What is the best way to test secure routes on APIs that require authentication while using Cognito OAuth with MFA?

I am using AWS Cognito with MFA and I can't use an actual user with a session to test the routes with supertest test cases.

What is the best practice for testing authenticated routes without getting a valid token?

I tried to log in with an actual user, but I can't do that because I have MFA required.

I ended up having an environment variable to check if we are in a test environment and then create the routes without authentication.

I don't know if there are better ways.



Solution 1:[1]

As far as I know, there isn't.

The whole point of MFA is to be secure - if there was a backdoor, there'd be no point.

You could also create a user pool just for testing which doesn't require MFA in your application and alternate between your production user pool with MFA enabled & your testing user pool with MFA disabled.

The easiest way I've seen, however, as you've described, to disable MFA for end to end tests is disabling authentication as a whole based on a local secure configuration setting.
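
The configuration-based bypass discussed in the question and answer above, as an added example that is not part of the original post: an Express-style middleware factory that refuses to start with the bypass enabled unless `NODE_ENV` is exactly `test`, so a stray setting in another environment fails closed. `AUTH_BYPASS`, `buildAuthMiddleware`, `verifyToken`, `fakeRes` and `run` are hypothetical names, and `verifyToken` stands in for real Cognito JWT verification.

```javascript
// Added example. AUTH_BYPASS, buildAuthMiddleware and verifyToken are
// hypothetical names; verifyToken stands in for real Cognito JWT verification.
function buildAuthMiddleware({ env, verifyToken }) {
  const bypassRequested = env.AUTH_BYPASS === 'true';

  // Fail closed at startup: honour the bypass only when NODE_ENV is exactly "test".
  if (bypassRequested && env.NODE_ENV !== 'test') {
    throw new Error('AUTH_BYPASS is only allowed when NODE_ENV=test');
  }

  if (bypassRequested) {
    // Test mode: skip verification and attach a fixed, clearly fake identity.
    return (req, res, next) => {
      req.user = { sub: 'test-user', bypass: true };
      next();
    };
  }

  // Normal mode: require a bearer token and verify it.
  return async (req, res, next) => {
    const header = (req.headers && req.headers.authorization) || '';
    const match = /^Bearer (.+)$/.exec(header);
    if (!match) return res.status(401).json({ error: 'missing token' });
    try {
      req.user = await verifyToken(match[1]);
    } catch (err) {
      return res.status(401).json({ error: 'invalid token' });
    }
    next();
  };
}

// Minimal stand-in for an Express response (constructed for this example).
function fakeRes() {
  return {
    statusCode: 200,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
}

// Runs one constructed request through a middleware and reports the outcome.
async function run(middleware, headers) {
  const req = { headers };
  const res = fakeRes();
  let nextCalled = false;
  await middleware(req, res, () => { nextCalled = true; });
  return { nextCalled, status: res.statusCode, user: req.user };
}
```

In a supertest suite the factory would be called once with `process.env` and the result mounted with `app.use(...)`; the non-bypass branch can still be exercised in tests by passing a stub `verifyToken`.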

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1