I'm writing automation tests for my web application. One of the step is to complete authentication in my app. To do so, there is a button for GitHub authentication. I'm using GitHub OAuth app.
When my automation test runs, I successfully fill the account details: username & password. However, after completing this step, it requires me to enter verification code sent to my email from GitHub. This prevents me from completing the test.
If I take a look in this documentation: https://playwright.dev/docs/auth
This issue is not even stated, so I think there is some issue with my code/account/configuration.
This is my running test:
await page.goto('/');
await page.getByTestId('auth-github-auth-button').click();
await page.getByLabel('Username or email address').fill('feggfd#dfgsdfgsdfgdfgsd');
await page.getByLabel('Password').fill('jopjopopjopjopj');
await page.getByRole('button', { name: 'Sign in' }).click();
I'm running my test with script playwright test, and this is my playwright.config.ts file:
import { defineConfig } from '#playwright/test';
const configuration = defineConfig({
testDir: './tests',
testIgnore: 'scripts',
globalSetup: './tests/scripts/global-setup.ts',
globalTeardown: './tests/scripts/global-teardown.ts',
reporter: [['html', { open: 'never' }]],
use: {
testIdAttribute: 'data-testid',
baseURL: 'http://localhost:8080',
storageState: './tests/storage/storage-state.json',
},
});
export default configuration;
I debugged the automation using playwright test --debug, and I did see the automation successfully enters the credentials, but then prompted to enter verification code:
This is pretty much standard when you're logging into GitHub and you haven't enabled two-factor authentication. The reason is that some people reuse passwords or pick commonly used passwords and this makes it harder to brute-force things.
You have a couple of choices here. First, you could create an account with 2FA using TOTP and use a TOTP library to generate the code. In all likelihood, you'll have to extract the key from the QR code, though. Note that in any case, you should avoid checking the credentials (username, password, TOTP secret) into your codebase, because if your code is ever accidentally exposed (which is quite common), your credentials will as well.
You could also set up some sort of IMAP access to the email account and read the email from the account, and fill that in.
Either way, you're going to need more than just a username and password to log into GitHub these days.
Related
I made an admin application with react-admin and I made firebase authentication through react-admin-firebase library. User can both login with username and password, and with google account. I wanted to use login and password while testing as I thought it's gonna be easier to manage when writing tests in cypress. The problem is that when I login, a call to google api is made and that's what triggers the error. This results in cypress not accessing app as an authenticated user but rather returns to login page.
Here's a test I wrote:
describe('Login page', () => {
it('Logged in successfully with login and password', () => {
cy.visit('http://localhost:3000')
cy.get('input#username')
.type('login')
cy.get('input#password')
.type('password')
cy.get('button')
.contains('Sign in')
.click()
cy.visit('/#/users')
})
})
And these are logs that cypress is sending.
logs
Is there any way around it? I tried chromeWebSecurity: false in my config and sadly it didn't help. Thank you in advance.
Sending an email using NodeMailer & Gmail
Google has reported that after May 30 third party apps cannot use username and password for signing in. Does this affect nodemailer. We usually allow less secure APP in the gsuit gmail setting before using it in nodemailer.
var transporter = nodemailer.createTransport({
service: 'gmail',
auth: {
user: 'youremail#address.com',
pass: 'yourpassword'
}
});
It would help if you generated an app password to use nodemailer.
First, you need to turn on two-factor-authentication.
And then in your manage account go to security.
You can see the app password below two-step verification.
Go to app password select app other and write custom app name (example project name) and click on generate.
You get a password use that password instead of your mail password.
I've been digging all over for this. Their docs are pretty woeful about the change. Found this, not definitive...I'm in the "set up app password let's see if it still works" camp.
Note the reply "Second, yes, the best information we have is that App Passwords will continue to work."
https://support.google.com/mail/thread/157808790/will-imap-work-after-may-30th?hl=en
I had the same issue and solved it.
Follow these steps:
1)Go to the google account security section
2) turn on 2-step verification under "singing in" to google (else 3rd step is not possible)
3) under signing in to google you will find App passwords, click it
4) select the "select app" and click custom app
5) Type any name of your choice and generate a password.
Now use the same email account and instead of your real password use the generated password.
All right?
I am in need of help with Azure AD B2C implementation. I need an API that manages the login for my application and that makes a connection with AAD B2C. However, I only find login options through the B2C login page. I would like to know if there is any way to implement in Node a form of login in my application without having to use the MS login screen. User entering with password and email and validating in AD. I saw that there is ROPC, but at the same time saying that it is an insecure method.
I am currently implementing it with ms graph, azure-graph, ms-rest-azure, but I think this way is wrong.
User enter the email prefix and password via post.
server.post('/login', (request, response) => {
const {email, password} = request.body
msRestAzure.loginWithUsernamePassword(`${email}#<tenant-name>.onmicrosoft.com`, `${password}`, { tokenAudience: 'graph', domain: tenantId }, function (err, credentials, subscriptions) {
if (err) console.log(err);
console.log(credentials.tokenCache)
Update: few days ago, they announced the preview feature for iframe compatibility (i.e. embedded login):
https://learn.microsoft.com/en-us/azure/active-directory-b2c/embedded-login?pivots=b2c-custom-policy
of course, it's better if you don't use it in production yet, but it might be the solution you were looking for. :)
Old answer:
The only way to achieve that is by using ROPC, as you mentioned. ROPC is insecure basically because for some time you have to manage the credentials of the user (unlike when the user directly inserts them in B2C), but in your case, this is a requirement.
You cannot achieve this with Graph API, because you'll be only able to register the user, update his/her data (incl. password), but you won't be able to get an access token.
I have been having this issue for the past couple of weeks, it works every time locally, however once I deploy it to my heroku server, it will give me an invalid login error. I have gone into the account and givin access to less secure apps. And the credentials are correct, and it works on localhost every time. Is there something I am missing?
quickSendMail: function(routeBody, callback) {
//configuring the nodemailer for email notifications
var smtpConfig = {
host: 'smtp.gmail.com',
port: 465,
secure: true, // use SSL
auth: {
user: 'mysmtpemail123',
pass: '******'
}
};
var mailOptions = {
from: 'SageStorm Site <mysmtpemail123#gmail.com>',
to: ['my email'],
subject: routeBody.subject,
html: 'my message'
};
var transporter = nodemailer.createTransport(smtpConfig);
transporter.verify(function(error, success) {
if (error) {
console.log(error);
} else {
console.log('server is ready to send emails');
}
})
transporter.sendMail(mailOptions, function(error, info) {
if (error) {
console.log(error);
return callback(err, null);
} else {
console.log('Message sent: ' + info.response);
return callback(null, info);
}
})
}
You can allow machines to access your gmail remotely using this link, but keep in mind that Google will affect your default account (even if you are connected with another one).
The easy way: use a incognito / private window (to have no google account connected) and log in your google account and then use the link above.
If that doesn't work try updating your nodemailer to the latest version.
According to https://support.google.com/accounts/answer/6009563, Go to https://accounts.google.com/b/0/DisplayUnlockCaptcha and allow access and try again ..
Also according to docs at nodemailer (https://github.com/nodemailer/nodemailer#delivering-bulk-mail)
I'm having issues with Gmail Gmail either works well or it does not
work at all. It is probably easier to switch to an alternative service
instead of fixing issues with Gmail. If Gmail does not work for you
then don't use it.
I set a bounty to this question, but after looking through the Nodemailer docs/Github, it seems that using Gmail will only lead to headaches.
According to the Nodemailer docs...
"...Gmail expects the user to be an actual user not a robot so it runs a lot of heuristics for every login attempt and blocks anything that looks suspicious to defend the user from account hijacking attempts.
For example you might run into trouble if your server is in another geographical location – everything works in your dev machine but messages are blocked in production."
I believe the second thing was my issue; my Nodemailer ran without issue on my machine, but immediately failed when I pushed the app to Heroku.
As for a fix, my only fix was to use a different email provider. All email accounts I've tried using have been fully authorized to allow other sign-ins and less safe apps; I've gone through every method Google has to offer to allow usage of the account, and I fully believe that it's simply not possible to get consistent results with Nodemailer and Gmail.
Using Outlook/Hotmail worked for me. I also tried switching to a different Gmail account. It worked successfully a couple times, then returned to the previous state.
Most times when one ends up with this kinda error from Nodemailer, one of these options listed by Google gets to fix it, take your time to go through the google account to be used has the required setting.
Google has listed all the potential problems and fixes for us. In as much as you turned on less secure apps setting. Be sure you are applying these to the correct account.
Step 1: Check your password
If you have these problems or can’t sign in, first check to make sure you’re using the right password.
Step 2: Try these troubleshooting steps
If you've turned on 2-Step Verification for your account, you might need to enter an App password instead of your regular password.
Sign in to your account from the web version of Gmail at https://mail.google.com. Once you’re signed in, try signing in to the mail app again.
Visit Display Unlock Captcha and sign in with your Gmail username and password. If asked, enter the letters in the distorted picture.
Your app might not support the latest security standards. Try changing a few settings to allow less secure apps access to your account.
Make sure your mail app isn't set to check for new email too often. If your mail app checks for new messages more than once every 10 minutes, the app’s access to your account could be blocked.
I am new to node.js programming .I am using nodemailer module for sending emails.
const nodemailer = require ('nodemailer'),
credentials=require('./credentials.js');
var mailTransport=nodemailer.createTransport({
service:'Gmail',
auth: {
user : credentials.gmail.user,
pass : credentials.gmail.password,
}
});
function sendMail(mail_id){
mailTransport.sendMail({
from: ' "my name" <myname#gmail.com>',
to : mail_id, //user#gmail.com
subject : 'Hello',
text: "Hello How do u do ?",
},function(err,info){
if(err){
console.log('Unable to send the mail :'+err.message);
}
else{
console.log('Message response : '+info.response);
}
});
}
exports.sendMail=sendMail;
This is my program for sending emails to different users. But I am getting Invalid Login . I don't have any idea why this is coming . I am new to node.js and server side scripting.
I am using my gmail username and password for credentials.
Please help me.
One reason could be the 'modern security standard' protection from Gmail.
Check you gmail inbox for any new mail having subject "Google Account: sign-in attempt blocked"
If yes, open the mail and click on the link https://www.google.com/settings/security/lesssecureapps
set 'Access for less secure apps' to 'Turn on'. Try again, it should be working now.
Particularly 2 issues: or you don't have enabled Less Secure Apps https://myaccount.google.com/lesssecureapps or you don't have enabled Display Unlock Captcha https://accounts.google.com/DisplayUnlockCaptcha, you need to turn on both of them.
U need to Enable Security for Apps :
|*| If u r using gmail,
Use :
service: 'gmail',
Goto :
https://myaccount.google.com/lesssecureapps
Enable :
Allow less secure apps: ON
|*| If u r using yahoo,
Use :
service: 'yahoo',
Goto :
https://login.yahoo.com/account/security
Enable :
Allow apps that use less secure sign in
|*| If u r using Live or Hotmail, No need to enable anything.
Use :
service: 'hotmail',
Did you double-check your login credentials? Also did you double-check your "from" adress to match your email?
I used the nodemailer for some tests 3 weeks ago with the gmail example given on the github page and it worked like a charm:
https://github.com/andris9/Nodemailer
Invalid login indicates mistyped/wrong credentials.
In my case,
turning on less secure apps only was not enough: https://myaccount.google.com/lesssecureapps
I had to enable display unlock captcha also: https://accounts.google.com/DisplayUnlockCaptcha
This solved my issue and i was able to send emails using nodemail and gmail.
This thing is not random actually nodemailer community site itself says to perform the second step to enable captcha, if turning on the less secure apps do not work alone.
https://community.nodemailer.com/using-gmail/
Above image is taken from the nodemailer article link i have shared.
Adding this as a separate answer, since the accepted answer no longer works.
Since May 30, 2022, Google no longer supports less secure apps. There is a nodemailer GitHub issue on this (https://github.com/nodemailer/nodemailer/issues/1424) with the updated steps:
Go to https://myaccount.google.com/security
Enable 2FA
Create App Password for Email
Copy that password (16 characters) into the pass parameter in Nodemailer auth.
...,
auth: {
user: 'yourmail#gmail.com',
pass: 'your_new_app_password',
},
...
if you have a workspace user account you may need to, as an admin:
Create a user group
Add the user to that group
Go to the user group settings and enable unsecure apps under Security so that other groups emails won't be affected
If that isn't enough (this worked for me after everything was fine for months with first three steps), go to myaccount.google.com and log in with the specific user email and password, go to Security again and turn on less secure apps.