Our test environment is behind Google IAP and the application under test is using Bearer tokens for user authentication.

In order to access the test environment, I am getting the Google JWT token and then adding it as the Authorization header on all requests by extending the RequestHook:

import { RequestHook } from 'testcafe';
import config from '../config/.config.json';
import serviceGoogleAccount from '../config/.service-google-account.json';

import { GoogleAuth } from 'google-auth-library';

export class GoogleIapJWTAuthorization extends RequestHook {

  constructor () {
    // No URL filtering applied to this hook
    // so it will be used for all requests.
    super();

    const auth = new GoogleAuth({
      credentials: serviceGoogleAccount
    });

    console.log('Google Authentication');

    console.log(`Loaded Service Account ${serviceGoogleAccount.client_email}`);
    auth.getClient()
    .then(client => client.fetchIdToken(`${config.googleAuthSettings.targetAudience}`))
    .then(token => {
        console.log(`Successfully authenticated with Identity Aware Proxy. Id Token: ${token}`);
        this._token = token;
        return token;
    })
    .catch(err => {
        // `token` is not defined in this scope (referencing it would throw),
        // so only the error itself is logged here.
        console.log('Identity Aware Proxy Authentication Failed.');
        console.log(JSON.stringify(err));
        process.exitCode = 1;
    });
  }
  getGoogleJwtToken() {
    return this._token;
  }

  onRequest (e) {
    //Authorization header for authentication into Google Auth IAP
    e.requestOptions.headers['Authorization']= `Bearer ${this._token}`;
  }

  onResponse (e) {
      // This method must also be overridden,
      // but you can leave it blank.
  }
}

When testing manually and logging in to a Google account in order to access the test environment, this token is set as a cookie:

Cookie example set by Google IAP after logging in

So far, so good.

The problem occurs when I am trying to log in to the application with a user. Our identity endpoint returns a Bearer token for a user, and in order to access user-specific pages I need to pass this user's Bearer token as the Authorization header on requests.

But due to the above Google JWT token implementation, the Authorization header is already in use. And because after logging in to the application I am getting 401 Unauthorized for pages/endpoints that require the user's Bearer token, I presume that the user's Bearer token is getting overwritten by the Google JWT token above.

Is there any way to solve this?

As far as I understand, setting the cookie is not that straightforward according to https://github.com/DevExpress/testcafe/issues/4063

  • It seems that it is not necessary to set the access token via the RequestHook when authenticating as a user. As I understand it, you are logging in as a user via the browser, so it will set the required cookie itself – Shurygin.Sergey Nov 11 '20 at 09:52
  • Maybe I did not explain it well - we have sort of 2 steps: 1. Google login form to access the test environment (this part is simply to not allow outside access to our test environments, it is not present in production) 2. Our user login mechanism which uses Bearer tokens in the Authorization header and does not set cookies. When manually accessing the test environment I do log in using a Google Account and for that the cookie is set. I cannot automate this process using TestCafe because Google might show captcha for automatic tries (and it also slows down tests). – M. Lukjanska Nov 11 '20 at 13:10
  • If I understand correctly, you're using the Google IAP authentication to access your test environment, and you cannot log in to tests via a browser due to the captcha. Also, your application has its own authentication that uses a token passed via the Authorization header. When you run your application manually, Google IAP sets an authentication cookie instead of a token. Tests are not working because the application and Google IAP use the same header. TestCafe doesn't allow setting a cookie in a test. Is it possible to use cookie authentication in your application? – Shurygin.Sergey Nov 12 '20 at 10:13
  • All above is correct. Just a slight correction to my previous comment - when logging in to Google IAP via UI it does not seem to bring up captcha (at least for several runs I did), so my plan for now will be to use the Google IAP UI authentication for tests where I need a user to log in to our app. – M. Lukjanska Nov 13 '20 at 11:08

0 Answers
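An added example, not code from the question or its comments: Google IAP also accepts its ID token in a `Proxy-Authorization: Bearer` header and then passes `Authorization` through to the application untouched, so a hook can carry the IAP token there and leave the user's Bearer token alone. The names `applyIapToken`, `IapProxyAuthHook` and `fetchIdToken` are hypothetical; in a TestCafe project the class would extend `RequestHook` and call `super()`.

```javascript
// Added example (not the asker's code). Assumption: the environment sits behind
// Google IAP, which authorizes a request from Proxy-Authorization when present
// and forwards Authorization to the application without processing it.

// Put the IAP ID token into Proxy-Authorization; never touch Authorization.
function applyIapToken(headers, iapToken) {
  // Fail fast instead of sending "Bearer undefined" when the token fetch
  // failed or has not produced a value.
  if (!iapToken) throw new Error('IAP ID token not available');
  // Header names may arrive in any casing; drop stale variants first.
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'proxy-authorization') delete headers[name];
  }
  headers['proxy-authorization'] = `Bearer ${iapToken}`;
  return headers;
}

// Same shape as a TestCafe RequestHook (onRequest / onResponse).
class IapProxyAuthHook {
  // fetchIdToken: hypothetical async function returning the IAP ID token, e.g.
  // () => auth.getClient().then(c => c.fetchIdToken(targetAudience))
  constructor(fetchIdToken) {
    // Keep the promise so the first request waits for the token
    // instead of racing the fetch started in the constructor.
    this._tokenPromise = fetchIdToken();
    // Mark the rejection as handled here; onRequest still sees it on await.
    this._tokenPromise.catch(() => {});
  }

  async onRequest(e) {
    applyIapToken(e.requestOptions.headers, await this._tokenPromise);
  }

  async onResponse() {
    // Must be overridden; nothing to do.
  }
}

// Constructed sample: a request that already carries the user's Bearer token.
function demoHeaders() {
  const headers = { authorization: 'Bearer user-app-token', accept: '*/*' };
  return applyIapToken(headers, 'constructed-iap-id-token');
}
```
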