Q2 of 24 · Security

What is the difference between authentication and authorisation, and how do you test each?

Tags: Security · Junior · security, authentication, authorisation, access-control, testing, fundamentals

Short answer

Authentication verifies identity ('who are you?') — tested with login flows, MFA, and session handling. Authorisation verifies permission ('what are you allowed to do?') — tested by attempting actions and accessing resources as a user who should be denied.

Detail

Authentication is the process of verifying that a user is who they claim to be. Test cases for authentication:

  • Valid credentials → successful login and session token issued
  • Invalid credentials → 401 response, no session token, specific error message ("incorrect email or password" — not separate messages for each, which would be an enumeration vulnerability)
  • Account locked after N failed attempts → 429 or 403 response
  • Expired or missing session token → 401, redirect to login
  • Multi-factor authentication bypass attempts → second factor is required every time, not skippable

Authorisation is the process of verifying that an authenticated user has permission to perform a specific action or access a specific resource. Test cases for authorisation:

  • Regular user accessing admin endpoint → 403 Forbidden (not 404, not 200)
  • User A accessing User B's resource (IDOR) → 403 Forbidden
  • Unauthenticated request to a protected endpoint → 401 Unauthorized
  • Downgraded privilege: user in role "viewer" attempting a write action → 403
  • Privilege escalation: user modifying their own role via the API → rejected

The most common mistake in systems is getting authentication right but implementing authorisation inconsistently — some endpoints check the token, some check the permission, some check neither on secondary API paths. A thorough authorisation test plan covers every endpoint, not a sample.
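An added example, not from the original answer: the authorisation test cases above turned into code. It uses a constructed deny-by-default policy table (endpoints, roles, ownership), a constructed owners table, and an `uncovered_endpoints` check that flags routes with no policy at all, which is the "checks neither" mistake the paragraph above describes.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "viewer", "editor" or "admin"

Endpoint = Tuple[str, str]  # (HTTP method, route template)

# Constructed policy: endpoint -> (roles allowed, caller must own the resource)
POLICY = {
    ("GET", "/admin/users"):       ({"admin"}, False),
    ("GET", "/documents/{id}"):    ({"viewer", "editor", "admin"}, True),
    ("PUT", "/documents/{id}"):    ({"editor", "admin"}, True),
    ("PATCH", "/users/{id}/role"): ({"admin"}, False),
}

# Constructed ownership table: resource id -> owner's user id
OWNERS = {"doc-1": 1, "doc-2": 2}

def authorize(user: Optional[User], method: str, route: str,
              resource_id: Optional[str] = None) -> int:
    """Return the HTTP status the endpoint must produce before any handler runs."""
    if user is None:
        return 401  # no verified identity: authentication failure, not a permission one
    policy = POLICY.get((method, route))
    if policy is None:
        return 403  # deny by default: an endpoint without a policy is never reachable
    allowed_roles, must_own = policy
    if user.role not in allowed_roles:
        return 403  # authenticated but not permitted (403, not 404 and not 200)
    if must_own and OWNERS.get(resource_id) != user.id:
        return 403  # IDOR check: same role, but someone else's resource
    return 200

def uncovered_endpoints(registered: Iterable[Endpoint]) -> Set[Endpoint]:
    """Routes the router exposes but POLICY never mentions: the gaps a full test plan must find."""
    return set(registered) - set(POLICY)
```

Each authorisation bullet above maps to one `authorize` call with the user who should be denied; the coverage check is what turns "every endpoint, not a sample" into something a test suite can assert.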

What interviewers look for

Clean definitions. Concrete test types for each — not generic statements. Notes the enumeration vulnerability in authentication error messages, and that authorisation must be checked on every endpoint.