SUL3 is on the testwikis now, and could use some extra manual testing.
Some things that could be tested:
== Login ==
[X] basic password login - works as expected ✅
[X] "keep me logged in checkbox" (should result in `centralauth_Token` cookie with 1-year expiry on the wiki where you are logging in) ✅
NOTE: (Per above test) The `centralauth_Token` cookie is set on the top-level/parent domain `.wikipedia.org` and has a 1 year expiry (when I log in via test wikipedia) and also the 1-year expiry applies to the local domain where I'm logged into (test.wikipedia.org).
[] forced password change on login when having a weak password
[] login with a temporary password
[] login with a temporary password, on a different wiki than where the email was sent from
[X] captcha appears after a few failed login attempts for the same user, and prevents further login attempts unless correctly filled out ✅
NOTE: The above test passes. A CAPTCHA security check is triggered after 3 failed login attempts for the same user.
[] login gets throttled after even more failed attempts
[] blocked user cannot login, gets reasonable error message
[] same for locally spam-blacklisted user (test both the JS dropdown on the username field, and the form submit)
[] same for locally title-blacklisted user (test both the JS dropdown on the username field, and the form submit)
[] same for username blocked by AbuseFilter (test both the JS dropdown on the username field, and the form submit)
[] same when trying to log in on a closed wiki
[] test one of the mitigations in PrivateSettings
[X] TOTP second factor - works as expected ✅
[] WebAuthn second factor (nice to have - T376021; probably no way to set up a working key on auth.wikimedia.org at this point)
[X] starting signup, switching to login via user menu - works as expected ✅
[] security reauthentication (e.g. when doing a password change) works
[] OAuth flow: use OAuth-based identity while not being logged in on Wikimedia (the OAuth Authorization would have to happen on testwiki, not sure if there's an existing tool like that, or we need to create a new tool for testing)
[] login via a permission error redirect (e.g. visit Special:Preferences while logged out)
[] NewUserMessage autocreate welcome message
[x] checkuser data is logged after successful login, including client hints
[x] checkuser data is logged after failed login login, including client hints
[x] LoginNotify email is sent after login from new device
[x] LoginNotify email is sent after failed login
[] login via fallback URL (once T377140 is done)
== Signup ==
[x] basic user account creation - works as expected ✅
[] email notification gets sent,x] email notification gets sent, links use canonical domain - works as expected ✅
NOTE: Yes, the link works correctly. It's in the canonical form e.g. links use canonical domainhttps://test.wikipedia.org/wiki/Special:ConfirmEmail/<code-REDACTED>
[x] captcha works
[] signup gets throttled after a few successful signups from the same IP; can be unthrottled with [[https://wikitech.wikimedia.org/wiki/Increasing_account_creation_threshold | resetAuthenticationThrottle]]
[] blocked user cannot sign up, gets reasonable error message
[] same for spam-blacklisted user (test both the JS dropdown on the username field, and the form submit)
[] same for title-blacklisted user (test both the JS dropdown on the username field, and the form submit)
[] same for username caught by AntiSpoof (test both the JS dropdown on the username field, and the form submit)
[] same for username blocked by AbuseFilter (test both the JS dropdown on the username field, and the form submit)
[] signup is disallowed on a closed wiki
[] something something IPReputation? not sure if this is testable in production
[] starting login, switching to signup via form button
[] starting login, switching to signup via user menu
[x] GrowthExperiments signup flow (signup should end with Special:WelcomeSurvey) - works as expected ✅
[] GrowthExperiments signup-during-edit flow (signup from VE should end with Special:WelcomeSurvey after page save)
[] [[https://www.mediawiki.org/wiki/Extension:GrowthExperiments/Technical_documentation/Campaigns/Creation_of_customized_landing_pages|customized landing pages]] (especially that it doesn't result in auth.wikimedia.org URLs for some inolved page / message due to parser cache pollution)
[] NewUserMessage welcome message (especially that it doesn't end up with auth.wikimedia.org URLs due to parser cache pollution)
[] `campaign` URL parameter results in user preference correctly set
[] `incubatortestwiki-project`/`incubatortestwiki-code` user preferences correctly set when using a signup link with `testwikiproject` / `testwikicode` query parameters on Incubator
[] temp user creation via edit works in basic editor
[] temp user creation via edit works in some JS editor, e.g. DiscussionTools
[] temp user signing up for named account
== API ==
[X] login via action=clientlogin (on a local domain) - works as expected ✅
[x] bot login via action=login
[X] action=logout - works as expected ✅
(future: make sure credentials change APIs are unaffected after T362715)
== Central session ==
[X] after login or signup, user should be logged in on other registrable domains - works as expected ✅
NOTE: (Per above test) Logged into test.wikipedia.org and was also logged into test2.wikipedia.org. Also visited test.wikidata.org, it detected that I was centrally logged in and I reloaded to gain a session there.
[] "keep me logged in" state is transferred correctly
[] after deleting cookies on a given domain, centrally logged-in user should autologin
[] after deleting cookies on a given domain and setting `CentralAuthAnon=1` cookie, centrally logged-in user should autologin when clicking login link
[] after temp user creation, temp user should be logged in on other registrable domains
[] "keep me logged in" state is transferred correctly
[] after deleting cookies on a given domain, centrally logged-in temp user should autologin
[] after deleting cookies on a given domain and setting `CentralAuthAnon=1` cookie, centrally logged-in temp user should autologin when clicking login link
[] logout clears the `centralauth_*` cookies on registrable domains other than the current one
== Instrumentation ==
[] [[https://schema.wikimedia.org/repositories//secondary/jsonschema/analytics/mediawiki/accountcreation/account_conversion/current.yaml|accountcreation/account_conversion]] gets logged during login page view + after successful login, and has correct SUL3 flag
[] [[https://schema.wikimedia.org/repositories/secondary/jsonschema/analytics/legacy/serversideaccountcreation/current.yaml|serversideaccountcreation]] gets logged after signup and has correct SUL3 flag
[] [[https://schema.wikimedia.org/repositories//secondary/jsonschema/analytics/mediawiki/accountcreation/account_conversion/current.yaml|accountcreation/account_conversion]] gets logged during signup page view + after successful signup, and has correct SUL3 flag
[] [[https://schema.wikimedia.org/repositories//secondary/jsonschema/analytics/mediawiki/accountcreation/block/current.yaml|accountcreation/block]] gets logged after signup attempt from a blocked IP, and has correct SUL3 flag
[] `sul3_authentication_start_total` / `sul3_authentication_end_total` gets incremented during login / signup
== Rollout ==
[] using the fallback login link results in SUL2 login workflow. Central autologin remains functional. (once T377140 is done)
[] same for signup. User still gets opted into SUL3.
[] when signing up on a SUL3-for-signup-enabled wiki, the next login on the same registrable domain will result in a SUL3 flow. (once T377144 is done)
[] when an existing user got opted into SUL3, their next login (on any registrable domain where they have logged in recently) will result in a SUL3 flow. (once T384215 is done)
== Other ==
[] taking a long time to fill out the login form (more than the 5 minute login session expiry)
(future: credentials change workflows after T362715)