June 3, 2019

Notes: Amber Race, Exploring Service APIs Through Test Automation using Postman

Want to learn about testing REST APIs? Make sure to check out Amber Race's Exploring Service APIs Through Test Automation, part of Angie Jones' free Test Automation University. Amber is a Software Development Engineer in Test at Big Fish Games and blogs about her work at AmberTests.com.

Amber talks about testing tricks such as:
  • Exploring public APIs such as Spotify, where you can get a musical artist's album information.
  • Importing API data into Postman by capturing requests seen in Google Developer Tools -> Network with the "Copy as cURL" command, then importing the cURL commands into Postman with "Paste as Raw Text".
  • Practicing API testing with Mark Winteringham's Restful-Booker API Playground, which has bugs deliberately built in for you to find.
  • Setting up GET, POST, PUT and PATCH requests using the Restful Booking API Docs, and obtaining a token for authorization.
Amber walks you through setting up the NodeJS Restful-Booker app locally so we have more opportunities to set up tests in Postman. Amber has a companion project stored in GitHub, with content such as the RestfulBooker Postman Collection all set up.

POISED

What I loved most of all? Amber showcases her POISED mnemonic to describe API Testing: Parameters, Output, Interop, Security, Errors and Data.
Parameters: What happens if you replace, say, a first name field with an empty field, nulls, or spaces? Does the API catch errors the way you think it should? Do they match the spec? If you leave off a required field, does it throw the expected error? What happens if you insert strings for booleans or numbers? See how the system reacts, and see if it throws 500 errors.

Output: What kind of HTTP status codes, error messages, or logging come back? Do you get the proper 200 OK status when something succeeds? Or do you get unexpected codes such as 201? If you choose to get reports, and set the Accept header to "application/xml" or "application/json", does that feature work for both types? Do your logs have extra information if there are 500 errors?

Interop: Test the interoperability between services, so that systems can get the information they need. What happens if a date expected as YYYY-MM-DD arrives in the United States MM-DD-YYYY or the European DD-MM-YYYY format? When getting data such as users, are we given an understandable first and last name, or do we get a user id that we now need to look up in another table?

Security: If you are supposed to have an authorization or a cookie header in order to log into the API, does that work? Turn the Authorization type to "No Auth" and see what happens. For Cross Site Scripting (XSS) attack simulation, submit into a text field `<script>alert("gotcha")</script>` and see if you can get the API to execute code. Check for validation, such as angle brackets not being allowed.

Errors: Testing errors and exception handling. If you submit bad credentials (which should produce a 401 Unauthorized response), does it give an error message of "Bad credentials" but a "200 OK" status code? Try to match up the error conditions with the codes. And try to avoid the cryptic "500 Internal Server Error". There should be exception messages or debug logs describing what happened so developers can troubleshoot. If you post to an API and receive an error message, is a new record erroneously created?

Data: Did a record return a user id? Track down whether every id represents the record that is supposed to be displayed. Don't assume that everything is correct just because you get a 200 OK. With currency, does it list whether it is USD or GBP? What happens if you have 100, 1000, or 10000 users in the database? How about a million? How many milliseconds does it take for the data to return?
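As an added example (not code from the course or the Restful-Booker project), here are the Parameters, Security and Errors checks above written as plain JavaScript so they run outside Postman; inside Postman the same logic would sit in pm.test() callbacks reading pm.response. The request fields `needsAuth` and `missingRequired` are assumptions recording what the tester sent, and every sample exchange is constructed.

```javascript
// Added example, not code from the course or the Restful-Booker project: the
// POISED Parameters, Security and Errors heuristics as plain JavaScript checks.
// A request/response pair is a plain object here so the checks run anywhere.
// `needsAuth` and `missingRequired` are assumed request fields recording what
// the tester sent; they are not Postman properties.
const XSS_PROBE = '<script>alert("gotcha")</script>'; // probe from the Security note
const GENERIC_500 = /^\s*(internal server error)?\s*$/i; // body with nothing to troubleshoot

// Returns a list of findings; an empty list means the response is consistent.
function poisedFindings(req, resp) {
  const findings = [];
  const body = String(resp.body || '');
  const sent = Object.values(req.body || {});
  // Security: "No Auth" against a protected route must not be accepted.
  if (req.needsAuth && !req.auth && resp.status >= 200 && resp.status < 300) {
    findings.push('security: protected endpoint accepted request with no auth');
  }
  // Security: the probe came back byte-for-byte, so neither validation
  // (rejecting angle brackets) nor output encoding happened.
  if (sent.includes(XSS_PROBE) && body.includes(XSS_PROBE)) {
    findings.push('security: script probe reflected unescaped');
  }
  // Errors: the message says the credentials were bad but the code says 200 OK.
  if (resp.status === 200 && /bad credentials/i.test(body)) {
    findings.push('errors: "Bad credentials" with 200 OK, expected 401');
  }
  // Errors: a bare 500 gives developers nothing to troubleshoot with.
  if (resp.status === 500 && GENERIC_500.test(body)) {
    findings.push('errors: 500 with no diagnostic message');
  }
  // Parameters: a required field was left off but the API did not reject it.
  if (req.missingRequired && resp.status !== 400) {
    findings.push('parameters: missing required field not rejected with 400');
  }
  return findings;
}

// Constructed sample exchanges (not captured from a real server), keyed by case.
const SAMPLES = {
  clean: [{ method: 'GET', auth: null }, { status: 200, body: '{"bookingid":1}' }],
  noAuth: [{ method: 'PUT', needsAuth: true, auth: null, body: { firstname: 'Jim' } },
           { status: 200, body: '{"firstname":"Jim"}' }],
  badCreds: [{ method: 'POST', auth: null, body: { username: 'a', password: 'b' } },
             { status: 200, body: '{"reason":"Bad credentials"}' }],
  reflected: [{ method: 'POST', auth: 'token', body: { firstname: XSS_PROBE } },
              { status: 200, body: '{"firstname":"' + XSS_PROBE + '"}' }],
  bare500: [{ method: 'POST', auth: 'token', body: {}, missingRequired: true },
            { status: 500, body: 'Internal Server Error' }],
};
```

Call `poisedFindings(...SAMPLES.noAuth)` to see the finding for the "No Auth" case; the `clean` sample returns an empty list.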

Data Driven Testing

Amber also walks the user through automating all these tests in Postman, how Postman handles data-driven testing, and how to run the tests under Continuous Integration with Newman.

There is a lot of content here! Make sure to spend time practicing the techniques listed, checking to see if you can find other errors in the Restful-Booker API Playground.

Happy Testing!

-T.J. Maher
Sr. QA Engineer, Software Engineer in Test
Meetup Organizer, Ministry of Testing - Boston
