December 8th, 2020 by inflectra
During the recent EuroSTAR 2020 Virtual Conference, Adam Sandman, Director of Technology at Inflectra, presented a session on Testing APIs in the Wild. The attendees asked many questions during the talk, but there was only time to answer a few of them. In this blog, Adam covers some of the remaining questions.
The following questions were raised by the attendees of the session at EuroSTAR:
Authentication is the process of checking that a user is who they say they are, i.e., that they are a valid user of the system. For APIs, that is done using one of many possible authentication methods, such as a login and password (basic authentication), a trusted protocol such as OAuth, a secure certificate, a valid session cookie, or some other method that guarantees that a user is real and valid to access the system (e.g., biometrics, retina scans, etc.).
On the other hand, authorization is the process of checking that a user who is already authenticated has access to perform a specific operation. For APIs, that usually means that the user is allowed to call the specific API endpoint with the specific method (GET, POST, PUT, etc.), and that the data passed in affects the part of the system the user has access to (e.g., a valid account number for that user).
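The distinction is easiest to see as an API test matrix. The following is an added example, not code from the talk or from any Inflectra product; the `/accounts/{id}` endpoint, the users, roles and account numbers are all constructed for illustration. Authentication failures map to 401, and authorization failures (wrong method for the role, or an account number that belongs to another user) map to 403.

```python
import hmac

# Constructed sample data for a hypothetical /accounts/{id} endpoint.
USERS = {
    "alice": {"password": "a-secret", "role": "customer", "accounts": {"ACC-100"}},
    "bob": {"password": "b-secret", "role": "customer", "accounts": {"ACC-200"}},
    "carol": {"password": "c-secret", "role": "auditor", "accounts": set()},
}
# Which HTTP methods each role may call on the endpoint (assumed policy).
ALLOWED_METHODS = {"customer": {"GET", "PUT"}, "auditor": {"GET"}}

def authenticate(credentials):
    """Authentication: return the user name if (name, password) is valid, else None."""
    if credentials is None:
        return None
    name, password = credentials
    user = USERS.get(name)
    if user and hmac.compare_digest(user["password"].encode(), password.encode()):
        return name
    return None

def handle(method, account_id, credentials):
    """Return the HTTP status the endpoint gives for this request."""
    name = authenticate(credentials)
    if name is None:
        return 401  # authentication failed: caller is unknown
    user = USERS[name]
    if method not in ALLOWED_METHODS[user["role"]]:
        return 403  # authorization failed: method not allowed for this role
    if user["role"] == "customer" and account_id not in user["accounts"]:
        return 403  # authorization failed: account belongs to another user
    return 200

# Test matrix: (method, account, credentials, expected status).
CASES = [
    ("GET", "ACC-100", None, 401),
    ("GET", "ACC-100", ("alice", "wrong"), 401),
    ("GET", "ACC-100", ("alice", "a-secret"), 200),
    ("GET", "ACC-200", ("alice", "a-secret"), 403),
    ("PUT", "ACC-200", ("carol", "c-secret"), 403),
    ("GET", "ACC-200", ("carol", "c-secret"), 200),
]

def failed_cases():
    """Run the matrix and return the rows whose status differs from the expectation."""
    return [c for c in CASES if handle(c[0], c[1], c[2]) != c[3]]
```

The fourth row is the one most often missing from API test suites: a fully authenticated user asking for data that is not theirs.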
I am a big proponent of maintaining guaranteed interfaces for APIs so that once you release a set of API endpoints, you don't keep breaking compatibility and requiring the clients to change their code. To me, that is simply a failure in API design. One solution is to have the clients propose the contracts and have the testers create their API tests based on these contracts (consumer-driven contract testing). However, I think the most important thing is that testers get the contracts and write automated tests against those, and refuse to change them just because the developers want to.
An alternative to having the contracts be consumer-driven would be to have a set of versioned APIs instead. That way, when customers have new requests, you can add new versions and still maintain the old versions for backward compatibility. That is my preference, to be honest.
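A minimal sketch of an automated test written against a contract, as an added example (not Inflectra's code; the `/v1/incidents/{id}` response shape and all field names are hypothetical). The checker accepts additive changes, which keep old clients working, and reports removed or retyped fields, which are the changes that break compatibility.

```python
# Contract for a hypothetical GET /v1/incidents/{id} response (field -> type).
CONTRACT_V1 = {"id": int, "name": str, "status": str,
               "owner": {"id": int, "login": str}}

def violations(contract, payload, path=""):
    """Return a list of the ways `payload` breaks `contract`.

    Extra fields are allowed (additive changes are backward compatible);
    missing fields and changed types are reported.
    """
    problems = []
    for field, expected in contract.items():
        where = f"{path}{field}"
        if field not in payload:
            problems.append(f"{where}: missing")
        elif isinstance(expected, dict):
            if isinstance(payload[field], dict):
                problems.extend(violations(expected, payload[field], where + "."))
            else:
                problems.append(f"{where}: expected object")
        elif type(payload[field]) is not expected:
            got = type(payload[field]).__name__
            problems.append(f"{where}: expected {expected.__name__}, got {got}")
    return problems

# Constructed responses: one with an additive change, one with breaking changes.
ADDITIVE = {"id": 7, "name": "Login fails", "status": "open",
            "owner": {"id": 3, "login": "asmith"}, "priority": "high"}
BREAKING = {"id": "7", "name": "Login fails", "owner": "asmith"}

if __name__ == "__main__":
    print(violations(CONTRACT_V1, ADDITIVE))
    print(violations(CONTRACT_V1, BREAKING))
```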
Absolutely, I would recommend that you potentially combine API testing with UI testing so that you can load in data through the API and then check that it appears in the application correctly. You could use an automated UI tool such as Selenium to do this. However, Rapise from Inflectra can do both API and UI testing in the same test.
That's a loaded question. However, I would recommend tools such as Rapise, Postman, SoapUI, and some others:
Check our whitepaper - "What is API Testing?".
I have a whole separate presentation about load testing and security testing of APIs. Come to a future talk, and I'll be happy to share that with you.
However, in a nutshell, when you have APIs, you don't want to end up with a data breach because they are insecure, especially since they are easier to hack than a UI because they are so automatable. Also, for performance, if your API goes down, you may hobble hundreds of other websites and customers, which is potentially worse than if just one application is unavailable.
That is a good question. Assuming you are referring to REST APIs that are being called by the native app, you can use tools like Fiddler to spy on the network traffic from the mobile application. Unlike a browser, where you can just press F12 and use the Network tab to see the HTTP/HTTPS requests and inspect the payload, you will need to use a proxy to redirect the traffic and allow you to inspect what is sent between the mobile app and the server. There is a good article on Medium about this approach.
I agree there is a trade-off, but with good automated tests, it's not so bad. I would make your developers rewrite every plugin that needs to be changed if you don't maintain an old version; that, for us, has been a very good incentive. SpiraTeam, our flagship tool, has APIs that go back 15 years.
It still has an important function because otherwise, the systems connecting to your API may fail and not be detected. However, you could limit your testing to more 'happy path' cases, and you wouldn't need to worry about compatibility and contracts, so you could only have one version of the API to test. That way, the API could change, and you just update the tests and consuming applications in-house.
It makes sense; however, I think there could be value in testing that API calls result in the valid data being displayed in the UI and vice versa.
If you would like to learn more about APIs and API Testing, please check out our whitepaper on API testing.