Rayrun
← Back to Discord Forum

How to create mock authenticated users without actually authenticating via oauth?

The docs (https://playwright.dev/docs/auth) mention "acquiring a user" and their example shows actually logging in via github (or your preferred oauth provider) to create the fixture.

The problem is that I have 2FA setup, and in any case, would like to create the fixtures without any login. Especially since I need to test multiple users: one user can't access resources of another user. And creating multiple accounts would be against Github's terms of service.

I have tried modifying the auth file playwright/.auth/user.json to extend the expiration date indefinitely but haven't been successful.

This thread is trying to answer question "How can I create mock authenticated users without actually authenticating via oauth?"

22 replies

If you have 2FA setup and need to auth to access the system under test then using the time based one time passwords (TOTP) option is probably the way forward https://www.checklyhq.com/blog/how-to-bypass-totp-based-2fa-login-flows-with-playwright/

Then just resuse your auth state over and over as you would in any other situation.

If you need to have users that are independent of each other then I'd either create fixtures for each user (if they need to be re-used across multiple test files) or just setup auth in a beforeAll() in the test file for that user

Can you provide an example of a fixture for each user?

Would I use same github login for both users somehow?

Follow the example here: https://playwright.dev/docs/test-fixtures#with-fixtures

And extend the test class (from PW Test) , setting the storageState to what ever it is you need for the test. If doing this per user.

Pretty good example in the docs for this, where storage states are setup in the global setup and you just re-use them in each test:

https://playwright.dev/docs/auth#testing-multiple-roles-with-pom-fixtures

export * from '@playwright/test';
export const test = base.extend<MyFixtures>({
  adminPage: async ({ browser }, use) => {
    const context = await browser.newContext({ storageState: 'playwright/.auth/admin.json' });
    const adminPage = new AdminPage(await context.newPage());
    await use(adminPage);
    await context.close();
  },
  userPage: async ({ browser }, use) => {
    const context = await browser.newContext({ storageState: 'playwright/.auth/user.json' });
    const userPage = new UserPage(await context.newPage());
    await use(userPage);
    await context.close();
  },
});
@jonroby: No if you were testing based on two different roles, you'd need to use two different sets of credentials. If you wanted two separate users, the same would be true.

No if you were testing based on two different roles, you'd need to use two different sets of credentials. If you wanted two separate users, the same would be true.

Thank you @testdouble ++ It seems from this that I can avoid logging in through github entirely and just creating two fixtures to mock two different users.

@jonroby: The automation will still need to log in, so you'll need two real sets of authentication credentials

The automation will still need to log in, so you'll need two real sets of authentication credentials

(I'll still write one test that checks the login flow though using the TOTP article you psoted.)

@testdouble: Oh that's a problem.

Oh that's a problem.

Can't I fake the authentication credentials somehow? I don't have two sets of auth credentials.

Unless you've configured a system to accept the "mocked" auth credentials probably not, otherwise the authentication itself would be pretty pointless

If you have that level of control over the auth, you could also flag users as not needing 2FA but that creates a hole in your auth

I guess I'll have to get creative on how to create another user at this point.

Good luck!

Have you discussed this with the developers of your app? I don't know anything about your app but maybe the devs can set up the test environment to use a GitHub mock for authentication? (server-side mocking).

Mocking of auth gets super flimsy super fast in my experience, wouldn't recommend it in the long term

The 'mock' could be just another authentication provider for the test environment. But of course you'd have to test the real authentication provider somewhere as well.

I'm the developer of the app 🙂

@refactoreric: I think this is what I was trying to get at with my question.

I think this is what I was trying to get at with my question.

@refactoreric: This is likely the way I'll move forward. For preview environments, I've used the same idea.

This is likely the way I'll move forward. For preview environments, I've used the same idea.

In our app that uses next-auth, we just mock response from '/api/auth/session' to look like a response of authorized user. We still need to retrieve some tokens for that mock, we do it in a global setup script. Having that, we do not touch 2FA for testing although it is enabled for real users.

Related Discord Threads

TwitterGitHubLinkedIn
AboutQuestionsDiscord ForumBrowser ExtensionTagsQA Jobs

Rayrun is a community for QA engineers. I am constantly looking for new ways to add value to people learning Playwright and other browser automation frameworks. If you have feedback, email luc@ray.run.