Back to Repositories

Validating GitLab OAuth Authentication Flow in Insomnia

This test suite validates the GitLab OAuth authentication flow in Insomnia, ensuring secure user authentication and proper handling of OAuth redirects. It simulates the complete sign-in process and verifies the authentication state management.

Test Coverage Overview

The test suite provides comprehensive coverage of GitLab OAuth authentication workflow in Insomnia.

Key areas tested include:

OAuth flow initialization and redirect handling
Authentication state management
User session verification
CSRF protection through state parameter validation
Integration with GitLab’s authentication endpoints

Implementation Analysis

The test implements a sophisticated approach using Playwright’s testing framework to simulate the OAuth authentication flow. It leverages custom event handling and promise-based flow control to mock GitLab’s OAuth responses.

Technical patterns include:

Electron window event interception
Asynchronous OAuth flow simulation
Custom URL scheme handling
Web content manipulation

Technical Details

Testing infrastructure includes:

Playwright test runner and assertions
Electron API integration
Custom OAuth mock implementation
URL parsing and manipulation
Event listener management
Async/await pattern usage

Best Practices Demonstrated

The test exemplifies high-quality testing practices through careful attention to authentication security and flow control.

Notable practices include:

Proper event cleanup and listener management
CSRF protection validation
Async operation handling
UI interaction simulation
State verification
Clean test organization

kong/insomnia

packages/insomnia-smoke-test/tests/smoke/oauth-gitlab.test.ts

            
import { test } from '../../playwright/test';

test('Sign in with Gitlab', async ({ app, page }) => {
  await page.getByRole('button', { name: 'New Document' }).click();
  await page.getByRole('dialog').getByRole('button', { name: 'Create' }).click();
  await page.getByLabel('Insomnia Sync').click();
  await page.getByRole('menuitemradio', { name: 'Switch to Git Repository' }).click();
  await page.getByRole('tab', { name: 'GitLab' }).click();

  const fakeGitLabOAuthWebFlow = app.evaluate(electron => {
    return new Promise<{ redirectUrl: string }>(resolve => {
      const webContents = electron.BrowserWindow.getAllWindows()?.find(w => w.title === 'Insomnia')?.webContents;
      // Remove all navigation listeners so that only the one we inject will run
      webContents?.removeAllListeners('will-navigate');
      webContents?.on('will-navigate', (event: Event, url: string) => {
        event.preventDefault();
        const parsedUrl = new URL(url);
        // We use the same state parameter that the app created to assert that we prevent CSRF
        const stateSearchParam = parsedUrl.searchParams.get('state') || '';
        const redirectUrl = `insomnia://oauth/gitlab/authenticate?code=12345&state=${stateSearchParam}`;
        resolve({ redirectUrl });
      });
    });
  });

  const [{ redirectUrl }] = await Promise.all([
    fakeGitLabOAuthWebFlow,
    page.getByText('Authenticate with GitLab').click({
      // When playwright clicks a link it waits for navigation to finish.
      // In our case we are stubbing the navigation and we don't want to wait for it.
      noWaitAfter: true,
    }),
  ]);

  await page.locator('input[name="link"]').click();
  await page.locator('input[name="link"]').fill(redirectUrl);
  await page.getByRole('button', { name: 'Authenticate' }).click();

  test.expect(await page.locator('text="Mark Kim"')).toBeTruthy();
  test.expect(await page.locator('button[name="sign-out"]')).toBeTruthy();
});