June 3, 2019

Notes: Amber Race, Exploring Service APIs Through Test Automation using Postman

Want to learn about testing REST APIs? Make sure to check out Amber Race's Exploring Service APIs Through Test Automation, part of Angie Jones' free Test Automation University. Amber is a Software Development Engineer in Test at Big Fish Games and blogs about her work at AmberTests.com.

Amber talks about testing tricks such as:
  • Exploring public APIs such as Spotify where you can get a musical artist's album information.
  • Importing API data into Postman by capturing information seen in Google Developer Tools -> Network by the "Copy as cURL" command. Importing the cURL commands into Postman by "Paste as Raw Text".
  • Practicing API testing with Mark Winteringham's Restful-Booker API Playground which has some bugs built into it you can try to find.  
  • Setting up Get, Post, Put and Patch requests using the Restful Booking API Docs, setting up a token to get authorization.
Amber walks you through setting up the NodeJS Restful-Booker app locally so we have more opportunities to set up tests in Postman. Amber has a companion project stored in GitHub, with content such as the RestfulBooker Postman Collection all set up.


What I loved most of all? Amber showcases her POISED mnemonic to describe API Testing: Parameters, Output, Interop, Security, Errors and Data.
Parameters: What happens if you replace, say, a first name field with an empty field, nulls, spaces? Does the API catch errors as you think it should? Do they match the spec? If you leave off a required field, does it throw the expected error? What happens if you insert strings for booleans or numbers? See how the system reacts, and see if it throws 500 errors.

Output: What kind of HTTP Status Codes, Error Messages, or Logging is thrown? Do you get the proper 200 OK status when something happens? Or do you get weird codes such as 201? If you choose to get reports, setting the "Accept" header to "application/xml" or "application/json", does that feature work for both types? Do your logs have extra information if there are 500 errors?

Interop: Test the interoperability between services, so that systems can get the information that they need. What happens if the date format is changed from YYYY-MM-DD to the United States MM-DD-YYYY or the European DD-MM-YYYY? When getting data such as users, are we given an understandable first and last name, or do we get a user id where we now need to search another table?

Security: If you are supposed to have an authorization or a cookie header in order to log into the API, does that work? Turn Authorization type to "No Auth" and see what happens. For Cross Site Scripting (XSS) attack simulation, submit into a text field "<script>alert(\"gotcha\")</script>" and see if you can get the API to execute code. Check for validation, such as having angle brackets not allowed.

Errors: Testing Errors and Exception Handling. If you submit bad credentials (a 401 Unauthorized Response), does it give an error message of "Bad credentials" but a "200 OK" status code? Try to match up the error conditions with the codes. And try to avoid the cryptic "500 Internal Server Error". There should be exception messages or debug logs describing what happened so developers can troubleshoot. If you post to an API and receive an error message, is a new record erroneously created?

Data: Did a record return a user id? Check that all ids represent the records that are supposed to be displayed. Don't assume that everything is correct just because you get a 200 OK. With Currency, does it list whether it is USD or GBP? What happens if you have 100, 1000, or 10000 users in the database? How about a million? How many milliseconds does it take for the data to return?
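
The Parameters, Security and Errors checks above, written out as an added example (not from Amber's course or its companion project): a Node.js function that triages recorded request/response pairs and names each mismatch. The exchanges, the `auth` and `malformed` flags, and the finding labels are constructed for illustration.

```javascript
// Methods assumed to require a token in this constructed example.
const PROTECTED = new Set(["PUT", "PATCH", "DELETE"]);

function poisedFindings(ex) {
  const { request: req, response: res } = ex;
  const findings = [];
  const ok = res.status >= 200 && res.status < 300;
  // Security: a write sent with "No Auth" must not succeed.
  if (PROTECTED.has(req.method) && !req.auth && ok) findings.push("auth-not-enforced");
  // Security: markup sent in a field should be rejected or encoded, not echoed raw.
  for (const v of Object.values(req.body || {})) {
    const echoed = res.body.includes(v) || res.body.includes(JSON.stringify(v).slice(1, -1));
    if (typeof v === "string" && /[<>]/.test(v) && ok && echoed) findings.push("markup-echoed-unencoded");
  }
  // Errors: an error payload must not ride on a success status.
  if (ok && /"(reason|error)"\s*:/i.test(res.body)) findings.push("error-with-2xx");
  // Parameters: malformed input should produce a 4xx, never a 500.
  if (req.malformed && res.status >= 500) findings.push("5xx-on-bad-input");
  return findings;
}

// Constructed sample exchanges; not captured from a real service.
const xss = '<script>alert("gotcha")</script>';
const samples = [
  { name: "PUT with No Auth", request: { method: "PUT", auth: false, body: { firstname: "Ann" } },
    response: { status: 200, body: '{"firstname":"Ann"}' } },
  { name: "script tag in firstname", request: { method: "POST", auth: true, body: { firstname: xss } },
    response: { status: 200, body: JSON.stringify({ bookingid: 7, booking: { firstname: xss } }) } },
  { name: "bad login", request: { method: "POST", auth: false, body: { username: "x", password: "y" } },
    response: { status: 200, body: '{"reason":"Bad credentials"}' } },
  { name: "string for number", request: { method: "POST", auth: true, malformed: true, body: { totalprice: "abc" } },
    response: { status: 500, body: "Internal Server Error" } },
  { name: "PUT with No Auth, rejected", request: { method: "PUT", auth: false, body: { firstname: "Ann" } },
    response: { status: 403, body: "Forbidden" } },
];

function report(exchanges) {
  return exchanges.map((ex) => ({ name: ex.name, findings: poisedFindings(ex) }));
}

console.log(JSON.stringify(report(samples), null, 2));
```

The last sample is the passing case: the unauthenticated write is refused, so it produces no findings.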

Data Driven Testing

Amber also walks the user through automating all these tests in Postman, how Postman handles data driven testing, and how to set the tests up with Continuous Integration with Newman.

There is a lot of content here! Make sure to spend time practicing the techniques listed, checking to see if you can find other errors in the Restful-Booker API Playground.

Happy Testing!

-T.J. Maher
Sr. QA Engineer, Software Engineer in Test
Meetup Organizer, Ministry of Testing - Boston

