Load DB data(to Rest API) through postman - sql

We have been using postman for our Rest API testing but to make it more of an e2e data driven tool, we have a requirement to:
- Make postman grab data from our database and feed it to the API calls
- Run some api calls based on that data
- Query DB again to check the sanity of the data after REST POST requests for example
I know postman is for client side interactions. Is there a way to make postman talk to the DB somehow? I have come across "volos-mysql" and "dreamFactory" but the problem is how to load an external module inside a postman script?

Related

How to make REST API deployed to heroku accessible only through rapidAPI

Salutations!
I have just completed my first REST API, deployed on heroku, and I decided it would be cool to make $0 a month through rapidAPI.
The rapidAPI testing dashboard passes the tests successfully - with one of their keys being a requirement for an API call.
However when I access the site on a browser or on Postman, there is no need for an API key and therefore no restrictions in get requests.
I have noticed that the test code makes a fetch request to the rapidAPI url for the project but how can I make the heroku url accessible only from rapidAPI?
I know it's extremely unlikely someone will find my heroku app url but it is technically possible.
I appreciate your time and insights.
RapidAPI provides 2 security features to support this:
- set X-RapidAPI-Proxy-Secret in the API Dashboard: this token is added in the X-RapidAPI-Proxy-Secret HTTP header for each request. You should validate this for every API call. This is the default measure in place.
- the list of IP addresses used by RapidAPI is provided: you can check/validate for every API call.
There might be Heroku Addon to help with the IP filtering, but those are typically enterprise-plugin (with associated cost).
RapidAPI allows you to add secret headers and/or query string parameters to API requests. The RapidAPI proxy adds these secrets to every request, but they are hidden from the API consumers.
Find more details in this page: https://docs.rapidapi.com/docs/secret-headers-parameters
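The header check both answers describe, as an added example that is not part of the original answers or RapidAPI's own code. It assumes a Node.js backend and a hypothetical `RAPIDAPI_PROXY_SECRET` config var holding the value copied from the dashboard; the function names are illustrative.

```javascript
const crypto = require('node:crypto');

// Assumption: the secret from the RapidAPI dashboard is stored in this
// hypothetical environment variable (for example a Heroku config var).
const SECRET_ENV = 'RAPIDAPI_PROXY_SECRET';

// Returns true only when the request headers carry the expected proxy secret.
function hasValidProxySecret(headers, expected) {
  // Fail closed: an unset or empty configured secret must never match.
  if (typeof expected !== 'string' || expected.length === 0) return false;
  // Node lower-cases incoming header names.
  const supplied = headers['x-rapidapi-proxy-secret'];
  if (typeof supplied !== 'string') return false; // header absent
  // Hash both sides so timingSafeEqual receives equal-length buffers and
  // the comparison time does not depend on how much of the secret matched.
  const a = crypto.createHash('sha256').update(supplied).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Wraps any (req, res) handler so it runs only for requests that came
// through the proxy; everything else gets a 403 with no detail.
function requireProxySecret(handler, expected = process.env[SECRET_ENV]) {
  return (req, res) => {
    if (!hasValidProxySecret(req.headers, expected)) {
      res.writeHead(403, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify({ error: 'forbidden' }));
      return;
    }
    handler(req, res);
  };
}

// Usage with the built-in server (not started here):
//   require('node:http')
//     .createServer(requireProxySecret(myHandler))
//     .listen(process.env.PORT);
```

Because the wrapper is applied to the whole handler, direct requests to the Heroku URL from a browser or Postman are rejected unless they carry the secret.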

How to store and respond with variables for API request

I am attempting to create a dynamic responsive server which is able to:
- read a request
- store the token in an environment variable
- use that environment variable in the response back to the source
I am unsure where to begin with this, I have had a look at some API tools such as PostMan and Insomnia but although I can set up a mock server which would receive the responses, the data I want to save is not being stored in the variable and thus is not being used in the response.
Some guidance would be appreciated.
Thank you
What language and platform are you using?
If you are using any of the major public cloud options (AWS, Google, Azure), there are easy to deploy API Gateway Services that require minimal code to get started and support environment variables.
If you are using local development only, then you can get started with ASP .NET Core Web API: https://learn.microsoft.com/en-us/aspnet/core/tutorials/first-web-api?view=aspnetcore-3.1&tabs=visual-studio
Then use environment variables:
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/environments?view=aspnetcore-3.1
Or instead, once you set up your API running locally, you can use Postman variables:
https://learning.postman.com/docs/sending-requests/variables/

JMeter: Record n play, also gives API access

I have recorded a login flow of an application and found some URIs like below:
/api/oauth2/initiate GET
/oauth2/authorize GET
/api/v1/oauth2/authorize GET
/api/v1/oauth2/authenticate POST
{"username":"${Username}","password":"${Password}","client_id":"${client_Id}","response_type":"code","redirect_uri":"${scheme}://${host}/api/oauth2/callback","server_id":"${server_Id}"}
When I am hitting the above in sequence via JMeter I am getting a 200 response. Just like JMeter I tried recording in Postman and it worked the same, but instead of JSON it gave the response in XML format.
It doesn't generate an access_token, it works via session cookies.
My question is - Do I really have API access or it is just browser record n play? If Yes, Does this mean I can get access to any API, if I am a registered user of that application? For ex: Facebook, YouTube or any startup website.
JMeter works on the protocol level. This means that whatever request you are generating. Say a simple browser request or an API call, you can do that easily.
Now the thing is replicating requests. You don't need to record the requests necessarily using the browser. You need to analyze the few things that are required. Say Postman is generating a request. You specify the things you want to send and you use the API Token there. The same things can be specified there as well. It all depends on how you are understanding the concept of request generation.
You simply need to replicate the samplers and the parameters. And the request headers in postman can be replicated here in the same way.
For each HTTP Request Sampler make sure you add a corresponding child HTTP Header Manager config element.
Headers basically tell the server what client we are using and in what form data is being sent, and then the server responds accordingly with the information.
What you've recorded is an OAuth2 flow and you won't be able to replay it without correlating the dynamic values.
You can have access to Google API or Facebook Graph API given you have proper access_token but I don't think you should be testing them directly, you should focus on solely your application.

Karate API Tests - Post Request failing but works using Jmeter

I am trying to implement testing POST request for my APIs using KARATE, but getting 403 - expected csrf token not found.
However, I am able to perform POST Request using Jmeter - Login to the application, perform GET request and get the XSRF Token from GET request RESPONSE HEADERS and pass it in the POST request in Header Manager in Jmeter. That way, I am able to create a new resource using POST. I am not sure why this approach isn't working in Karate.
You must be missing some header. The fastest way you can solve this is by collaborating with someone on the server-side dev team.
Refer to this example in the Karate demos that uses CSRF:

Yodlee Rest API (coblogin) doesn't work with simple Rest Client

I'm trying to implement the Rest API for Yodlee using Spring RestTemplate.
For starters I'm trying to use the simple Chrome extension to test the API but it doesn't seem to work.
(see image url here)
https://www.evernote.com/shard/s3/sh/3c42d3fb-e69f-49c4-ab80-e4b607aca13e/03aea0e891c1f2c40414fcc992f2c307
The content type needs to be application/x-www-form-urlencoded and the request needs to be properly formatted. For example:
cobrandLogin=yourCobrandLogin&cobrandPassword=yourCobrandPassword
I've noticed that the error messages for the rest api are extremely unhelpful.