From YouTube: Testing Secure Endpoints - NodeJS - Tom Wilson
Description
Testing secure endpoints does not have to be painful. Using tools like Sinon, you can create integration tests that stub out the auth middleware and give you the freedom to successfully test your features.
Blog Post: https://hyper.io/testing-securea-endpoints-with-integration-testing
Source Code: https://github.com/hyper63/testing-secure-endpoints
A
Save that, yes, and we can go to our test and see that we are running our test server, and then we're doing a fetch to the movies endpoint, and we expect to get a list of movies. So if we run our test.
A
We can see we get success, so the server is running. We make a request and we're getting a list of movies. Now, if we want to secure that endpoint, because it's unsecure, we can use cookie sessions, right, a secure server cookie session. So in our server we set up a session using secure cookies, and what we want to do is pull in some middleware to essentially authenticate that endpoint, or secure that endpoint, and we want to secure all of our endpoints.
A
So we have this middleware, auth.js, and we're just going to run a check and say if request.session.user, and we want to check on a particular path, so we're going to say request.path equals /movies. Now, this is just for this demo. More than likely, you would have like a success list or a failure list of paths that you don't want to do, or you could just do each specific path.
A
But anyway, for this demo we're going to secure the movies endpoint, and if session.user exists, then we're going to set that user to request.user, and then we're going to call next, which will escape us out of this middleware, and everything is great. Otherwise, if not, we're not going to leave the middleware, and we're going to report a status 401 and send back some JSON with a message of not authorized.
A
Like that, and we just do a use, and we want to do a use after the session, so we'll do a use auth.check, all right, because we're exporting the check method, so we're going to use auth.check, and that should secure our movies endpoint here. And we have our login and logout set up to set up our session, but for right now we're just testing the movies endpoint. So if we run yarn test, we don't get a passing, and we get a message: not authorized.
A
So with that, how do we go about securing that, which we did? But now we want to run our test, and our test we want to run in a reliable, automated way, and that brings us to Sinon. Sinon is a toolkit of spies, stubs and mocks, and we're going to use the stub feature of Sinon, and there's other mocking libraries out there as well.
A
But this one works pretty good, and what we want to do is essentially pull in the auth middleware, and then we're gonna stub it out with a fake function call and tell it that, you know, we have a session and we have a user, and that way it will allow us to run our test and validate that our endpoints work, while keeping our API secure.
A
And then we just want to stub it, so we'll do sinon.stub auth, and then we'll give it the method we want to stub, which is check, and then we're going to say fake call, or calls fake function. I think callsFake.
A
And let me just double check, make sure I get it right, but I think it's just callsFake. That's right, callsFake, and then we just give it the function instead of the check function, which will give it a request, response and next arguments, and now we're just going to say request.user equals bob, and then we're going to call next. Okay, so now that that stub is set, we should be able to run our test.
A
Sinon stub, auth, callsFake. There we go, spelling. All right, and it works. So with that we've got our endpoint secure, but we also have a reliable test running to test our endpoint, and we can put that on a CI and run it all day long. So with that, that's pretty much what I wanted to show in this screencast, so hope you get something out of it, and if you want to check out the blog post or the repository, they'll be in the description. Thank.
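The middleware and stub described in the transcript, as an added example that is not code from the video or from the linked repository. It assumes hand-made request/response objects in place of a running Express server, a hypothetical `buildApp` factory, and a hand-written `stubMethod` helper standing in for `sinon.stub(auth, 'check').callsFake(...)` so the block runs without dependencies.

```javascript
// Reconstruction of the auth middleware described in the video (not the repo's code).
const auth = {
  check(req, res, next) {
    if (req.path !== '/movies') return next();           // only /movies is guarded in the demo
    if (req.session && req.session.user) {
      req.user = req.session.user;
      return next();
    }
    return res.status(401).json({ message: 'not authorized' });
  },
};

// Minimal response double with the two Express-style methods the middleware calls.
function fakeRes() {
  return {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
}

// Hypothetical app factory. It reads auth.check when it is called, the way
// app.use(auth.check) would, so a stub only takes effect if installed first.
function buildApp() {
  const check = auth.check;
  return function handle(req) {
    const res = fakeRes();
    check(req, res, () => res.json([{ title: 'constructed movie' }]));
    return res;
  };
}

// Hand-written stand-in for sinon.stub(obj, name).callsFake(fake) plus restore().
function stubMethod(obj, name, fake) {
  const original = obj[name];
  obj[name] = fake;
  return { restore() { obj[name] = original; } };
}

function runDemo() {
  const anonymous = () => ({ path: '/movies', session: {} });
  const real = buildApp()(anonymous());                  // real check: no session user
  const stub = stubMethod(auth, 'check', (req, res, next) => { req.user = 'bob'; next(); });
  const stubbed = buildApp()(anonymous());               // feature test runs past auth
  stub.restore();                                        // never leak the bypass to other tests
  const restored = buildApp()(anonymous());
  return { real: real.statusCode, stubbed: stubbed.statusCode, restored: restored.statusCode };
}
```

Keep at least one test that exercises the real `check` (the 401 case here) alongside the stubbed feature tests, because once the middleware is stubbed the suite no longer verifies authentication at all.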