02/04: thoughts on testing 3rd-party auth

Author: kettanaito

exercises/02.authentication/04.solution.third-party-providers/README.mdx

@@ -1,3 +1,23 @@
 # Third-party providers
 
 - How to test authentication that uses a third-party provider, like GitHub (usually OAuth).
+
+## Approaches
+
+1. Test users. Create an actual user of your third-party server and use their credentials in tests.
+  - Pros:
+    - Actual user.
+    - Running OAuth fully.
+  - Cons:
+    - Rigid. Need different user states? Have to create different users.
+    - Brittle. Some providers dislike automation in general and might block your test user.
+1. **API mocking + test data**. Intercept the OAuth flow and respond with mocked data. Requires you to have a mock user, too.
+  - Pros:
+    - Full control. Tap into any user/OAuth state/behavior.
+  - Cons:
+    - OAuth never really runs (not a bad thing).
+    - Coupled to the provider. You MUST replicate the network flow + data structures used by the provider in real life. Great if they ship some SDKs or typedefs to help you out. Not so great if you have to type it by hand (risk getting stale).
+
+
+- https://github.com/epicweb-dev/epic-stack/blob/97135fcd7899cab299b402f36804b0d169e87d9d/tests/e2e/onboarding.test.ts#L197
+- https://github.com/epicweb-dev/epic-stack/blob/97135fcd7899cab299b402f36804b0d169e87d9d/tests/mocks/github.ts#L136