Mocking Authorization Code Flow in Tests

[mdwiltfong]

Hello!

I recently implemented the authorization code flow in my project. It's using the Spotify strategy. Although the code flow is working when I test it manually (with my own spotify account), it's now causing my other unit tests to fail.

For example, here I have unit tests that call on my API to retrieve playlists and users. Since these requests are not authenticated, they are not returning playlists or users. When I originally wrote these tests, they did pass.

Since my tests can't prompt Spotify to generate an access token, how do I enable these tests to work? As in, how do I authenticate these tests if my app uses the authorization code flow which requires me to manually authorize the app?

In contrast, when I've created apps that use a simple username and password, I just hard code a test user in the database. I was thinking I could hard code a session in the DB, but since the passportjs encodes the session that is stored in the browser, I don't know how I can produce the cookie the cookie that I would attach to tests' API requests.

How is the authorization code flow testable in this scenario?

In addition to my tests above, here is my authorization routes, as well as how i authenticate requests coming to a route.

Any chance I can get some of your wisedom @jaredhanson ?

[mdwiltfong]

I've found some articles where people basically create a "mock strategy" to bypass the authorization code flow. I'm thinking this might be the easiest way.

I'm currently looking at either making a mock strategy using passport-strategy or this passport-custom strategy. I noticed that passport-strategy seems outdated. I'm not sure how to implement that strategy with TS 🤔

[mdwiltfong]

Okay in hindsight I was too intimated by the old syntax. I was able to implement the mock strategy using Es6 syntax. Although now when calling on my authentication route, i'm getting 404s. The good news is that the callback is passing the mock profile since i see it being logged.

[mdwiltfong]

Phew! I was actually able to create a mock strategy that immediately creates authenticates requests. What's cool is that this strategy is only used in test, while the authorization code flow is for development and production! Not sure if this is a good way to do it, but it works.

https://github.com/mdwiltfong/jamming-nx/blob/master/jamming-app/apps/jamming-api/src/mocks/mockStrategy.ts