Using Supertest with Auth0 - authentication

I have an application that uses NestJS and Angular. I am currently using #auth0/auth0-angular on the frontend to log users in and out. I want to write e2e tests with Supertest using the Authorization Code Flow and according to the Auth0 docs (https://auth0.com/docs/get-started/authentication-and-authorization-flow/add-login-auth-code-flow#parameters), I have to:
1) Authorize the user by sending the user to the authorization URL
2) If all goes well, I should receive an HTTP 302 response which includes an authorization
code
3) Exchange this authorization code for tokens by POSTing to the token URL
('https://YOUR_DOMAIN/oauth/token').
4) If all goes well, I should receive an HTTP 200 response with a payload containing the
tokens.
However, since I’m writing tests with Supertest on the backend, I can’t send a user to the authorization url and have the user handle authentication. Is there a way to get around this and get an authorization code (perhaps fake the authorization code somehow?) so that I can POST to the token url in order to get the tokens?
I initially tried to use the Auth0.js SDK but turns out that was only for browsers (can't use it since I'm writing Supertest tests on backend). Auth0 docs haven't been too helpful either and there seems to be very limited resources on using Supertest with Auth0.

Related

Google OAuth redirect_uri_missmatch

I am trying to create an automated login in my own API through Cypress.
It uses Google SSO and with the authorization code, it generates an entirely new JWT to the user.
Everything looks fine. I can retrieve an id_token and access_token from https://oauth2.googleapis.com/token using the refresh_token
And with this data I can even check the user consuming the route https://www.googleapis.com/oauth2/v2/userinfo
But when I pass my auth code to the API it says redirect_uri_mismatch
I am calling an URL like
localhost:3000/foo/auth/callback?state=%7B%22pasUrl%22:%22terminal%22%7D&code=4/0AX4XfWhZRB1mZZ_VByR26EGJkXlhO1WMQ89yaysG56ihdlb9dJbOASvITFm-yv6iMMGYrA&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid&authuser=0&hd=foo.com&prompt=consent
and in the list of Authorized redirct URIs I have http://localhost:3000/foo/auth/callback

What is the redirect URL for karate like the one we have in Postman?

Problem:
As per Auth0 below are the prerequisite for Auth0
Prerequisites
Register your app with Auth0. To learn more, read Register Regular Web Applications.
Select Regular Web App as the Application Type. (Done)
Add an Allowed Callback URL of https://YOUR_APP/callback. (This part I am not able to find and question is related to this that what is the call back URL in karate?)
Make sure your application's Grant Types include Authorization Code. To learn more, read Update Grant Types. (Done)
Below are the details how this Auth0 API will be authenticated.
Authorization API is called to generate code.
Token API is then called with the code generated at step 1 in order to exchange code for token.
Both of above APIs require a redirect URL of the calling application like we have in Postman as can be seen in below image. What is the redirect URL that can be provided in karate so once the token is generated it gets redirected to karate and token is shown there in response.

Authorization between nuxtjs and the backend API

I have a Vuejs application created using Nuxtjs. I am also using Django as the backend server, and I made an API to interact with the backend server (Django) and front-end app (Vuejs/Nuxtjs). And any API related fetch are done in the AsyncData function of the page to render the data on the server-side using axios. Also, I am using json web token authentication, and the API generates a jwt token after successful login which is stored in the cookie. So on the backend, it will always check for the request's authorization header for the token. If the request is from a logged in user (authorized token) then return authenticated json data, or else return non authenticated data.
The problem:
When the user navigates to the app, I would like to check if the user is authenticated. If the user is authenticated, render the authenticated page. If not then display non authenticated page.
My thoughts:
When the fetch is done from the App on the AsyncData function, I would check whether there is any value for the cookie. If there is then send the token with the request's authorization header. But, since the page will be rendered on the server first, and not on the client side (where the cookie actually is) it will never find the token for the authorization.
How can I check if the user is already logged in or not so that I can get authenticated and non authenticated data respectively from the API?
Update
When I successfully log in (post authorized email and password), I get a json response back with the token, which I set in the cookie like this:
this.$cookie.set('my_auth_token', this.token, {expires: 15})
How can I retrieve client side cookie and into the nuxt server for server side rendering?
Cookies are exposed in the (Express) Nuxt server through middleware.
Specifically, they can be read from the req.headers.cookie property. You can see an example implementation of this in the Nuxt documentation.
Regarding your implementation: fetching the privileged data from your API using Node would seem to be the ideal way to delegate session handling to that single service (rather than both) and provide SSR for your users.
If you've chosen to instead implement your session handling on the Django service then you'll need to "forward" your cookies by passing them into your axios request headers.
I did something similar using Firebase authentication. There is an example project on Github as well as a blog entry outlining the important files and configuration used in the application.

Okta: Failed to get authorization code through API call

I'm integrating Okta to my own IdP server by using Okta's API.
I'm implementing the Authorization code flow by following the steps below:
In my own server, use the /api/v1/authn endpoint to get the sessionToken.
Use the sessionToken to obtain the authorization by calling this endpoint: /oauth2/v1/authorize?client_id=" + clientId + "&sessionToken=" + sessionToken + "&response_type=code&response_mode=query&scope=openid&redirect_uri=" + redirectUrl + "&state=evanyang&nonce="
It's supposed to return a response with status code 302 and with the Location header containing the redirect url as well as the code value.
However, I keep getting a response with status code 200 and without the Location header, with a html body saying "You are using an unsupported browser." and "Javascript is disabled on your browser."
According to the API documentation: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request, the sessionToken parameter is sufficient to do this: An Okta one-time sessionToken. This allows an API-based user login flow (rather than Okta login UI).
Am I missing any extra requirement for getting the authorization code through API? Please help.
Thanks in Advance :)
The Authorization Code grant type and the Authorization endpoint in there are meant to be access through a browser, not a non-browser client.
This issue is caused by obtaining session id between obtaining session token and authorization code. Once the session token is used to get session id, it becomes invalid, which means it cannot be used to get authorization code anymore.
According to Okta, the Authorization Code grant type and the Authorization endpoint and be used through a API-based web app too, as long as the session token is provided in the request: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request. In fact, one can use this script(https://github.com/SohaibAjmal/Okta-OpenId-Scripts) to finish the flow.

What does Ember-simple-auth check against?

I have been looking for answer of implementing ember-simple-auth (oauth2-password-grant) for days without luck. I use firebase to sign up users, which is successful. However on the log in page, the action of this.get('session').authenticate('authenticator:oauth2', credentials) seems to cause a json error (SyntaxError: Unexpected token < in JSON at position 0).
So my first question is, in theory, how does this authentication check if the user's email/password is correct? Meaning, in which file is the "answer" located? Am I supposed to define a token? If yes, I already tried "serverTokenEndpoint: 'http://localhost:4200/' or serverTokenEndpoint: 'http://localhost:4200/token" and nothing works. Thanks.
Ember simple auth sends login request to API(in your case Firebase). If entered credentials are valid your API will authenticate user, create and save auth token. Authenticated user with created token will be sent to Ember and token will be saved in local storage by Ember simple auth. Every subsequent request from Ember after login needs to include that token in its header and API will authenticate your request based on that token(comparing token from Ember with the one saved in API).