We have an API which restricts access based on who you are. For example, some endpoints allow access to the public, some allow access to users, and some allow access to users with higher level roles like administrator. We wish to write tests which confirm that these restrictions are working.
To this end we wish to permanently store tokens which correspond to users, then use those tokens during our integration tests. Is there a way to create permanent tokens for specific test users? If not, how is this usually handled?
I’m in the same situation and trying to get this working. I don’t have the solution yet, but here’s what I did so far.
At this point, I have created 2 test users in the Auth0 database (with different app_metadata). I managed to get the test suite working from the authentication point to verification and getting user details. However, this is not a very good approach, as I just learned - there's rate limiting on Auth0 requests, so a test suite using full integration is pretty much useless. I ran into weird errors related to the Auth0 request count.
Looks like I have two options:
use some kind of request/response recording library (polly.js or similar) - not a big fan of this
adjust BE to avoid Auth0 completely and mock it when some flag is set (env variable)
In essence, for automation suite, where I want to have real world use cases, and not just “login-logout” flow, I think I just have to reduce API calls to Auth0 to minimum.