Testing Password Resets with Cypress

Any website relying on accounts has had to deal with users needing a password reset. This critical step in account recovery has to be thoroughly tested to ensure it works properly, and to prevent it from becoming a security vulnerability.


Cypress quick start guide to testing your password reset

  1. Create a Cypress test that navigates to your password reset screen - Start by writing a Cypress test that automatically navigates to the password reset screen of your application. This involves directing the test to the appropriate URL and interacting with any necessary elements (e.g., buttons, input fields) to reach the password reset page.

  2. Install the Mailosaur Plugin - Install the Mailosaur Cypress plugin by following its installation instructions. This plugin allows Cypress to interact with Mailosaur, an email testing service that captures and manages test emails for verifying email functionality within your tests.

  3. Catch and fetch the email via Mailosaur - Configure Mailosaur within your Cypress test to catch the password reset email that is sent to the user. Once the email is detected, retrieve it using the Mailosaur API to access the email content, including any reset links or verification codes.

  4. Use Cypress to navigate to the link found in the email - Extract the reset link from the email content retrieved via Mailosaur, and use Cypress to navigate to this link within the same test. This step validates that the reset link functions correctly by directing the test to the password reset confirmation or form page.
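The four steps above, written out as a Cypress spec. This is an added example, not code from the original post or from Mailosaur; it assumes the Mailosaur Cypress plugin is already installed and loaded from your support file with its API key configured (step 2), and it uses assumed values for the app origin, the form selectors, the Mailosaur server id and the account's mailbox address. Replace those with your own. The two plain helpers at the top do the security-relevant part of step 4: the test only follows a link that points at your own origin and carries a token, and it only accepts an email that arrived after this run started, so a stale message from an earlier run or an unrelated link in the template (logo, help page, tracking redirect) can never make the test pass.

```javascript
// Added example (not from the original post): Cypress spec for the quick-start steps.
const APP_ORIGIN = 'https://app.example.test';                 // assumption: the app under test
const SERVER_ID = 'REPLACE_WITH_MAILOSAUR_SERVER_ID';           // placeholder
const ACCOUNT_EMAIL = `reset-test@${SERVER_ID}.mailosaur.net`; // Mailosaur address format; account assumed registered

// Pure helper: choose the reset link from a Mailosaur message object.
// Mailosaur parses links out of the HTML body into message.html.links[] as
// { href, text }. Only a link on the app's own origin that carries a token is
// returned, so the test never visits some other link found in the email.
function extractResetLink(message, origin = APP_ORIGIN) {
  const links = (message.html && message.html.links) || [];
  for (const link of links) {
    let url;
    try {
      url = new URL(link.href);
    } catch {
      continue; // not an absolute URL; skip it
    }
    if (url.origin !== origin) continue;
    if (!url.searchParams.get('token')) continue; // assumption: token travels as ?token=
    return url.href;
  }
  return null;
}

// Pure helper: reject an email that arrived before this test run started.
// Mailosaur messages carry an ISO 8601 `received` timestamp.
function isFresh(message, startedAt) {
  return new Date(message.received).getTime() >= startedAt.getTime();
}

// The spec is only registered when running under Cypress (where `cy` exists).
if (typeof cy !== 'undefined') {
  describe('password reset email', () => {
    it('delivers a usable reset link to the account address', () => {
      const startedAt = new Date();

      // Step 1: navigate to the reset screen and request a reset.
      cy.visit(`${APP_ORIGIN}/login`);
      cy.contains('a', 'Forgot password').click();
      cy.location('pathname').should('eq', '/password-reset'); // assumed route
      cy.get('input[name="email"]').type(ACCOUNT_EMAIL);
      cy.get('form').submit();

      // Step 3: catch the email. The plugin waits until a matching message arrives.
      cy.mailosaurGetMessage(SERVER_ID, { sentTo: ACCOUNT_EMAIL }).then((message) => {
        expect(isFresh(message, startedAt), 'email was sent by this run').to.be.true;

        const link = extractResetLink(message);
        expect(link, 'reset link on our origin carrying a token').to.be.a('string');

        // Step 4: follow the link and confirm it lands on the reset form.
        cy.visit(link);
        cy.get('input[name="password"]').should('be.visible');
      });
    });
  });
}
```

If your template puts the link in the plain-text part only, read `message.text.links` instead of `message.html.links`; the origin and token checks stay the same.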

The guide below will walk you through setting up password reset testing with one of the most common and flexible software tools for testing, Cypress.

Why test password reset emails?

Password reset testing is a crucial part of any organization’s website and email development, and when done right it will ensure users can easily regain access to their accounts after losing their password. Without testing, password reset systems can have bugs that go unaddressed, with consequences ranging from annoyed users to massive security breaches.

Here’s an example: many password resets use automated emails or SMS messages sent to the address or phone linked to the account in question. If the reset email gets delivered to the wrong address, someone can get access to an account and lock out the real account owner. This can give bad actors access to personal information like addresses, contact information, payment information, and other critical data. That information can be used for phishing attacks, identity theft, unauthorized charges to financial institutions, and more.

In addition, if the compromised account has the right permissions enabled it can be used to wreak havoc on IT systems, steal your organization’s data, and redirect web traffic from your website to a fraudulent one, among other things.

Security breaches like these have become increasingly common. They make your users lose trust in your organization’s ability to perform its objectives. Even something as small as a password reset email landing in spam instead of the user’s inbox can have an impact on their likelihood to engage with your organization in the future.

The best way to prevent this is to have a good password reset system in place and test it thoroughly to find and eliminate bugs before they can be exploited.

Is Cypress the right email testing tool for you?

The smoother and more automated the password reset process is, the less work your organization will have in the long run and the smaller the chance of human error. However, setting up automation means more opportunities for bugs and other issues that your organization might not be familiar with if they’re used to doing password resets manually. Using the right testing tools can make your tests faster and more efficient, but the right tool depends on the job.

Cypress is a software tool designed for running customized tests directly in the browser. It’s quick to set up, easy to integrate with other software, and can be used to create flexible password reset tests that mimic the way a user would interact with your system.

Cypress can also be used to create automated tests that step through defined user interactions, record events, and even record the screen to show what the user would have seen. Once you’ve set up a test in Cypress, you can use it as a starting point for creating new, similar tests, or for rerunning past tests with new inputs.

Organizations that might use Cypress for testing often have automated password reset emails, a decent number of user accounts, and data that needs to be kept protected. Setting up tests in Cypress might be overkill for organizations with only a couple of accounts to worry about, but it can be a good entry point for learning how to run tests for future expansion.

How to test password resets with Cypress

When setting up a password reset test with Cypress, it’s important to keep a few things in mind. There are three main stages to follow:

• Establish test plan
• Set up and run test
• Evaluate results

The sections below go into detail on each of these stages to help you get started.

Establishing a test plan for testing password resets

A good test plan will keep your test organized, make sure you don’t miss details, and help teams stay on the same page. Some things to include in a test plan: a measurable goal, an outline of all the steps for the test, a place to record results, and any other documentation your organization needs.

One of the main purposes of a test plan is to have all the steps that need testing written down. This will save time when setting up the test, as well as make it easier to find where bugs might be hiding.

Here is a non-exhaustive list of possible user interactions and steps that occur during a typical password reset process:

• requesting a password reset
• receiving a password reset email to the right account
• clicking a link in the reset email
• entering information to confirm identity and/or 2 factor authentication (if applicable)
• entering and confirming a new password
• checking if the password matches requirements
• sending a confirmation email of password change
• checking if new password works properly

Depending on your organization’s process, some of the above steps might not be needed, or you may have additional steps you need to include. Also, your steps should have enough description to set up the test. For example, if your password reset process sends an SMS message to a phone instead of an email, your listed steps should include that detail.

Setting up password reset testing with Cypress

The general process for setting up password reset testing with Cypress includes the following: setting up Cypress, writing the code used for the test, and checking to see if the test is functioning as expected. Once all three are completed, the test is ready to run.

Installing Cypress

Cypress is fairly easy to set up. It can be installed using npm, yarn, or downloaded directly onto your computer as an application. To make it easy for you to familiarize yourself with Cypress, the first time you open the program it will walk you through a guided setup to make configuration as quick and painless as possible. The company has also put together an example test you can write to help you learn some basics about how Cypress handles tests.

Once Cypress is installed and you’ve explored some of how it works, you’re ready to start writing more detailed tests for password resetting. If you need more help getting started, you can find their documentation on their website.

Structuring tests with Cypress

Cypress uses a basic structure for tests. The first part of the test sets up the base state, or in other words, tells the test program what the initial conditions are. The second part of the test performs an action (sometimes more than one). The third and final part of the test checks if the base state has changed, and if so, how it changed.

Here’s an example of this structure for requesting a password reset on a website:

  1. Load the page
  2. Find the password reset link on the page and click it
  3. Check if the link is correct/working

Many steps you are testing will require more than one action to occur, like the example above. Both finding the reset link and clicking the link are two separate actions that need to be written in the code. This is where the detail you included in your testing steps becomes important. If your testing steps include each detail, it can be a lot faster to set up multiple actions for a test.

Setting up complex tests

It’s a good idea to keep chaining multiple actions in the same test segment to a minimum, even though in some instances it will be required. The more actions you chain, the more variables there are in the test. The increased complexity makes it harder to pinpoint bugs. You can break up complicated tests into multiple smaller segments to make things easier.

For example, the test segment outlined above could be continued in another segment to check the next set of actions:

  4. Input and submit a test email to reset the password
  5. Check if the test email is linked to an account
  6. Check if the test email received the reset email

The base state for this segment is the state that the last segment ended at. Once the action is performed (inputting and submitting a test email), this test segment outline performs two checks to see how the base state has changed.
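An added example (not code from the original post or from Mailosaur) of the segmenting described above, applied to the later steps from the test plan: entering and confirming a new password, checking that it matches requirements, the confirmation email of the change, and checking that the new password works. Each `it` is one base state, action and check unit, and the `describe` block switches Cypress test isolation off so that each segment starts in the state the previous one left behind. The app origin, selectors, expected messages, Mailosaur server id, mailbox address and the password policy are all assumptions; the policy in particular should mirror whatever your application actually enforces.

```javascript
// Added example (not from the original post): reset flow as chained Cypress segments.
const APP_ORIGIN = 'https://app.example.test';                 // assumption: the app under test
const SERVER_ID = 'REPLACE_WITH_MAILOSAUR_SERVER_ID';           // placeholder
const ACCOUNT_EMAIL = `reset-test@${SERVER_ID}.mailosaur.net`; // Mailosaur address format; account assumed registered

// Assumed policy: minimum length, and at least 3 of 4 character classes.
const PASSWORD_POLICY = { minLength: 12, classes: 3 };

// Pure helper: does a candidate password satisfy the policy? Used to pick the
// new password and to build the cases the form is expected to reject.
function meetsPolicy(password, policy = PASSWORD_POLICY) {
  if (typeof password !== 'string' || password.length < policy.minLength) return false;
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;
  return classes >= policy.classes;
}

// Pure helper: constructed [password, shouldBeAccepted] cases for the
// "checking if the password matches requirements" step.
function passwordCases() {
  return [
    ['short1A!', false],                // too short
    ['alllowercaseletters', false],     // one character class only
    ['Correct-Horse-Battery-42', true], // meets length and class rules
  ];
}

if (typeof cy !== 'undefined') {
  // testIsolation: false keeps the page, cookies and storage across the `it`
  // blocks below, so each segment starts where the previous one ended.
  describe('password reset, segment by segment', { testIsolation: false }, () => {
    const newPassword = passwordCases().find(([, ok]) => ok)[0];

    before(() => {
      // Base state: a reset has been requested, the email caught, the link opened.
      cy.visit(`${APP_ORIGIN}/password-reset`);
      cy.get('input[name="email"]').type(ACCOUNT_EMAIL);
      cy.get('form').submit();
      cy.mailosaurGetMessage(SERVER_ID, { sentTo: ACCOUNT_EMAIL })
        .then((message) => cy.visit(message.html.links[0].href)); // assumes the reset link is the first link
    });

    it('rejects passwords that miss the requirements', () => {
      passwordCases().filter(([, ok]) => !ok).forEach(([pw]) => {
        cy.get('input[name="password"]').clear().type(pw);
        cy.get('input[name="confirmPassword"]').clear().type(pw);
        cy.get('form').submit();
        cy.contains('does not meet the password requirements'); // assumed error text
      });
    });

    it('accepts a compliant password and sends a change confirmation', () => {
      cy.get('input[name="password"]').clear().type(newPassword);
      cy.get('input[name="confirmPassword"]').clear().type(newPassword);
      cy.get('form').submit();
      cy.contains('Your password has been updated'); // assumed success text
      // The plan's confirmation-email step: wait for the change notification.
      cy.mailosaurGetMessage(SERVER_ID, {
        sentTo: ACCOUNT_EMAIL,
        subject: 'Your password was changed', // assumed subject line
      });
    });

    it('lets the user sign in with the new password', () => {
      cy.visit(`${APP_ORIGIN}/login`);
      cy.get('input[name="email"]').type(ACCOUNT_EMAIL);
      cy.get('input[name="password"]').type(newPassword, { log: false }); // keep it out of the command log
      cy.get('form').submit();
      cy.location('pathname').should('eq', '/dashboard'); // assumed post-login page
    });
  });
}
```

Because the segments share state, a failure in the first `it` leaves the later ones starting from an unexpected base state; that is the trade-off for being able to read the failure report segment by segment, and it is why the base state is established once in `before` rather than repeated in every segment.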

Setting up test emails and phone numbers

Testing password resets like the above example requires having test emails and phone numbers ready to go. A fast, efficient way to set up test emails and numbers you have access to is to integrate a software tool like those provided by Mailosaur. Mailosaur makes password reset testing a lot simpler to set up by generating test emails and numbers that you can integrate directly into Cypress, allowing you to easily check the base state change of steps that rely on users receiving emails and SMS.

Evaluating test results with Cypress

Once you’ve written your test segments, you’re ready to run your test. Cypress shows pass and fail results directly in the code using the following color changes: blue for pending, red for failed, and green for successes. Cypress also includes detailed error and bug messages that are designed to provide clues about what went wrong with the test if something failed.

Learn more about testing password resets

Mailosaur provides tools for email and SMS testing that can simplify your tests, save you time, and make your tests more repeatable. If you have questions about testing password reset systems with Cypress or other questions about email and SMS testing, feel free to reach out to us!