I'm currently blackbox testing a React SPA (the login page is located at the root of the url, e.g. https://myapp.com). The Webapp authenticates with Firebase and the session token is stored in the Indexed DB of the application.
The React app routes the request based to the authenticated section based on whether the session token is present in this part of the storage or not. Now I try to scan the authenticated section of the Webapp.
I've tried creating multiple authentication scripts for this problem. My first approach was to record a ZEST script. While it recorded the post requests to get the tokens just fine, I still couldn't scan the authenticated part.
Then I found this google forum where a user had a similar problem. I created a new login script which entered the login details and clicked the login button as described. While testing, I correctly launched a browser, logged in and got redirected to the correct page. When trying to use this method with an ajax spider, for every crawled URL a browser was launched, which logged in correctly, but in the background the spider still only crawled the non authenticated website and didn't use the authenticated site that was presented after the script has run.
As far as I understood I would need to extract the session token and then I can include this token in all my authenticated http requests. Unfortunately I still cannot access the restricted part of the webapp, as the ajax spider does not know that it has to put the session token in the local storage of the app.
How can I achieve this or is it somehow possible to spawn a browser which logs in with the script and then uses this spawned browser to continue with an ajax spider?