API Testing – Part 3 – Testing on Postman

Tram Ho

Authorization with Postman

In all previous examples, it was possible to send requests or post data without authentication. This is uncommon for web services or websites. There are many options and technologies for authorization and authentication; this part looks at some of them.

Authorization settings on collections

In Postman, you can set the required authentication variables separately for each request. But when you are testing an API and have a collection, you should make general settings that apply to all the requests in the collection.

  1. When you open the sidebar in Postman and move the cursor over the saved collection, a new “…” button will appear with access to the collection settings:

  2. Select “Edit” from the “more actions” menu to enter the collection settings:

Basic Auth

Select “Basic Auth” from the list. Basic access authentication is an authorization method that you may have encountered. In your web browser, calling any Basic Auth-protected page or directory will create a popup window with a login form:

  1. Enter the username and password as shown, then click Update:

  2. To test the configuration, make a GET request to a protected page:

  3. To verify that the authorization configuration is active, turn off Basic Auth and resend the request to the same page.
    • Go to the Authorization tab of the request and select “No Auth” from the dropdown:

  4. The web server will now display an error because the request has not been authenticated, but the directory requires Basic Auth authentication.
  5. After setting the Authorization type back to the default value “Inherit auth from parent”, look at the generated code: you can see that this authentication method works by sending an Authorization request header containing the username and password in Base64-encoded form:

Bearer Token

  • Bearer Token is quite similar to Basic Auth, in that it is transmitted as a required header. But instead of “Authorization: Basic”, it uses “Authorization: Bearer EXAMPLETOKEN”

  • A Bearer Token is a security token which implies that any party that holds it (the bearer) has access to the protected resource. Usually, it is created by the server in response to a login request

Try Bearer Token:

  1. Before you can test Bearer Token authorization, you will first have to undo the collection authorization setting. Otherwise, the server will try to apply Basic Auth to every folder you access and fail, because the other folders do not use the same username / password combination:

  2. Now, first create a POST login request to request the Bearer Token:

  3. When you click Send, the token “EXAMPLETOKEN” will be displayed in the response.
  4. If you submit an invalid username / password combination, the server will show you the login form again.
  5. Use the returned token in a new GET request:

  6. When you submit this request (don’t forget to save it in your collection), the response will let you know whether the request was successful:

Testing on Postman

Most of the testing methods from website functional testing can also be applied to API function testing.

Input validation (negative testing)

After testing for expected results, try different values ​​in a request:

  • Send a random piece of text in a date field and check the response
    • Is there an unexpected error?
    • Does the web service handle the failure?
  • Submit a request with required fields missing or with oversized values
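As an added example (not from the original post), here is a request handler hardened against the negative tests in this checklist, together with the check a tester applies to each response: the status must be a 4xx, never a 5xx, and the body must not leak a stack trace. The endpoint shape (`customer`, `deliveryDate`, `note`), the size limits and the sample requests are all constructed for illustration.

```javascript
// Added example: input validation that turns every bad input into a short 4xx
// response, plus the negative cases a tester would send. All values constructed.
const MAX_NOTE_LENGTH = 500;      // sample field limit
const MAX_BODY_BYTES = 4 * 1024;  // sample request-size limit

// Accepts only "YYYY-MM-DD" that names a real calendar day; returns it or null.
function parseDateField(value) {
  if (typeof value !== 'string' || !/^\d{4}-\d{2}-\d{2}$/.test(value)) return null;
  const d = new Date(`${value}T00:00:00Z`);
  // Date() may roll "2024-02-31" over to March; compare the round trip to catch that.
  if (Number.isNaN(d.getTime()) || d.toISOString().slice(0, 10) !== value) return null;
  return value;
}

// POST /shipments with a raw JSON body: returns { status, body }.
// Every failure path is a 4xx with a plain message and never a stack trace.
function createShipment(rawBody) {
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { status: 413, body: { error: 'request body too large' } };
  }
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { status: 400, body: { error: 'body is not valid JSON' } };
  }
  // JSON.parse happily returns null, numbers or arrays; reject anything but an object.
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { status: 400, body: { error: 'body must be a JSON object' } };
  }
  const errors = [];
  if (typeof body.customer !== 'string' || body.customer.length === 0) errors.push('customer is required');
  if (parseDateField(body.deliveryDate) === null) errors.push('deliveryDate must be YYYY-MM-DD');
  if (body.note !== undefined && (typeof body.note !== 'string' || body.note.length > MAX_NOTE_LENGTH)) {
    errors.push(`note must be a string of at most ${MAX_NOTE_LENGTH} characters`);
  }
  if (errors.length > 0) return { status: 400, body: { errors } };
  return { status: 201, body: { customer: body.customer, deliveryDate: body.deliveryDate, note: body.note ?? '' } };
}

// The tester's check for a negative case: a 4xx, and no stack-trace-like text.
function looksSafe(response) {
  const text = JSON.stringify(response.body);
  return response.status >= 400 && response.status < 500 && !/at .*\(.*:\d+:\d+\)|Error:/.test(text);
}

// Constructed negative cases matching the checklist above.
const NEGATIVE_CASES = {
  garbageDate: JSON.stringify({ customer: 'acme', deliveryDate: 'next tuesday' }),
  rolledOverDate: JSON.stringify({ customer: 'acme', deliveryDate: '2024-02-31' }),
  missingRequired: JSON.stringify({ deliveryDate: '2024-03-01' }),
  oversizedField: JSON.stringify({ customer: 'acme', deliveryDate: '2024-03-01', note: 'x'.repeat(MAX_NOTE_LENGTH + 1) }),
  tooLargeBody: JSON.stringify({ customer: 'acme', deliveryDate: '2024-03-01', note: 'x'.repeat(MAX_BODY_BYTES) }),
  notJson: '<xml/>',
  jsonNull: 'null',
};

// Runs every negative case and reports whether the response was handled safely.
function runNegativeCases() {
  const results = {};
  for (const [name, raw] of Object.entries(NEGATIVE_CASES)) {
    results[name] = looksSafe(createShipment(raw));
  }
  return results;
}

console.log(runNegativeCases()); // every case: true
```

The `jsonNull` case is the one most often missed: `JSON.parse("null")` succeeds, and a handler that then reads `body.customer` throws a TypeError, which an unguarded server turns into the 500 with a stack trace that the checklist warns about.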

Authentication

How does the API handle requests when you do not authenticate correctly? Is there an unexpected error, or even a stack trace in the output?

Verify API updated data structure

  • When you POST data, check the updated data (in a corresponding GET request, or in the response message):
    • Did all inputs come through?
    • Is anything truncated or lost?
  • After deleting a resource, verify that it no longer exists and has been deleted properly

Verify all limits

Many actions may be performed only once. Make sure the limits cannot be bypassed and that nothing breaks when you keep trying to bypass them. For example:

  • You can usually only mark one active shipping address at an online store
  • You may only submit your order (at the last step) once

Performance (if allowed)

If the customer doesn’t prohibit performance testing, you can check:

  • What happens when you submit the same request many times in a short period, especially large requests
  • Other performance-related items

Does the API work according to the specification?

Verify against the API documentation that all requests work as specified.

(To be continued)

Reference source:

Translated from: https://www.utest.com/academy/tracks/28/courses/authorization-with-postman

Source : Viblo