Automating a Password Reset flow with Testcafe - automation

My goal is to somehow send the email and click the link to reset the password, access that link and write a new password. Don't really know if this is possible or could only be mocked.
I would also like to catch the content of the email and check it. Is there a way within TestCafe to do this?

You can use TestCafe to fill out and submit the password recovery form that will initiate a request to your backend. After that, you can use either of the following solutions:
Intercept this request to the backend using TestCafe features for Intercepting HTTP Requests. Then, make sure that the "an email with a retrieval link was sent" message was shown, navigate to the known in advance retrieval link and log in with a new password.
Make this request to the backend actually initiate sending an email. Then, in your test, connect to an email service (using some of the Node.js email clients), receive the email, and navigate TestCafe to the link.
The first approach seems to be more robust because it doesn't rely on any third-party services.

Related

Is there a way for a SPA to check if there's a proxy and handling it properly?

We have developped a SPA SaaS and went to a soft production launch recently.
Everything was fine until one of our customers told us they had trouble using the app.
Once they open the app, the first request to our backend triggers their proxy credential prompt. Hopefully on the login request.
They have to enter their proxy credentials to let the request go. All subsequent requests are passing properly and they can use the app.
The problem is:
When they stop using the app, close the browser and then come back the day after, the persistent login tries to connect them to our backend, but the proxy credentials prompt is not triggered and the request fails. All subsquent requests fail also.
For it work again, they have to delete all app data in chrome (so the service worker is unregistered, the localstorage and cache are cleared). The next api call will trigger their proxy credentials prompt and they will be able to work again.
So is there any way for the app to know if the proxy is set or not ? Any way of triggering the proxy prompt if not set or whatever ?
I don't exactly know how those proxies work and we have zero access to the proxy settings.
It surely is something with the credentials expiration after some time but that's all we can figure out right now. Maybe we could monitor some params in the request headers ?
We are using VueJS with axios for the requests.
My guess is when user session credentials get expired, your UI is not handling redirection to login page. When the user login for the first time you should store that the user has logged in successfully in browser localstorage. If your server returns 401 error code, you can delete the flag and redirect the user to login page. You can achieve that using meta fields in router.
Check out this link on how to use meta fields https://router.vuejs.org/guide/advanced/meta.html

Jmeter is not passing the Microsoft authentication in my script for testing performance on my test website, showing Access denied

My application has a microsoft authentication on it before logging into it & I have recorded script but when I am running it, it is showing me access denied error everytime.I have set authentication manager but still same error. See image attached.
I have tried HTTP Authentication Manager & provided login username & password.
Most probably your application uses OAuth therefore it is neither something you can really record and replay nor handle with the HTTP Authorization Manager.
Depending on your application setup you will either need:
To perform correlation of the query parameters
Or to pass the relevant Authorization Bearer token via HTTP Header Manager. The process of obtaining the token can be different depending on your application login chain implementation, check out How to Run Performance Tests on OAuth Secured Apps with JMeter article to get a couple of ideas regarding bypassing 3rd-party provider login challenge in JMeter tests.
Check if you can provide the auth credentials as parameter of the requests.
for example www.abc.com?username=abc&password=abc. Replicate the same with Jmeter
Use Fiddler (or you can get away with browser dev tools if you don't mind searching manually) and log in manually via your browser.
Check the request(s) that are submitted to Microsoft for tokens/GUIDs and search for where the browser got those strings from (it'll be in one of the previous requests' responses' bodies or redirect URLs. In Fiddler you can use the find function on responses, browser dev tools you'll have to find it manually).
You can then use a JMeter Regular Expression Extractor post-processor (or any of the other post processors you prefer) to extract that string from the earlier request into a variable.
In your login request you can then use the value of that variable (if you used regular expression post-processor with a capture group the first group's value will be ${variable_g1}
You'll probably have an anti-forgery value that you can extract from the HTML of the login page which needs to be submitted with the username and password and then in the response you'll get a cookie set and potentially JWT token in the response body/URL.

Is there a way to test verification emails using Karate?

The problem I have is that I need to test if user verification is working. We generate a verification token, and an email is sent to the user. Whenever the user clicks on it, it checks if the verification token has expired. I've tried mocking this, but it just won't work. We have an endpoint to verify a user, but we still need the verification token, which is not available on any endpoint.
I think this article may help you: https://www.testingexcellence.com/automated-api-testing-emails-karate/
To summarize:
use the API at http://qamail.ala.se/ to create a test mailbox
initiate the flow that sends the e-mail
use the API to "read" the e-mail and grab the token
EDIT: looks like the link is dead. but you should be able to find similar offerings on the internet. since the source-code seems to be available, it may make sense for you to host this e-mail server somewhere so that it can receive e-mail from whichever system is the sender

How to access OData URLs with authentication

I have a OData Server which returns me a json.
When I accessing the URL through a browser i need to input the username/password.
Doesn't accept the entries which I do in the pop-up. Need to cancel it and then it shows me a dialog box after which i can see the required json.
I am not able to figure out the kind of authentication in use.
Using basic authentication in Postman client is not working.
Any suggestions as to how do I go about using this URL both in postman and inside an Anuglar JS or Node JS program.
You can install interceptor in postman. Go to cookies tab next to body and install the interceptor then turn it on.After installing interceptor you can login with your user/pass and then send your request.
See this picture.enter image description here
Thanks for the input.
But I got access to the code implementation which is accessing the URI which I want.
So There is a Sharepoint/C# application in the universe which is doing a Forms based authentication to get the data required. :/
Will try to reverse engineer that get it working in my Node App.
Cheers. :)

Auto login user to third party site without showing a password to him

Background
We are integrating third party email solution into our site. When a user goes to the Mail page it must be automatically authenticated at the Mail site.
For now, the Mail link points to our page which automatically submits a form with the user's login and password. After clicking submit the user is redirected to the Mail site with authentication cookie.
The problem with this approach is that we do not want the user to see his Mail password, because we generate it automatically for him and there are some sane reasons not to show it.
Question
Is there any way to receive mail authentication cookies without sending the login information to the client and performing form.submit operation from the client's browser? Is there a better way to do what I'm trying to do?
Edit
Of course "I am trying to do it programatically". Looks like that there are no sane solution except pass these login/password to the client. Looks like we must accept that user can see his mail password and somehow make sure he cannot use this information to change password to some other value we will not know.
Edit: I didn't read the post correctly, I thought he was trying to login to a remote mail application, not one hosted on his own server. Ignore this answer.
When you login to the remote third party mail website, they will create a cookie (since HTTP is stateless, it's the only way it knows the user is authenticated unless they store some kind of session ID in the url). When you send the user to that site, the site needs to know how to authenticate the user. Even if you logged in from your application and grabbed the cookie, you can set a cookie on the users browser for another website. The only way for this to work is if there is some kind of development API on the third parties website you can hook into, or they allow you to use session id's in the URL.
Possible solution but has a security risk
If they allow you to set a session_id in the URL (for instance, PHPSESSID in PHP) then you could grab the session ID and append it to the URL when sending it to the user. I don't really like this idea since if the user clicks on a link in an e-mail, the new page will be able to check the referrer and see their session ID in the URL. This can become a huge security risk.
Lookup topics related to your mail vendor and "Pass-through Authentication." You did not mention what vendor/software you are using for your web mail solution, so I can't help you very much there. Other than forwarding the user's information (in a post request) to the login handler.
Generate unique IDs before sending an email and put them as hidden instead of username/password into form. Make them disposable (usable only once or usable once before successful entering the site)