.ai/principles/baselines/authentication-testing.md
spec/lib/gitlab/auth/auth_finders_spec.rb and spec/requests/api/api_guard_spec.rb.allow_any_instance_of(...).to receive(:current_user).and_return(...) to short-circuit auth.allow(Ability).to receive(:allowed?).and_return(true) (or false) to bypass the policy framework.sign_in without using the Devise/Warden test helpers.IamService client, OAuth provider callbacks); Sidekiq workers in unrelated specs; time helpers (travel_to, freeze_time); feature flag state (stub_feature_flags); application settings (stub_application_setting); file and storage clients (Fog, CarrierWave, GCS/S3 doubles).check_rate_limit!, Gitlab::ApplicationRateLimiter), verify a spec covers (a) the limit fires after N attempts, and (b) the limit key includes the credential subject, not only the IP.spec/support/shared_examples/controllers/rate_limited_endpoint_shared_examples.rb if a shared example applies.:api scope to test a :read_user-protected endpoint can mask a scope-enforcement bug. Prefer create(:personal_access_token, scopes: [:read_user]) when the endpoint requires only read access.