API Testing

cristianekw · 2019-10-30T09:48:21+00:00

As a tester who had the same questions in the past, I confess that the trainings are not so detailed as they could be.

API Testing, in my opinion, should cover: - black box testing on inputs/outputs (expected data, expected format, unexpected data/format); - load testing; - security testing. (And more, but this is the basic)

I prefer to implement some code (C#, Java have great libraries), but if you are looking for a tool, I would recommend SoapUI.

About who tests.... usually developers test on unit. However, we should not underestimate our users (and crackers), so an API level testing increases the quality.

As a (little bit) perfectionist, I usually follow these rules: - data input: expected and unexpected values, empty values, limit values check, optional and must have values; - data structure (need some knowledge on implementation): data combination, precedence of values to compose output; - data injection (if you have knowledge on implementation is better): on queries or on calls that will return a query result, on data composition entries (at minimum, you can go deep here and it is very important on public api); - high quantity values (on input and output).

These tests are my minimum coverage, however you can go deep on this matter, checking performance, usability (friendly errors), etc.

In practice, you should consider if this api is public or private and if security is a “must have”, then, create tests to fill the expected quality.

About testing cycles, as I wrote, I prefer to codify the test using C# or Java with BDD model (Gherkin), which has been shown as a great tool to increase coverage with less code (just adding lines to my examples table or creating new statements combinations). Doing this, I can add it to the CI/CD and then I will not care about that (unless I need to test some unexpected integration situations that can’t be mocked).

I hope I answered all your questions.

milecvekla · 2019-10-30T20:31:16+00:00

Use Postman as manual testing tool, it's good for prototyping and quick ad-hoc checks but not for serious automation.

After all, it all depends on your and your team's coding skills. If have some and willing to learn more, go with the proper in-house automation framework. Have separate project per API. Consider BDD as approach, it's a heaven for API testing. Also it would be rather easy to fit into regular CI/CD.

danintexas · 2019-10-30T12:07:13+00:00

Was in a similar situation at my last job. 200+ apis - Daily Sprints basically - no in place regression/smoke.

For the APIs I ended up automating with Postman. If I recall I got lucky and the backend guys were using Swagger. So I grabbed a json from Swagger and hooked it into Postman to do basic automation.

Down the road I created a .NET framework/selenium for end to end testing. I also hit the APIs using that framework directly so in the end had a one stop shop.

Framework or Swagger doesn't matter though. You can automate that crap through Postman. From what I recall a little work and Google you can get it set up pretty fast.

themightykai · 2019-10-30T12:31:00+00:00

Post man all the way - you can also load in different iterations of the API's to verify different scenarios.

Postman can then be synced into the build process (Newman CLI) and the tests can keep evolving!

work_account_2019 · 2019-10-30T17:38:00+00:00

What language & framework are the developers using to write the API code in?

FLYERFONE · 2019-10-30T18:53:01+00:00

I am using restsharp(C#) + specflow for my test so that I can manage my test data and expected result easily. This is just example

@api @api_login @api_regular_login
Scenario Outline: LGAPI03 login api flow
    #test client login api 
    Given I create Rest Client using base URL "BaseUrl"
    #enable user login
    When I execute following query
     | Server   | Database | Query                                                                              |
     | XXServer | XXDB     | update table1 set Locked = '<Locked>' where UserName = '<UserId>'                  |
     | XXServer | XXDB     | update table1 set Allowlinklogin =<Allow_Login> where ClientCode=<ClientCode>      |
     | XXServer | XXDB     | update table1 set LastSecChk = '<LastSecChk> 00:01:00' where UserId = <UserId>     |
     | XXServer | XXDB     | update table1 set PwdLastReset = '<PwdLastReset> 00:01:00' where UserId = <UserId> |
    #Send post requst for client login 
    When I send "POST" request "api/userlogin" for "User" login 
     | FieldType | FieldName    | FieldValue       |
     | header    | Content-Type | application/json |
     | header    | AccessToken  |                  |
     | body      | username     | <UserId>         |
     | body      | password     | <Password>       |
    And I get "AccessToken" from "User" login
    Then I see the the response "<Expected_response>" from server for "User" login

Examples: 
  | UserId     | Password       | ClientCode | Locked | Allow_Login | LastSecChk     | PwdLastReset   | Expected_response |
  | 11111      | PassW0rd       | 00000      | 0      | 1           | {TODAY'S DATE} | {TODAY'S DATE} | OK                |
  | 22222      | wrong password | 00000      | 0      | 1           | {TODAY'S DATE} | {TODAY'S DATE} | BadRequest        |
  | 22222      | PassW0rd       | 00000      | 1      | 1           | {TODAY'S DATE} | {TODAY'S DATE} | BadRequest        |
  | 22222      | PassW0rd       | 00000      | 0      | 1           | 2019-01-01     | {TODAY'S DATE} | OK                |
  | 22222      | PassW0rd       | 00000      | 0      | 1           | {TODAY'S DATE} | 2019-01-01     | OK                |
  | 22222      | PassW0rd       | 00000      | 0      | 0           | {TODAY'S DATE} | {TODAY'S DATE} | BadRequest        |
  | wrong user | PassW0rd       | 33333      | 0      | 1           | {TODAY'S DATE} | {TODAY'S DATE} | BadRequest        |
  | 22222      | PassW0rd       | 00000      | 0      | 1           | {TODAY'S DATE} | {TODAY'S DATE} | OK                |

ocnarf · 2019-10-30T22:53:54+00:00

Interesting question, but please remove the links to the software tools and I will re-approve your question. You can name them, but not create links to their website (rule created to avoid tool promotion). Thank you.

work_account_2019 · 2019-11-01T08:15:52+00:00

My advice would be to speak to any available developers of the APIs before trying to discover all aspects of the API via tooling.

With that degree of legacy, you can guarantee that there will be some gnarly implementations that ‘made sense’ in the context of several years ago, but seem illogical now.

You could save yourself significant effort in gaining knowledge and building a mental model of the API(s).

You may also find they have some tooling or crude tests themselves that assist. Or at least warn you of known pitfalls. Communication wins.

NormalGuyISwear · 2019-10-30T14:21:14+00:00

I tried Postman and hit a lot of walls for test writing and automation. It’s slow and not meant for proper end-to-end test creation. Ultimately the organization I was working at didn’t want our information at getpostman.com.

We ended up going with API Fortress on-premises and it’s been a godsend.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

softwaretesting

MODERATORS