How to disable extra login steps on an Confluence Cloud instance used only for end-to-end testing?

Hi!

We use a free Confluence Cloud instance (or many of them) for running end-to-end tests for our Confluence Cloud app Scroll Viewport.

Recently our end-to-end tests stopped working, because the test user cannot login anymore with its normal login credentials.

Instead the test user is always requested to enter an extra security code received via an e-mail. The e-mail has title “Verifying its you”, and text “As an added layer of security, you’re required to verify your identity. To access Confluence, enter the following code: …”

Logging in once manually with the test user does not fix the issue.

Scripting around this would be challenging, so I thought to ask if someone knows how this extra login layer could be disabled? The test system only contains test data, so security is not an issue here.

Cheers,
Riku

We are having the same problem, any workaround ? in our case, only seems to happen in headless mode. Would be nice to be able to switch this off for testing purpose

Can confirm the issue also for Jira (why would it be any different). Looking for a workaround.

We’re also impacted. Our End-to-end github action tests are blocked since the extra validation step is required.

Same here.
Also impacted our end-to-end testing suite.

Is there a way to get somebody from Atlassian to comment on this? This is really a blocker for us in terms of testing, release planning etc. I have created a support ticket already and linked this post.

P.S.: Dev Support would forward you to Customer Support. That’s what happened to me at least.

What is happening again and again, is that cloud provider ( SaaS ) is failling to recognize they are cloud provider: Meaning, we can only test app integrations in their environment, which is OK, but not providing any improvements for that - which is not OK.

So far we are doing automated testing by introducing many workarounds in tests, which are every time more and more cumbersome, consume time and energy.

But what we really need from cloud provider are test instances:

• with popups disabled ( marketing / tutorials / announcements )
• with 2FA disabled
• without login rate limit

This is what people do, when they have control over their testing environments. And this is the way to remove 80% of problems with automated testing.

In case it can help, we solved it login with user API_TOKEN instead of using UI

Could you elaborate? Entry points for login, response and how exactly you utilized it? I assume you are storing sessions?

We are intercepting atlassian requests and adding credentials to the authentication header using the user email and API_TOKEN and works properly. In our case we use testcafe which allows to intercept request with the requestHook

We have figured out how to use Playwright with one-time passwords (OTP).
If someone else is using the same tool, this might be helpful.

We have made use of otpauth - npm.
As a recommendation, use ZXing Decoder Online to decode the QR code and get the secret.

A sample of implementation is as follows:

import { TOTP } from 'otpauth'

const TOTP_SECRET = env.ATLASSIAN_OTP

if (!TOTP_SECRET) {
  throw new Error('ATLASSIAN_OTP is not set.')
}

const totp = new TOTP({
  issuer: 'Atlassian',
  label: 'Atlassian',
  algorithm: 'SHA1',
  digits: 6,
  period: 30,
  secret: TOTP_SECRET
})

[...]

const totpInput = page.getByPlaceholder('6-digit verification code').first()

const totpValue = totp.generate()
await totpInput.fill(totpValue)

Hopefully, other test frameworks and/or languages will have comparable solutions.

What node version are you on? I get “Missing HMAC function” error. Different version of crypto maybe? Anyhow, I gave it a shot with another library and I can generate a 6-digit verification code which is working, node library:

import * as twoFactor from 'node-2fa'

const TOTP_SECRET= "Password extracted from QR"

const newToken = twoFactor.generateToken(TOTP_SECRET)

console.log("TOTP Value:", newToken?.token)```

I am working with Node 18.

This solved it for us - thank you very much for sharing!