
Gor - from stateless API's to complex auth workflows

You will learn how to deal with differences between test and production environments.

Leonid Bugaev

May 27, 2016
Transcript

  1. What is Gor? An open-source tool that lets you re-use your existing users' activity to test your apps. http://gortool.com
     • In active development for 3+ years
     • 5500+ stars on GitHub
     • Trusted by hundreds of companies, including large ones like TomTom, theguardian or gov.uk
     • Commercially supported
  2. Replaying as is
     gor --input-raw :80 --output-http http://staging.env
     Duplicates traffic from the app running on port 80 to your staging environment. Works if your app is stateless or the test environment database is synced with production, so that all the user-specific data (like user ids or API keys) is the same. https://github.com/buger/gor/wiki/Getting-Started
  3. Dealing with differences between production and test environment: partial syncing
     gor --http-allow-header api-key:^(1|2|3) …
     Replay only traffic whose api-key header has value 1, 2 or 3 (accepts a regex). If you can't afford to fully sync the test environment with production, you can partially sync only a few accounts and replay only their traffic. https://github.com/buger/gor/wiki/Request-filtering
  4. Dealing with differences between production and test environment: rewriting requests
     gor --http-set-param api_key=test …
     For all requests, set the api_key param to the value of the "test" user. If the test environment can't be synced with production, even partially, you may override requests and force headers or params to have specific values. https://github.com/buger/gor/wiki/Request-rewriting
  5. Middleware: implementing custom logic. Middleware is a program that accepts request and response payloads on STDIN and emits modified requests on STDOUT. You can implement any custom logic, like stripping private data, advanced rewriting, support for OAuth, etc. Middleware can access the original request and response as well as the replayed response, and can be written in any language. https://github.com/buger/gor/wiki/Middleware
  6. Dynamically generated data that can't be synced. Example workflow:
     1. User requests permissions
     2. Server responds with a dynamically generated token
     3. User must provide this token on each request
     There are plenty of cases, usually security related, where a request needs to sign itself with a token that was dynamically generated by the server: OAuth, JWT, CSRF tokens, etc.
  7. Dynamically generated data that can't be synced. Using middleware we can analyze the responses of the original and replayed requests, which contain the tokens, and build a map of token aliases. For all the following requests we replace the original auth tokens with their aliases from the test environment. See the code: examples/middleware/token_modifier.go
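An added example of such an aliasing middleware in Go (written for this page, not the deck's token_modifier.go). It assumes a constructed convention, that the token travels in an Auth-Token request header and is issued as "token":"..." in a JSON response body, and it assumes the framing from Gor's middleware documentation linked on slide 5: one hex-encoded payload per line, each starting with a "<type> <id> <timestamp>" header line where type 1 is the request, 2 the original response and 3 the replayed response.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/hex"
	"os"
	"regexp"
)

// Constructed assumptions: clients send the token in an "Auth-Token" request
// header and the server issues it as "token":"..." in a JSON response body.
var (
	reqTokenRe  = regexp.MustCompile(`Auth-Token: *([^\r\n]+)`)
	respTokenRe = regexp.MustCompile(`"token":"([^"]+)"`)
	issued      = map[string]string{} // request id -> token production issued
	aliases     = map[string]string{} // production token -> test-environment token
)

// process takes a decoded Gor payload, "<type> <id> <timestamp>\n" + raw HTTP, where
// type 1 = request, 2 = original response, 3 = replayed response (same id as its request).
func process(payload []byte) []byte {
	hdr, http, ok := bytes.Cut(payload, []byte("\n"))
	f := bytes.Fields(hdr)
	if !ok || len(f) < 2 {
		return payload // not a Gor payload: pass through untouched
	}
	kind, id, sm := string(f[0]), string(f[1]), respTokenRe.FindSubmatch(http)
	switch {
	case kind == "1": // request: swap the production token for its test alias
		if r := reqTokenRe.FindSubmatch(http); r != nil && aliases[string(r[1])] != "" {
			http = bytes.Replace(http, r[1], []byte(aliases[string(r[1])]), 1)
		}
	case kind == "2" && sm != nil: // production issued a token for this request
		issued[id] = string(sm[1])
	case kind == "3" && sm != nil && issued[id] != "": // test env issued its own
		aliases[issued[id]] = string(sm[1]) // later requests get this one instead
		delete(issued, id)
	}
	return append(append([]byte{}, payload[:len(hdr)+1]...), http...)
}

func main() { // Gor: one hex-encoded payload per line on STDIN, same format back on STDOUT
	sc := bufio.NewScanner(os.Stdin)
	for sc.Scan() {
		if raw, err := hex.DecodeString(sc.Text()); err == nil {
			os.Stdout.WriteString(hex.EncodeToString(process(raw)) + "\n")
		}
	}
}
```

Responses are echoed back unchanged; only requests that carry a production token already seen in a type 2/type 3 pair are rewritten, so a request whose token the test environment never issued passes through as is.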
  8. Links
     • Site - https://gortool.com
     • Community version source code - https://github.com/buger/gor
     • Pro and Enterprise version - https://gortool.com/#pro
     • Documentation - https://github.com/buger/gor/wiki