We ran into a issue where, after adding a functionality for authentication through an in-app web browser, a new confirmation alert appears in the app, that cannot be targeted by Detox. This alert is at this moment seemingly impossible to handle, since there are no preferences that can be added at the setup of the test.
We actually bypass the entire authentication process once we get into the web browser, but we need to open it in order to call the service and validate that the user that tries to login has the necessary permissions. Also, mocking is not an option, since we use different users between the tests (for testing various feature flags) and that would mean rebuilding the release app for each separate user (at least, that's how I understand the mocking mechanism works). We also tried to tap by coordinates, but Detox validates that there is no system alert present before tapping, which is kind of ironic and funny considering what we are trying to do.
Are there any options for interacting with this popup?
Related
As title, there would be a alert "verify your identity with webauthn.io" poped when I regisetered a user through FIDO. The alert might have some options. My target is to write a script that can automatically sign in a website by selenium, but I have no idea how to handle this alert in selenium.
Is there any way to handle this alert?
the alert be like
For testing purposes you could use a virtual authenticator. Chromium based browsers have the option to emulate WebAuthn/FIDO2 authenticators - https://developer.chrome.com/docs/devtools/webauthn/
I've found when the virtual authenticator is enabled, it'll "bypass" the menu in your image above. The WebAuthn ceremony is still completed, the menu just immediately utilizes the virtual authenticator when enabled. The same will be true for authentication
Some considerations
This is not an option in all browsers (notably Firefox and Safari)
For application testing I highly recommend that you still perform a round of manual testing utilizing a real authenticator (YubiKey, Face ID, Windows Hello, etc..)
Hope this helps
I maintain an application written in C++Builder 2009. Part of it involves using a TWebBrowser control (based on Internet Explorer) to send users to a Google login page in order to obtain an OAuth key. This has worked well for a while, but now Google, bless their hearts, has implemented some kind of security upgrade, and now my users get to a page that says "Couldn't sign you in, this browser or app may not be secure". FYI, I am already setting a Registry key that is supposed to make IE run in version 11 emulation mode.
I do have a couple of workarounds: If the user runs IE first in admin mode, signs on, leaves it up while running my application, we don't get the problem. Second, I can start up the default browser - Chrome, IE, whatever - and send them to the URL for OAuth, then it avoids the error message.
The problem with this solution is that without being able to hook into TWebBrowser events, I don't have any way to automatically retrieve the OAuth key - it is necessary for the user to cut/paste it into my application. I'd like to avoid these clunky solutions.
I should also mention, this problem occurs only for certain Gmail accounts. I have no idea what the difference is between accounts that work and don't work. Any ideas on that?
So, is there any way to configure IE or TWebBrowser so this security issue is bypassed? Or, if I was to update to a modern version of C++Builder and use TWebBrowser (or something else?), would this problem be avoided? Any other ideas to fix this problem?
The latest C++Builder supports Google's Chromium engine, it's probably safe to say it'll be compatible with Google's security upgrades.
Powerful Chromium Based WebView Component To Host Web Content In Your Delphi/C++ Builder FireMonkey Apps
I'm enjoying developing cross-browser web extensions, the main target being Chrome, so much that I started to think to develop one for my company. I find a chrome extension quite a cheap and efficient way to deploy internal apps. The main purpose is to host a couple of dynamic dashboards that fetch data from various APIs by using cross-domain ajax in background scripts. I finalized the app and I was also able to implement the authentication via chrome.identity and Azure AD.
However, I am struggling to find a safe way to customise the content.
I mean, when the extension is installed it requires to login to azure via the chrome.identity flow. Then I get a token that I use to query ms graph and get the user ID, name, email and basic info.
Until I get this information I want the browser action (popup) to be unavailable to the user as well as any other extension pages. After a successful login I would like to show the content on the pop up and to let the user access the pages, but here I want to customize the experience.
I know how to use the user id retrieved from the api call to customize the extension, but I think it is not safe because all the code is in the client.
If I code something like
if (user === logged) show something
it will be damn easy for a malicious user to look at the code and bypass it, or even to impersonate another user. And chrome extension cannot be obfuscated.
Any help?
Thanks
We have a desktop application for which the user enters some registration details (e.g. support code), and can then use the application.
We would like to be able to automatically fill our support website ticket form with this information, even if the desktop application is not running.
So far we've considered:
InternetSetCookie - but it only works for Windows+IE
use Selenium to create cookies for all major browsers (seems an overkill, and required us to distribute Selenium along with our app)
have a JS service always run in the background
Are there better alternatives?
Context
Many native apps have the user authenticate with Facebook, rather than with their own authentication system. This has been problematic for me to write iOS UIAutomation testcases with the Javascript bindings. Our scenario, from the user's perspective, typically looks like this.
Scenario
The user clicks "Connect to Facebook".
The (target) applications moves to the background, and a Safari browser moves into the foreground, so the user can authenticate with oAuth.
The user enters their authentication data and submits.
The Safari browser window moves into the background, and the target application moves back into the foreground.
Problem
Before running tests, Instruments has the user set the "target app" in the top menu bar.
Using the Automation within Instruments proves problematic when the target app moves into the background and the Safari app moves into the foreground (Step #2). At this point, Instruments reports
The target application appears to have died
I thought this would be as simple as merely polling/testing for changes in UIATarget.localTarget().frontMostApp() (or something similar), but does not seem to be the case -- the test run stops executing.
How can I use Instruments to successfully test this scenario? Is this a testable scenario with UIAutomation's Javascript bindings?
Alas, this is not possible. Instruments loses it's connection with the app since the app freezes in the background and does not continue. Also, it's not possible to send touch events to Safari because UI Automation doesn't work with apps that you didn't build yourself.
If you're using a pre-built SDK, you're pretty much out of luck. But if you are rolling your own Oauth connection to them, you could present a modal view controller with a webview going to Facebook's Oauth authentication page instead of kicking the user all the way out to mobile Safari.
That way, the application never exits. You can then figure out the events to send to the webview and try testing this from there.