It is true for simple logging systems only.
For example, you can log in with a test user, but ... you need to know
user's login and password.
In the real world if you can get a login and password (for example from
the db), you do something wrong.
Of course, you can create a test user in the test. But it is true only
for very simple authorization systems
In my case, users can log in using our FB clone (VK.com). So the only
way to test what's going on with registered users is to set a session
and bypass authorization (or login via my real VK account, but it's too
hard)
Or if users have to confirm an email, phone and so on...
$t->get->find('#id') won't work for those cases.
The second item against the weird realistic test is that it becomes broken
every time when templates are changed.
And you still need to take a csrf_token somehow.
My example methods work just as they should. (the same way if the
session was created in the application)
But if you're going to write a Facebook killer, you'll be missing a way
to test protected parts of your site because it's hard to calculate
cookies manually.
Which is why you don't create cookies manually, the client side is not
supposed to touch them.
Right now it's impossible (or very hard) to test what's going on because
routes are protected (we have to encrypt cookie manually and get somehow
a csrf_token)
No, you are not supposed to do that, those are artificial test cases
that have no relation to what your users see in the real world.
Of course, you can do it something like this (a weird way):
# log in and find csrf_token in the html output
$t->get_ok('/')->post_ok('/login', form => {pass => 'pass', login => 'login'});
my $csrf = $t->ua->get('/')->res->dom->at('#csrf')->text;
But this is a realistic test, you are actually testing what your users
are working with. Many applications specifically set the X-CSRF-Token
header to make life easier for API clients.
--
sebastian
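
An added example, not part of the thread and not code from the Mojolicious project: a self-contained Mojolicious::Lite script that tests a protected route the way the reply describes, by logging in through the form, reading the token from the page and sending it back as X-CSRF-Token. The routes, credentials, secret and the #csrf element are assumptions made up for the demo.

```perl
use Mojolicious::Lite;
use Test::More;
use Test::Mojo;

# Constructed demo app: secret, routes and credentials are assumptions.
app->secrets(['constructed-test-secret']);

# Page that exposes the per-session CSRF token in the markup
get '/' => sub {
  my $c = shift;
  $c->render(inline => '<span id="csrf"><%= csrf_token %></span>');
};

post '/login' => sub {
  my $c  = shift;
  my $ok = ($c->param('login') // '') eq 'login'
    && ($c->param('pass') // '') eq 'pass';
  return $c->render(text => 'denied', status => 403) unless $ok;
  $c->session(user => 'login');
  $c->render(text => 'ok');
};

post '/profile' => sub {
  my $c = shift;
  return $c->render(text => 'login required', status => 401)
    unless $c->session('user');
  # csrf_protect accepts a csrf_token parameter or the X-CSRF-Token header
  return $c->render(text => 'bad csrf token', status => 403)
    if $c->validation->csrf_protect->has_error('csrf_token');
  $c->render(text => 'updated');
};

my $t = Test::Mojo->new;

# Anonymous request is rejected before any CSRF check
$t->post_ok('/profile')->status_is(401);

# Log in through the real form handler; the user agent keeps the session cookie
$t->post_ok('/login' => form => {login => 'login', pass => 'pass'})
  ->status_is(200);

# Authenticated, but without a token the state-changing request must fail
$t->post_ok('/profile')->status_is(403)->content_is('bad csrf token');

# Read the token from the page a user would see, then send it as a header
$t->get_ok('/')->status_is(200)->element_exists('#csrf');
my $csrf = $t->tx->res->dom->at('#csrf')->text;
$t->post_ok('/profile' => {'X-CSRF-Token' => $csrf})
  ->status_is(200)->content_is('updated');

done_testing;
```

The two failing requests are the useful part: they show that the route is closed to anonymous clients and to authenticated requests without a token, not only that the happy path works.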
--
You received this message because you are subscribed to the Google
Groups "Mojolicious" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
To post to this group, send email to [email protected]
<mailto:[email protected]>.
Visit this group at http://groups.google.com/group/mojolicious.
For more options, visit https://groups.google.com/d/optout.