Comments (8)
emmenko
commented on June 14, 2024
1
Sounds a bit fishy as well. What does this mean?
Third-party service needs to implement a new authentication method on the server side so that the JWT token is recognized and verified.
Also, this means that everyone contributing from a fork, has to change .travis.yml in order to provide the custom credentials.
Additionally, this will require that all external contributors have to do this even though they didn't provide any integration test, otherwise the build won't run.
I still think that disabling is the better solution for now.
from nodejs.
emmenko
commented on June 14, 2024
1
That's unfortunately not easy to do, and not reliable. Also, bootstrapping / deleting projects takes more time than the actual integration test itself :/
But that's already a discussion that has been going on for a long time.
from nodejs.
PhilippSpo
commented on June 14, 2024
1
Sorry wrong button 🙈
from nodejs.
Siilwyn
commented on June 14, 2024
So any external PR doesn't get the results of integration tests? That sounds like a really bad idea to me or am I missing something?
from nodejs.
emmenko
commented on June 14, 2024
Exactly. I mean this is a fundamental problem with a build system (like travis) that has encrypted variables and it's a big security issue.
https://docs.travis-ci.com/user/pull-requests#Pull-Requests-and-Security-Restrictions
I read some discussions about this and most of the time people just recommend to disable such tasks from an external PR. I also read that for example saucelabs was thinking of having a complex "authentication" mechanism with like public/private keys to allow such cases.
But I don't see much of a problem to be honest:
- integration tests are decoupled from the packages, so providing unit tests when contributing to packages still allows PRs to be built correctly
- external contributors can still provide integration tests and run them locally with their own credentials
- when we merge, integration tests will run again, so we will see anyway if something broke
from nodejs.
Siilwyn
commented on June 14, 2024
Yeah it seems like a tough 🥜 too crack.
when we merge, integration tests will run again, so we will see anyway if something broke
That sounds a bit late. What about this solution?
from nodejs.
emmenko
commented on June 14, 2024
I had a quick chat with @PhilippSpo. The jwt approach is not good.
Ideally we should just get from the API a way of getting a temporary token (e.g. valid for 10min) for one of the test projects. No client credentials needed anymore.
More ideally, the API should provide a pool of test projects to use for integration tests, which can be cleaned from the backend.
Until then, I think this is the best way to go ahead with it. But we should bring up this conversation with the backend team.
from nodejs.
Siilwyn
commented on June 14, 2024
Well ideally we can create and delete projects. Because afaik that's how they do tests on the backend team. :)
from nodejs.
Related Issues (20)
- Set fetch keepalive HOT 3
- To update version of the node-fetch in @commercetools/sdk-middleware-auth HOT 3
- [Sync-Actions] - add support for standalone prices
- Missing required polyfill for `sdk-middleware-http` package HOT 1
- Custom Objects Importer error regeneratorRuntime is not defined
- [sync-actions] Missing sync actions for API extensions
- problem with sdk-auth in esmodule HOT 1
- Standalone prices as part of api request builder services
- setCustomField Not updating values in CT using cart API
- Investigate Bulk Delete Discount failing for more than 10k HOT 6
- Discuss on Node.js Documentation
- Discount codes import Not working for 2k imports
- Product type exporter not working when enum value is type 'Set'
- [DiscountCodeImporter] Show meaningful error
- Commercial tools logo is not rendering
- Add support for Password Flow for Customers in a Store
- Unhandled Promise Rejections coming from sdk-middleware-http HOT 1
- '@commercetools/sync-actions' is missing type definitions
- Sanitize user input to prevent SQL injections
- Outdated resource links in docs for Resource Deleter
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nodejs.