When I run the quick start scan with the configuration the authentication tester found, it doesn't seem to actually find much, which makes me suspect it fails to log in, and running the AJAX spider scan manually in non-headless mode seems to just loop on the login form forever (it keeps logging in and then just closes and reopens and does it again...).
I would be glad of some help on how to configure this correctly. The app uses firebase-js-sdk, which saves the actual token in IndexedDB and passes it manually in JavaScript when using the Firebase APIs, which are hosted on a different domain from the app. There is no server-side rendering and the token isn't passed in any other server requests to the app, so there isn't any obvious URL I can request to check if the app is authenticated outside the browser. So it should be the same as the Firebase auth UI demo:
https://fir-ui-demo-84a6c.firebaseapp.com/.
Also a few other questions:
1. If you manually explore your app, can you somehow export the discovered URLs to be used by an automated scan?
2. Since ZAP is looking into HTTP stuff, our Vite dev server isn't configured with all the security stuff a deployed app is configured with... I'm wondering what the best practice is here? Should I fully deploy the app to a separate deployment for automated testing? Or should I try and configure a local preview server that is as close as possible to the deployed config?
3. What's the current recommended way to run ZAP automatically? And how do I exclude some alerts or mark them as false positives in such a configuration, so that such a job will only really alert when something new/actual is detected?