Using Supertest to test an application that uses Auth0

I have an application that uses NestJS and Angular. I am currently using @auth0/auth0-angular on the frontend to log users in and out. I want to write e2e tests with Supertest using the Authorization Code Flow and if I’m understanding everything correctly, I have to:

1) Authorize the user by sending the user to the authorization URL
2) If all goes well, I should receive an HTTP 302 response which includes an authorization 
code
3) Exchange this authorization code for tokens by POSTing to the token URL 
    ('https://YOUR_DOMAIN/oauth/token'). 
4) If all goes well, I should receive an HTTP 200 response with a payload containing the 
    tokens.

However, since I’m writing tests with Supertest on the backend, I can’t send a user to the authorization url and have the user handle authentication. Is there a way to get around this and get an authorization code so that I can POST to the token url in order to get the tokens?

@simon17

I have been working on almost a similar project although I am using React for the front end. I am trying to migrate to nestjs from django. Since the nestjs app still isn’t ready, I’m currently redirecting all the requests to the django app. My code looks something like this:

import * as request from 'supertest';
import { INestApplication } from '@nestjs/common';
import { Test } from '@nestjs/testing';
import { ApiModule } from '../src/api.module';

describe('/api/auth', () => {
    let app: INestApplication;
    var Token = '';

    beforeEach(async () => {
        const moduleRef = await Test.createTestingModule({
            imports: [ApiModule]
        }).compile();

        app = moduleRef.createNestApplication();
        await app.init();
    });

    /*The user is going to be redirected to the /api/auth endpoint where the username and password of the user will be sent via the request body*/
    /*The redirects(1) denotes that the request is going to be redirected once to the django app*/

    it('POST /api/auth/token-obtain', () => {
        let data = {
            "username": "user30",
            "password": "shortbutstrongpassword"
        };

    /*If the credentials are authentic, then a token will be generated for the user. Hence a property name called "token" is expected in the response body*/
    /*Since the request is already being redirected, instead of 302 status we will get a status 200*/

        return request(app.getHttpServer())
            .post('/api/auth/token-obtain')
            .set('Content-type', 'application/json')
            .send(data)
            .redirects(1)
            .expect(200)
            .then((res) => {
                Token = res.body.token; /*Saving the token in a variable named Token.*/
                expect(res.body).toHaveProperty('token');
            });
    });

    it('POST /api/auth/token-refresh', () => {
        let data = {
            "token": Token
        };
    /*We are now going to use the Token in our POST request body*/

        return request(app.getHttpServer())
            .post('/api/auth/token-refresh')
            .set('Content-type', 'application/json')
            .send(data)
            .redirects(1)
            .expect(200)
            .then((res) => {
                expect(res.body).toHaveProperty('token');
            });
    });

Hope this sheds some light on the problem that you are facing.