ASM Resilience Testbed

A single FastAPI service mounting 24 deliberately-shaped products. Each is a complete, signable surface — landing page, sign-in, dashboard, entity list, detail pages — with its own auth carrier and its own session store. Pick a scenario, sign in with alice@test.local / Password123!, and walk it.

24 scenarios

3 seeded users (alice, bob, carol)

26 mounted routers (incl. /oauth-idp · /saml-idp)

Stateless — restart wipes everything

Carrier

Each subdir uses a different industry-standard auth shape — cookie, bearer, API key, JS storage, multi-carrier, or token-in-URL.

ASM-01 · Cookie only

A quiet place for your thinking.

Opaque session cookie; no bearer fallback.

ASM-02 · Bearer header only

Synthetic checks for every endpoint you care about.

data.access_token; no Set-Cookie.

ASM-03 · API key (X-API-Key)

Webhook delivery, queues and retries — all in one console.

Custom header; X-Auth-Token alias supported.

ASM-04 · JS storage bearer

Plan, ship, repeat. A focused tracker for small teams.

JSON-only login; SPA reads localStorage.

ASM-05 · Multi-carrier (cookie + bearer)

One pane of glass for every carrier, every consignment.

authentication.token + session cookie.

ASM-06 · Multi-carrier (3+ headers)

Treasury operations, audit-ready by default.

session + bearer + X-CSRF-Token.

ASM-07 · Token in URL query / form

RetroDesk Portal

Vendor self-service since 1998.

Legacy; unsupported carrier surfaced explicitly.

State

Subdirs whose value is in how the session evolves: version monotonicity, rolling Set-Cookie capture, carrier-pin stability, re-auth coordination.

ASM-10 · Cookie version monotonic

Every edit, every reviewer, every approval — in one place.

Counter advances per login; old values 401.

ASM-11 · Concurrent agents share auth

See what everyone is doing — without asking.

One user → one session, regardless of clients.

ASM-12 · Re-auth coordination

Considered banking for considered investors.

Deliberate ~2 s login to expose races.

ASM-13 · Rolling Set-Cookie (curl)

Real-time visibility on every truck and trailer.

Every response rotates; 2 s grace.

ASM-14 · Rolling Set-Cookie (browser)

Live telemetry for ops teams who don't sleep.

SPA fires setInterval(refresh, 4000).

ASM-15 · Carrier pin holds under storm

Edgeops Console

Run, observe and recover edge fleet at scale.

Storm window widens acceptance temporarily.

Failure

Failure modes the ASM has to survive without losing operator state: sabotaged re-auths, cookie-loss tripwires, mid-dispatch expiry, transient 5xx.

ASM-20 · Re-auth fails → state preserved

Secrets that stay secret. Built for security teams.

Sabotaged login issues DOA cookie.

ASM-21 · Cookie-loss tripwire (6→2)

Customer success, ops and analytics — one workspace.

Full jar = 6 cookies; degraded = 2.

ASM-22 · Session expired mid-dispatch

Small-business books with auto-logout for shared terminals.

60 s TTL; explicit session_expired body.

ASM-23 · Health-probe 503 / timeout

Public status pages that customers actually trust.

Drill 503 and network-timeout windows.

Preflight

Multi-step login flows: TOTP, email / SMS OTP, OAuth, SAML, WebAuthn, and dual-principal sessions for IDOR testing.

ASM-30 · TOTP (RFC 6238)

Multi-factor banking for the next generation.

2-step login; cookie issued after MFA.

ASM-31 · Email OTP (MailSlurp)

One-tap email verification for any flow.

Offline mode via /admin/last-otp.

ASM-32 · SMS OTP (Twilio)

SMS verification for consumer logins.

Offline mode via /admin/last-otp.

ASM-33 · OAuth / OIDC redirect chain

One sign-on, every social platform you publish to.

RP at /asm-33; IdP at /oauth-idp.

ASM-34 · SAML SSO redirect chain

Enterprise identity, federated.

SP at /asm-34; IdP at /saml-idp.

ASM-35 · WebAuthn (negative + bypass)

Phishing-resistant authentication for every operator action.

Magic-cookie bypass for test rigs.

ASM-36 · Secondary principal (dual IDOR)

Two-sided marketplace for makers and stockists.

Per-user ownership enforced.