Authentication Objects
Oat provides several authentication objects that all implement the SecuritySchemeObject interface. These security objects can be passed into the withSecuritySchemes function. Oat creates an individual test for every security object passed into withSecuritySchemes.
Oat supports the following auth mechanisms:
- Basic auth via the BasicAuth class
- Bearer tokens via the BearerAuth class
- Custom headers via the APIKeyAuth class
- Combined security schemes via the CombinedSecuritySchemes class
Methods
Every security object provides the following methods:
skip
If called on the object, all tests containing this security object will be skipped.
import { Testplan, APIKeyAuth } from 'oat'
const apiToken = new APIKeyAuth('Authorization', 'vollq-b82b312d-4d44-40a3-bb5a-02529417e2d7', 'header')
apiToken.skip()
const plan = new Testplan(specification)
plan.runTest('delete', '/api/specifications/{id}')
  .withSecuritySchemes([apiToken]) // test will be skipped
Security Object Classes
BasicAuth
Extends SecuritySchemeObject.
A security object that represents a Basic Authentication header key.
import { BasicAuth } from 'oat'
const basicAuth = new BasicAuth('admin', 'password')
BearerAuth
Extends SecuritySchemeObject.
A security object that represents a bearer token key.
import { BearerAuth } from 'oat'
const bearerAuth = new BearerAuth('vollq-b82b312d-4d44-40a3-bb5a-02529417e2d7')
You can use a value from the response of a request defined in the same specification as the token by referencing the request's operationId, e.g.:
import { BearerAuth } from 'oat'
/**
 * Given you have an operation defined as following:
 * ```ts
 * {
 *   "operationId": "createUser",
 *   "response": {
 *     "201": {
 *       "content": {
 *         "application/json": {
 *           "schema": {
 *             "type": "object",
 *             "properties": {
 *               "data": {
 *                 "type": "object",
 *                 "properties": {
 *                   "user": { ... },
 *                   "token": { "type": "string" }
 *                 }
 *               }
 *             }
 *           }
 *         }
 *       }
 *     }
 *   }
 * }
 * ```
 * You can reference the value of the response of that request via `#/<operationId>/<statusCode>/<scope>/<path to property>`.
 */
new BearerAuth('#/createUser/201/body/data.token') // get token from body payload of `createUser` response
new BearerAuth('#/createUser/201/header/authorization') // get token from "Authorization" header of `createUser` response
new BearerAuth('#/createUser/201/cookie/sessionId') // get token from "sessionId" cookie of `createUser` response
Supported scopes are body, header and cookie.
Note: you must have a test that delivers that response defined and run first, otherwise Oat won't be able to resolve the value and will throw an error.
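The reference syntax above, parsed and resolved in an added example that is not Oat's own code: the response store, its key layout and the function names are assumptions made for illustration. It also covers the failure case from the note, where the referenced response has not been recorded yet.

```javascript
// Added illustration of the reference syntax; not Oat's implementation.
// `responses` is a constructed store of already-received responses,
// keyed by "<operationId>/<statusCode>" (hypothetical layout).
const SCOPES = ['body', 'header', 'cookie']

function parseReference (ref) {
  const match = /^#\/([^/]+)\/(\d{3})\/([^/]+)\/(.+)$/.exec(ref)
  if (!match) throw new Error(`Malformed reference: ${ref}`)
  const [, operationId, statusCode, scope, path] = match
  if (!SCOPES.includes(scope)) throw new Error(`Unsupported scope "${scope}" in ${ref}`)
  return { operationId, statusCode, scope, path }
}

// Read one own property; anything inherited or missing resolves to undefined.
function ownProperty (node, key) {
  const isObject = node !== null && typeof node === 'object'
  return isObject && Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined
}

function resolveReference (ref, responses) {
  const { operationId, statusCode, scope, path } = parseReference(ref)
  const response = responses[`${operationId}/${statusCode}`]
  // The producing test has to run first, otherwise there is nothing to read.
  if (!response) throw new Error(`No ${statusCode} response recorded for "${operationId}"`)
  let value
  if (scope === 'body') {
    // Walk the dotted property path, e.g. "data.token"
    value = path.split('.').reduce(ownProperty, response.body)
  } else if (scope === 'header') {
    // Header names are case-insensitive
    const headers = response.headers || {}
    const name = Object.keys(headers).find(h => h.toLowerCase() === path.toLowerCase())
    value = name === undefined ? undefined : headers[name]
  } else {
    value = ownProperty(response.cookies, path)
  }
  // Fail closed: never build a credential from a missing or non-string value.
  if (typeof value !== 'string' || value === '') {
    throw new Error(`Reference ${ref} did not resolve to a non-empty string`)
  }
  return value
}

// Constructed sample response for the `createUser` operation
const sampleResponses = {
  'createUser/201': {
    body: { data: { user: { id: 1 }, token: 'constructed-body-token' } },
    headers: { Authorization: 'constructed-header-token' },
    cookies: { sessionId: 'constructed-session-id' }
  }
}
```

Rejecting an unresolved or empty value keeps a test from silently sending an empty credential and passing or failing for the wrong reason.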
APIKeyAuth
Extends SecuritySchemeObject.
A security object that represents a key/value header pair.
import { APIKeyAuth } from 'oat'
const apiToken = new APIKeyAuth('Authorization', 'vollq-b82b312d-4d44-40a3-bb5a-02529417e2d7')
CombinedSecuritySchemes
Extends SecuritySchemeObject.
Allows combining multiple security schemes for a single test, e.g. when an endpoint requires multiple auth mechanisms at once.
import { CombinedSecuritySchemes, APIKeyAuth, BasicAuth } from 'oat'
const authMethodHeader = new APIKeyAuth('x-auth-method', 'basic-auth')
const basicAuth = new BasicAuth('admin', 'password')
const combinedSecScheme = new CombinedSecuritySchemes([ authMethodHeader, basicAuth ])