I have two Symfony projects (a back application and an API).
The back application is the graphic side; it just calls the API.
The API is connected to the database.
I would like to test my back: currently, at each test, I make an API call to reload the database, but I have the impression that I am doing it wrong... and moreover it's so slow...
Is there a better solution?
Thanks
It depends on the test purpose. If you want to test the logic of your back app, I would mock the API client of your back app and simulate responses to be sure all kinds of responses are processed properly.
I'd like to create a set of automated tests that could run in a CI/CD pipeline. I'm struggling to understand how to verify the Generate and Validate Tokens portion of the "Sign in with Apple" flow (REST API implementation):
How can I verify that I'm properly handling the exchange of an authorization code for a refresh token? Consider that the authorization code is single-use and only valid for five minutes, and that it in turn comes from authenticating. In my case authenticating requires 2FA.
END TO END TESTS
A common starting point is to perform UI tests to verify logins in a basic way, in technologies such as Selenium:
These will automatically sign in test user accounts, to perform real logins and exchange of the authorization code for tokens.
After login the UI can proceed to test the application logic, such as calling real APIs using real tokens.
COMPONENTS UNDER TEST
Sometimes though, the OAuth-related infrastructure gets in the way, e.g. if it is not possible to automate 2FA actions such as typing in a one-time password.
It is possible when working with this type of technology to mock the Identity system. One option can be to pretend Apple authentication has completed, while issuing your own mock tokens with a JWT library, with the same properties as the Apple ones.
A key behaviour of course is to ensure that zero code is changed in UIs or APIs, so that they continue to run the same production logic, with no awareness that they are using mock tokens.
HTTP MOCK ENDPOINTS
The open source Wiremock tool can be a useful addition to your toolbox in this case, as in these API focused tests of mine. To use this type of tool, an automated test stage of the pipeline would need to repoint UIs and / or APIs to a URL that you are pretending represents Apple's identity system. So deployment work would be needed.
DESIGNING THE INFRASTRUCTURE
As always of course, it depends on what you want to focus on testing, and which areas you are happy to mock. I recommend thinking this through end to end, thinking about both UIs and APIs. The important thing is to avoid situations where you are blocked and unable to test.
The problem
I am following a Vue.js 3 tutorial on YouTube and I tried to implement the app shown in this video.
Then I started improving it a bit at a time. You can view my project here.
One of the main features I am trying to add is a Hall of Fame component in which you can view the best ten scores of anyone who plays. You can submit your score just after finishing the game. I decided to use Firestore to hold the data.
However, suppose I build the app for production and host it on a server. Then, I can download the whole project on my laptop, change the logic a little bit, and then play it locally on my computer. That way, I can send any type of data to my Firestore database (because my credentials are injected in the JavaScript by Vue). I can then just send the ideal score of 1 ms to hack the game (this is indeed what a friend of mine managed to do).
The question(s)
The question is: how can I prevent this from happening?
Should I make a few changes in the code about the firebase configuration?
Should I use some other way to store the data, and not firestore?
Should I configure the Firestore security rules properly?
Also, what are the best security practices in JS frameworks like Vue.js (or React, in general) to prevent the insertion of non-wanted data on the client side? How do I manage the connection to a cloud database from such front-end frameworks?
Disclaimer
I learn everything about programming on my own, by watching YouTube videos or googling and so on. I am new not only to Vue and Firebase, but to web development in general. Please consider this when answering.
TL;DR
If the score is calculated on the client side (in the browser) you can't secure it.
Anyone can just see the API call being made from the app to the server and replicate that with a REST API tool like Postman, so you wouldn't even need to download it locally to make changes.
If your game relies on the client side as a source of data, there is no way for the server to ensure that it is untampered.
You can try obfuscating the source code and doing client-side data encryption, but it's all in JavaScript so everything is readable.
If you were to implement it in a more secure way, you would have the server trigger an action (as opposed to the script), but then the times would end up being longer because of the data turnaround time, since the event fired from server to client and back would be reflected. But even then the automated response can be hacked by handling it with a script.
Still quite new to Meteor/coding and I have a question on how to connect Meteor to a live API that uses WebSocket.
The API is from Bittrex (exchange for cryptocurrency) and there is a Node.js package that gives a "subscription" to the API in order to get live data:
https://github.com/dparlevliet/node.bittrex.api
I managed to have it run with Node with no problem, but I would ideally like to connect it to Meteor in order to present the data nicely. The props should be updated live with the data received. (NB: there is a lot of data; it is continuously coming.)
Is there a good way to do this, or is Meteor not suitable for this? It means the props would change continuously.
Would a Node/React-only solution be better?
This question might get closed because it's a bit opinion based but...
You have a streaming data source providing data over ws. You could:
(a) have all your clients subscribe directly to that source and not involve your server at all. In this case you'd be just using React on the client and basically ignoring Meteor (even though you'd be building the UI in a Meteor app). I don't know how Bittrex charges for access or how they scale across many connections, so that may be an issue if there are many connections.
(b) use your Meteor app to proxy and then fan out the Bittrex data. In this case you would:
subscribe to the Bittrex data source from your server
copy the data into a Mongo collection
publish that data using a Meteor publication.
Your clients would subscribe to the Meteor publication, and on the front end you would get reactive data updates like any other Meteor app.
The benefits of (b) are that Bittrex only sees one subscriber and your app looks like a pretty vanilla Meteor app. Also, if you have to use any kind of API key or secret to access Bittrex, then that key doesn't need to be shared with the client side.
I have a bit of a theoretical question.
When creating web applications, there is a difference from desktop applications, which have a working and active connection to the database. So I'm curious if there is some solution which can provide more desktop-like access to the database, e.g. transactions on asynchronous requests from the client (web browser)?
edit:
So I figured out that there can be a transaction process for asynchronous requests from the client. Is there a solution which can provide it in web apps?
e.g. I have an asynchronous AJAX call which consists of multiple operations, and I want to process them as a transaction. If everything is okay, all operations will be done. But if one of them fails, just roll it back. Like it is in a DB. Is it possible?
edit2: maybe I'm wrong and the issue is not about AJAX but about whole web applications, but I don't think there is a way to make an asynchronous request from a web client.
Transactions need a continuous connection to the database. To make it work with a web application you need a platform which allows the application to run continuously, independent of client requests. Java servlets are the best fit; PHP is a no-no. So I assume you will use a Java servlet.
In a Java servlet, you can create a DB transaction, create an ID for it, and then store them in a static variable or in the provided application-wide object, the context. Then, return the ID to the client.
When the client wants to send another request, make it send the ID. The application can then locate the transaction variable based on the ID. As long as the application hasn't restarted between the two requests, the transaction is still there and active.
Because a web application doesn't know when the user leaves the application, you must create a mechanism to check the transactions periodically, and then roll them back if the user has left them for a specified time period.
The database has no knowledge of who is connected outside of authentication.
I'm writing a turn-by-turn mobile game. Each game lasts 2 minutes. So every two minutes the server will calculate the rank and generate the next game for clients. I use ASP.NET to write the server.
I chose SignalR to communicate between client and server. I have 2 choices for implementing games:
1) Use SignalR only to communicate with clients
2) Use SignalR to notify client, and use REST API to get or update information of game.
Could you please advise me which choice is better, and please explain in detail.
Thanks in advance.
While I am not a SignalR expert, I can definitely tell you this:
Since you have chosen SignalR, use it for all the tasks it can perform.
Sending updated information about the game to the client definitely seems like a task for SignalR. Having a separate REST API is unnecessary.
Sending a message via SignalR that the state has updated, and client should make a REST call to get the updated information, is an unnecessary extra request. I would avoid it and use SignalR to send the updated information.