Common strategies for supporting testing complicated scenarios that may also be dependent on 3rd parties

I have an app with a backend (Ruby on Rails) that provides APIs, a web app, an iOS app and an Android app that consume these APIs.

The app is used by people from lots of different countries. To use the app there are a set of verifications the customer must pass – like they provide their address that we then verify is theirs. We use 3rd parties to perform this verification. The verification requirements vary from country to country.

Web, iOS and Android submit the verification info to backend using APIs, and the APIs then talk to our verification service which then talks to 3rd parties.

Web, iOS and Android engineers would like the ability to easily test the app as users from different countries. They would also like to test different scenarios: user submits verification info and the result is that verification failed, or the result is that more info is required etc.

The 3rd party services we rely on do not provide a sandbox or staging environment or ability to deterministically elicit a certain result (verification failed, was successful etc.).

The folks working on verification service abstraction layer are also not in a position currently to provide support for this type of testing.

So, I am looking into various solutions to make this type of testing possible for our client engineers without waiting for the services to implement this support. Some ideas I have:

  1. The verification APIs will accept additional set of parameters in development and staging environments, nested in a testing attribute. When the testing param is present, the APIs will mock the desired result (including database records) without ever talking to the verification service and return that. Client engineers would implement support in their apps to make it easy for developers to use these params in dev/staging/beta environments. Example param: {testing:{target_status: 'failed', failure_reason: 'bad info'}}

  2. Similar to approach (1) but instead of params, the verification APIs will accept the testing options in custom request headers. This helps keep the API contract uncontaminated.

  3. Use ‘canned’ values. If the verification info uploaded contains first name of ‘xyz’, then return failure with reason code of ‘bad info’ etc. This is least amount of work for client engineers but has a few shortcomings imo: (1) the number of canned values will keep increasing (for example one canned value for each possible failure reason). (2) some APIs do not accept anything other than a file upload. This would require either using a canned file with some smart detection on backend to identify this file or rely on the user attributes, like user’s first name. I do not like depending on user attributes since you can now test only one type of result with this user.

I haven’t worked at companies where we had to solve this type of problem. Online searches showed companies using canned values (example PayPal’s sandbox region lets you create test accounts with certain characteristics) or mocked APIs.

My questions for this community is: Based on your experience, what is the best way to solve this problem?

Thank you!

Are there issues with allowing parties to accidentally succeed at encounters with DC checks?

During Waterdeep Dragon Heist, there are a number of faction missions, one of which is:

With a suggested solution:

Given that a suggested solution involves the party spending money and checks of a given DC.

The party’s solution was:

So, while fun, roleplay not rollplay, but without paying or using checks, the party seem to have solved the requirements of the mission.

What are the issues with not charging/challenging the players in this case? Are there any compelling reasons to force the party to follow the suggested, published solutions closer?

Parties and Messages in SQL e-Commerce db design

I’m posting a follow-up question based on my first question. My goal is to, as an exercise for myself, create a complex (in my opinion) e-commerce application. The explanation of the application can be found in my first question.

This concerns the parties of my application. It can have Users & Companies. Companies always have an owner (user) and they can have Employees who act on behalf of the company. Companies can buy products from other companies, users can buy products from companies. To negotiate the internal messaging system will be used.

  1. How can I make sure I know which of the company contacts (employees) was in contact (messaging) with the buyer (who also can be an employee of another company)? Maybe this should also include orders as I would also like to know which employee made the purchase or which employee sold the product.

  2. How do I make sure an employee is linked to 1 company? And that employee cannot act in the role of user.

This is my db schema: (updated with missing relationship between user and company)

DB Schema

As requested I’ve only put a subset of code to be reviewed. This is the part with Parties (Users and Companies) and Messages.

This is the SQL code:

-- ************************************** [dbo].[PartyType]  CREATE TABLE [dbo].[PartyType] (  [PartyTypeCode] nvarchar(5) NOT NULL ,  [Description]   nvarchar(50) NOT NULL ,  [Name]          nvarchar(50) NOT NULL ,    CONSTRAINT [PK_PartyType] PRIMARY KEY CLUSTERED ([PartyTypeCode] ASC) ); GO  -- ************************************** [dbo].[Party]  CREATE TABLE [dbo].[Party] (  [PartyId]       uniqueidentifier NOT NULL ,  [PartyTypeCode] nvarchar(5) NOT NULL ,    CONSTRAINT [PK_Party] PRIMARY KEY CLUSTERED ([PartyId] ASC),  CONSTRAINT [PartyToPartyType_FK] FOREIGN KEY ([PartyTypeCode])  REFERENCES [dbo].[PartyType]([PartyTypeCode]) ); GO  -- ************************************** [dbo].[User]  CREATE TABLE [dbo].[User] (  [UserId] uniqueidentifier NOT NULL ,    CONSTRAINT [PK_User] PRIMARY KEY NONCLUSTERED ([UserId] ASC),  CONSTRAINT [FK_18] FOREIGN KEY ([UserId])  REFERENCES [dbo].[Party]([PartyId]) ); GO   -- ************************************** [dbo].[Company]  CREATE TABLE [dbo].[Company] (  [CompanyId] uniqueidentifier NOT NULL ,  [OwnerId]   uniqueidentifier NOT NULL ,    CONSTRAINT [PK_Company] PRIMARY KEY CLUSTERED ([CompanyId] ASC),  CONSTRAINT [FK_21] FOREIGN KEY ([CompanyId])  REFERENCES [dbo].[Party]([PartyId]),  CONSTRAINT [FK_243] FOREIGN KEY ([OwnerId])  REFERENCES [dbo].[User]([UserId]) ); GO  -- ************************************** [dbo].[Contact]  CREATE TABLE [dbo].[Contact] (  [ContactId] uniqueidentifier NOT NULL ,  [CompanyId] uniqueidentifier NOT NULL ,    CONSTRAINT [PK_Contact] PRIMARY KEY CLUSTERED ([ContactId] ASC),  CONSTRAINT [FK_229] FOREIGN KEY ([CompanyId])  REFERENCES [dbo].[Company]([CompanyId]) ); GO  -- ************************************** [dbo].[Thread]  CREATE TABLE [dbo].[Thread] (  [ThreadId] uniqueidentifier NOT NULL ,    CONSTRAINT [PK_Thread] PRIMARY KEY CLUSTERED ([ThreadId] ASC) ); GO  -- ************************************** [dbo].[ThreadParticipator]  CREATE TABLE [dbo].[ThreadParticipator] (  [ThreadId] uniqueidentifier NOT NULL ,  [PartyId]  uniqueidentifier NOT NULL ,    CONSTRAINT [PK_ThreadParticipator] PRIMARY KEY CLUSTERED ([PartyId] ASC, [ThreadId] ASC),  CONSTRAINT [FK_100] FOREIGN KEY ([PartyId])  REFERENCES [dbo].[Party]([PartyId]),  CONSTRAINT [FK_97] FOREIGN KEY ([ThreadId])  REFERENCES [dbo].[Thread]([ThreadId]) ); GO  -- ************************************** [dbo].[Message]  CREATE TABLE [dbo].[Message] (  [MessageId] uniqueidentifier NOT NULL ,  [ThreadId]  uniqueidentifier NOT NULL ,  [AuthorId]  uniqueidentifier NOT NULL ,    CONSTRAINT [PK_Message] PRIMARY KEY CLUSTERED ([MessageId] ASC),  CONSTRAINT [FK_211] FOREIGN KEY ([ThreadId])  REFERENCES [dbo].[Thread]([ThreadId]),  CONSTRAINT [FK_214] FOREIGN KEY ([AuthorId])  REFERENCES [dbo].[Party]([PartyId]) ); GO  -- ************************************** [dbo].[MessageReadState]  CREATE TABLE [dbo].[MessageReadState] (  [MessageId] uniqueidentifier NOT NULL ,  [PartyId]   uniqueidentifier NOT NULL ,    CONSTRAINT [PK_MessageReadState] PRIMARY KEY CLUSTERED ([MessageId] ASC, [PartyId] ASC),  CONSTRAINT [FK_88] FOREIGN KEY ([MessageId])  REFERENCES [dbo].[Message]([MessageId]),  CONSTRAINT [FK_91] FOREIGN KEY ([PartyId])  REFERENCES [dbo].[Party]([PartyId]) ); GO  -- ************************************** [dbo].[Address]  CREATE TABLE [dbo].[Address] (  [AddressId] uniqueidentifier NOT NULL ,    CONSTRAINT [PK_Address] PRIMARY KEY CLUSTERED ([AddressId] ASC) ); GO  -- ************************************** [dbo].[PartyAddress]  CREATE TABLE [dbo].[PartyAddress] (  [PartyId]   uniqueidentifier NOT NULL ,  [AddressId] uniqueidentifier NOT NULL ,    CONSTRAINT [PK_PartyAddress] PRIMARY KEY CLUSTERED ([AddressId] ASC, [PartyId] ASC),  CONSTRAINT [FK_55] FOREIGN KEY ([PartyId])  REFERENCES [dbo].[Party]([PartyId]),  CONSTRAINT [FK_58] FOREIGN KEY ([AddressId])  REFERENCES [dbo].[Address]([AddressId]) ); GO 

Having one OIDC provider and multiple APIs from third parties, how can I federate logins?

If I have an app which authenticates against one OIDC provider eg. Google but then uses the provided id- and access-token to make request against a 1. app-api and 2. a third-party-api using the tokens from before.

Is this possible how does this work where can I learn more? I know about OpenID Connect but only in a “single backend api flow”. I came across OpenID Federation but do not know if this is the standard. Can anybody help me out?

Last but not least how to I manage roles in this type of setup? Someone mentioned custom claims for this, as a property of the token but I could not really get a clue about this either.

In summary: How do I do enterprise authentication and access management having third party APIs but only one place to sign up and login?

Having one OIDC provider and multiple APIs from third parties, how can I federate logins?

If I have an app which authenticates against one OIDC provider eg. Google but then uses the provided id- and access-token to make request against a 1. app-api and 2. a third-party-api using the tokens from before.

Is this possible how does this work where can I learn more? I know about OpenID Connect but only in a “single backend api flow”. I came across OpenID Federation but do not know if this is the standard. Can anybody help me out?

Last but not least how to I manage roles in this type of setup? Someone mentioned custom claims for this, as a property of the token but I could not really get a clue about this either.

In summary: How do I do enterprise authentication and access management having third party APIs but only one place to sign up and login?

Can two parties accidentally pay the same lightning network invoice simultaneously?

If multiple Lightning nodes attempt to pay the same invoice (using the same payment request), is it absolutely necessary that no more than one of the attempts will succeed (that is, only one payer will learn the preimage)?

I’d expect that clients try to not make multiple payments happen. What I’m willing to learn is whether it’s actually impossible by protocol design.

What payment information does apple give to third parties? [on hold]

When using an app on an iOS device downloaded and installed from the app store you often have the ability to make in app purchases through the app store.

What information exactly is given by apple to the third party when doing so? Is billing information (credit card numbers) or user account names / emails handed over?

Is there a way to use AWS for asymmetric encryption by multiple parties? [on hold]

I need to encrypt some data with one EC2 instance and decrypt it from another EC2 instance. I believe that asymmetric encryption would be best for this problem to help the security of the system. Is there a way to save the 2 keys on AWS and have them have different user roles or something like that, so that only the one can get the encryption key and the other can get the decryption key?

How can I run a session where two parties play at the same time?

A player of mine had an interesting concept where two parties who are opposed to each other would play at the same time in the same session. In essence the plot would be a group of thieves have been hired to steal some kind of magical artefact from a castle, and the first part of the session would be this group infiltrating the castle and getting to the artefact.

Once they remove it however, of course alarms will go off, or a pair of patrolling guards will see it’s missing on their next rotation. This would then introduce the second party who are a group of elite guards.

I was thinking the easiest way to run it would be to give each group 30 seconds to decide their course of action, and then act upon it. The guards will have a map so they can point out to the DM where they want to move next, and the thieves wil have a map revealed to them as they travel along that they can point at to try and avoid metagaming as well as other punishments for metagaming. Naturally the two parties will e at opposite ends of the room.

How can I run a session like this where there are two different parties in the same session?