
Elite Events Documentation

Technical documentation, guides, and API references for the Elite Events platform.


Authentication & API Testing Guide

Quick Start

1. Start the Development Server

npm run dev

Visit http://localhost:3000

2. Test User Registration

Via UI:

  1. Go to http://localhost:3000/signup
  2. Fill in the form:
    • Full Name: Test User
    • Email: test@example.com
    • Password: password123
    • Confirm Password: password123
  3. Click "Create Account"
  4. Should be signed in automatically and redirected to home

Via API (curl):

curl -X POST http://localhost:3000/api/auth/signup \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Test User",
    "email": "testuser@example.com",
    "password": "password123"
  }'

3. Test User Login

Via UI:

  1. Go to http://localhost:3000/signin
  2. Enter email: test@example.com
  3. Enter password: password123
  4. Click "Sign in to account"
  5. Should see your name in the header

Expected Flow:

  • Form submits
  • Shows "Signing in..." button state
  • On success: toast notification + redirect to home
  • On failure: error message displayed + button returns to normal

4. Test Session State in Header

When Not Logged In:

  • Header shows: "ACCOUNT" / "Sign In" link

When Logged In:

  • Header shows: "ACCOUNT" / Your username
  • Click on username to see dropdown with:
    • My Account
    • Orders
    • Sign Out

5. Test Sign Out

  1. Click your username in header
  2. Click "Sign Out"
  3. Redirected to home page
  4. Header reverts to "Sign In" link

API Testing

Cart Operations (Require Authentication)

Add Item to Cart:

# First, get a valid session by signing in via the UI (or the NextAuth signIn() client helper).
# <session-cookie-from-browser> below stands for "next-auth.session-token=<value>", where the
# value is copied from DevTools → Application → Cookies. Treat it like a password: it is a
# live session for that user until it expires or the user signs out.

curl -X POST http://localhost:3000/api/cart \
  -H "Content-Type: application/json" \
  -H "Cookie: <session-cookie-from-browser>" \
  -d '{
    "productId": 1,
    "quantity": 1
  }'

Get Cart:

curl -X GET http://localhost:3000/api/cart \
  -H "Cookie: <session-cookie-from-browser>"

Update Cart Item:

curl -X PATCH http://localhost:3000/api/cart/1 \
  -H "Content-Type: application/json" \
  -H "Cookie: <session-cookie-from-browser>" \
  -d '{
    "quantity": 2
  }'

Remove from Cart:

curl -X DELETE http://localhost:3000/api/cart/1 \
  -H "Cookie: <session-cookie-from-browser>"

Wishlist Operations (Require Authentication)

Add to Wishlist:

curl -X POST http://localhost:3000/api/wishlist \
  -H "Content-Type: application/json" \
  -H "Cookie: <session-cookie-from-browser>" \
  -d '{
    "productId": 1
  }'

Get Wishlist:

curl -X GET http://localhost:3000/api/wishlist \
  -H "Cookie: <session-cookie-from-browser>"

Remove from Wishlist:

curl -X DELETE http://localhost:3000/api/wishlist/1 \
  -H "Cookie: <session-cookie-from-browser>"

Testing Without Authentication

Try accessing protected endpoints without a session cookie - should return:

{
  "error": "Unauthorized"
}

With status code 401.
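The same checks driven entirely from the command line, as an added example that is not part of the project's own scripts: it signs in through NextAuth's credentials callback with a curl cookie jar instead of pasting a cookie copied from the browser, then runs the cart and wishlist calls and the Scenario 3 "401 without a session" checks. It assumes a NextAuth v4 Credentials provider with the default id `credentials` and form fields named `email` and `password`; the base URL, account and jar path are taken from the environment with the defaults used elsewhere on this page.

```sh
#!/bin/sh
# Added example, not project code. Drives sign-in, the cart/wishlist calls and
# the unauthenticated 401 checks with curl, keeping cookies in a jar file.
# Assumptions: NextAuth v4 with a Credentials provider whose id is
# "credentials" and whose fields are "email" and "password".
BASE_URL="${BASE_URL:-http://localhost:3000}"
EMAIL="${EMAIL:-test@example.com}"
PASSWORD="${PASSWORD:-password123}"
# The jar holds a live session token after sign-in: delete it when done.
JAR="${JAR:-./elite-events-cookies.txt}"

# Pull csrfToken out of the JSON returned by GET /api/auth/csrf (no jq needed).
csrf_token_from_json() {
  printf '%s' "$1" | sed -n 's/.*"csrfToken":"\([^"]*\)".*/\1/p'
}

# Turn a curl cookie jar (Netscape format) into a Cookie: header value.
# curl stores HttpOnly cookies with a "#HttpOnly_" domain prefix, so only
# the "# ..." header lines are skipped, not those entries.
cookie_header_from_jar() {
  awk -F'\t' 'NF >= 7 && $0 !~ /^# / {
    if (out != "") out = out "; "
    out = out $6 "=" $7
  } END { print out }' "$1"
}

# HTTP status of a request; extra curl arguments are passed through.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' "$@"
}

sign_in() {
  rm -f "$JAR"
  token=$(csrf_token_from_json "$(curl -s -c "$JAR" -b "$JAR" "$BASE_URL/api/auth/csrf")")
  [ -n "$token" ] || { echo "no csrfToken from /api/auth/csrf"; return 1; }
  # NextAuth answers the credentials callback with a redirect. A failed
  # sign-in redirects to ?error=CredentialsSignin and sets no session cookie,
  # so the presence of next-auth.session-token in the jar is the success test.
  curl -s -o /dev/null -c "$JAR" -b "$JAR" -X POST \
    "$BASE_URL/api/auth/callback/credentials" \
    --data-urlencode "csrfToken=$token" \
    --data-urlencode "email=$EMAIL" \
    --data-urlencode "password=$PASSWORD"
  grep -q 'next-auth.session-token' "$JAR" || { echo "sign-in failed: no session cookie"; return 1; }
}

# Scenario 3: every protected endpoint must answer 401 without a session.
check_unauthenticated() {
  for url in "$BASE_URL/api/cart" "$BASE_URL/api/wishlist"; do
    for method in GET POST; do
      if [ "$method" = "GET" ]; then
        status=$(http_status "$url")
      else
        status=$(http_status -X POST -H 'Content-Type: application/json' \
          -d '{"productId":1,"quantity":1}' "$url")
      fi
      [ "$status" = "401" ] || { echo "expected 401 from $method $url, got $status"; return 1; }
    done
  done
}

run_flow() {
  check_unauthenticated
  sign_in
  curl -s -b "$JAR" -X POST "$BASE_URL/api/cart" -H 'Content-Type: application/json' \
    -d '{"productId":1,"quantity":1}'; echo
  curl -s -b "$JAR" "$BASE_URL/api/cart"; echo
  # The same thing with an explicit header, as in the curl examples above.
  curl -s -H "Cookie: $(cookie_header_from_jar "$JAR")" "$BASE_URL/api/wishlist"; echo
}

# Only talk to the server when invoked as: sh auth-flow.sh run
if [ "${1:-}" = "run" ]; then run_flow; fi
```

Run it with `sh auth-flow.sh run` against the dev server started above; it stops at the first failed check and prints which endpoint misbehaved.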


Test Scenarios

Scenario 1: Complete Auth Flow

  1. ✅ Signup new user
  2. ✅ Verify auto-signin works
  3. ✅ Check header shows user name
  4. ✅ Add item to cart (authenticated)
  5. ✅ Add to wishlist (authenticated)
  6. ✅ Sign out
  7. ✅ Verify header reverts to "Sign In"
  8. ✅ Signin with same user
  9. ✅ Verify cart/wishlist still there

Scenario 2: Error Handling

  1. ✅ Try signup with existing email → "Email already registered"
  2. ✅ Try signup with non-matching passwords → "Passwords do not match"
  3. ✅ Try signup with short password → "Password must be at least 6 characters"
  4. ✅ Try signin with wrong password → "Invalid credentials"
  5. ✅ Try signin with non-existent email → "Invalid credentials"

Scenario 3: Protected Routes

  1. ✅ Try adding to cart without signin → 401 Unauthorized
  2. ✅ Try adding to wishlist without signin → 401 Unauthorized
  3. ✅ Try getting cart without signin → 401 Unauthorized
  4. ✅ Try getting wishlist without signin → 401 Unauthorized

Scenario 4: Session Persistence

  1. ✅ Signin user
  2. ✅ Close browser tab
  3. ✅ Open new tab to http://localhost:3000
  4. ✅ User should still be logged in
  5. ✅ Session cookie should persist

Browser DevTools Tips

Viewing Session

  1. Open DevTools (F12)
  2. Go to Application → Cookies
  3. Look for cookies like:
    • next-auth.session-token (the session JWT; NextAuth v4 encrypts it as a JWE, so the value will not base64-decode into readable claims)
    • next-auth.csrf-token (CSRF protection; a credentials sign-in POST whose csrfToken does not match this cookie does not create a session)

Viewing API Requests

  1. Open DevTools → Network tab
  2. Perform auth action (signin/signup)
  3. Look for requests to /api/auth/*
  4. Check response status and body

Console for Debugging

  1. Open DevTools → Console
  2. Check for any JavaScript errors
  3. NextAuth prints debug output only when debug: true is set in its options; most of it goes to the terminal running the dev server, with only client-side warnings reaching the browser console

Common Issues & Solutions

Issue: "Unauthorized" on All Cart Requests

Solution:

  • Make sure you're signed in
  • Check that session cookie exists in DevTools
  • Try signing out and signing in again
  • Clear browser cookies and start fresh

Issue: Signup Shows "Email already registered"

Solution:

  • Use a different email address
  • Or clear database and reseed it:
    npx prisma migrate reset --force
    

Issue: Signin Doesn't Work

Solution:

  • Verify email and password are correct
  • Check that user exists in database:
    npx prisma studio
    # Navigate to User table and check records
    

Issue: Header Not Showing User Name After Signin

Solution:

  • Refresh the page (F5)
  • Check browser console for errors
  • Check that NEXTAUTH_SECRET is set in .env

Issue: "NEXTAUTH_SECRET not set" Error

Solution:

  • Add to .env, using a generated random value rather than a placeholder:
    openssl rand -base64 32
    NEXTAUTH_SECRET="<paste the generated value here>"
    
  • Restart dev server with npm run dev
  • Use a different secret per environment and keep the production value out of version control: anyone holding it can forge valid session tokens

Database Testing

View Users

npx prisma studio
# Then navigate to User table

Query Users via Prisma CLI

# query.sql is a file you write containing the SQL to run; add --schema prisma/schema.prisma if Prisma asks for a datasource
npx prisma db execute --stdin < query.sql

Reset Database

⚠️ Warning: This deletes all data!

npx prisma migrate reset --force

Performance Testing

Load Testing Auth Endpoints

Only run this against a local or dedicated test instance: every request hits the database, and each successful signup creates a user. ab sends GET by default, so a bare ab run against /api/auth/signup never reaches the POST handler; pass a JSON body with -p and the content type with -T. With the same body on every request only the first signup succeeds and the rest return "Email already registered", which still measures the validation path and the uniqueness check.

# Using Apache Bench (signup.json holds the same JSON body as the curl signup example above)
ab -n 100 -c 10 -p signup.json -T application/json http://localhost:3000/api/auth/signup

# Using wrk
wrk -t4 -c100 -d30s http://localhost:3000/

Memory Profiling

  1. Open DevTools → Memory
  2. Take heap snapshots
  3. Perform auth actions
  4. Take another snapshot
  5. Compare for memory leaks

Security Testing

Password Validation

  • ✅ Min 6 characters required (note: NIST SP 800-63B sets 8 characters as the minimum for user-chosen passwords; consider raising this before production)
  • ✅ Passwords hashed with bcryptjs (verify in Prisma Studio that the stored value starts with $2a$ or $2b$ with a cost factor of at least 10, never the plaintext)
  • ✅ Password never logged or exposed (check the dev server output and the signup/signin API responses; the password field must appear in neither)

Email Uniqueness

  • ✅ Trying to signup twice with same email fails
  • ✅ Case-insensitive email checking

Session Security

  • ✅ JWT session tokens protected with NEXTAUTH_SECRET (NextAuth v4 encrypts them as JWEs with a key derived from the secret)
  • ✅ Session cookies HTTP-only (the HttpOnly column is ticked in DevTools → Application → Cookies, and document.cookie in the console does not contain next-auth.session-token)
  • ✅ CSRF protection enabled (a sign-in POST without a matching csrfToken does not create a session)
  • ✅ Unauthorized requests return 401 (and the response body carries no user, cart or wishlist data)

SQL Injection Prevention

  • ✅ All queries use Prisma (parameterized)
  • ✅ No raw SQL strings exposed to user input
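Two of the items above (session cookie flags, bcrypt storage) can be checked mechanically rather than by eye. The helpers below are an added example, not project code: one audits a Set-Cookie header captured from the sign-in response (curl -i on the callback, or DevTools → Network → Response Headers), the other audits a password value copied out of the User table in Prisma Studio. They assume NextAuth v4 defaults (cookie named next-auth.session-token over HTTP, __Secure-next-auth.session-token with the Secure flag over HTTPS, SameSite=Lax, five-part JWE token) and the standard 60-character bcrypt format; the sample inputs at the bottom are constructed, not taken from a real response or database.

```javascript
// Added example, not project code: audit helpers for the Security Testing
// items on this page. Assumes NextAuth v4 default cookie settings.

// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Expectations for the NextAuth v4 session cookie. Over plain HTTP (local dev)
// it is named next-auth.session-token; when NEXTAUTH_URL is https NextAuth adds
// the __Secure- prefix and the Secure flag. Returns a list of problems, empty
// when the cookie looks right.
function auditSessionCookie(header, { https }) {
  const { name, value, attrs } = parseSetCookie(header);
  const expectedName = https ? '__Secure-next-auth.session-token' : 'next-auth.session-token';
  const problems = [];
  if (name !== expectedName) problems.push(`name is ${name}, expected ${expectedName}`);
  if (attrs.httponly !== true) problems.push('missing HttpOnly');
  if (!['lax', 'strict'].includes(String(attrs.samesite || '').toLowerCase())) {
    problems.push('SameSite must be Lax or Strict');
  }
  if (https && attrs.secure !== true) problems.push('missing Secure');
  if (attrs.path !== '/') problems.push('Path should be /');
  // A NextAuth v4 session token is a compact JWE: five dot-separated parts
  // (the key part is empty for the default "dir" algorithm). A three-part
  // value would be a signed-but-unencrypted JWT whose claims anyone can read.
  if (value.split('.').length !== 5) problems.push('value is not a five-part JWE');
  return problems;
}

// bcrypt hashes look like $2a$10$<22-char salt><31-char digest>, 60 chars in
// total. Flags plaintext storage, a non-bcrypt format and a low cost factor.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;
function auditPasswordHash(stored, minCost = 10) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) return ['not a bcrypt hash (plaintext or another format)'];
  const cost = Number(m[1]);
  return cost < minCost ? [`cost factor ${cost} is below ${minCost}`] : [];
}

// Constructed samples (not real tokens or hashes).
const devCookie = 'next-auth.session-token=hdr..iv.ct.tag; Path=/; HttpOnly; SameSite=Lax';
const prodCookie = '__Secure-next-auth.session-token=hdr..iv.ct.tag; Path=/; HttpOnly; Secure; SameSite=Lax';
const weakCookie = 'next-auth.session-token=hdr.payload.sig; Path=/; SameSite=None';

console.log('dev  :', auditSessionCookie(devCookie, { https: false }));
console.log('prod :', auditSessionCookie(prodCookie, { https: true }));
console.log('weak :', auditSessionCookie(weakCookie, { https: true }));
console.log('hash :', auditPasswordHash('$2a$10$' + 'a'.repeat(53)));
console.log('plain:', auditPasswordHash('password123'));
```

Run it with node; an empty array means the item passes. The weak sample shows what a misconfigured deployment looks like: wrong name for HTTPS, no HttpOnly, no Secure, SameSite=None and a readable three-part token.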

Checklist Before Deploying

  • Test signup flow in production build
  • Test signin flow in production build
  • Test cart operations require auth
  • Test wishlist operations require auth
  • Test session persistence
  • Test sign out functionality
  • Verify NEXTAUTH_SECRET is set
  • Verify NEXTAUTH_URL is correct domain
  • Test HTTPS works (with an https NEXTAUTH_URL, NextAuth sets the Secure flag and renames the session cookie to __Secure-next-auth.session-token, so any script that reads the cookie by name must expect the prefixed name)
  • Test error handling and validation
  • Performance test under load
  • Security audit complete

Documentation | Elite Events | Philip Rehberger