New in reflex-enterprise v0.9.1.
Testing Guarded Code
When the AuthPlugin is enabled, every non-exempt page, event handler, base field, and computed var is secure by default. The logic worth testing is usually the auth=<callable> authorization checks that decide who may see a value or run a handler.
Because a check is an ordinary function that takes a context object and returns a bool, you can test it directly with no network, IdP, or browser. Use a local mock provider when the OIDC wiring itself is under test.
A check is a function
An authorization check receives a single context object and returns a bool (or an
awaitable of one). It reads the user's claims from
ctx.auth_user_state.userinfo:
To test it, build a context around an AuthUserState carrying the claims for
that case, and call the check. Set the claims on the private _userinfo attribute;
the check reads them back through the public userinfo property:
The context classes are exported from reflex_enterprise.auth. Build the one
that matches the guarded surface:
A check typed with the AuthContext union works on any surface. Test it through
the simplest matching context, usually VarAuthContext.
Async checks
Async checks are tested the same way. Pass the claims into the test context and await the check:
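The following is an added example, not code from the reflex-enterprise docs or package. It shows a sync check and an async check of the shape described above (a single context argument, claims read from ctx.auth_user_state.userinfo, a bool or an awaitable of one returned), plus the test scaffolding that calls them directly. FakeAuthUserState and FakeVarAuthContext are hypothetical stand-ins that mimic the described attribute layout so the file runs without reflex_enterprise installed; in a real suite you would build AuthUserState and VarAuthContext from reflex_enterprise.auth instead, whose constructor signatures are not shown here and are an assumption. The claim values are constructed sample data.

```python
"""Unit-testing auth=<callable> checks with no IdP, network, or browser.

Stand-in classes below are hypothetical and only reproduce the attribute
layout the docs describe: ctx.auth_user_state.userinfo, backed by _userinfo.
"""
from __future__ import annotations

import asyncio
import inspect
from dataclasses import dataclass
from typing import Any, Callable, Mapping, Optional


class FakeAuthUserState:
    """Stand-in for AuthUserState (hypothetical): claims are set on the
    private _userinfo attribute and read back through the userinfo property."""

    def __init__(self, claims: Optional[Mapping[str, Any]] = None) -> None:
        self._userinfo = dict(claims) if claims is not None else None

    @property
    def userinfo(self) -> Optional[dict[str, Any]]:
        return self._userinfo


@dataclass
class FakeVarAuthContext:
    """Stand-in for VarAuthContext (hypothetical): wraps the user state."""

    auth_user_state: FakeAuthUserState


def make_ctx(claims: Optional[Mapping[str, Any]] = None) -> FakeVarAuthContext:
    """Build a context carrying the claims for one test case (None = anonymous)."""
    return FakeVarAuthContext(FakeAuthUserState(claims))


def is_admin(ctx: FakeVarAuthContext) -> bool:
    """Sync check: allow only users whose 'roles' claim contains 'admin'.
    Missing userinfo (anonymous session) denies; a single string role is tolerated."""
    info = ctx.auth_user_state.userinfo
    if not info:
        return False
    roles = info.get("roles", [])
    if isinstance(roles, str):
        roles = [roles]
    return "admin" in roles


async def is_verified_employee(ctx: FakeVarAuthContext) -> bool:
    """Async check: require a verified e-mail in the constructed example.com domain.
    The await simulates a non-blocking lookup a real check might perform."""
    info = ctx.auth_user_state.userinfo
    if not info:
        return False
    await asyncio.sleep(0)
    email = info.get("email", "")
    return bool(info.get("email_verified")) and email.endswith("@example.com")


async def _resolve(awaitable: Any) -> Any:
    return await awaitable


def run_check(check: Callable[[Any], Any], ctx: Any) -> bool:
    """Call a check and normalise its result: plain bools are returned as-is,
    awaitables (async checks) are driven to completion on a fresh event loop."""
    result = check(ctx)
    if inspect.isawaitable(result):
        result = asyncio.run(_resolve(result))
    return bool(result)


if __name__ == "__main__":
    # Constructed sample claims; exercise allow and deny paths for both checks.
    cases = [
        ("admin role", is_admin, {"sub": "u1", "roles": ["admin"]}),
        ("viewer role", is_admin, {"sub": "u2", "roles": ["viewer"]}),
        ("anonymous", is_admin, None),
        ("verified employee", is_verified_employee,
         {"email": "a@example.com", "email_verified": True}),
        ("unverified employee", is_verified_employee,
         {"email": "a@example.com", "email_verified": False}),
    ]
    for name, check, claims in cases:
        print(f"{name:20s} -> {run_check(check, make_ctx(claims))}")
```

Test the deny paths (anonymous context, wrong role, unverified claim) as deliberately as the allow paths: a check that never denies is the most common way a guarded surface becomes public without anyone noticing.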
Use the mock IdP flow below when the OIDC wiring itself or live Reflex state is under test.
End-to-end against a mock IdP
To exercise the OIDC flow, including the login redirect, /callback token
exchange, JWKS validation, userinfo fetch, and async checks that touch real
state, run the app against a local mock identity provider.
oidc-provider-mock is a small OIDC server that runs in-process. Add it as a dev dependency:
Run it on a background thread and point the OIDC_* env vars at it before the
app starts. It accepts any client credentials by default and issues refresh
tokens:
The login flow is browser-driven: redirects, cookies, and websocket state.
Exercise it with AppHarness (from reflex.testing) and a browser driver such
as Playwright. With the mock_idp fixture above active, drive the auth-specific
steps and assert that a protected value is delivered:
The auth_app fixture starts your app under AppHarness with mock_idp active;
page is the standard Playwright fixture. oidc-provider-mock also ships a CLI
for standalone manual testing.
Related
- Secure by default: auth=, context objects, and enforcement semantics.
- Overview: plugin setup and current-user access.
- Providers: provider configuration.