Testing API Key Authentication

When running tests there are several ways you might want to handle API Key authentication. This document outlines a few strategies for testing with API Key authentication both locally and in deployed environments.

Testing Locally#

When running API key Authentication locally, if you link the project to an project the same API Key Bucket used in working copy will also be used for local development.

Setting the API Key Bucket Name#

Either locally or in CI/CD you can specify any API Key Bucket on the API Key Authentication policy by setting the bucketName property. This allows using a consistent API Key Bucket that is setup with consumers, etc. as required for testing. You can use the Zuplo Developer API to create and manage buckets, consumers, keys, etc.

Selectively Disabling#

Danger

Be extremely careful using this strategy. If configured incorrectly this could leave your API open to unauthorized access.

Another option is to disable authentication on endpoints for testing purposes. One way of doing this is to configure the API Key Authentication policy to allow unauthenticated requests through. This can be done by setting allowUnauthenticatedRequests to true.

In order to enforce authentication with this setting disabled, you can create a policy that comes after that selectively enforces auth based on some condition.

For example, an environment variable flag could be used to disable auth with the following policy.

import {
  ZuploContext,
  ZuploRequest,
  environment,
  HttpProblems,
} from "@zuplo/runtime";
 
export default async function enforceAuth(
  request: ZuploRequest,
  context: ZuploContext,
) {
  if (environment.DISABLE_AUTH === "AUTH_DISABLED") {
    return request;
  }
 
  if (!request.user) {
    return HttpProblems.unauthorized(request, context);
  }
 
  return request;
}