Supertest, test secure REST API

Question

I am writing an integration test for a REST API protected by a jwt. One API operation POST /user/token is returning a jwt given a username and a password and this token is then used for a list of operations such as:

GET /user/:id

Where the route is using jwt({secret: secret.secretToken}), so the token is included into the HTTP header Authorization.

When testing with supertest, I can have nested testing but I want to first get the token, then use this token for testing other operations.

POST /user/token => 12345
GET /user/:id, `Authorization Bearer 12345`
GET /user/:foo, `Authorization Bearer 12345`

How to avoid generating a new token for every operation testing (see below) but use only a single one generate by POST /user/token.

it('should get a valid token for user: user1', function(done) { 
  request(url)
    .post('/user/token')
    .send({ _id: user1._id, password: user1.password })
    .expect(200) // created
      .end(function(err, res) {
        // test operation GET /user/:id

vesse · Accepted Answer · 2017-06-03T13:43:04.717

42

You want to perform single POST to /user/token and then use the token received in every test case? If so, then use the before hook of the test framework you are using (Mocha?) and store the token to a variable, e.g.

describe('My API tests', function() {

  var token = null;

  before(function(done) {
    request(url)
      .post('/user/token')
      .send({ _id: user1._id, password: user1.password })
      .end(function(err, res) {
        token = res.body.token; // Or something
        done();
      });
  });

  it('should get a valid token for user: user1', function(done) { 
    request('/get/user')
      .set('Authorization', 'Bearer ' + token)
      .expect(200, done);
  });
});

edited Jun 03 '17 at 13:43

answered Oct 20 '14 at 04:10

vesse

4,126
22
32

3

How to achieve this if we have multiple files and folders with unit tests dispersed in them, without repeating the token getting in each file? – Steve K Mar 30 '15 at 11:28
@SirBenBenji I think you just need to define the hook so that you can `require` it where needed, eg. http://stackoverflow.com/a/10561632 would work. See also https://github.com/mochajs/mocha/wiki/Shared-Behaviours – vesse Mar 31 '15 at 09:05

score 3 · Answer 2 · answered Feb 25 '17 at 03:16

Need to set Authorization as 'Bearer ' + token

 var token = null;

 before(function(done) {
    request(url)
      .post('/user/token')
      .send({ _id: user1._id, password: user1.password })
      .end(function(err, res) {
        token = res.body.token; // Or something
        done();
      });
  });


 it('should get a valid token for user: user1', function(done) { 
    request('/get/user')
      .set('Authorization', 'Bearer ' + token)
      .expect(200, done);
  });

Supertest, test secure REST API

2 Answers2

Linked