Wouldn't a functional test have caught this better? Ideally a unit test would use mock objects for all external resources, so it probably wouldn't have caught this. A full end to end functional test would have.

Yes. Functional test, integration test, request test (as rspec-rails calls it).

Better if it tests the production site directly, in addition to testing in a test environment.

I'm shocked that Dropbox didn't actually unit test their authentication method. Doesn't it seem like there is something else going on here?

No one knows that they didn't unit test these methods. Bugs can arise from the unexpected interaction of separate components also - does anyone seriously think that unit testing is a silver bullet?

Well, I think it goes to show that an automated process that attempts to log in with a random string every 10 minutes to a random account should probably be a standard feature of production. (Or maybe just to a specific account so you don't lock people out, but random would be ideal.)

hindsight is indeed 20/20