Question: How to test page behind authentication?

[fdn]

I found that authentication is cleared when requesting a page. It makes sense however when testing an app behind authentication it doesn't seem like there is a way to specify an authorization header or cookie to be used.

Reference issue: #592

Any tips on how I can test a page that is behind authentication?

UPDATE (LATEST METHOD): The best way to currently do this is to load your authenticated page in DevTools, uncheck the "Clear storage" checkbox, and run Lighthouse.

[brendankenny]

Is this in the extension? Cookies should not be cleared, so you should stay logged in.

If this is the CLI, you can run npm run chrome to launch a Chrome with the right flags set, log in to the site, then run lighthouse as normal. It will use the Chrome that was already launched.

We do clear a lot of other things in storage, though, so more exotic forms of authentication may not work.

[fdn]

Sorry, I should have specified that this is from the CLI. I'm trying to automate the process as much as possible so manual authentication will be a problem. Assuming nothing works out of the box, I'll try hacking at the gather source files.

[brendankenny]

It shouldn't require hacking the gather files. How were you intending to authenticate in this workflow?

If you were just going to manually authenticate in Chrome once and then reuse that browser repeatedly, that should still work. Lighthouse will talk to any Chrome launched with --remote-debugging-port=9222 (and that port number can be changed by passing in --port=XXXX to Lighthouse), so you can launch like that and keep that workflow.

You'll probably want to launch Chrome with the other flags here as well to reduce noise due to extensions, prevent first run screen, etc.

[fdn]

I don't intend on manually authenticating Chrome before the run. I'm leveraging Lighthouse for the performance monitoring so I want to do this at scale.

[paulirish]

I can see room for a "setCookie" command being added to the driver, probably very similar to the url blocking PR

[brendankenny]

I don't intend on manually authenticating Chrome before the run. I'm leveraging Lighthouse for the performance monitoring so I want to do this at scale.

Can you explain how your workflow (current or intended) for authenticating in a CI or performance monitoring environment works? Happy to make this easier for folks doing this.

[paulirish]

I'll take a stab at that. For example: I want to perf test the loading of drive.google.com with a very active account, and watch this for regressions. Would need to set cookies on the run configuration because the browser is otherwise a clean slate.

---

To me it seems to be similar to the scripting capabilities of WebPageTest, where things like custom cookies can be set: https://sites.google.com/a/webpagetest.org/docs/using-webpagetest/scripting

[brendankenny]

Would need to set cookies on the run configuration because the browser is otherwise a clean slate

Right, sorry, I understood that part :) my question was about how authentication like this is normally handled (or intended to be handled) in this kind of monitoring situation. setCookie seems like a good solution in this case.

[fdn]

@paulirish SetCookie would be nice. Thinking about it a bit more, SetHeaders might be more generic providing a mechanism for basic auth as well.

[fdn]

I poked around a bit. It looks like there isn't a mechanism for setting cookies in the Chromium API. But there is a mechanism for setting arbitrary headers.

driver.js

  setExtraHTTPHeaders(jsonHeaders) {
    let headers;
    try {
      headers = JSON.parse(jsonHeaders);
    } catch(e) {
      log.warn('Driver', 'Invalid extraHeaders JSON');
      headers = {};
    }
    return this.sendCommand('Network.setExtraHTTPHeaders', {
      headers
    });
  }

gather-runner.js

      .then(_ => driver.clearDataForOrigin(options.url))
      .then(_ => driver.setExtraHTTPHeaders(options.flags.extraHeaders || '{}'))
      .then(_ => driver.blockUrlPatterns(options.flags.blockedUrlPatterns || []));

Invoking

node node_modules/lighthouse/lighthouse-cli http://localhost:8080 --disable-device-emulation --disable-network-throttling --perf --extra-headers="{\"Authorization\":\"Basic YWRtaW46YWRtaW4=\"}"

I was able to send a basic authorization header which allowed me authenticated access. The JSON configuration via the CLI is gross but it works.

[wardpeet]

@fdn looks like devtools has https://chromedevtools.github.io/debugger-protocol-viewer/tot/Network/#method-setCookie
we can add both though

[fdn]

@wardpeet That's much more convenient than constructing the cookie header manually. 👍

Is there anything I can do to help this functionality get implemented?

[paulirish]

@fdn a PR would be awesome. Some mix of #1195 and your comment above makes sense to me. Up to you if you would prefer to do it at the HTTP header level or right to setCookie.