Hoping this convinced someone at dropbox to write a three-line release-blocking test to ensure that you can't login with a wrong password... Crosses fingers
If you're disquieted by the idea that a single broken boolean expression could allow arbitrary users to access a web site, one way to mitigate the concern is indeed to write fiddly little tests to catch every point at which a broken boolean expression could short-circuit authentication.
Another thing to do would be to change the design of the authentication process so that it is more inherently fail-closed. For instance, you could encrypt/decrypt the database ID of the user with a key derived securely and deterministically from the user's password, perhaps (just to keep the code simple) after verifying the password against a secure password hash.
Another thing to do would be to change the design of the authentication process so that it is more inherently fail-closed. For instance, you could encrypt/decrypt the database ID of the user with a key derived securely and deterministically from the user's password, perhaps (just to keep the code simple) after verifying the password against a secure password hash.