Protractor E2E testing: email verification after creating an account - selenium

So I am writing some E2E tests for creating an account on a website. After creating a website account, the website will send me an email to verify my account so I can login. My question is, how far is E2E testing suppose to go? would I be going in the wrong direction if I use protractor to go to google, find the email, and click the link to verify myself. Then go back to the website and login? My other possible option would be to somehow get my userID and then send a request for verification?
I'm just not sure which direction would be best. Any ideas?

It is pretty much arguable how far your tests should go. But if there is a critical to testing information being sent on email, you should consider extracting that information during the test run.
In other words, this is so called "end-to-end testing", but both of the ends could be beyond the borders we are used to think and consider.
Here is the solution using mail-listener2 nodejs library that worked for me during the Two Factor Authentication functionality test (registration code is sent to an email after passing username/password verification step).

Personally I do test that a verification email gets sent with the correct contents — I do not, however, login at Google, to find the email. Instead I've exposed a server side function that returns the latest email it sent to a certain email address. Here's how I use it:
b.get(origin + '/-/e2e/last-email-sent?to=' + address, (response) => {
var responseObj = JSON.parse(response.body);
// Now I have the email text in responseObj.bodyHtmlText.
// Let's extract the URL to the next page:
// (it's the first thing we find that starts with our server origin, i.e.
// http://whatever/....)
var regexString = originRegexEscaped + '\\/[^"]+';
var matches = responseObj.bodyHtmlText.match(new RegExp(regexString));
if (!matches) {
b.assert.fail(responseObj.bodyHtmlText, regexString,
'No next-page-link regex match in email');
}
else {
// Tell our e2e browser to go to the page linked in the email
// as if the user had clicked the link in the email.
b.url(matches[0]);
}
});
I'm going to add lots of other funny e2e test server side functions too, like /-/e2e/fast-forward-time?how-much=3600-seconds :-)
What I do test, with a real Gmail user (a real Gmail account I created for e2e tests and nothing else), is just signups. I.e. that OpenAuth login works. If that works, I'm going to assume any Gmail user is thereafter able to read emails.

Related

Firebase auth email verification message

I'm using Firebase auth to control access to my app and it's been working great and was easy to implement. Now that I'm bringing real testers on, I've got a question.
When a user registers, I'm forcing email verification and that all works fine. I've even found how to somewhat customize the email that user receives asking them to verify their address. However, when the user clicks that link, they get a very generic message:
Your email has been verified
You can now sign in with your new account
Is there any way to customize this? I don't want to do anything particularly fancy - just a more helpful message and maybe a link to return to the app.
Thoughts?
If you mean the web page that they get to when they click the link, there is no way to customize the existing page. But you can create your own page, and host it (for example on Firebase Hosting). For full documentation on this process, see the documentation on creating a custom email action handler.

Keycloak - Multi/2FA Factor - OTP - QR Code - Custom Login Screen - Rest API

I have my own Login page where user enters username/password.
This username/password are used to login through Keycloak Rest API.
http://localhost:8080/auth/realms/Demo/protocol/openid-connect/token
input - {username,password,grant_type,client_secret,client_id}
And in response i get access token.
Now i wish to enable Authenticator (Google Authenticator). I have enabled it from backend. Now if user wishes to login thorugh my application, my login page i need to get below details.
1.) Somehow i need to include QR Code that appears on keycloak login page post username/password validation to show on my login screen for the first time login once user enter username/password. So do we have any API which return Keycloak QR code image in response.
2.) Subsequent login i will have OTP field, so need a REST api to pass OTP along with username/password.
Please help with REST API if keycloak has any. Integrating through Javascript.
Similar flow as described in use case 1 here
Just want to use keycloak as a database, doing all operation for me, input will be my screen. I do want redirection of URL's while login in and yet should be standalone deployed.
I've managed to implement this through the rest API of Keycloak. To realize this, you need to extend Keycloak yourself with a SPI. To do this create your own Java project and extend org.keycloak.services.resource.RealmResourceProvider and org.keycloak.services.resource.RealmResourceProviderFactory. You can find more information in the official docs (https://www.keycloak.org/docs/latest/server_development/#_extensions), github examples and other stack overflow posts how to do this.
Once you got this up and running you can implement it like this:
#GET
#Path("your-end-point-to-fetch-the-qr")
#Produces({MediaType.APPLICATION_JSON})
public YourDtoWithSecretAndQr get2FASetup(#PathParam("username") final String username) {
final RealmModel realm = this.session.getContext().getRealm();
final UserModel user = this.session.users().getUserByUsername(username, realm);
final String totpSecret = HmacOTP.generateSecret(20);
final String totpSecretQrCode = TotpUtils.qrCode(totpSecret, realm, user);
return new YourDtoWithSecretAndQr(totpSecret, totpSecretQrCode);
}
#POST
#Path("your-end-point-to-setup-2fa")
#Consumes("application/json")
public void setup2FA(#PathParam("username") final String username, final YourDtoWithData dto) {
final RealmModel realm = this.session.getContext().getRealm();
final UserModel user = this.session.users().getUserByUsername(username, realm);
final OTPCredentialModel otpCredentialModel = OTPCredentialModel.createFromPolicy(realm, dto.getSecret(), dto.getDeviceName());
CredentialHelper.createOTPCredential(this.session, realm, user, dto.getInitialCode(), otpCredentialModel);
}
The secret received with the GET must be send back with the POST. The initial code is the one from your 2FA app (e.g. Google Authenticator). The QR code is a string which can be displayed in an img with src 'data:image/png;base64,' + qrCodeString;
I know this is an old question, but I've recently been looking at something similar, and so thought it would be potentially valuable to share what I have found for others who may be looking into this and wondered what the possibilities are.
TL;DR
You can only really use the existing Keycloak actions to do this or embed the user account management page found at https://{keycloak server URL}/auth/realms/{realm name}/account in an iframe. That's it, I'm afraid. In my opinion it is currently best to just assign actions directly to accounts or use the Credential Reset emails to assign actions; both of these can be done via the Admin API if desired:
Send Credential Reset email containing assigned actions:
https://www.keycloak.org/docs-api/11.0/rest-api/index.html#_executeactionsemail
Set actions directly on the account (include the actions in the requiredActions portion of the user JSON that you send in the body to the endpoint):
https://www.keycloak.org/docs-api/11.0/rest-api/index.html#_updateuser
Background is that as part of a project that I have been working on we wanted to see if we could have an integrated way for users to set up their initial password and OTP device when a new account has been created for them, since the default method of sending them an email from Keycloak using the "Credential Reset" functionality has the limitations that a) it doesn't provide a link to the application itself unless you override the theme, and if you have multiple instances of the application for different users you have no way of knowing which instance to provide the link for, so may have to end up including a list of them, and b) it often doesn't feel truly native to the application, even with changes to the theme. If you're sensible though, I'd suggest you stop and just use this functionality - please see the TL;DR section above for details.
So, in short there is NO API endpoint for receiving a QR code to set up an OTP device. There are two places, however, where the QR code can be retrieved from - the OTP device setup screen when you log in as a user who has had a "Configure OTP" action assigned to their account, and the user's own account management screen.
The first option of the Configure OTP action screen is a non-starter. It only shows up when you log in, and so by definition the user has to log in to Keycloak via the Keycloak login page in order to trigger the page to be displayed. At this point you're already on a Keycloak page instead of one of your app's pages, and so unless you can get very creative with changes to these Keycloak pages via a custom theme, tapping into this page isn't really an option.
The second option is more interesting, but far from ideal. Every user who has logged in has access to an account management page that can be found at https://{keycloak server URL}/auth/realms/{realm name}/account. This page allows you to do things like change your name, password, etc. and it also allows you to add an OTP device if you don't already have one, or delete any existing OTP devices associated with your account. This OTP device tab of the account management page can be reached directly via https://{keycloak server URL}/auth/realms/{realm name}/account/totp.
As I mentioned, there isn't an API that you can access to view the QR code that shows up on this page. The only way it is accessible is via the GET request to https://{keycloak server URL}/auth/realms/{realm name}/account/totp, which returns the HTML for the page I've already mentioned. Okay great, so can we scrape the QR code programmatically and then put it in our own page on our application? Err, no, not really. You see, whilst a lot of the Keycloak API endpoints rightly allow you to send a bearer token (e.g. access token) in the authorization header to access and endpoint, this page will not accept a bearer token as a means of authentication/authorization. Instead it uses a session cookie that is locked down to the Keycloak URL. This cookie is set when you log in to your application via the Keycloak login page, and so is available to this account management page when you navigate to it, having already logged in, and since the account management page uses the same server and domain name as the original Keycloak login page, it has access to the cookie and can let you in. This cookie cannot be sent by your application to e.g. your own REST API to then programmatically call the account management page and scrape the QR code, because your application doesn't have access to it for good security reasons. This might be something you can change in Keycloak somewhere, but if there is I would strongly recommend against changing it.
So if we can't scrape the page from our own server, can we do something on the front-end? Well, as mentioned, your application doesn't have access to the session cookie but if you make a request (e.g. using fetch or axios) in your front-end JavaScript to the account management page then that request will send the cookie along with it, so that could work right? Umm, well actually you will get hit with an error message in this scenario due to CORS. CORS is Cross-Origin-Resource-Sharing and in order to allow the Keycloak page to be accessed then you would have to open up the settings on the server to allow it to be accessed from your website's address. I've seen some articles that look at how you can open up your CORS settings on Keycloak if you wish but I'd be very nervous about doing this. I don't know enough about the internals of Keycloak and how it operates to comment on how much of a security risk this is, but I certainly wouldn't recommend it. There some information here (Keycloak angular No 'Access-Control-Allow-Origin' header is present) on changing the "Web Origins" setting of your application's Keycloak client, but this opens up your application to some serious potential abuse. There is also the MAJOR issue that even if you scraped the QR code, the device isn't actually added to the user's account (even though it appears in the authenticator app) until you enter a code into the page that the QR code is on and click Save. Since there isn't an API endpoint that you can use to complete this operation, I therefore don't think that this option is viable either. I've tried out whether or not you can use the token retrieval endpoint at https://{keycloak server URL}/auth/realms/{realm name}/protocol/openid-connect/token to see if making a request with your username/password/otp code will somehow "register" your device and complete the process, but although you can get a token this way, and it doesn't complain about the otp code, it doesn't actually take any notice of the code because as far as it's concerned the user's account doesn't have a device registered with it. So we have to use the form on the account management page in order to complete this registration process.
So the final way of possibly doing this is.... an iframe. Sorry, yeah it's rubbish but that's all your left with. You can have the iframe point at your account management page, and because the user is logged in then they will be able to see the contents from your application's page. You can use relative positioning, fixed width and height and remove scroll bars to ensure that you ONLY show the QR code and the fields for the one time code, device name, and the Save/Cancel buttons. This, sadly, seems to be the only option at the moment, and due to how nasty and unreliable iframes can be in general - they certainly don't feel native to your application, and you'll need to override your Keycloak theme to get the page in question to look more like your app - I'd recommend steering clear of this and using the standard approach of using Keycloak actions and the Admin API instead.
If you've made it this far, congratulations, you win at Stack Overflow :-)

Bypass google recaptcha for bot test

Has there anyone come out with a good way to bypass a Recaptcha check in a page to launch a bot test?
Basically, I want for a particular bot (for which I know the IP address) to bypass a google recaptcha check and not sure what would be the most apropiate way of doing it.
I have seen this question How to bypass recaptcha human check in nightwatch test?
but it does not seem to give a clear anwser.
Thanks
EDIT
I am referring myself to the invisible recaptcha that will show some random images and thus the bot will not know where to click to pass the check.
It looks like there is a special set of test keys you can use.
If you configure your testing environment to use these keys, reCaptcha will always return a valid response.
Excerpt from the link below:
With the following test keys, you will always get No CAPTCHA and all
verification requests will pass.
Site key: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
Secret key: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
The reCAPTCHA widget will show a warning message to claim that it's
only for testing purpose. Please do not use these keys for your
production traffic.
https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do
As long as you have control over the server:
You can create a if check when validating the captcha on the server side. So when you make the call to google, surround it with an if() check that checks for the current IP, and if it matches a certain IP, or an array of IP's then ignore the validation.
if($_SERVER['REMOTE_ADDR'] !== 'x.x.x.x') {
//Code that checks captcha and returns error if invalid
}

SoapUI Automated OAuth2 token retrieval issue

I'm a new user with SoapUI, but I feel like this process should be easy. I've read all of the documentation I can find on this matter but I can't seem to get around this.
The issue:
I am working on load testing a website for a customer, this will involve creating 1000 accounts and navigating through a course signup process. I've managed to create test cases that step through the creation process for a new user, upon creating the new user the website automatically does an OAuth2 process and redirects the user to their profile. The way this process flows is: account created > credentials sent to a token URI in the REQUEST > RESPONSE kicks back an access token > token is used to grab credentials and redirect user to profile.
I have successfully extracted the token as a variable and stored it to the local test case, however this is where I get stuck. The only way I am able to retrieve the user profile is by manually pasting the access token into the OAuth2 access token field in SoapUI, then running the test case. Since I have to do this with 1000 accounts, this is obviously not an effective method.
I've attempted to grab ElementIDs of the login page/user creation page using the automated access token script editor, but all of these fields are located in a separate .js script, therefore the ElementID doesn't exist in SoapUI.
Am I going about this wrong, or is there someway this can be done? I'm not looking for anyone to write my code, merely explain this process if I'm understanding it incorrectly.
I managed to bypass the OAuth2 Authentication method by creating a Groovy Script that grabs the "Set-Cookie" header from the token call then adds the cookie to each call afterwards.
This method appears to have solved the issue!
import com.eviware.soapui.support.types.StringToStringMap
def getcookie = context.testCase.testSteps["Token"].testRequest.response.responseHeaders["Set-Cookie"][0]
def headers = new StringToStringMap()
headers.put('Cookie', getcookie)
testRunner.testCase.getTestStepByName('Get User').testRequest.setRequestHeaders(headers)

GITkit "Account Chooser" Questions

Has anyone successfully implemented the Google Identity Toolkit, an implementation of an Account Chooser. I followed the initial steps here, but I still have a few questions, as I don't quite know how to handle the entire data flow. I'm using Clojure / Compojure in the back-end:
http://havethunk.wordpress.com/2011/08/10/google-identity-toolkit-asp-net-mvc3/
http://code.google.com/apis/identitytoolkit/v1/acguide.html
A) don't quite understand how ID Provider authentication, fits into my data model
when implementing the callbackURL, what data should I expect, and
how's that session state managed by GITkit (and all Account Choosers)
B) Is there a way to set this up the 'callbackURL' for development.
the identity provider would need a URL that it can redirect back to
C) How can the GITkit / Account Chooser workflow let my users register an account that's native to my app?
Thanks in advance
The questions aren't entirely clear, but I've done an implementation of GITkit in ruby and can give you some pointers.
A) The callback URL is what handles the assertion from the identity providers. Rightnow GITKit only does OpenID, so the URL will contain an OpenID response either in the query parameters or as the POST body. You'll need to do a few things:
1) Call verifyAssertion in the gitkit API and pass the params/post body. This will return a JSON response that contains the user details (assuming assertion is valid). There are some other checks you should do as well
2) Decide what to do with the assertion. If it is an existing user, most likely you'll just establish a session and save the user ID. If it's a new user, you can either create a new account and start a session immediately, or defer that and redirect them to a signup page.
3) Render HTML/JS to notify the widget. There are different status codes and data you can return that changes the flow.
GITKit itself doesn't really manage session state, that's up to your app. Some of the reference implementations have code to help, but it's not part of the API. The widget does have some state that you can control with JS (add account, show as logged in, etc) and uses local storage in the browser.
The docs give some details and example code for how this should be implemented.
B) Of course. The URL is just configured in the javascript widget when you call setConfig() It can be set to localhost or any staging server for development. So long as your browser can reach it you're OK.
C) By "native", I assume you mean where they're signing up with just a username/password instead of using an IDP. If so, the user just has to enter their email address when logging in. If that email address matches a known IDP it'll attempt to authenticate with OpenID, otherwise if it's a new user it'll redirect to whatever signup page you configured in the widget. That signup page would just ask the user to create a password like you normally would. You should also return whether or not accounts are 'legacy' (password) accounts in the userStatus checks.
Hope that helps.
For anyone's future reference. I was able to resolve the issue. You can follow this thread of how's it's done in Clojure.
I got it working with Ring/Compojure, and another fellow showed me his solution in Webnoir.
HTH