ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

Test Token / Cookie for Integration Testing or manual testing of Backend #3301

Closed Leon0402 closed 2 months ago

Leon0402 commented 1 year ago

Preflight checklist

Describe your problem

A standard project consists of an Ory instance, a frontend (e.g. an SPA) and a backend. A key challenge is testing the frontend / backend manually while developing, as well as automatic testing with unit / integration / e2e tests.

For the frontend, the situation is rather easy. There, you have implemented a login process with Ory Kratos. Thus, manually testing your frontend is easy, and automatic testing is very easy as well (there are frameworks to make this easier too), because you can just create a test user once and then use the login functionality to obtain a valid session and test whatever you need to test.

The backend part, though, is much more involved. Consider the scenario where you implemented a new REST API endpoint in the backend (not yet in the frontend) which needs a valid token and / or cookie, and our two use cases:

  1. Manual Testing: Assume you want to test your new endpoint with something like Postman or similar. How do you get the valid token / cookie? => Your backend has no function to directly obtain this as the frontend does. Spinning up your frontend and doing the login there first, then extracting the cookie and copying it over to Postman, is really painful. You could also develop a separate script to get the cookie. Less painful, but still always some extra steps, and you actually need to develop such a script.
  2. Automatic Testing: Say, for instance, some integration test, where you actually want to test that it is working with Ory Kratos. Even more painful: you cannot obtain this manually with your frontend, so implementing a login process is mandatory. Again, this is work, and additionally it makes the test more complex, slower to run and more fragile.

Developing / testing is hard enough by itself. When I need five additional steps to simply test my endpoint with Postman, it is incredibly demotivating.

Describe your ideal solution

Ory Kratos should have some sort of Developer Setup (with security measures to prevent it from being used in production in this mode!). In developer mode it should be possible to hardcode cookies and tokens which will always be accepted by Ory Kratos as valid.

This makes manual and automatic testing a breeze. Just hardcode the cookie / token (depending on the setup) in your test or copy it into Postman (you can even save queries there with this hardcoded cookie) and it just works. Testing and developing are almost as easy and painless as without Ory Kratos, which should be the ultimate goal.

Workarounds or alternatives

  1. The current approach of developing some scripts. As explained above: somebody needs to develop & maintain them. And it is still an extra step for manual testing. For automatic testing, it makes everything more complex / fragile / longer to run.

  2. Implement an Ory CLI / Admin Endpoint to obtain some test cookie / token. This is similar to alternative one. The advantage would be that the script does not need to be developed or maintained. Less overhead to integrate this into automatic testing as well. But the point of complexity, fragility, ... still stands.

Version

v0.13.0

Additional Context

No response
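The login script that workaround 1 describes, written here as an added example and not code from the issue or from Kratos itself: it drives the Kratos API login flow (create a flow at `/self-service/login/api`, submit the `password` method to the flow's action URL, read `session_token`) and refuses to send test credentials to anything but a local instance. The port, the test identity and the `fake_kratos` stand-in are constructed so the example runs offline; against a real local Kratos, pass the default `http_json` fetcher.

```python
import json, urllib.error, urllib.request
from urllib.parse import urlparse

# Constructed for this example: a local Kratos public API and a test identity.
KRATOS_PUBLIC_URL = "http://127.0.0.1:4433"
LOCAL_HOSTS = ("127.0.0.1", "localhost", "::1")

def http_json(method, url, body=None):
    """Minimal JSON client (standard library only) for a real local Kratos."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Accept": "application/json", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # Kratos returns the flow with error messages as 4xx JSON

def obtain_session_token(identifier, password, base_url=KRATOS_PUBLIC_URL, fetch=http_json):
    """Drive the Kratos API login flow and return the resulting session token."""
    if urlparse(base_url).hostname not in LOCAL_HOSTS:
        # Test credentials belong to a local dev instance only; refuse anything else.
        raise RuntimeError(f"refusing to log in against non-local Kratos at {base_url}")
    # Step 1: create an API-type login flow (no browser redirects or CSRF cookies).
    flow = fetch("GET", f"{base_url}/self-service/login/api")
    # Step 2: submit the password method to the flow's action URL.
    result = fetch("POST", flow["ui"]["action"],
                   {"method": "password", "identifier": identifier, "password": password})
    if "session_token" not in result:
        # On failure Kratos re-renders the flow with UI messages instead of a session.
        raise RuntimeError(f"login failed: {result.get('ui', {}).get('messages')}")
    return result["session_token"]

def auth_headers(session_token):
    """Header to attach to backend requests; Kratos /sessions/whoami accepts it too."""
    return {"X-Session-Token": session_token}

def fake_kratos(method, url, body=None):
    """Constructed stand-in for a Kratos instance so the example runs offline."""
    if method == "GET" and url.endswith("/self-service/login/api"):
        return {"id": "flow-1", "ui": {"action": f"{KRATOS_PUBLIC_URL}/self-service/login?flow=flow-1"}}
    if body == {"method": "password", "identifier": "tester@example.com", "password": "correct-horse"}:
        return {"session_token": "ory_st_constructed_token", "session": {"active": True}}
    return {"id": "flow-1", "ui": {"messages": [{"type": "error", "text": "invalid credentials"}]}}

if __name__ == "__main__":
    token = obtain_session_token("tester@example.com", "correct-horse", fetch=fake_kratos)
    print(auth_headers(token))
```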

sgrannan commented 1 year ago

We are just now implementing integration testing using testcontainers and this is the exact issue I ran into today. We want to test our backend APIs and all the infrastructure included to support them, which includes Kratos. Our APIs require a Kratos session cookie, but I have no way of easily doing this without several other steps that I'm not sure will work consistently (yet).

As the user mentioned above, at the very least would it be possible to introduce CLI commands for self-hosted that could be issued directly to the docker container in "dev" mode? Do you have anything like this on your roadmap already? Does Ory do integration tests with their whole suite of products?

github-actions[bot] commented 3 months ago

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️