[rspec-users] Cucumber: acceptance testing OAuth

Matt Wynne matt at mattwynne.net
Tue Jan 6 18:08:11 EST 2009


We're adding OAuth support for our API, and I paired with the guy  
who's spiked it today to try and write some features to drive out the  
behaviour we need.

It ended up getting quite tricky, so if you don't mind I'd like to  
bounce my ideas of this list and see what you think.

The spike uses the OAuth Provider plugin[1] which is what we're  
planning to integrate. This adds a ClientApplication model to your  
database. A ClientApplication represents, for example, the flickr  
uploader application that I've downlaoded. One User has many  

A ClientApplication instance has a #key and a #secret which are stored  
on the server, and also known by the application on the client side  
which it represents.

Anyway, so back to my Cucumber scenario.

In the Given step, I create a User and a ClientApplication. Now I have  
to pretend to be the actual API client making a request to my rails app.

At this point, I need to make some special magic OAuth parameters for  
the HTTP request, called 'signature' and 'signature_method'. These  
signify some magic munging of the key and secret for the  
ClientApplication which will (hopefully) be understood and processed  
by the SUT.

In the real world, you would delegate the work of talking to an OAuth  
provider like this to the oauth gem[2]. I had a crack, for an hour or  
so, to use the gem in my When step, injecting a fake replacement for  
the Net::HTTP which it uses and instead forwarding calls to rails  
IntegrationSession post / get methods.

This wasn't easy. Net::HTTPResponse objects don't look much like  
ActionController::CgiResponse objects, for example, so you have to do  
a lot of bridging.

So I feel like it's time to pull back and have a re-think. Has anyone  
else tried to do something similar, and has some code to bridge from  
Net::HTTP objects to the ones used by Rails' Test::IntegrationSession?

Am we barking up the wrong tree? Should we perhaps just spin up a web  
server for the test session and just go ahead and call the app through  
the gem?

Any other ideas? Am I missing anything else obvious?

All thoughts greatly appreciated guys!


Matt Wynne

[1] http://github.com/pelle/oauth-plugin/tree/master
[2] http://github.com/pelle/oauth/tree/master

More information about the rspec-users mailing list