freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

Consider adding dev env option to disable TOTP check #5744

Open eloquence opened 3 years ago

eloquence commented 3 years ago

As discussed in https://github.com/freedomofpress/securedrop-client/issues/1140, for CI automation of cassette generation and similar tasks, it may be desirable to be able to spin up a dev container with TOTP checks disabled.

To minimize any unintended side effects, this flag would only disable the TOTP check itself, not input validation checks -- so you would still have to submit a 6 digit number.

Note that SecureDrop Client in particular currently hardcodes the TOTP value in https://github.com/freedomofpress/securedrop-client/blob/main/tests/conftest.py#L37 and we're relying on a process of manually patching the server code during cassette generation: https://github.com/freedomofpress/securedrop-client/#generating-new-cassettes

eloquence commented 3 years ago

Open question: Would it be preferable to ensure that our TOTP utility code is clean & reusable across the tests that rely on it, and to refactor conftest.py in SecureDrop Client to make use of it? While I can see the convenience of this proposal, I worry that it sets up a potentially problematic pattern in terms of test fidelity.