See T402597: Exploratory testing on PHP 8.3 for MediaWiki Platform Team components for context. T384232: QA for SUL3 on testwikis has more info on some checklist items.
Login
- basic password login ✅
- logout ✅
- "keep me logged in checkbox" (should result in centralauth_Token cookie with 1-year expiry on the wiki where you are logging in) ✅
- title-blacklisted user cannot autocreate-on-login (test both the JS dropdown on the username field, and the form submit) ✅
- LoginNotify email is sent after failed login attempts ✅
- checkuser data is logged after successful login, including client hints ✅
Reauthentication
- when using Special:BotPassword, user is required to reauthenticate, then can set up a bot password (note that reauthentication timout has been increased to 1 hour recently - if you don't want to wait 1 hour after login, you can delete your <wiki>Session cookie to get a non-reauthenticated session) ✅
- same for Special:ChangePassword (which will redirect to the central domain) ✅
API
- login via action=clientlogin (on a local domain) ✅
- bot login via action=login ✅
- log in and out on one of the WMF mobile apps (skipped ❌). See T403824
Credentials change
- Change your password ✅
- Do a password reset (log in with a temporary password) ✅
Instrumentation
- accountcreation/account_conversion gets logged during successful login (see EventStreams docs) ✅