of one time 2FA authentication

AWS provides the Cognito authentication service for logging users into applications using OAuth or SAML username and password. For this post we created a demo: a simple React app hosted at playground.mailslurp.com, where we can sign up for an account on a dummy application. A verification code is then sent to your email address, and you enter it on a confirmation screen to confirm the account.

Automated OTP testing with CypressJS

We can test this demo app using Cypress JS and the MailSlurp email API.

npm install --save-dev cypress-mailslurp cypress

Then run npx cypress open to scaffold your tests.

Writing a test to receive OTP emails

The main steps for testing OTP are as follows:

  • Create a test email account
  • Sign up using a test email address
  • Wait for the email to arrive in the account
  • Extract the OTP code and submit it

We can automate that process using a Cypress end-to-end test like the one below.

Creating a dummy email address

Start your test by creating a throwaway email account.

/// <reference types="cypress-mailslurp" />
describe("user sign up test with mailslurp plugin", function () {
    // use cypress-mailslurp plugin to create an email address before test
    before(function () {
        return cy.mailslurp()
            .then(mailslurp => mailslurp.createInbox())
            .then(inbox => {
                // save inbox id and email address to this (make sure you use function and not arrow syntax)
                cy.wrap(inbox.id).as('inboxId')
                cy.wrap(inbox.emailAddress).as('emailAddress')
            })
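    });
    // the it(...) tests shown in the following sections go here, inside this describe block,
    // so that the before() hook and the aliases it sets apply to them
});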

Load playground application in cypress

Next we need to load the app we are testing using cy.visit:

it("01 - can load the demo application", function () {
    // get wrapped email address and assert contains a mailslurp email address
    expect(this.emailAddress).to.contain("@mailslurp");
    // visit the demo application
    cy.visit("https://playground.mailslurp.com")
    cy.title().should('contain', 'React App');
});

Fill the login form with email address

Use the inbox email address and submit it to the test application.

// use function instead of arrow syntax to access aliased values on this
it("02 - can sign up using email address", function () {
    // click sign up and fill out the form
    cy.get("[data-test=sign-in-create-account-link]").click()
    // use the email address and a test password
    cy.get("[name=email]").type(this.emailAddress).trigger('change');
    cy.get("[name=password]").type('test-password').trigger('change');
    // click the submit button
    cy.get("[data-test=sign-up-create-account-button]").click();
});

Receive OTP username password via email

Once we submit the form, we wait for the code to arrive using the WaitForController methods. The call holds the connection open for up to 30 seconds until the email arrives, and throws an exception if the email does not arrive before then. We then use a regex pattern to extract the OTP code and submit it.

it("03 - can receive confirmation code by email", function () {
    // app will send user an email containing a code, use mailslurp to wait for the latest email
    cy.mailslurp()
        // use inbox id and a timeout of 30 seconds
        .then(mailslurp => mailslurp.waitForLatestEmail(this.inboxId, 30000, true))
        // extract the six-digit confirmation code from the email body
        .then(email => /.*verification code is (\d{6}).*/.exec(email.body!)![1])
        // fill out the confirmation form and submit
        .then(code => {
            cy.get("[name=code]").type(code).trigger('change');
            cy.get("[data-test=confirm-sign-up-confirm-button]").click();
        })
});
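The regex step in test 03 fails with an opaque TypeError when the email contains no match, and it misses a code that the mail template wraps in HTML tags. The helper below is an added example, not code from the original post or from the MailSlurp SDK; `extractOtp` and `htmlToText` are hypothetical names, and it assumes the "verification code is NNNNNN" wording that the test above matches.

```javascript
// Added example: hypothetical helper, not part of cypress-mailslurp or the MailSlurp SDK.
// Assumes the email wording "verification code is NNNNNN" used by the regex in test 03.
const OTP_PATTERN = /verification code is\s*:?\s*(\d{6})(?!\d)/gi;

// Constructed sample body (not a real MailSlurp email).
const SAMPLE_HTML_BODY =
  "<html><body><p>Your verification code is <b>123456</b></p></body></html>";

// Reduce an HTML email body to plain text so tags around the code do not break matching.
function htmlToText(body) {
  return body
    .replace(/<(style|script)[\s\S]*?<\/\1>/gi, " ") // drop non-visible blocks
    .replace(/<[^>]+>/g, " ")                          // drop tags such as <b>
    .replace(/&nbsp;/gi, " ")
    .replace(/\s+/g, " ")
    .trim();
}

// Return the single six-digit code in the body, or throw a descriptive error
// so a failing test says why instead of "cannot read properties of null".
function extractOtp(body) {
  if (typeof body !== "string" || body.length === 0) {
    throw new Error("email has no body to search for a verification code");
  }
  const text = htmlToText(body);
  const codes = new Set([...text.matchAll(OTP_PATTERN)].map(m => m[1]));
  if (codes.size === 0) {
    throw new Error("no 6-digit verification code found in email body");
  }
  if (codes.size > 1) {
    // Two different codes in one email means the test cannot know which is valid.
    throw new Error("ambiguous email: more than one distinct verification code");
  }
  return [...codes][0];
}

// Run the helper on the constructed sample.
const sampleCode = extractOtp(SAMPLE_HTML_BODY);
```

In test 03 the extraction step can then call `extractOtp(email.body)` in place of the inline regex.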

Submit the confirmation code and test the welcome

Submit the email one-time password and assert the welcome page is shown.

// fill out sign in form
it("04 - can sign in with confirmed account", function () {
    // use the email address and a test password
    cy.get("[data-test=username-input]").type(this.emailAddress).trigger('change');
    cy.get("[data-test=sign-in-password-input]").type('test-password').trigger('change');
    // click the submit button
    cy.get("[data-test=sign-in-sign-in-button]").click();
});
// can see authorized welcome screen
it("05 - can see welcome screen", function () {
    // assert the welcome heading is shown after signing in
    cy.get("h1").should("contain", "Welcome");
});

Why test OTP?

By using disposable email addresses we can test OTP 2FA one time passwords in any real world application. Test your authentication username and password login for real using actual email addresses so you know that your application is functioning.
