diff --git a/tests/db/test_auth.py b/tests/db/test_auth.py
new file mode 100644
index 0000000000000000000000000000000000000000..3236db58c5f199600e2f6bf341e8b7ea283aeb27
--- /dev/null
+++ b/tests/db/test_auth.py
@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+
+from .. import DataTestCase
+
+from rattail.db import auth
+from rattail.db import model
+
+
+class TestAuthenticateUser(DataTestCase):
+
+    def test_nonexistent_user_returns_none(self):
+        self.assertTrue(auth.authenticate_user(self.session, u'fred', u'fredpass') is None)
+
+    def test_correct_credentials_returns_user(self):
+        fred = model.User(username=u'fred')
+        auth.set_user_password(fred, u'fredpass')
+        self.session.add(fred)
+        self.session.commit()
+        user = auth.authenticate_user(self.session, u'fred', u'fredpass')
+        self.assertTrue(user is fred)
+
+    def test_wrong_password_user_returns_none(self):
+        fred = model.User(username=u'fred', active=False)
+        auth.set_user_password(fred, u'fredpass')
+        self.session.add(fred)
+        self.session.commit()
+        self.assertTrue(auth.authenticate_user(self.session, u'fred', u'BADPASS') is None)
+
+    def test_inactive_user_returns_none(self):
+        fred = model.User(username=u'fred', active=False)
+        auth.set_user_password(fred, u'fredpass')
+        self.session.add(fred)
+        self.session.commit()
+        self.assertTrue(auth.authenticate_user(self.session, u'fred', u'fredpass') is None)