End-to-end testing automation guide with two-step verification for Marketplace partners
Platform Notice: Cloud Only - This article only applies to Atlassian apps on the cloud platform.
Summary
This article covers app testing for Marketplace partners and how to handle challenges from triggered security features.
App testing and security
Marketplace partners have end-to-end (E2E) tests that log in to Atlassian programmatically to test their apps. During login, these test accounts may trigger Atlassian account security features such as an email one-time password (OTP) challenge. Because the tests are automated, a challenge of this kind stops them from running smoothly.
There is no way to bypass these security features. Please remember that the workarounds below may stop working as the Atlassian account service continues to evolve and change.
Suggestions
Here are five suggestions that may help navigate challenges relating to E2E testing at the time of writing (December 2024).
Switch to API tokens instead: Manage API tokens for your Atlassian account. This is not an option if Selenium-style tests need to be run.
Set up two-step verification (2SV), also known as multi-factor authentication (MFA), on the test account: Start the process to configure two-step verification and programmatically type the generated OTP code after authentication with a password as part of the automated test. For more information, please see the time-based one-time password (TOTP) section below.
Set up security keys and complete the security key challenge programmatically: Use a security key (similar process to above).
Log in with a third-party account provider. See Log in with a third-party account for more information.
Configure/enable SAML for the test account and log in with those credentials for the automated test. This will require an Atlassian Guard subscription + your identity provider (IdP) if you don't already have one. See Configure SAML single sign-on with an identity provider.
TOTP
The instructions below cover setting up two-step verification, followed by example TypeScript code that you can use to generate TOTP codes programmatically.
Log in to the test account with a password at id.atlassian.com.
Start the two-step verification configuration process as per: Start the process to configure two-step verification.
Set up TOTP:
Select the Authenticator app
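Once presented with this page, select Can't see the code.
Copy the "Key".
Use the key to generate the current TOTP.
Example: compute the TOTP using the generated key
// thirty-two decodes the base32 "Key"; notp implements TOTP.
import base32 from 'thirty-two';
import * as notp from 'notp';

// Replace <Key> with the key copied from the two-step verification setup page.
const totpSecret = base32.decode('<Key>');
// time is the TOTP time step in seconds.
const totpCode = notp.totp.gen(totpSecret, { time: 30 });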
(TypeScript)
Alternative example: https://github.com/atlassian/1time (see under "Prover")
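Added example (not Atlassian's code, and not taken from the libraries above): the same TOTP computation written out per RFC 6238 using only Node's built-in crypto module, plus a helper that waits for the next 30-second step when the current code is about to expire while the test is still typing it. The function names and the 5-second margin are assumptions made for this illustration.

```typescript
import { createHmac } from "node:crypto";

const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Decode the base32 "Key" from the setup page; spaces, padding and case are ignored.
function base32Decode(key: string): Uint8Array {
  const clean = key.replace(/[\s=]/g, "").toUpperCase();
  const out: number[] = [];
  let bits = 0, value = 0;
  for (let i = 0; i < clean.length; i++) {
    const idx = B32.indexOf(clean[i]);
    if (idx < 0) throw new Error("invalid base32 character in key"); // never echo the key
    value = ((value << 5) | idx) & 0xfff;
    bits += 5;
    if (bits >= 8) { bits -= 8; out.push((value >>> bits) & 0xff); }
  }
  return new Uint8Array(out);
}

// RFC 6238 TOTP (HMAC-SHA1) for a given Unix time in seconds.
function totp(key: string, unixSeconds: number, step = 30, digits = 6): string {
  const counter = Math.floor(unixSeconds / step);
  const msg = new Uint8Array(8); // 64-bit big-endian counter
  const view = new DataView(msg.buffer);
  view.setUint32(0, Math.floor(counter / 2 ** 32));
  view.setUint32(4, counter >>> 0);
  const mac = createHmac("sha1", base32Decode(key)).update(msg).digest();
  const off = mac[mac.length - 1] & 0x0f; // dynamic truncation (RFC 4226)
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// Seconds until the code for `unixSeconds` is replaced by the next one.
function secondsRemaining(unixSeconds: number, step = 30): number {
  return step - (unixSeconds % step);
}

// Return a code that stays current for at least `minValid` seconds; otherwise
// wait for the next step first. `now` is injectable so tests can fix the clock.
async function freshTotp(key: string, minValid = 5, now = () => Date.now() / 1000): Promise<string> {
  const left = secondsRemaining(now());
  if (left < minValid) await new Promise((resolve) => setTimeout(resolve, left * 1000));
  return totp(key, now());
}
```

Anyone holding the key can generate valid codes for the test account, so pass it to the test run from the CI secret store rather than committing it alongside the test code.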