Karate API Tests - Post Request failing but works using Jmeter - karate

I am trying to implement testing POST request for my APIs using KARATE, but getting 403 - expected csrf token not found.
However, I am able to perform POST Request using Jmeter - Login to the application, perform GET request and get the XSRF Token from GET request RESPONSE HEADERS and pass it in the POST request in Header Manager in Jmeter. That way, I am able to create a new resource using POST. I am not sure why this approach isn't working in Karate.

You must be missing some header. The fastest way you can solve this is by collaborating with someone on the server-side dev team.
Refer to this example in the Karate demos that uses CSRF:
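To make visible what a server that answers "expected csrf token not found" is actually checking, here is an added example in Python (not code from the question, the answer or the Karate demos): a constructed stand-in server that issues a session cookie plus an XSRF-TOKEN header on GET and returns 403 on POST unless the same value comes back in X-XSRF-TOKEN together with that cookie, and a client that walks the GET-then-POST sequence the question describes. The paths, header names and cookie name are assumptions modelled on the question's description.

```python
import http.cookies
import secrets
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # constructed in-memory store: session id -> CSRF token issued to it

class CsrfHandler(BaseHTTPRequestHandler):
    """Stand-in API: GET issues a session cookie and an XSRF-TOKEN header; POST needs both back."""
    def log_message(self, *args):  # keep the demo quiet
        pass
    def do_GET(self):
        sid, token = secrets.token_hex(8), secrets.token_hex(16)
        SESSIONS[sid] = token
        self.send_response(200)
        self.send_header("Set-Cookie", f"SESSION={sid}; HttpOnly")
        self.send_header("XSRF-TOKEN", token)  # header name assumed from the question
        self.end_headers()
    def do_POST(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        expected = SESSIONS.get(jar["SESSION"].value) if "SESSION" in jar else None
        presented = self.headers.get("X-XSRF-TOKEN", "")
        # Token must exist for this session and match exactly (constant-time compare).
        if expected is None or not secrets.compare_digest(expected.encode(), presented.encode()):
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"Expected CSRF token not found")
            return
        self.send_response(201)
        self.end_headers()

def start_server() -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), CsrfHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def create_resource(port: int, send_token: bool = True) -> int:
    """The JMeter sequence from the question: GET, lift the token from the response headers, POST it back."""
    conn = HTTPConnection("127.0.0.1", port)
    conn.request("GET", "/api/items")
    resp = conn.getresponse()
    resp.read()
    headers = {"Cookie": resp.getheader("Set-Cookie").split(";")[0], "Content-Type": "application/json"}
    if send_token:  # leaving this out reproduces the 403 from the question
        headers["X-XSRF-TOKEN"] = resp.getheader("XSRF-TOKEN")
    conn.request("POST", "/api/items", body=b'{"name": "demo"}', headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status
```

Run `create_resource(start_server().server_port, send_token=False)` to see the 403, then with the default to see 201; whichever tool drives the requests, both the cookie and the token header must travel on the POST.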

Related

Using Supertest with Auth0

I have an application that uses NestJS and Angular. I am currently using #auth0/auth0-angular on the frontend to log users in and out. I want to write e2e tests with Supertest using the Authorization Code Flow and according to the Auth0 docs (https://auth0.com/docs/get-started/authentication-and-authorization-flow/add-login-auth-code-flow#parameters), I have to:
1) Authorize the user by sending the user to the authorization URL
2) If all goes well, I should receive an HTTP 302 response which includes an authorization code
3) Exchange this authorization code for tokens by POSTing to the token URL ('https://YOUR_DOMAIN/oauth/token').
4) If all goes well, I should receive an HTTP 200 response with a payload containing the tokens.
However, since I’m writing tests with Supertest on the backend, I can’t send a user to the authorization url and have the user handle authentication. Is there a way to get around this and get an authorization code (perhaps fake the authorization code somehow?) so that I can POST to the token url in order to get the tokens?
I initially tried to use the Auth0.js SDK but turns out that was only for browsers (can't use it since I'm writing Supertest tests on backend). Auth0 docs haven't been too helpful either and there seems to be very limited resources on using Supertest with Auth0.

Same HTTPS request works in Postman but gives 400 Bad Request in JMeter

I think I tried all the possible combinations of headers and body for my POST request in JMeter but it is giving me 400 Bad Request saying that the languagePairID parameter from the body is invalid even though it is exactly the same as in Postman.
My headers:
And the request:
Meanwhile in Postman it works perfectly fine:
I tried checking and unchecking the multipart/form-data and browser-compatible headers, but nothing seems to help. I read that using Wireshark might be useful in such cases but I think for this one it is not possible as it is HTTPS. I will be very grateful for any advice.
Uncheck "Use multipart/form-data"
Remove everything from the "Body Data" tab
Switch to "Parameters" tab and put your parameters there:
Going forward be informed that you can easily convert your Postman script into JMeter:
Start JMeter's HTTP(S) Test Script Recorder
Import JMeter's certificate to Postman
Configure Postman to use JMeter as the proxy
Run your request in Postman
JMeter will capture the request and generate relevant HTTP Request sampler and HTTP Header Manager
More information: How to Convert Your Postman API Tests to JMeter for Scaling

JMeter: Record n play, also gives API access

I have recorded a login flow of an application and found some URIs like below:
/api/oauth2/initiate GET
/oauth2/authorize GET
/api/v1/oauth2/authorize GET
/api/v1/oauth2/authenticate POST
{"username":"${Username}","password":"${Password}","client_id":"${client_Id}","response_type":"code","redirect_uri":"${scheme}://${host}/api/oauth2/callback","server_id":"${server_Id}"}
When I hit the above in sequence via JMeter I get a 200 response. Just like with JMeter, I tried recording in Postman and it worked the same, but instead of JSON it gave the response in XML format.
It doesn't generate an access_token; it works via session cookies.
My question is: do I really have API access or is it just browser record and play? If yes, does this mean I can get access to any API if I am a registered user of that application? For example Facebook, YouTube or any startup website.
JMeter works on the protocol level. This means that whatever request you are generating, say a simple browser request or an API call, you can do that easily.
Now the thing is replicating requests. You don't necessarily need to record the requests using the browser. You need to analyze the few things that are required. Say Postman is generating a request. You specify the things you want to send and you use the API Token there. The same things can be specified here as well. It all depends on how you are understanding the concept of request generation.
You simply need to replicate the samplers and the parameters. And the request headers in Postman can be replicated here in the same way.
For each HTTP Request Sampler make sure you add a corresponding child HTTP Header Manager config element.
Headers basically tell the server what client we are using and in what form data is being sent, and then the server responds accordingly with the information.
What you've recorded is an OAuth2 flow and you won't be able to replay it without correlating the dynamic values.
You can have access to the Google API or Facebook Graph API given you have a proper access_token, but I don't think you should be testing them directly; you should focus solely on your application.

Attempting to connect to Oro 4.1.1 Web API via the OAuth

I am trying to utilize the OroCommerce Web API which was introduced to interact with my clients.
The first step, oauth2-token, seems to be working well, but the subsequent requests to the APIs such as customers GET, customerusers GET etc. all end up with a 401 Unauthorized error.
I am trying to test the whole flow through the POSTMAN.
I have checked the Web API access is enabled and also verified that the guest users are enabled.
What's strange is that /api/doc seems to be working well, but when I try to mimic the same via POSTMAN, it always ends up with 401 Unauthorized Access.
Any idea why it could be failing?
Make sure you included the Content-Type and Bearer-prefixed Authorization headers in the request built using POSTMAN, as explained in the OroCommerce documentation.
Authentication with the Bearer header is also explained in the POSTMAN documentation.

How to authenticate using cloudcontrol REST API

I am trying to use the Cloudcontrol REST API.
Has anybody used that API? I did not find out how to authenticate.
As an example, I tried https://api.devcctrl.com/app/APPMNAME/deployment/default/error/
I found : https://api.devcctrl.com/doc/#Token but I don't understand how exactly to use it.
An example would be great.
What I really want to do: I want to deploy an app using REST API. I cannot use the CLI tools due to missing python installation.
Thanks
Mike
First, in order to get the token, you need to send an HTTP POST request to api.cloudcontrol.com/token/ using Basic Authentication with the email and password of your cloudControl account. You will get a JSON response like this:
{"token": "<TOKEN_KEY>"}
You need this token key to authenticate for all other requests to the API. To do so, add an Authorization Header to your request with this content:
Authorization -> cc_auth_token="<TOKEN_KEY>"
Furthermore, you might also need to set up some other headers for PUT or POST requests, like:
Content-Type -> "application/x-www-form-urlencoded"
Content-Length -> <length of your parametrized url values, e.g. bar=baz&foo=qux>
Accept-Encoding -> "compress, gzip"
You can find examples of this usage in the pycclib (Python) or gocclib (Go) libraries.
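The two-step flow from the answer above, as an added Python example that is not taken from pycclib or gocclib: Basic credentials are sent exactly once to /token/, the returned JSON is checked before anything is treated as a token, and every later call carries only the cc_auth_token header plus the body headers the answer lists. The transport is injected as a callable so the flow runs offline; the https base URL and the sample API path used when calling it are assumptions (the answer names only the host and the /token/ path).

```python
import base64
import json
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# Host from the answer above; the https scheme is an assumption.
CC_API = "https://api.cloudcontrol.com"

# Transport hook: (method, url, headers, body) -> (status, response_text).
# Injected so the flow can be exercised offline; wire it to urllib or requests for real use.
Sender = Callable[[str, str, Dict[str, str], bytes], Tuple[int, str]]

def basic_auth_header(email: str, password: str) -> Dict[str, str]:
    """HTTP Basic credentials, used once, only for the POST to /token/."""
    creds = base64.b64encode(f"{email}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {creds}"}

def parse_token_response(body: str) -> str:
    """Pull the key out of {"token": "<TOKEN_KEY>"}; anything else is an error, not a token."""
    data = json.loads(body)
    token = data.get("token") if isinstance(data, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("token endpoint did not return a 'token' string")
    return token

def cc_auth_headers(token: str, form: Optional[Dict[str, str]] = None) -> Tuple[Dict[str, str], bytes]:
    """Headers for every later call: the cc_auth_token scheme from the answer, plus the
    body headers it lists when a PUT/POST carries url-encoded parameters."""
    headers = {"Authorization": f'cc_auth_token="{token}"', "Accept-Encoding": "compress, gzip"}
    body = b""
    if form is not None:
        body = urlencode(form).encode("ascii")          # e.g. b"bar=baz&foo=qux"
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        headers["Content-Length"] = str(len(body))      # length of the encoded body
    return headers, body

def fetch_token(send: Sender, email: str, password: str) -> str:
    """Step 1: trade the account password for the API token; the password is not reused after this."""
    status, body = send("POST", f"{CC_API}/token/", basic_auth_header(email, password), b"")
    if status != 200:
        raise PermissionError(f"token request rejected with HTTP {status}")
    return parse_token_response(body)

def api_post(send: Sender, token: str, path: str, form: Dict[str, str]) -> int:
    """Step 2: an authenticated POST to an API path, carrying only the token."""
    headers, body = cc_auth_headers(token, form)
    status, _ = send("POST", f"{CC_API}{path}", headers, body)
    return status
```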