
fake-spotify-api
A fake version of the Spotify API to allow:
You'll need npm installed. Run `npm install`.
Run `npm install chai --save-dev` and `npm install chai-http --save-dev`. You can then run the app as part of your tests using:
```typescript
import chai from 'chai';
import chaiHttp from 'chai-http';
import { fakeSpotifyApi } from 'fake-spotify-api';

chai.use(chaiHttp);
const request = chai.request;

describe('Some API', () => {
  let server: ChaiHttp.Agent;

  beforeEach(async () => {
    // Start a server using the Fake Spotify API. Use the agent so that the sp_ac cookie created in signup is sent automatically and authorizes later requests.
    server = request.agent(fakeSpotifyApi).keepOpen();

    // Create a user. Note that this is not possible with the real Spotify API - you'd have to go through the signup process on the website.
    await server.post('/signup').type('form').send({
      display_name: 'Test',
      email: 'test@example.com',
      password: 'secret',
    }); // You can use the response to this to get the user ID

    // Call the authorize endpoint, which replies with a redirect to the supplied location, adding the token details.
    await server.get('/authorize').query({
      client_id: '1',
      redirect_uri: encodeURIComponent('http://localhost/'),
      response_type: 'token',
    }).redirects(0); // You can use the headers.location property of the response to get the token_type and access_token
  });

  // ...Add your tests here

  afterEach(async () => {
    // Shut down the server so that we don't leave lots of these lying around
    server.close();
  });
});
```
See the end2end tests folder for examples.
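The comment on the `/authorize` call above says to read `token_type` and `access_token` out of `headers.location`. Here is an added example of doing that in a test, written for this README and not shipped with fake-spotify-api. It assumes the implicit-grant layout (`access_token`, `token_type`, `expires_in` in the URL fragment after `#`) and insists that the part of the redirect before `#` is exactly the `redirect_uri` the test requested, so a test fails loudly if the fake ever redirected somewhere else. The sample `Location` value is constructed.

```typescript
// Added example for this README (not code shipped with fake-spotify-api):
// read the implicit-grant token that /authorize returns in the Location
// header. The fragment keys (access_token, token_type, expires_in) follow the
// Spotify implicit grant; the sample header below is constructed for the test.

interface TokenDetails {
  accessToken: string;
  tokenType: string;
  expiresIn?: number;
}

// Parse "key=value&key=value" into a map, percent-decoding each part.
function parseFragment(fragment: string): { [key: string]: string } {
  const out: { [key: string]: string } = {};
  if (fragment === '') {
    return out;
  }
  const pairs = fragment.split('&');
  for (let i = 0; i < pairs.length; i++) {
    const eq = pairs[i].indexOf('=');
    const key = eq === -1 ? pairs[i] : pairs[i].slice(0, eq);
    const value = eq === -1 ? '' : pairs[i].slice(eq + 1);
    out[decodeURIComponent(key)] = decodeURIComponent(value);
  }
  return out;
}

// Extract the token from the redirect and insist that the part before '#'
// is exactly the redirect_uri the test asked for (exact matching is what a
// real authorization server should do; a test should be no less strict).
function parseTokenRedirect(location: string, expectedRedirectUri: string): TokenDetails {
  const hashAt = location.indexOf('#');
  const base = hashAt === -1 ? location : location.slice(0, hashAt);
  if (base !== expectedRedirectUri) {
    throw new Error('redirect went to ' + base + ', expected ' + expectedRedirectUri);
  }
  const params = parseFragment(hashAt === -1 ? '' : location.slice(hashAt + 1));
  const accessToken = params['access_token'];
  const tokenType = params['token_type'];
  if (!accessToken || !tokenType) {
    throw new Error('redirect did not carry access_token and token_type');
  }
  const hasExpiry = Object.prototype.hasOwnProperty.call(params, 'expires_in');
  return {
    accessToken: accessToken,
    tokenType: tokenType,
    expiresIn: hasExpiry ? Number(params['expires_in']) : undefined,
  };
}

// Value to put in the Authorization header of later requests.
function authorizationHeader(t: TokenDetails): string {
  return t.tokenType + ' ' + t.accessToken;
}

// True when the redirect is rejected (wrong target or no token in the fragment).
function redirectIsRejected(location: string, expectedRedirectUri: string): boolean {
  try {
    parseTokenRedirect(location, expectedRedirectUri);
    return false;
  } catch (err) {
    return err instanceof Error;
  }
}

// Constructed sample of what a test would find in res.headers.location.
const SAMPLE_LOCATION =
  'http://localhost/#access_token=abc123&token_type=Bearer&expires_in=3600';
```

In the `beforeEach` above you would keep the response of the `/authorize` call, pass `res.headers.location` to `parseTokenRedirect`, and use `authorizationHeader(...)` on requests that need a bearer token rather than the cookie.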
Run `npm start`.
For environment variables see `.env`.
There are two types of endpoint:
You should be careful not to use the helper endpoints outside of your tests.
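Helper endpoints such as `/signup` create state that the real Spotify API never lets a client create, so a fake that is left reachable outside a test run is a risk. The gate below is an added example written for this README, not the package's own routing code: it refuses helper paths unless the process runs with `NODE_ENV=test` and the caller is on loopback. The helper path list and both checks are assumptions chosen for illustration; the README does not list the package's helper routes beyond `/signup`.

```typescript
// Added example for this README, not the package's own routing code: a gate
// that keeps the test-only helper endpoints (such as /signup, which the real
// Spotify API does not expose) from being reachable outside a test run.
// The helper path list and the two checks are assumptions chosen for
// illustration; the package's own helper routes are not listed in the README.

const HELPER_PATHS: string[] = ['/signup']; // assumed: endpoints that only seed test state
const LOOPBACK_ADDRESSES: string[] = ['127.0.0.1', '::1', '::ffff:127.0.0.1'];

interface GateDecision {
  allowed: boolean;
  status: number;
  reason: string;
}

function gateHelperEndpoint(
  pathname: string,
  nodeEnv: string | undefined,
  remoteAddress: string
): GateDecision {
  // Strip any query string so '/signup?x=1' is still recognised as a helper path.
  const q = pathname.indexOf('?');
  const path = q === -1 ? pathname : pathname.slice(0, q);
  if (HELPER_PATHS.indexOf(path) === -1) {
    return { allowed: true, status: 200, reason: 'not a helper endpoint' };
  }
  // Outside a test run answer 404, so the helper route's existence is not advertised.
  if (nodeEnv !== 'test') {
    return { allowed: false, status: 404, reason: 'helper endpoints are disabled unless NODE_ENV=test' };
  }
  // Even in a test run, only accept the helper call from the local machine.
  if (LOOPBACK_ADDRESSES.indexOf(remoteAddress) === -1) {
    return { allowed: false, status: 403, reason: 'helper endpoints only accept loopback clients' };
  }
  return { allowed: true, status: 200, reason: 'test helper permitted' };
}
```

In an Express-style app this would run at the front of the middleware chain with `req.path`, `process.env.NODE_ENV` and `req.socket.remoteAddress`, sending `status` and stopping when `allowed` is false; the real endpoints pass through untouched.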
All I've found is:
There are lots of different definitions for these. I've used the one from https://martinfowler.com/articles/mocksArentStubs.html
A lot.
I've used vscode with the following plugins:
And the following in my User Settings json:

```json
{
  "createTest.srcFolder": "src",
  "createTest.testFolder": "tests/unit",
  "createTest.testFileExtension": ".spec.ts",
  "createTest.testFileTemplate": [
    "import ${moduleName} from '${modulePath}';",
    "import { expect } from 'chai';",
    "",
    "describe('${moduleName}', () => {",
    "  it('does something', () => {",
    "    ",
    "  });",
    "});"
  ],
  "mocha.requires": ["ts-node/register"],
  "mocha.files.glob": "./tests/**/*.spec.ts",
  "javascript.preferences.quoteStyle": "single",
  "prettier.singleQuote": true,
  "prettier.tabWidth": 2,
  "prettier.trailingComma": "es5",
  "prettier.tslintIntegration": true,
  "typescript.preferences.quoteStyle": "single",
  "typescriptHero.imports.organizeOnSave": true,
  "editor.tabSize": 2
}
```

```js
process.env.NODE_ENV = "test"
```
The best place to start is in the src/controllers folder. This is where incoming requests are handled.
Run `npm run test` to run all the tests.
Run `npm run watch` to run the application and watch for changes in source files, which will be automatically built into the application.
Add `/* tslint:disable:no-unused-expression */` to the top of test files. I've tried to disable this for test files but failed. I tried:
FAQs
Fake version of the Spotify API for testing against
The npm package fake-spotify-api receives a total of 0 weekly downloads. As such, fake-spotify-api popularity was classified as not popular.
We found that fake-spotify-api demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.