# Flow 1 — Auth & Recovery · ~8 min · Oli=Chrome · Oscar=Firefox > Sign up with a real email, log in, recover access if you forget your password — and make sure a brand-new signup is NOT bounced to a "Welcome back, log in again" lock (the "ghost"). **▶ Start here** - **Link:** the app home — `https://xjobs-final-production.up.railway.app/` *(or the link Jorge gives you).* Jump straight to sign-up with `…/?action=signup`. - **Lands on:** the **landing page** (hero + the agent cards). `?action=signup` opens the **sign-up form** directly. - **Voice:** none — Auth is silent. ## Preconditions - [ ] **P1.** Fresh Incognito window. No prior XJobs tabs. - [ ] **P2.** A **Gmail +alias** you control, e.g. `you+a1@gmail.com` (you'll receive any reset email there). - [ ] **P3.** DevTools → Console open (F12). ## Stage 1 — Sign up ⭐ (P0) | # | Action | Expected result | |---|--------|-----------------| | 1 | On the landing, choose **Sign up**; enter name + a fake/disposable email (e.g. `test@example.com`) + password. | **Rejected** with a clear message ("please use a real email address"). | | 2 ⭐ | Now use your **real** Gmail +alias + a password → submit. | Account is created and you land **inside the app** (the product, e.g. the dashboard/exchange). | | 3 ⭐ | **You are NOT shown a "Welcome back, log in again" screen right after signing up.** | Straight in — no re-auth lock on a brand-new account. | | | | **RED FLAG** | a fresh signup gets bounced to "Welcome back … enter your password / Not me" (the ghost). Report immediately (⭐). | ## Stage 2 — Stay logged in on return (the "ghost" fix) ⭐ (P0) | # | Action | Expected result | |---|--------|-----------------| | 4 | Stay logged in. Open a **new tab** to the same URL (same session). | App recognizes you; no lock. | | 5 ⭐ | Close **all** tabs, then reopen the app fresh in the **same browser** (token still stored). Reload a few times; bounce between the landing and the app. | You stay **logged in — NO "Welcome back, re-authenticate" wall** during normal use. Your device remembers you. | | 6 | From the account menu, **Log Out**, then reopen. | Now you get a clean login screen (logout clears the device's "remember"); logging back in keeps you in on future returns. | | | | **RED FLAG** | a "Welcome back … enter password / Not me" wall appears on a normal return on **your own device**, or it loops / rejects the correct password. Report immediately (⭐). | ## Stage 3 — Log in ⭐ (P0) | # | Action | Expected result | |---|--------|-----------------| | 7 | Log out. Log in with your email + the **wrong** password. | **Blocked** — clear error, no access. | | 8 ⭐ | Log in with the **correct** password. | You're in. | | | | **RED FLAG** | a wrong password logs you in. Report immediately (⭐). | ## Stage 4 — Forgot password / reset | # | Action | Expected result | |---|--------|-----------------| | 9 | Log out → **Forgot my password?** → enter your email → submit. | Confirmation that a reset link was sent (check the +alias inbox). | | 10 | Open the email, follow the reset link, set a new password. | Reset succeeds; link is one-time / expires (~15 min). | | 11 | Log in with the **new** password; then try the **old** one. | New works; **old password no longer works**. | ## Stage 5 — Continue with Google (manual) | # | Action | Expected result | |---|--------|-----------------| | 12 | From login, **Continue with Google** → pick an account. | Returns signed in; no second "Welcome back" lock after the round-trip. | | | | **RED FLAG** | OAuth returns but the app shows you as logged out / re-prompts. | ## Report 🐞 **Found a bug?** on any screen (talk or type) — or **Submit a run**: step # · browser · expected · actual · screenshot. ⭐ = P0. ## 🎥 Video (what to record · ≤2 min) Screen-record: (1) reject a fake email, (2) sign up real → land in the app with **no** "welcome back" lock, (3) wrong password blocked → right password in, (4) forgot-password → reset → old password dead. Narrate plainly what you're doing and what you expect. Reset between takes by logging out + new +alias.