Let's say we have a REST/HTTP API with a JWT auth mechanism, i.e. there is
- a service GET /token to provide JWT tokens on successful Basic Authentication, with expiry of a day, say
- a middleware that validates incoming requests to all other services against a secret. The secret resides within the app.
Now we have a testsuite built into the project consisting of API calls (defined through some schema system) to do integration tests. We obviously don't want the tokens hardcoded into the config of the testsuite. The testsuite should be running in a build pipeline very frequently (e.g. on every commit).
How would one properly factor out the "getting the token" part from the testsuite?
Options I can think of:
- generating a token with very long expiry (for each user) and hardcoding it
- building a service into the API specifically for the testsuite to receive tokens with auth as a technical user. Need to then restrict usage of the service somehow to testing scope
- building a service like the above but don't include it in the project
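One way to factor the "getting the token" step out of the test suite, as an added example that is not part of the original post: the suite reads a technical user's Basic Auth credentials from the CI secret store (here assumed to be the environment variables `TEST_API_USER` / `TEST_API_PASSWORD`), calls the existing GET /token endpoint once at startup, caches the JWT, and re-requests it shortly before its `exp` claim runs out. Nothing is hardcoded and no extra test-only endpoint is needed. The `http_fetcher` assumes GET /token returns a JSON body with a `"token"` field; `fake_issuer` is a constructed stand-in for that endpoint so the example runs offline.

```python
"""Token fixture for an API test suite: fetch a JWT via Basic Auth and cache it."""
import base64
import json
import os
import time
import urllib.request
from typing import Callable, Optional

Fetcher = Callable[[str, str], str]  # (username, password) -> compact JWT


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_expiry(token: str) -> Optional[int]:
    """Return the `exp` claim (epoch seconds) of a compact JWT, or None.

    This does NOT verify the signature. The test client only uses `exp` to
    decide when to re-request a token; verification stays in the API middleware.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    exp = claims.get("exp")
    return int(exp) if exp is not None else None


def http_fetcher(base_url: str) -> Fetcher:
    """Fetcher against the real GET /token endpoint.
    Assumed response shape: a JSON body with a "token" field."""
    def fetch(username: str, password: str) -> str:
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        req = urllib.request.Request(base_url.rstrip("/") + "/token",
                                     headers={"Authorization": "Basic " + cred})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())["token"]
    return fetch


class TokenProvider:
    """Caches one token per technical user and refreshes it before `exp`."""

    def __init__(self, fetch: Fetcher, username: str, password: str,
                 clock: Callable[[], float] = time.time, refresh_margin: int = 60):
        self._fetch, self._username, self._password = fetch, username, password
        self._clock, self._margin = clock, refresh_margin
        self._token: Optional[str] = None
        self._exp: Optional[int] = None
        self.fetch_count = 0  # exposed so tests can check caching behaviour

    def get(self) -> str:
        now = self._clock()
        stale = self._token is None or (
            self._exp is not None and now >= self._exp - self._margin)
        if stale:
            self._token = self._fetch(self._username, self._password)
            self._exp = token_expiry(self._token)
            self.fetch_count += 1
        return self._token

    def auth_header(self) -> dict:
        return {"Authorization": "Bearer " + self.get()}


def provider_from_env(fetch: Fetcher, env=os.environ, **kw) -> TokenProvider:
    """Credentials come from the pipeline's secret store, not the test config.
    TEST_API_USER / TEST_API_PASSWORD are assumed variable names."""
    return TokenProvider(fetch, env["TEST_API_USER"], env["TEST_API_PASSWORD"], **kw)


def fake_issuer(clock: Callable[[], float], ttl: int = 86400) -> Fetcher:
    """Constructed stand-in for GET /token so the example runs offline.
    The signature segment is a placeholder; the client never checks it anyway."""
    def seg(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    def fetch(username: str, password: str) -> str:
        header = seg({"alg": "HS256", "typ": "JWT"})
        payload = seg({"sub": username, "exp": int(clock()) + ttl})
        return f"{header}.{payload}.placeholder-signature"
    return fetch


if __name__ == "__main__":
    now = [1_700_000_000.0]  # constructed clock so refresh is deterministic
    prov = provider_from_env(fake_issuer(lambda: now[0], ttl=3600),
                             env={"TEST_API_USER": "ci-bot", "TEST_API_PASSWORD": "x"},
                             clock=lambda: now[0])
    print(prov.auth_header())            # first call fetches a token
    now[0] += 3600 - 30                  # inside the refresh margin -> refetch
    prov.get()
    print("fetches:", prov.fetch_count)
```

In a real pipeline the technical user is a dedicated account with only the permissions the integration tests need, its password lives in the CI secret store, and the test runner swaps `fake_issuer` for `http_fetcher(base_url)`. Reading `exp` client-side is purely a scheduling hint; the API's middleware remains the only place the token is trusted.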