Skip to content

350 — should issue a fresh authorization token on each reset-link visit

Description

Verifies that the password-reset email link mints a brand-new authorization token on every visit: opening the same link a second time (even from a different browser) yields a different token in the URL while the underlying email link remains valid.

Preconditions

  • Signed-out browser.
  • An existing test account exists and the forgot-password flow has already been initiated (the forgotPasswordFlow fixture provides a valid resetLink); the initialization token in that link is valid for up to 2 hours or until a new password is actually submitted.

Steps

  1. Open the reset link in the current browser. Expected: the "Reset password" page is shown.
  2. Capture the authorization token from the current URL (this is the first token).
  3. Open a fresh browser context (simulating a second tab on another machine) and navigate to the same reset link. Expected: the "Reset password" page is shown again.
  4. Capture the authorization token from the URL in the new browser. Expected: this second token is different from the one captured in step 2, confirming a fresh token was issued on the second visit.
  • Spec: playwright/tests/integration/login.spec.ts (line 187)