So I am implementing a PHP-based API with middleware that checks for the presence of, and verifies, JWT access tokens sent via the Authorization request header. The middleware uses the Auth0 PHP SDK to verify and decode the JWT token, and it works great.
However, I’m not sure how to do automated testing of the API endpoints without having to contact Auth0 to get a token. The only thing I can come up with is either disabling the middleware during testing or somehow mocking out the token verification (leaving the middleware enabled).
I’m a little paranoid about having some kind of mechanism to disable or skip the middleware, since I want to be sure it cannot be bypassed in production through misconfiguration or other means.
Is there a recommended approach to this? Any ideas or pointers?
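One way to keep the middleware always on and still test without Auth0 is to make the trusted key, issuer and audience the only configurable part, so the test suite mints tokens with a local test key instead of flipping a skip switch. The sketch below is an added, stand-alone Python illustration of that pattern, not the poster's PHP code and not the Auth0 SDK; it assumes HS256 with a constructed test key (where the Auth0 SDK would check RS256 against the tenant's JWKS), and the request/handler shapes are hypothetical.

```python
import base64, hashlib, hmac, json, time
# Constructed test values (assumption). Production would hold the Auth0 tenant's
# issuer/audience and check RS256 via its JWKS; HS256 keeps this demo dependency-free.
TEST_KEY = b"test-only-secret-never-deployed"
TEST_ISS = "https://test-issuer.example/"
TEST_AUD = "https://api.example/"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_test_token(claims: dict, key: bytes = TEST_KEY) -> str:
    # Test-suite stand-in for Auth0: signs whatever claims the test needs.
    head = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

class TokenVerifier:
    # The only thing tests swap: which key, issuer and audience are trusted.
    def __init__(self, key: bytes, issuer: str, audience: str):
        self.key, self.issuer, self.audience = key, issuer, audience

    def verify(self, token: str) -> dict:
        head, body, sig = token.split(".")  # ValueError if not three parts
        if json.loads(_unb64url(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # pin the algorithm; never trust the header
        expected = hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64url(body))
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            raise ValueError("wrong issuer or audience")
        if claims.get("exp", 0) <= time.time():
            raise ValueError("expired")
        return claims

def auth_middleware(verifier: TokenVerifier, handler):
    # Always on: there is no skip flag, only a verifier injected by configuration.
    def wrapped(request: dict) -> dict:
        auth = request.get("headers", {}).get("Authorization", "")
        if not auth.startswith("Bearer "):
            return {"status": 401, "body": "missing bearer token"}
        try:
            claims = verifier.verify(auth[len("Bearer "):])
        except ValueError:  # covers bad base64, bad JSON and our own checks
            return {"status": 401, "body": "invalid token"}
        return handler(request, claims)
    return wrapped
```

In production the same `auth_middleware` is built with a verifier pointed at the real issuer, so a misconfigured deployment can at worst trust the wrong key, never skip verification entirely.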