I am not sure what I am missing. My test looks something like this:
class SearchTest extends TestCase
{
    protected $baseUrl = 'http://api.todo.dev';
    protected $headers;

    function setUp()
    {
        parent::setUp();
        $this->headers = [
            'HTTP_ACCEPT' => 'application/vnd.' . env('API_VENDOR', '') . '.v1+json'
        ];
    }

    /** @test */
    function it_should_have_a_key_data()
    {
        $uri = 'api/todo';
        $this->call('get', $uri, [], [], [], $this->headers);
    }
}
My problem is that, although my route is JWT protected, there is no need to send a JWT token as a header when testing.
Notice that when using Postman, I get 401 Unauthorized if I make my call without a JWT token in the Authorization header.
How can I test that I get a 401 status code when I do not send a token?
What code have you implemented that lets you test without a token?
Something like this:
$api->version('v1', ['prefix' => 'api', 'protected' => true],
    function ($api) {
        $api->resource('todo', App\Http\Controllers\TodoController::class);
    }
);
Yes, but you said in your test that you don't need to send a token? How are you getting around the authentication to begin with?
That is my problem. My testing works without using any header with token.
My tests from Postman work only with token usage in the header, but my Lumen TestCases do not need to send a token header. That is my problem: testing a protected API endpoint without a token should fail. But mine does not. It returns a 200 status code instead of 401 Unauthorized.
@jasonlewis should 'protected' => true be used anymore? I see in the docs you provide examples with $api->version('v1', ['prefix' => 'api','middleware' => 'api.auth']
That is correct, if you're running the latest 0.10.*@dev then protected is no longer used, you must manually specify the authentication middleware.
For now, I changed to 0.10 and I have other problems, but not the one ignoring protected.
@catalinux How I got around the problem was that, in /config/api.php, I registered 2 authentication providers like:
'auth' => [
    'basic' => function ($app) {
        return new Dingo\Api\Auth\Provider\Basic($app['auth']);
    },
    'jwt' => function ($app) {
        return new Dingo\Api\Auth\Provider\JWT($app['Tymon\JWTAuth\JWTAuth']);
    }
],
So that either authentication works. All you gotta do, in your test code, is to provide a valid auth.basic header. You can bypass the JWT auth that way.
Hm, nice way. However, there was still a problem with the last version. So instead of trying to get a token from the API in my tests, I made a before method that generates a token:
/**
 * @before
 */
public function runLoginWithTokenTrait()
{
    $user = factory(User::class)->create();
    $jwt = \Tymon\JWTAuth\Facades\JWTAuth::fromUser($user);
    $this->headers = [
        'HTTP_ACCEPT' => 'application/vnd.' . env('API_VENDOR', '') . '.v1+json',
        'HTTP_AUTHORIZATION' => 'Bearer ' . $jwt
    ];
}
In case anyone reads this with the same issue, I solved it by adding a little method in my TestCase.php file:
protected function actingAsApiUser(UserContract $user)
{
    $this->app['api.auth']->setUser($user);
    return $this;
}
So now I can write my tests in a more Laravel-esque way:
$this->actingAsApiUser(factory(\App\User::class)->create())
    ->get('/api/protected');
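A regression test for the behaviour the thread is after, as an added example that is not code from any participant or from dingo/api: it asserts that the protected route rejects requests without a usable token and accepts one with a valid token. It assumes the thread's `api/todo` route behind `api.auth` with the JWT provider registered; the class name and the `App\User` factory are assumptions.

```php
<?php
// Added example, not from the thread. Assumes the thread's setup: a Lumen
// TestCase base class, the api/todo route behind 'api.auth', the JWT provider
// registered in config/api.php, and an App\User model factory.

use App\User;
use Tymon\JWTAuth\Facades\JWTAuth;

class TodoAuthEnforcementTest extends TestCase // hypothetical class name
{
    protected $uri = 'api/todo';

    // Accept header in the same form as the tests in the thread.
    protected function acceptHeader()
    {
        return ['HTTP_ACCEPT' => 'application/vnd.' . env('API_VENDOR', '') . '.v1+json'];
    }

    /** @test */
    function it_rejects_a_request_without_a_token()
    {
        // No Authorization header and no setUser() call: only the middleware decides.
        $response = $this->call('GET', $this->uri, [], [], [], $this->acceptHeader());
        $this->assertEquals(401, $response->getStatusCode());
    }

    /** @test */
    function it_rejects_a_malformed_token()
    {
        $headers = $this->acceptHeader() + ['HTTP_AUTHORIZATION' => 'Bearer not-a-jwt'];
        $response = $this->call('GET', $this->uri, [], [], [], $headers);
        // Assumption: the JWT provider turns an unparsable token into 401.
        $this->assertEquals(401, $response->getStatusCode());
    }

    /** @test */
    function it_accepts_a_request_with_a_valid_token()
    {
        $jwt = JWTAuth::fromUser(factory(User::class)->create());
        $headers = $this->acceptHeader() + ['HTTP_AUTHORIZATION' => 'Bearer ' . $jwt];
        $response = $this->call('GET', $this->uri, [], [], [], $headers);
        $this->assertEquals(200, $response->getStatusCode());
    }
}
```

Keep the negative tests free of `actingAsApiUser()` and of any shared headers that already carry a token, otherwise the request is authenticated before the check under test runs.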