350 — should issue a fresh authorization token on each reset-link visit¶
Description¶
Verifies that the password-reset email link mints a brand-new authorization token on every visit: opening the same link a second time (even from a different browser) yields a different token in the URL while the underlying email link remains valid.
Preconditions¶
- Signed-out browser.
- An existing test account exists and the forgot-password flow has already been initiated (the
forgotPasswordFlowfixture provides a validresetLink); the initialization token in that link is valid for up to 2 hours or until a new password is actually submitted.
Steps¶
- Open the reset link in the current browser. Expected: the "Reset password" page is shown.
- Capture the authorization token from the current URL (this is the first token).
- Open a fresh browser context (simulating a second tab on another machine) and navigate to the same reset link. Expected: the "Reset password" page is shown again.
- Capture the authorization token from the URL in the new browser. Expected: this second token is different from the one captured in step 2, confirming a fresh token was issued on the second visit.
Related¶
- Spec:
playwright/tests/integration/login.spec.ts(line 187)