API testing with Bearer token

 

API testing with Bearer token 


HTTP Authentication Schemes:

  HTTP Authentication verifies the user's eligibility to access the web resource. It involves HTTP header-based communication between the client and the server, with the server requesting the user's credentials for authentication.




I'll start by writing about bearer tokens because I recently learnt about them. 



 When a user logs in, the authentication server generates a token known as a bearer token. This token should be sent in the header of the client's subsequent calls .This token will shortly expire; in such circumstances, a new token must be generated.



Application using Bearer token:


The Contact List App is a small program that Kristin Jackvony created for testing. The APIs for this application authenticate users using bearer tokens.


API documentation can be found https://documenter.getpostman.com/view/4012288/TzK2bEa8


I started by exploring the app's functionality , making a list of prospective test scenarios.


  1. The User signups with an email and password. 

  2. Then with that User id, login to the application. 

  3. Add contacts (First Name,Last Name are required fields), Date of birth, Email,Phone ,Address 1, City,State,Postal code, Country. 

  4. The added contact can be edited (First Name,Last Name are required fields) and other fields are not mandatory.

  5. Delete a contact.

  6. Viewing User’s profile, Editing and Deleting user can not be done from the UI. Per documentation, this can be done via API.


 




















For my API testing, I also used the same test scenarios.


API test cases:

Use Case 1

Login  to get Bearer Token

API Documentation

https://documenter.getpostman.com/view/4012288/TzK2bEa8#3ec4f31e-3ce0-4edf-9f3a-e3ec6461e4e6

HTTP Verb 

Post

Payload

Username and Password  as JSON

Headers

Content-Type: 'application/json

URL

https://thinking-tester-contact-list.herokuapp.com/users/login


Expected Response:


Status Code 

200 OK, if login is successful.

Response Cookie 

Token


I did this in Python as well:


Use Case 2

Create a new User

API Documentation

https://documenter.getpostman.com/view/4012288/TzK2bEa8#bcd848eb-d7ae-4b73-9a0c-59eb2254017e

HTTP Verb 

Post

Headers

Content-Type: 'application/json

Authorization : Bearer token.

URL

https://thinking-tester-contact-list.herokuapp.com/users

Body/Payload

Body: 

   {

    "firstName": "Test",

    "lastName": "User",

    "email": "test@fake.com",

    "password": "myPassword"

}



I discovered that this “create User” API needs a Bearer Token as I read the API documentation. I had to login with a user I created from the UI in order to obtain the Bearer token. I therefore made the POST API Login call and received the bearer token in return. When creating a user API request, use this token:




In Python:


Use Case 3

Add new contact

API Documentation

https://documenter.getpostman.com/view/4012288/TzK2bEa8#abe537df-fccc-4ee6-90d2-7513e3024d6b

HTTP Verb 

Post

Payload

{

    "firstName": "John",

    "lastName": "Doe",

    "birthdate": "1970-01-01",

    "email": "jdoe@fake.com",

    "phone": "8005555555",

    "street1": "1 Main St.",

    "street2": "Apartment A",

    "city": "Anytown",

    "stateProvince": "KS",

    "postalCode": "12345",

    "country": "USA"

}

Headers

Content-Type: 'application/json

Authorization : Bearer token.

URL

https://thinking-tester-contact-list.herokuapp.com/contacts


Here also use the same bearer token we received for the new user we created in Use Case 2.





Here, ADD contact test can be sent with only the required fields, without the required fields, with valid and invalid data, etc..


Once the contact was created, I sent a GET request with the contact ID retrieved from ADD contact to verify the contact's creation. 


Then I updated the contact with the contact ID retrieved from ADD contacts.

Similarly I deleted the added contact as well. 

Updating, and deleting user profiles would be added later to the tests.

The full code 

import requests

import json

import random


contact_id={}

bearer_token = ""

user_name ="nsuba.skannan@gmail.com"

new_user = "ab"+str(random.randint(1,1000))+"@abc.com"


# This function logs in to contact list application and returns bearer token for the user.

# The token is sent in headers of all other actions :

# Add user,Add a new contact to the list, get the new contact ID,Update the newly created contact

# Delete the newly created contact



def user_login(user_name):

   url = "https://thinking-tester-contact-list.herokuapp.com/users/login"

   payload = json.dumps({

       "email": user_name,

       "password": "Sivaom1$"

   })

   headers = {'Content-Type': 'application/json'}

   response = requests.request("POST", url, headers=headers, data=payload)

   json_response = response.json()

   #print (response.text)

   bearer_token = json_response['token']

   #print(bearer_token)

   return bearer_token


#add New user

def addUser_profile():

   url = "https://thinking-tester-contact-list.herokuapp.com/users"

   token = user_login(user_name)


   payload=json.dumps({

   'firstName': 'fkjhjk',

   'lastName': 'fkgjlk',

   'email': new_user,

   'password': 'Sivaom1$'

   })


   headers = {

       'Authorization': 'Bearer '+token,

       'Content-Type': 'application/json'

   }

   print (payload)

   response = requests.request("POST", url, headers=headers, data=payload)

   print(response.text)


def getContacts():

   url = "https://thinking-tester-contact-list.herokuapp.com/contacts"

   token=user_login(new_user)

   payload = {}

   headers = {

       'Authorization': 'Bearer '+token

   }

   response = requests.request("GET", url, headers=headers, data=payload)

   print("Contacts List")

   print(response.text)



def addContacts():

   url = "https://thinking-tester-contact-list.herokuapp.com/contacts"

   token = user_login(new_user)

   #print(token)


   payload = json.dumps({

       "firstName": "John",

       "lastName": "Doe",

       "birthdate": "1970-01-01",

       "email": "jdoe@fake.com",

       "phone": "8005555555",

       "street1": "1 Main St.",

       "street2": "Apartment A",

       "city": "Anytown",

       "stateProvince": "KS",

       "postalCode": "12345",

       "country": "USA"

   })

   headers = {

       'Authorization': 'Bearer '+token,

       'Content-Type': 'application/json'

   }

   response = requests.request("POST", url, headers=headers, data=payload)

   print("New Contact Added: ")

   print(response.text)

   json_response = response.json()

   contact_id["id"]=json_response["_id"]




def updateContact():


   url = "https://thinking-tester-contact-list.herokuapp.com/contacts/"+contact_id['id']

   token = user_login(new_user)

   payload = json.dumps({

       "firstName": "Nathan"

   })

   headers = {

       'Authorization': 'Bearer ' + token,

       'Content-Type': 'application/json'

   }

   response = requests.request("PATCH", url, headers=headers, data=payload)

   print("New Contact Updated: ")

   print(response.text)



def deleteContact():

   url = "https://thinking-tester-contact-list.herokuapp.com/contacts/"+contact_id['id']

   token = user_login(new_user)


   headers = {

       'Authorization': 'Bearer ' + token,

       'Content-Type': 'application/json'

   }

   response = requests.request("DELETE", url, headers=headers)

   print(response.text)


addUser_profile()

addContacts()

getContacts()

updateContact()

getContacts()

deleteContact()

getContacts()

Comments

Post a Comment

Popular posts from this blog

  What I noticed after starting to blog    “ Reading maketh a full man; conference a ready man; and writing an exact man” –Francis Bacon  In summer 2022, I was on the lookout for ways to improve my testing skills. From LinkedIn, I found various testers talking about getting trained by Ajay Balamurugadas . I reached out to Ajay. After a meeting, he agreed to train me 😀.  The training started, and I was making steady progress. Ajay questioned me after a few sessions if I had ever written a blog and urged me to do so right away. I wasn’t ready for it. Here is why...   Usually, Slack and email are the places where I write (or type 😜). Most of my responses would consist of no more than four words per sentence!!  My status reports and testing notes are the longest documents I produce. Naturally, I wasn't prepared, so when I heard about starting a blog, I found it amusing. One fine day I sat and started, I was just typing and deleting.. Couldn’t move past the first sentence (or word :-)
Read more

My first time attending a software launch party

Image
  Postman celebrated the introduction of Postman Flows this week in San Francisco, on August 16th 2023. Following the release of Postman Flows a few months ago, Beth Marshall posted a YouTube video explaining how testers might use it for API testing procedures.   Ever since I started my API testing journey, I've been watching for Postman's announcements, challenges, You Tube Live sessions, and demonstrations. So I made the decision to go to this event as well.    When I arrived , Postman Flow was being used to welcome every registered guest. My name flashed on the welcome board when I clicked Run on their flow they had created after signing in (I forgot to take a picture of it). Greetings flow Two customers demonstrated how they are utilizing Flows to address issues and open up new possibilities. One of them includes a flow designed specifically for integration testing.   I was able to use Flows to design my very own, uniquely branded Postman YETI and select the swag I wanted (
Read more
  Observation: How it has helped me as a tester? In one of the chapters of her book, "Explore IT," Elizabeth Hendrickson discusses observation and how it is crucial for exploratory testing. Checking logs for surprises is one technique to observe during testing. I was brought back to my days as a mid-level test engineer while reading it. On the user's side, the product appeared to be relatively straightforward, but it actually had a sophisticated architecture and a lot of moving components. For this product, there were very few user interactions; everything took place in the background, and logs were essential for troubleshooting. When I first discovered a bug, I would gather proof—reproducing steps, error logs—most often grep 'error' log files—and screenshots—and be prepared to report the issue. My manager would ping me with questions like, "Did you try to reproduce the bug in another test combination?" and "Did you check that?" and “Did you tr
Read more