apple / password-manager-resources

A place for creators and users of password managers to collaborate on resources to make password management better.
MIT License
consider adding example URLs for automated testing of shared backends #158

Open geoffcline opened 4 years ago

geoffcline commented 4 years ago

I propose adding URLs for the shared backend groups, as shown below.

The URL should point to a page on that domain that returns a 2XX-3XX HTTP response (e.g., redirects are OK) and (preferably) includes at least one HTML form element for a username.

The goal here is to enable minimal automated testing of these groups, and also to indicate when a group is no longer necessary.

    [
        {"kcls.bibliocommons.com", "https://kcls.bibliocommons.com/user/login"},
        {"kcls.overdrive.com", "https://kcls.overdrive.com/account/ozone/sign-in"},
        {"kcls.org", "https://login.ezproxy.kcls.org/login"}
    ],

igor-makarov commented 4 years ago

I have made some attempts to test some of the URLs already in the repo for validity, but the Internet is large and held together with baling wire - there were password reset pages that have 401 redirects and ea.com causes cURL to go into a redirect loop.

@rmondello seems less than thrilled to add network-based validation: https://github.com/apple/password-manager-resources/pull/130#issuecomment-640251583

I'm beginning to lean that way too.

geoffcline commented 4 years ago

Do you think there is value in having the URLs there as an option to be used downstream by password managers?

Also, it would make manually verifying new pull requests easier: a matter of clicking the link compared to hunting around for the "login" page on each domain.

I see the point that headless/network-based validation is a challenge, especially for these quirky URLs.

rmondello commented 4 years ago

I don’t like validating the URLs, but I like documenting them!

rmondello commented 4 years ago

(Although, citing them in the pull request documents them in a weak way.)

bradcush commented 4 years ago

To the points above, I don't think adding specific login/signup URLs for backends helps password managers themselves but only tooling or humans to validate them more easily. I would be in favor of not adding them to the repo for this reason. It makes more sense to validate things using the core information in the resources if at all possible.
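
Added example (not part of the thread or the repository): one way to express the check proposed in the first comment, covering the 401 and redirect-loop cases raised in the replies. The function names, the username-field heuristic, the hop limit and the `example.org` responses are assumptions made for illustration; `fetch` is injected so the sample runs offline against constructed data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormScan(HTMLParser):
    """Sets .found for an <input> inside a <form> with type=email or a user/email/login hint."""
    def __init__(self):
        super().__init__()
        self.depth, self.found = 0, False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.depth += 1
        elif tag == "input" and self.depth:
            hint = " ".join(a.get(k, "") for k in ("autocomplete", "name", "id"))
            if a.get("type") == "email" or any(w in hint for w in ("user", "email", "login")):
                self.found = True
    def handle_endtag(self, tag):
        if tag == "form" and self.depth:
            self.depth -= 1

def on_domain(domain, url):
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)  # exact host or a subdomain

def check_entry(domain, url, fetch, max_hops=5):
    """fetch(url) -> (status, location or None, body); returns (verdict, has_username_field)."""
    if not on_domain(domain, url):
        return ("off-domain", False)
    seen = set()
    while True:
        if url in seen or len(seen) >= max_hops:
            return ("redirect-limit", False)  # loop or overly long chain
        seen.add(url)
        status, location, body = fetch(url)
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # redirects are acceptable, so follow them
            continue
        if not 200 <= status < 300:
            return (f"http-{status}", False)
        scan = FormScan()
        scan.feed(body)
        return ("ok", scan.found)

SAMPLE = {  # constructed responses, not real captures
    "https://login.example.org/": (302, "/signin", ""),
    "https://login.example.org/signin": (200, None, '<form><input name="username"></form>'),
    "https://loop.example.org/a": (302, "/b", ""),
    "https://loop.example.org/b": (302, "/a", ""),
    "https://reset.example.org/": (401, None, ""),
}
```

The username field is reported separately from the verdict because the proposal only asks for it "preferably".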