Best practice for authentication in test and CI environments?

We are developing a Node API which is used by a React SPA and uses access token auth. We aren’t much past the “Hello World” stage at the moment but already starting to think about testing the API and full stack integration tests.

For development testing we can probably stub the JWT verifier, but for our CI environment we ideally want real authentication. What is the best practice for this? E.g. is it sensible to create separate API and SPA app instances and test user accounts in Okta just for this purpose, and have some hook code which runs before the test suite to get an access token for the test user when testing the API alone (without the SPA)?

Thanks in advance.
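The pre-test hook the question describes, as an added example that is not part of the original post. It assumes the CI job injects a dedicated test user's credentials as secrets and that the test app permits the OAuth 2.0 password grant; the `TEST_*` variable names and the function names are hypothetical.

```javascript
// Added example (not from the thread): fetch and cache an access token for a
// dedicated CI test user before the API test suite runs.
// Assumptions: OAuth 2.0 password grant; hypothetical TEST_* secrets set by CI.
const REQUIRED = ["TEST_TOKEN_URL", "TEST_CLIENT_ID", "TEST_USERNAME", "TEST_PASSWORD"];

let cached = null; // { token, expiresAt } kept in memory only, never written to disk

async function getTestAccessToken(env = process.env, fetchImpl = globalThis.fetch, now = Date.now) {
  // Reuse the cached token until 60 seconds before it expires.
  if (cached && cached.expiresAt - 60_000 > now()) return cached.token;

  // Fail fast and name the missing secrets, without echoing any values.
  const missing = REQUIRED.filter((k) => !env[k]);
  if (missing.length) throw new Error(`missing CI secrets: ${missing.join(", ")}`);

  const body = new URLSearchParams({
    grant_type: "password",
    client_id: env.TEST_CLIENT_ID,
    username: env.TEST_USERNAME,
    password: env.TEST_PASSWORD,
    scope: env.TEST_SCOPE || "openid",
  });
  const res = await fetchImpl(env.TEST_TOKEN_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
    body: body.toString(),
  });
  // Report only the status code so credentials and tokens stay out of CI logs.
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const json = await res.json();
  if (!json.access_token) throw new Error("token response had no access_token");

  cached = { token: json.access_token, expiresAt: now() + (json.expires_in || 0) * 1000 };
  return cached.token;
}

// Clears the in-memory cache, e.g. between suites that use different users.
function resetTokenCache() { cached = null; }

// Header to attach to each API request made by the tests.
function authHeader(token) { return { Authorization: `Bearer ${token}` }; }
```

Call `getTestAccessToken()` from the test runner's global setup and pass `authHeader(token)` with each request to the API under test.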

You can get a development environment in which to test apps, which I recommend. Each app should get its own API token/access token etc. so you can remove/add apps at will. If you have an environment like Bitbucket or Git, then each developer should have an environment file they can plug into each app (if needed).

Thanks. When you say “You can get a development environment in which to test apps” do you mean sign up for another developer account? I am just trying out the service at the moment so that’s all we have. When you upgrade to a paid account do you get a separate dev environment?

If you look here ( you can get an enterprise version, which is the current version my team uses. It allows multiple apps under a single dev tenant. That page can give you more information on the restrictions that apply to other accounts.

If you continue to use the free version, I recommend using something like Git/Bitbucket to make an all-inclusive app for all your applications. I recommend organising how you are doing it before executing your solution. Be aware that if you use Git you can only have two free projects with 4 contributors max (including the user managing the project).
