How to create mock authenticated users without actually authenticating via oauth?

If you have 2FA setup and need to auth to access the system under test then using the time based one time passwords (TOTP) option is probably the way forward https://www.checklyhq.com/blog/how-to-bypass-totp-based-2fa-login-flows-with-playwright/

Then just resuse your auth state over and over as you would in any other situation.

If you need to have users that are independent of each other then I'd either create fixtures for each user (if they need to be re-used across multiple test files) or just setup auth in a beforeAll() in the test file for that user

Can you provide an example of a fixture for each user?

Would I use same github login for both users somehow?

Follow the example here: https://playwright.dev/docs/test-fixtures#with-fixtures

And extend the test class (from PW Test) , setting the storageState to what ever it is you need for the test. If doing this per user.

Pretty good example in the docs for this, where storage states are setup in the global setup and you just re-use them in each test:

https://playwright.dev/docs/auth#testing-multiple-roles-with-pom-fixtures

export * from '@playwright/test';
export const test = base.extend<MyFixtures>({
  adminPage: async ({ browser }, use) => {
    const context = await browser.newContext({ storageState: 'playwright/.auth/admin.json' });
    const adminPage = new AdminPage(await context.newPage());
    await use(adminPage);
    await context.close();
  },
  userPage: async ({ browser }, use) => {
    const context = await browser.newContext({ storageState: 'playwright/.auth/user.json' });
    const userPage = new UserPage(await context.newPage());
    await use(userPage);
    await context.close();
  },
});

No if you were testing based on two different roles, you'd need to use two different sets of credentials. If you wanted two separate users, the same would be true.

Thank you @testdouble ++ It seems from this that I can avoid logging in through github entirely and just creating two fixtures to mock two different users.

The automation will still need to log in, so you'll need two real sets of authentication credentials

(I'll still write one test that checks the login flow though using the TOTP article you psoted.)

Oh that's a problem.

Can't I fake the authentication credentials somehow? I don't have two sets of auth credentials.

Unless you've configured a system to accept the "mocked" auth credentials probably not, otherwise the authentication itself would be pretty pointless

If you have that level of control over the auth, you could also flag users as not needing 2FA but that creates a hole in your auth

I guess I'll have to get creative on how to create another user at this point.

Good luck!

Have you discussed this with the developers of your app? I don't know anything about your app but maybe the devs can set up the test environment to use a GitHub mock for authentication? (server-side mocking).

Mocking of auth gets super flimsy super fast in my experience, wouldn't recommend it in the long term

The 'mock' could be just another authentication provider for the test environment. But of course you'd have to test the real authentication provider somewhere as well.

I'm the developer of the app 🙂

I think this is what I was trying to get at with my question.

This is likely the way I'll move forward. For preview environments, I've used the same idea.

In our app that uses next-auth, we just mock response from '/api/auth/session' to look like a response of authorized user. We still need to retrieve some tokens for that mock, we do it in a global setup script. Having that, we do not touch 2FA for testing although it is enabled for real users.