SUL3 is on the testwikis now, and could use some extra manual testing.
Some things that could be tested:
== Login ==
[] basic password login
[] "keep me logged in" checkbox (should result in `centralauth_Token` cookie with 1-year expiry on the wiki where you are logging in)
[] forced password change on login when having a weak password
[] login with a temporary password
[] login with a temporary password, on a different wiki than where the email was sent from
[] captcha appears after a few failed login attempts for the same user, and prevents further login attempts unless correctly filled out
[] login gets throttled after even more failed attempts
[] blocked user cannot log in, gets reasonable error message
[] same for locally spam-blacklisted user (test both the JS dropdown on the username field, and the form submit)
[] same for locally title-blacklisted user (test both the JS dropdown on the username field, and the form submit)
[] same for username blocked by AbuseFilter (test both the JS dropdown on the username field, and the form submit)
[] same when trying to log in on a closed wiki
[] test one of the mitigations in PrivateSettings
[] TOTP second factor
[] WebAuthn second factor (nice to have - T376021; probably no way to set up a working key on auth.wikimedia.org at this point)
[] starting signup, switching to login via user menu
[] security reauthentication (e.g. when doing a password change) works
[] OAuth flow: use OAuth-based identity while not being logged in on Wikimedia (the OAuth Authorization would have to happen on testwiki, not sure if there's an existing tool like that, or we need to create a new tool for testing)
[] login via a permission error redirect (e.g. visit Special:Preferences while logged out)
[] checkuser data is logged after successful login, including client hints (currently somewhat broken: T385572)
[] checkuser data is logged after failed login, including client hints
[] LoginNotify email is sent after login from new device (currently somewhat broken: T385574)
[] LoginNotify email is sent after failed login
[] instrumentation: **TBD** (also pending some backports)
[] login via fallback URL (once T377140 is done)
== Signup ==
[] basic user account creation
[] email notification gets sent, links use canonical domain
[] captcha works
[] signup gets throttled after a few successful signups from the same IP; can be unthrottled with [[https://wikitech.wikimedia.org/wiki/Increasing_account_creation_threshold|resetAuthenticationThrottle]]
[] blocked user cannot sign up, gets reasonable error message
[] same for spam-blacklisted user (test both the JS dropdown on the username field, and the form submit)
[] same for title-blacklisted user (test both the JS dropdown on the username field, and the form submit)
[] same for username caught by AntiSpoof (test both the JS dropdown on the username field, and the form submit)
[] same for username blocked by AbuseFilter (test both the JS dropdown on the username field, and the form submit)
[] signup is disallowed on a closed wiki
[] something something IPReputation? not sure if this is testable in production
[] starting login, switching to signup via form button
[] starting login, switching to signup via user menu
[] GrowthExperiments signup flow (signup should end with Special:WelcomeSurvey)
[] GrowthExperiments signup-during-edit flow (signup from VE should end with Special:WelcomeSurvey after page save)
[] [[https://www.mediawiki.org/wiki/Extension:GrowthExperiments/Technical_documentation/Campaigns/Creation_of_customized_landing_pages|customized landing pages]]
[] `campaign` URL parameter results in user preference correctly set
[] `incubatortestwiki-project`/`incubatortestwiki-code` user preferences correctly set when using a signup link with `testwikiproject` / `testwikicode` query parameters on Incubator (this probably won't work, we need to forward the parameters)
[] instrumentation: **TBD**
[] temp user creation via edit works in basic editor
[] temp user creation via edit works in some JS editor, e.g. DiscussionTools
[] temp user signing up for named account
== API ==
[] login via action=clientlogin (on a local domain)
[] bot login via action=login (on a local domain)
[] action=logout
(future: make sure credentials change APIs are unaffected after T362715)
== Central session ==
[] after login or signup, user should be logged in on other registrable domains
[] "keep me logged in" state is transferred correctly
[] after deleting cookies on a given domain, centrally logged-in user should autologin
[] after deleting cookies on a given domain and setting `CentralAuthAnon=1` cookie, centrally logged-in user should autologin when clicking login link
[] after temp user creation, temp user should be logged in on other registrable domains
[] "keep me logged in" state is transferred correctly
[] after deleting cookies on a given domain, centrally logged-in temp user should autologin
[] after deleting cookies on a given domain and setting `CentralAuthAnon=1` cookie, centrally logged-in temp user should autologin when clicking login link
[] logout clears the `centralauth_*` cookies on registrable domains other than the current one
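Added example (not part of the original task description, and not CentralAuth code): one way to script the two cookie checks above, the 1-year `centralauth_Token` expiry for "keep me logged in" and the clearing of `centralauth_*` cookies on logout, over `Set-Cookie` header values copied from the browser's network panel. The sample headers, the `centralauth_User` cookie in them, and the 2-day tolerance are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name, value, attrs

def lifetime(attrs, now):
    """Remaining lifetime; None means a session cookie. Max-Age wins over Expires."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def token_is_one_year(headers, now, slack=timedelta(days=2)):
    """True if centralauth_Token is persistent with a lifetime of about 365 days."""
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        life = lifetime(attrs, now)
        if name == "centralauth_Token" and life is not None:
            return abs(life - timedelta(days=365)) <= slack
    return False

def cleared_centralauth(headers, now):
    """Names of the centralauth_* cookies that a response expires (deletes)."""
    cleared = set()
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        life = lifetime(attrs, now)
        if name.startswith("centralauth_") and life is not None and life <= timedelta(0):
            cleared.add(name)
    return cleared

# Constructed sample headers, not captured from a real wiki.
NOW = datetime(2025, 2, 4, 12, 0, tzinfo=timezone.utc)
LOGIN = [
    "centralauth_User=Example; expires=Wed, 04 Feb 2026 12:00:00 GMT; path=/; secure; HttpOnly",
    "centralauth_Token=0123abcd; expires=Wed, 04 Feb 2026 12:00:00 GMT; path=/; secure; HttpOnly",
]
BAD_LOGIN = ["centralauth_Token=0123abcd; Max-Age=2592000; path=/"]  # failing case: 30 days
LOGOUT = [
    "centralauth_User=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/",
    "centralauth_Token=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/",
]
```

Pass the headers from each registrable domain's response separately, so a domain that keeps a stale `centralauth_*` cookie after logout shows up as a missing name in the returned set.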
== Other ==
[] taking a long time to fill out the login form (more than the 5 minute login session expiry)
(future: credentials change workflows after T362715)