DE-135 - Doppler security #12
Conversation
andresmoschini
force-pushed
the
DE-135-doppler-security
branch
from
ba27eb3 to
1369489
Compare
| // TODO: I would like to use ownResourceOrSuperUserPolicy as the default policy, but I | ||
| // cannot override a more restrictive policy with a less restrictive one. So, | ||
| // for the moment, we have to be carefull and chooses the right one for each | ||
| // controller. | ||
| o.DefaultPolicy = simpleAuthenticationPolicy; |
There was a problem hiding this comment.
@ms-darianbenito this what we were talking about today.
| # Unit Testing in the local environment | ||
|
|
||
| To be able to run unit tests, if those require JWT to execute correctly, then you will be able to generate/update them by using the following private key located in this directory ([`dev.priv.key`](./dev.priv.key)) | ||
|
|
||
| The steps needed to do so are the following | ||
|
|
||
| 1. Go to [jwt.io](https://jwt.io/) | ||
| 2. Select RS256 as the algorithm | ||
| 3. Enter the payload | ||
| 4. Paste the key mentioned above in the private key section | ||
| 5. [jwt.io](https://jwt.io/) will generate a token ready to be used in the tests | ||
|
|
||
| **Note:** The tokens generated for unit tests will be valid for that context only |
There was a problem hiding this comment.
Lo veo bien como parte de este commit. También quedaría claro en un siguiente commint con docs:
| var response = await client.GetAsync(url); | ||
|
|
||
| // Assert | ||
| Assert.Equal(expectedStatusCode, response.StatusCode); |
There was a problem hiding this comment.
I am not sure but we need that anonymous endpoint just not response 401 status code.
Assert.NotEqual(HttpStatusCode.Unauthorized, response.StatusCode);
There was a problem hiding this comment.
I did not understand.
Is not enough waiting for a 200 OK?
There was a problem hiding this comment.
Yes, It is, but I am thinking on another response status like InternalServerError, and that still a valid scenario.
There was a problem hiding this comment.
Oh, I understand now.
I think that an InternalServerError is not enough to confirm that anonymous authorization is working fine.
Maybe there is another problem, so, in that case, the result should not be pass, maybe inconclusive, but in that case, the test will be more complex.
andresmoschini
force-pushed
the
DE-135-doppler-security
branch
2 times, most recently
from
d0c548d to
78e27fd
Compare
Hi team,
This is a big PR! but I think that it is possible to review it easily by reading commit by commit.
It supports 3 different scenarios, not all APIs require all of them:
Maybe you do not need all of these scenarios and having a specific policy as the default is enough.
The tests are very detailed, so, it could be easy and safe adapt it for a new behavior.
Tested in INT environment with my account's token: