How to perform REST API Testing

Harveen Kaur
7 min read · Jan 19, 2021

What is an API?

An API is a software intermediary that allows two applications to interact with each other, i.e. it lets your product communicate with other products without having to know how they are implemented. APIs are used to aid server-client communication.

A Third-Party API is an API created by a third party (the Target). It is a set of rules and regulations through which partial access (depending on the authentication and the query passed) to the First-Party (Source) system or program can be gained.

REST API Methods

REST API methods are used to perform specific actions on the target resources, which can be any entity residing under the third party, e.g. Users, Projects, Work Items, etc. (in the case of DevOps).

These are the REST API methods:

GET — Used to fetch the Record details for representational purposes only, i.e. the Record cannot be modified. Examples:

Getting a list of all the Users

Getting the properties of a User based on its ID

POST — Used to create a new Record

PUT — Used to update an existing Record. Here we need to pass the unique property of the Record which needs to be updated

DELETE — Used to delete any Record. Here we need to pass the unique property of the Record which needs to be deleted

PATCH — Used to update any Record partially. PUT is more suitable when we want to replace the entire Record. To perform a PATCH operation we first need to know the Record's properties, and we can use GET for this:

{"id": 1, "username": "admin", "email": "email@example.org"}

Now, if we need to update only the email, the request will be the following (a JSON Patch body with a single replace operation):

HTTP PATCH /users/1 [{"op": "replace", "path": "/email", "value": "NewEmailID@example.org"}]
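As an added example (not code from the original post), here is a small Python implementation of the JSON Patch format that request body uses: RFC 6902 operations (replace, add, remove) addressed by RFC 6901 pointers, applied to the sample record above. It handles object members only, and the names apply_patch and parse_pointer are chosen here.

```python
import copy
import json

# Constructed sample record, the same shape as the one in the text.
USER = {"id": 1, "username": "admin", "email": "email@example.org"}


def parse_pointer(path):
    """Split an RFC 6901 JSON Pointer such as "/email" into its keys,
    undoing the ~1 (slash) and ~0 (tilde) escapes in that order."""
    if path == "":
        return []
    if not path.startswith("/"):
        raise ValueError("JSON Pointer must start with '/'")
    return [p.replace("~1", "/").replace("~0", "~") for p in path[1:].split("/")]


def apply_patch(doc, ops):
    """Apply a list of RFC 6902 operations to a copy of doc and return it.
    Unknown ops and a replace on a missing member are rejected, which is
    what a server should do instead of half-applying a malformed patch."""
    doc = copy.deepcopy(doc)
    for op in ops:
        keys = parse_pointer(op["path"])
        if not keys:
            raise ValueError("operations on the whole document are not supported")
        parent = doc
        for key in keys[:-1]:      # walk down to the parent object
            parent = parent[key]
        last = keys[-1]
        kind = op.get("op")
        if kind == "replace":
            if last not in parent:
                raise KeyError(f"replace target {op['path']} does not exist")
            parent[last] = op["value"]
        elif kind == "add":
            parent[last] = op["value"]
        elif kind == "remove":
            del parent[last]
        else:
            raise ValueError(f"unsupported op {kind!r}")
    return doc


if __name__ == "__main__":
    # The request body from the text, as it would arrive on PATCH /users/1.
    body = '[{"op": "replace", "path": "/email", "value": "NewEmailID@example.org"}]'
    print(json.dumps(apply_patch(USER, json.loads(body))))
```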

Now the question arises: how will we know the exact endpoint (where the resource lives)? The answer is through the API documentation of the third party.

API Documentation

  • API documentation is a kind of manual containing all the information that is essential to work with an API; it illustrates how to use it or integrate with it.
  • To put it in other words, it is the main resource for learning what can be done with the API and how to get started.
  • For example, there is an open source tool named Swagger Editor. This tool automatically creates API documentation and generates client libraries for the API, which opens up possibilities like automated testing.

[Screenshot: Swagger Editor]

From the screenshot, you can see that a user can get the list of all API endpoints and the supported methods for each of them.

What is Authentication in REST API and why is this needed?

Authentication is the act of validating that users are who they claim to be, and of deciding whether the request to access the resource can be granted.

Types of authentication required:

  • No Auth:

No Authentication is a type where the user from the Source system does not have to pass any sort of information to prove their identity. The following sites provide access to API endpoints where no authentication is required:

https://reqres.in/api/users?page=2

https://cat-fact.herokuapp.com/facts

  • Basic Auth

In Basic authentication, we use a special HTTP header in which we add the Username and Password (user credentials of the third party) and send it along with the request. For instance, Freshdesk is a help desk or customer support software that allows companies or enterprises to manage their customer care effectively; its Basic authentication uses username and password for making the API calls. But the problem with Basic Auth is that the ID and password are passed over the network as clear text (only Base64-encoded, not encrypted) and hence it is not very secure.

  • OAuth (Implicit)

In the Implicit flow, the access token is sent back and used while making the API call without any further authorization step of exchanging a client secret. Here, unlike Basic Auth, the Username and Password are entered directly in the third-party application instead of being added to an HTTP header and sent along with the request. It is not suggested to use the implicit flow, as the access token is sent back directly without confirmation of the client that is to access the resource. The API does not know who is calling it, and hence anyone with that access token can gain access to the Third-Party data.

  • OAuth (Code Grant)

OAuth Code Grant authentication is more secure, as the client secret has to be provided to prove authorization. The "client" of the API (usually your web server) exchanges the code obtained for an access token, authenticating itself with a client id and client secret. It can then call the API with the access token. Hence, there is a double check from both sides, i.e. the resource and the client using the API; both are validated before access is granted. Notice the "authorization" nature of OAuth here: the user grants access to his resource (through the code returned after authentication) to an app, the app gets an access token, and calls the API on the user's behalf. For example, JIRA is a tool used for bug tracking, issue tracking and project management, and it supports the Authorization Code Grant flow.
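The three steps of the code grant described above, as a toy Python simulation that is an added example and not any provider's code. The client id, secret and redirect URI are constructed registration values, and the server logic is an assumption that models only the checks the text describes: the client secret is verified, the code is bound to the client that obtained it, and a code can be exchanged once.

```python
import hmac
import secrets

# Constructed registration data for a hypothetical app (the "app ID" and
# secret the text says you obtain by registering with the third party).
CLIENTS = {"app-123": {"secret": "s3cr3t-from-registration",
                       "redirect_uri": "https://app.example/callback"}}


class AuthorizationServer:
    """Toy model of the third party's OAuth server (an assumption, not any
    provider's code). Codes are single-use and bound to the client."""
    def __init__(self):
        self.codes, self.tokens = {}, {}

    def authorize(self, client_id, redirect_uri, user):
        # Step 1: the user signs in at the third party and grants access;
        # the code is only ever sent to the registered redirect URI.
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": user}
        return code

    def token(self, client_id, client_secret, code):
        # Step 2: the app's server trades the code for a token and must
        # prove it holds the client secret (the "double check" in the text).
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client_secret, client["secret"]):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)  # single use: a replay fails
        if grant is None or grant["client_id"] != client_id:
            raise PermissionError("invalid or foreign authorization code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = grant["user"]
        return token

    def resource(self, token):
        # Step 3: the API call itself, made on the user's behalf.
        user = self.tokens.get(token)
        if user is None:
            raise PermissionError("invalid access token")
        return {"user": user, "projects": ["demo"]}


def code_grant_flow(server, user):
    """Run the three steps end to end and return what the app can read."""
    code = server.authorize("app-123", "https://app.example/callback", user)
    token = server.token("app-123", CLIENTS["app-123"]["secret"], code)
    return server.resource(token)
```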

Registration of App under 3rd Party Application

Registering an application is required for OAuth-based authentication in order to authenticate users and request access to resources via the REST API.

For example, in case of Azure DevOps Services first, register your web app and get an app ID from Azure DevOps Services. Using that app ID, send your users to Azure DevOps Services to authorize your app to access their organizations. Next, use that authorization to get an access token for that user. When you call Azure DevOps Services APIs for that user, use that user’s access token. Access tokens expire, so refresh the access token if it’s expired.

Performing operations on 3rd Party Data with POST/DELETE/GET/UPDATE Requests using the Postman tool

Testing GET Requests

A GET request fetches the information of a resource. To test this, we will send a sample request; for sample requests, let's use https://reqres.in/

For making the first HTTP request (GET):

  1. First enter https://reqres.in/api/users?page=1 in the "Enter Request URL" text box.
  2. Click the "Send" button

-> You should be able to see the response in the Body section:

Testing POST Requests

With the help of a POST request, we can create a user in an application by sending data or parameters in the body; in response, the API sends back data showing that the record has been created. The response message can be the id of the data and the time when it was created, or a success message.

For making the first HTTP request (POST):

  • Select the POST method
  • Enter https://reqres.in/api/users in the "Enter Request URL" text box
  • Click on the Body tab and then select the "Raw" option.
  • In the text box, paste:

{
  "name": "John",
  "job": "QA"
}

  • Click on the "Send" button; the user should then see the response below

-> Also, verify whether the status code is correct; in this case you should get 'Status: 201 Created'

We can test our PUT and DELETE requests too with similar steps:

  • Check for the expected response.
  • Check for the correct status code.
  • Check the response time.

Verifying if Data coming from the 3rd Party is Valid or not

We can ask these questions to verify that:

  • Whether the required fields are present
  • Whether the data format of each field is as per the requirement (e.g. the Price is required to be in number format, but if it is coming as a string that would be a red flag)
  • Verify the HTTP status code is as expected. For example, status code 201 should be returned when a resource is created, and when a resource is not found, status code 404 Not Found should be returned.
  • Verify the payload responses, which consist of a data format like JSON or XML, and the error responses.
  • Verify the response headers, where headers are displayed as key-value pairs.
  • Check the basic performance sanity, i.e. if an action is executed successfully but took a lot of time, then we can say the test has failed.
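The checklist above turned into runnable code, as an added example that is not from the original post: a contract-driven response validator covering required fields, field types, the expected status code (the 201 from the POST test earlier), headers and response time. The names validate_response, CONTRACT and check_sample are chosen here, and the sample response is constructed; it deliberately returns price as a string so the red flag the text describes shows up as a finding.

```python
import json

# Constructed sample: what a POST /users call might return. The shape follows
# the reqres example in the text; the values here are made up.
SAMPLE_STATUS = 201
SAMPLE_HEADERS = {"Content-Type": "application/json; charset=utf-8"}
SAMPLE_BODY = ('{"name": "John", "job": "QA", "id": "42", '
               '"createdAt": "2021-01-19T10:00:00Z", "price": "19.99"}')

# Contract for the response, written the way the checklist asks its questions:
# required fields and their types, expected status, headers and a time limit.
CONTRACT = {
    "status": 201,
    "headers": {"Content-Type": "application/json"},
    "fields": {"name": str, "job": str, "id": str, "createdAt": str,
               "price": (int, float)},
    "max_seconds": 2.0,
}


def validate_response(status, headers, body, elapsed, contract):
    """Return a list of findings; an empty list means the response passed."""
    findings = []
    if status != contract["status"]:
        findings.append(f"status {status}, expected {contract['status']}")
    for name, want in contract["headers"].items():
        got = headers.get(name, "")
        if not got.lower().startswith(want.lower()):
            findings.append(f"header {name}={got!r}, expected {want!r}")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return findings + [f"body is not valid JSON: {exc}"]
    for field, kind in contract["fields"].items():
        if field not in data:
            findings.append(f"missing required field {field!r}")
        # bool is a subclass of int in Python, so exclude it from numeric checks
        elif not isinstance(data[field], kind) or isinstance(data[field], bool):
            findings.append(f"field {field!r} has type {type(data[field]).__name__}")
    if elapsed > contract["max_seconds"]:
        findings.append(f"response took {elapsed:.2f}s, limit {contract['max_seconds']}s")
    return findings


def check_sample():
    """Run the checklist over the constructed sample; 'price' arrives as a
    string, which the text calls a red flag, so exactly one finding is expected."""
    return validate_response(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY, 0.35, CONTRACT)
```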

Conclusion

To sum it up, I would say both positive and negative scenarios should be covered to improve test coverage, and tools like Postman and Swagger make it easier to test your applications.
