What is the best setup to test an application that is fully behind a login? I include the auth middleware through route groups. I suppose there is no point in testing all pages and actions as a not logged in user to see they indeed have no access.
Jeffrey shows a lot of that and more in the newest series: https://laracasts.com/series/lets-build-a-forum-with-laravel
Basically in the test, create a new user and log them in and use that user for the test. Since you'll do that a lot, it might be best to create a new class and then have your test class extend that and create a method to create a user and log them in.
Do you need your final project to be completely behind login, or will there be unauthenticated pages/functionality as well?
Because in that case, I think you're best bet is to take the full login outside the application and place it in front, for instance by making the public folder protected using .htaccess authentication.
This way, your application behaves like it will work once you push it to production, but you still won't have any snoopers around.
Of course, you can make this a lot simpler by only allowing certain IP addresses too, but this is not always a solution when your addresses tend to change.
//Edit: okay, disregard this one, as I seem to have completely misread/misunderstood your question. My bad!
In one of the videos, Jeffrey was saying that he prefers to do such a test for very important routes, just to be double sure everything works as expected...
I agree with him. In my opinion it doesn't hurt to have an array of routes/url, iterate over them and check whether unauthorized users can access them or not.
And even if right now your application is fully behind the guarding middleware, you may end up having some routes working as callbacks which should be unguarded.
Thanks for the feedback. For now I'll go with a few tests just to be sure.
Please or to participate in this conversation.