‭E‬‭ND‬ ‭TO‬ ‭E‭N

‬ D‬ ‭API T‬‭ESTING‬ ‭&‬

‭I‬‭NTERVIEW‬ ‭Q‬‭UESTIONS‬
‭N‭O
‬ TES‬

‭End to End API Testing, Automation API Test With Cucumber, Mock Interview Question for API Testing for‬
‭Backend Engineer, SDET, Software Quality Engineer, Software Quality Assurance, Software Test Engineer, and‬
‭Test Engineer‬

‭Curated by Lamhot Siagian‬

‭PART 1:‬
‭Version 1.0‬

‭End to End API Testing‬

‭Automation API Test With Cucumber‬

‭Mock Interview Question for API Testing‬

‭Contact Information:‬

‭Email:‬‭[email protected]‬
‭ ite:‬‭https://lamhotjm.github.io‬
S
‭Linkedin:‬‭https://www.linkedin.com/in/lamhotsiagian‬
‭ ips or Buy me a coffee:‬‭https://buymeacoffee.com/lamhot‬
T
 ‭TABLE OF CONTENTS‬

‭ reface‬
P ‭‬
1
‭Introduction to APIs and API Testing‬ ‭3‬
‭Understanding APIs‬ ‭3‬
‭Importance of API Testing‬ ‭5‬
‭Types of APIs‬ ‭7‬
‭Overview of API Testing Techniques‬ ‭9‬
‭Common Interview Questions and Answers Related to Basic APIs‬ ‭11‬
‭Setting Up Your API Testing Environment‬ ‭14‬
‭Choose Your API Testing Tool‬ ‭14‬
‭1. Postman‬ ‭14‬
‭2. Insomnia‬ ‭14‬
‭3. Swagger UI‬ ‭15‬
‭4. SoapUI‬ ‭15‬
‭5. HTTPie‬ ‭15‬
‭6. Paw‬ ‭16‬
‭7. JMeter‬ ‭16‬
‭Install and Set Up the Tool‬ ‭17‬
‭1. Installing Postman‬ ‭17‬
‭2. Configuring Postman‬ ‭18‬
‭3. Organize Your Requests‬ ‭18‬
‭Using Collections‬ ‭18‬
‭4. Configure and Send Requests‬ ‭19‬
‭5. Validate Responses‬ ‭19‬
‭6. Documentation and Collaboration‬ ‭20‬
‭7. Advanced Features‬ ‭20‬
‭Common Interview Questions & Answers Related to API Test Tools‬ ‭21‬
‭Basic Questions‬ ‭21‬
‭Intermediate Questions‬ ‭21‬
‭Advanced Questions‬ ‭22‬
‭Practical Questions‬ ‭22‬
‭Troubleshooting Questions‬ ‭23‬
‭Integration Questions‬ ‭24‬

‭2‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Understanding API Requests and Responses‬ 2‭ 5‬

‭HTTP Methods‬ ‭25‬
‭1. GET‬ ‭25‬
‭2. POST‬ ‭26‬
‭3. PUT‬ ‭26‬
‭4. DELETE‬ ‭26‬
‭5. PATCH‬ ‭27‬
‭6. HEAD‬ ‭27‬
‭7. OPTIONS‬ ‭27‬
‭8. CONNECT‬ ‭27‬
‭9. TRACE‬ ‭28‬
‭Comparison of HTTP methods‬ ‭28‬
‭Request Headers and Parameters‬ ‭29‬
‭Request Headers‬ ‭29‬
‭Request Parameters‬ ‭29‬
‭Query Parameter‬ ‭30‬
‭Fragment Parameters‬ ‭31‬
‭Character Encoding‬ ‭31‬
‭Size Limits‬ ‭32‬
‭3.3. Response Codes and Their Meanings‬ ‭33‬
‭1xx Informational Responses‬ ‭33‬
‭2xx Success‬ ‭33‬
‭3xx Redirection‬ ‭34‬
‭4xx Client Errors‬ ‭34‬
‭5xx Server Errors‬ ‭35‬
‭How to Test HTTP Method‬ ‭37‬
‭Analyzing Response Body‬ ‭40‬
‭Common Interview Questions & Answers Related to API Request and Response‬ ‭41‬
‭Security Testing of APIs‬ ‭43‬
‭Types API security testing‬ ‭43‬
‭Dynamic Application Security Testing (DAST)‬ ‭43‬
‭Software Composition Analysis (SCA)‬ ‭43‬
‭Authentication‬ ‭43‬
‭Authorization‬ ‭44‬
‭Common API Security Risks‬ ‭45‬
‭4.3.Preparing for API Security Testing‬ ‭46‬
‭Steps to Follow for API Security Testing‬ ‭48‬
‭Step 1: Understanding API Endpoints‬ ‭48‬
‭Step 2: Authentication and Authorization Testing‬ ‭48‬
‭Step 3: Input Validation‬ ‭49‬

‭3‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ tep 4: Error Handling and Exception Management‬

S 5‭ 1‬
‭Step 5: Rate-limiting and Throttling‬ ‭52‬
‭Step 6: API Abuse and Security Testing Automation‬ ‭54‬
‭Step 7: Session Management Testing‬ ‭54‬
‭Step 8: Business Logic Testing‬ ‭55‬
‭Best Practices for API Security Testing‬ ‭56‬
‭Common Interview Questions and answers related to API security testing‬ ‭57‬
‭Authentication Testing‬ ‭57‬
‭Authorization Testing‬ ‭57‬
‭Input Validation Testing‬ ‭57‬
‭Rate Limiting and Throttling Testing‬ ‭58‬
‭Error Handling and Logging Testing‬ ‭58‬
‭Data Protection and Privacy Testing‬ ‭58‬
‭API Endpoint Testing‬ ‭59‬
‭Session Management Testing‬ ‭59‬
‭Business Logic Testing‬ ‭59‬
‭General Security Practices‬ ‭60‬
‭Writing Basic API Test Cases‬ ‭62‬
‭Best Practices To Write A Good Test Case‬ ‭62‬
‭Test Cases For API Functional Testing‬ ‭62‬
‭Introduction to Behavior-Driven Development (BDD)‬ ‭64‬
‭Writing Tests for CRUD Operations using BDD‬ ‭64‬
‭POST‬ ‭64‬
‭PUT‬ ‭65‬
‭GET‬ ‭66‬
‭PATCH‬ ‭68‬
‭DELETE‬ ‭69‬
‭Response Format Validation Using BDD‬ ‭71‬
‭Sorting Validation using BDD‬ ‭72‬
‭Pagination Validation Using BDD‬ ‭72‬
‭Authentication Handling Validation Using BDD‬ ‭72‬
‭Input Validation Using DDD‬ ‭74‬
‭Common Interview Questions and answers related to Writing Basic API Test Cases‬ ‭76‬
‭Questions and Answers on HTTP Methods (POST, PUT, GET, PATCH, DELETE)‬ ‭76‬
‭Questions and Answers on Response Format Validation‬ ‭77‬
‭Questions and Answers on Sorting Validation‬ ‭77‬
‭Questions and Answers on Pagination Validation‬ ‭77‬
‭Questions and Answers on Authentication Handling Validation‬ ‭77‬
‭Questions and Answers on Input Validation‬ ‭78‬
‭Questions and Answers on General API Testing‬ ‭78‬

‭4‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭ uestions and Answers on Specific Use Cases‬

Q 7‭ 9‬
‭Automating API Tests‬ ‭80‬
‭TestNG BDD API Testing‬ ‭80‬
‭Prerequisites‬ ‭80‬
‭Setting Up the Project‬ ‭80‬
‭Project Structure‬ ‭81‬
‭Writing Feature Files‬ ‭82‬
‭Writing Step Definitions‬ ‭83‬
‭Writing the Test Runner‬ ‭84‬
‭Running the Tests‬ ‭84‬
‭Common Interview Questions and Answers Related to Automation API Test‬ ‭85‬
‭How do you validate JSON response in BDD API testing?‬ ‭91‬
‭Performance Testing of APIs using JMeter‬ ‭94‬
‭Install Apache JMeter‬ ‭94‬
‭Install Java‬ ‭94‬
‭Download JMeter‬ ‭94‬
‭Install JMeter‬ ‭94‬
‭Set Up Environment Variables (Optional)‬ ‭94‬
‭Launch JMeter‬ ‭95‬
‭Verify Installation‬ ‭95‬
‭JMeter Components‬ ‭97‬
‭1. Test Plan‬ ‭97‬
‭2. Thread Group‬ ‭97‬
‭3. Samplers‬ ‭97‬
‭4. Logic Controllers‬ ‭98‬
‭5. Listeners‬ ‭98‬
‭6. Timers‬ ‭98‬
‭7. Assertions‬ ‭98‬
‭8. Configuration Elements‬ ‭99‬
‭9. Pre-Processors and Post-Processors‬ ‭99‬
‭10. Test Fragments‬ ‭99‬
‭Guide to Creating Performance Test Script‬ ‭99‬
‭Create a Test Plan‬ ‭99‬
‭Add a Thread Group‬ ‭100‬
‭Add an HTTP Request‬ ‭100‬
‭Add a Listener‬ ‭101‬
‭Run the Test‬ ‭102‬
‭Example Configuration‬ ‭102‬
‭Common Interview Questions and Answers Related to Performance Testing of APIs‬ ‭103‬
‭How do you simulate a heavy load in JMeter?‬ ‭104‬

‭5‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Organizing a test framework for API Testing‬ 1‭ 06‬

‭Project Structure‬ ‭106‬
‭Dependencies‬ ‭107‬
‭Configuration‬ ‭108‬
‭Exception Handling‬ ‭108‬
‭Models‬ ‭108‬
‭Utility Classes‬ ‭109‬
‭API client Util‬ ‭110‬
‭Authentication Util‬ ‭110‬
‭Logger Util‬ ‭110‬
‭Test Util‬ ‭111‬
‭Response Processor‬ ‭111‬
‭Feature File‬ ‭112‬
‭Step Definitions‬ ‭113‬
‭Test Runner‬ ‭113‬
‭Test Driver‬ ‭114‬
‭Common Interview Questions and Answers Related to Organizing a Test Framework‬ ‭115‬
‭General Framework Design‬ ‭115‬
‭Request and Response Handling‬ ‭115‬
‭Exception Handling‬ ‭115‬
‭Configurations‬ ‭116‬
‭User Authentication‬ ‭116‬
‭Processor and Models‬ ‭116‬
‭Test Assertions‬ ‭117‬
‭Logger‬ ‭117‬
‭Utilities‬ ‭117‬
‭Test Execution‬ ‭117‬
‭Continuous Integration and Continuous Deployment (CI/CD) with API Testing‬ ‭119‬
‭Introduction to CI/CD‬ ‭119‬
‭Importance of CI/CD for API Testing‬ ‭119‬
‭CD Tools‬ ‭120‬
‭Jenkins‬ ‭120‬
‭GitLab CI/CD‬ ‭120‬
‭AWS CodePipeline‬ ‭121‬
‭Travis CI‬ ‭121‬
‭CircleCI‬ ‭122‬
‭Bamboo‬ ‭123‬
‭GitHub Actions‬ ‭123‬
‭Step-by-Step Guide to Setting Up a Basic CI Pipeline with Maven and BDD‬ ‭124‬
‭1. Connecting to a VCS‬ ‭124‬

‭6‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭ . Setting Up Your Maven Project for BDD‬

2 1‭ 24‬
‭3. Creating Feature Files and Step Definitions‬ ‭126‬
‭4. Configuring the CI Pipeline‬ ‭128‬
‭Common Interview Questions and Answers Related to CI/CD‬ ‭130‬
‭Test Driven Development for Spring Micro Service with Cucumber‬ ‭134‬
‭Introduction to Test Driven Development (TDD)‬ ‭134‬
‭What is Test Driven Development (TDD)?‬ ‭134‬
‭Principles of TDD‬ ‭134‬
‭Benefits of TDD‬ ‭134‬
‭Overview of the TDD Cycle‬ ‭134‬
‭Introduction to Microservice‬ ‭135‬
‭Getting started with microservices using Spring Boot‬ ‭135‬
‭1. Setup Your Development Environment‬ ‭135‬
‭2. Create a Spring Boot Application‬ ‭135‬
‭3. Building Your First Microservice‬ ‭136‬
‭1. Set Up Your Spring Boot Application‬ ‭136‬
‭2. Create the User Entity‬ ‭137‬
‭3. Create the User Repository‬ ‭138‬
‭4. Create the User Service‬ ‭138‬
‭5. Create the User Controller‬ ‭139‬
‭6. Configure H2 Database‬ ‭140‬
‭7. Define the Application Class‬ ‭141‬
‭8. Run your app and make sure the app is running.‬ ‭142‬
‭Write BDD Tests‬ ‭144‬
‭1. Update your pom.xml‬ ‭144‬
‭2. Create a feature file src/test/resources/features/user.feature:‬ ‭144‬
‭3. Create Step Definitions‬ ‭145‬
‭4. Create Test Runner‬ ‭147‬
‭ eferences‬
R ‭148‬

‭7‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Preface‬

‭ elcome‬ ‭to‬ ‭End‬ ‭to‬ ‭End‬ ‭API‬‭Testing‬‭&‬‭Interview‬‭Questions‬‭Notes‬‭,‬‭a‬‭comprehensive‬‭guide‬‭designed‬‭to‬‭assist‬

W
‭you‬ ‭in‬ ‭mastering‬ ‭API‬ ‭testing‬ ‭and‬ ‭preparing‬ ‭for‬ ‭technical‬ ‭interviews‬ ‭in‬ ‭API‬ ‭testing‬ ‭roles.‬ ‭With‬ ‭the‬
‭increasing‬‭reliance‬‭on‬‭APIs‬‭in‬‭modern‬‭software‬‭architectures,‬‭understanding‬‭how‬‭to‬‭test‬‭APIs‬‭is‬‭becoming‬
‭more crucial than ever for QA professionals and software testers.‬

‭ his‬ ‭book‬ ‭is‬ ‭structured‬ ‭to‬ ‭provide‬ ‭both‬ ‭practical‬ ‭knowledge‬ ‭and‬ ‭insights‬ ‭into‬ ‭real-world‬ ‭API‬ ‭testing‬
T
‭scenarios.‬‭The‬‭chapters‬‭are‬‭meticulously‬‭organized‬‭to‬‭take‬‭you‬‭from‬‭the‬‭basics‬‭of‬‭API‬‭testing‬‭to‬‭advanced‬
‭topics such as security, performance testing, and automation. Here's a brief overview of the chapters:‬

‭1.‬ I‭ ntroduction to APIs and API Testing‬

‭Understand the fundamentals of APIs and the significance of testing in ensuring the reliability and‬
‭security of software applications.‬
‭2.‬ ‭Setting Up Your API Testing Environment‬
‭Learn how to configure and prepare your environment for efficient API testing, focusing on tools‬
‭and technologies.‬
‭3.‬ ‭Understanding API Requests and Responses‬
‭Gain a detailed understanding of API communication, including request methods, headers,‬
‭parameters, and response structures.‬
‭4.‬ ‭Security Testing of APIs‬
‭Explore key concepts in API security testing, such as authentication, authorization, and‬
‭vulnerability detection.‬
‭5.‬ ‭Writing Basic API Test Cases‬
‭Start writing your first API test cases, including functional and negative test cases.‬
‭6.‬ ‭Automating API Tests‬
‭Delve into automating API test cases with tools such as Cucumber and Maven, enabling fast and‬
‭consistent test execution.‬
‭7.‬ ‭Performance Testing of APIs using JMeter‬
‭Learn how to evaluate the performance and load capacity of your APIs using tools like JMeter.‬
‭8.‬ ‭Organizing a Test Framework for API Testing‬
‭Discover how to structure a scalable and maintainable API test framework, with practical tips on‬
‭test organization and data management.‬
‭9.‬ ‭Continuous Integration and Continuous Deployment (CI/CD) with API Testing‬
‭Explore how to integrate API testing into a CI/CD pipeline for rapid development cycles, using‬
‭tools such as GitHub Actions and Jenkins.‬
‭10.‬ ‭Test Driven Development for Spring Microservices with Cucumber‬
‭Get hands-on experience with TDD for microservices, learning how to write tests for Spring-based‬
‭APIs using Cucumber.‬

‭1‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Interview Preparation‬

‭ ach‬‭chapter‬‭contains‬‭a‬‭set‬‭of‬‭interview‬‭questions‬‭and‬‭sample‬‭answers,‬‭helping‬‭you‬‭prepare‬‭for‬‭API‬‭testing‬
E
‭roles‬ ‭in‬ ‭Backend‬ ‭Engineering,‬ ‭SDET‬ ‭(Software‬ ‭Development‬ ‭Engineer‬ ‭in‬ ‭Test),‬ ‭Software‬ ‭Quality‬
‭Assurance,‬ ‭and‬ ‭Test‬ ‭Engineering‬ ‭positions.‬ ‭These‬ ‭questions‬ ‭are‬ ‭inspired‬ ‭by‬ ‭my‬ ‭own‬ ‭experiences‬ ‭from‬
‭years of technical interviews in the United States and other resources.‬

‭ ver‬ ‭the‬ ‭past‬ ‭seven‬ ‭years,‬ ‭I've‬ ‭meticulously‬ ‭gathered‬ ‭notes‬ ‭and‬ ‭questions‬ ‭from‬ ‭each‬ ‭interview,‬
O
‭summarizing‬‭them‬‭into‬‭this‬‭guide.‬‭Whether‬‭you‬‭are‬‭a‬‭fresh‬‭graduate‬‭or‬‭an‬‭experienced‬‭tester,‬‭these‬‭notes‬
‭will‬‭help‬‭you‬‭solidify‬‭your‬‭understanding‬‭of‬‭key‬‭concepts‬‭while‬‭giving‬‭you‬‭the‬‭confidence‬‭to‬‭face‬‭any‬‭API‬
‭testing interview.‬

‭Who This Notes is For‬

‭This book is tailored for:‬

‭‬ E
● ‭ nd-to-end API testers seeking practical insights and automation tips‬
‭●‬ ‭QA professionals looking to enhance their API testing skills with Cucumber and Java‬
‭●‬ ‭Candidates preparing for backend testing roles, including SDET, Software Quality Engineers, and‬
‭Test Engineers‬
‭●‬ ‭Individuals seeking mock interview questions and answers to prepare for technical interviews‬

‭ PI‬ ‭testing‬ ‭has‬ ‭been‬ ‭increasingly‬ ‭recognized‬ ‭for‬ ‭its‬ ‭efficiency,‬ ‭flexibility,‬ ‭and‬ ‭integration‬ ‭capabilities,‬
A
‭making‬‭it‬‭a‬‭vital‬‭part‬‭of‬‭any‬‭software‬‭testing‬‭strategy.‬‭I‬‭hope‬‭this‬‭book‬‭helps‬‭you‬‭gain‬‭a‬‭strong‬‭foundation‬
‭in‬‭API‬‭testing,‬‭and‬‭I‬‭trust‬‭that‬‭the‬‭included‬‭interview‬‭questions‬‭and‬‭answers‬‭will‬‭be‬‭a‬‭valuable‬‭resource‬‭for‬
‭your career progression.‬

‭Happy learning, and good luck with your API testing journey!‬

‭Lamhot Siagian‬

‭Software Engineer in Test Consultant‬

‭2‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Chapter 1‬

‭Introduction to APIs and API Testing‬

‭Understanding APIs‬

‭ PIs‬ ‭(Application‬ ‭Programming‬ ‭Interfaces)‬ ‭is‬ ‭fundamental‬ ‭for‬ ‭modern‬ ‭software‬ ‭development,‬ ‭as‬ ‭they‬
A
‭enable‬‭different‬‭software‬‭systems‬‭to‬‭communicate‬‭with‬‭each‬‭other.‬‭Here’s‬‭a‬‭detailed‬‭overview‬‭to‬‭help‬‭you‬
‭understand what APIs are, how they work, and why they are important.‬

‭What is an API?‬

‭ n‬ ‭API,‬ ‭or‬ ‭application‬ ‭programming‬ ‭interface,‬ ‭is‬ ‭a‬ ‭set‬ ‭of‬ ‭rules‬ ‭or‬ ‭protocols‬ ‭that‬ ‭enables‬ ‭software‬
A
‭applications to communicate with each other to exchange data, features and functionality..‬

‭How Do APIs Work?‬

I‭ t’s‬ ‭useful‬ ‭to‬ ‭think‬ ‭about‬ ‭API‬ ‭communication‬ ‭in‬ ‭terms‬ ‭of‬ ‭a‬ ‭request‬ ‭and‬ ‭response‬ ‭between‬ ‭a‬ ‭client‬ ‭and‬
‭server.‬‭The‬‭application‬‭submitting‬‭the‬‭request‬‭is‬‭the‬‭client,‬‭and‬‭the‬‭server‬‭provides‬‭the‬‭response.‬‭The‬‭API‬‭is‬
‭the bridge establishing the connection between them.‬

‭ ‬ ‭simple‬ ‭way‬ ‭to‬ ‭understand‬ ‭how‬ ‭APIs‬ ‭work‬ ‭is‬ ‭to‬ ‭look‬ ‭at‬ ‭a‬ ‭common‬ ‭example—third-party‬ ‭payment‬
A
‭processing.‬‭When‬‭a‬‭user‬‭purchases‬‭a‬‭product‬‭on‬‭an‬‭e-commerce‬‭site,‬‭the‬‭site‬‭might‬‭prompt‬‭the‬‭user‬‭to‬‭“Pay‬
‭with PayPal” or another type of third-party system. This function relies on APIs to make the connection.‬

‭-‬ ‭ hen‬ ‭the‬ ‭buyer‬ ‭clicks‬ ‭the‬ ‭payment‬ ‭button,‬ ‭an‬ ‭API‬‭call‬‭is‬‭sent‬‭to‬‭retrieve‬‭information.‬‭This‬‭is‬‭the‬
W
‭request.‬‭This‬‭request‬‭is‬‭processed‬‭from‬‭an‬‭application‬‭to‬‭the‬‭web‬‭server‬‭through‬‭the‬‭API’s‬‭Uniform‬
‭Resource Identifier (URI) and includes a request verb, headers, and sometimes, a request body.‬
‭-‬ ‭After‬‭receiving‬‭a‬‭valid‬‭request‬‭from‬‭the‬‭product‬‭webpage,‬‭the‬‭API‬‭calls‬‭to‬‭the‬‭external‬‭program‬‭or‬
‭web server, in this case, the third-party payment system.‬
-‭ ‬ ‭The server sends a response to the API with the requested information.‬
‭-‬ ‭The API transfers the data to the initial requesting application, in this case, the product website‬‭1‬

‭Components of an API‬

‭ .‬
1 ‭ ndpoints‬‭: URLs that provide access to specific resources‬‭or functionalities.‬
E
‭2.‬ ‭Methods/HTTP Verbs‬‭: Actions that can be performed‬‭(e.g., GET, POST, PUT, DELETE).‬
‭3.‬ ‭Requests‬‭: Data sent by the client to the server.‬
‭4.‬ ‭Responses‬‭: Data sent back by the server to the client.‬
‭5.‬ ‭Headers‬‭: Metadata about the request or response (e.g.,‬‭authentication tokens, content type).‬

‭1‬
‭https://www.ibm.com/topics/api‬

‭3‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭6.‬ ‭Payload/Body‬‭: Data being sent with the request (typically in JSON or XML format).‬

‭Benefits of Using APIs‬

‭APIs offer significant benefits, including:‬

‭ .‬
1 ‭ utomation‬‭: Streamlines repetitive tasks, boosting‬‭productivity.‬
A
‭2.‬ ‭Innovation‬‭: Enables external teams to innovate by‬‭leveraging existing functionalities.‬
‭3.‬ ‭Security‬‭: Adds a layer of protection by requiring‬‭authentication and authorization.‬
‭4.‬ ‭Cost Efficiency‬‭: Reduces expenses by using third-party tools instead of developing in-house‬
‭systems.‬‭2‬

‭API Use Cases‬

‭1.‬ I‭ ntegration‬‭: Connecting different applications and‬‭services, such as integrating payment gateways‬
‭into e-commerce platforms.‬
‭2.‬ ‭Automation‬‭: Automating repetitive tasks, such as deploying‬‭code, managing resources, or data‬
‭synchronization.‬
‭3.‬ ‭Data Access‬‭: Providing access to data from different‬‭sources, such as retrieving weather data or‬
‭financial information.‬
‭4.‬ ‭Third-Party Services‬‭: Enabling third-party developers‬‭to build applications that interact with your‬
‭services, such as social media apps using Facebook or Twitter APIs.‬
‭5.‬ ‭Microservices Architecture‬‭: Facilitating communication‬‭between microservices in a distributed‬
‭system.‬

‭API Documentation‬

‭ ood‬ ‭API‬ ‭documentation‬ ‭is‬ ‭essential‬ ‭for‬ ‭developers‬ ‭to‬ ‭understand‬ ‭how‬ ‭to‬ ‭use‬ ‭the‬ ‭API‬ ‭effectively.‬ ‭It‬
G
‭typically includes:‬

‭ .‬
1 ‭ ndpoint Descriptions‬‭: Detailed information about‬‭available endpoints and their purposes.‬
E
‭2.‬ ‭HTTP Methods‬‭: The methods supported by each endpoint‬‭(e.g., GET, POST).‬
‭3.‬ ‭Parameters‬‭: Required and optional parameters for each‬‭endpoint.‬
‭4.‬ ‭Request and Response Formats‬‭: Examples of request‬‭payloads and expected responses.‬
‭5.‬ ‭Authentication‬‭: Information about authentication and‬‭authorization mechanisms.‬
‭6.‬ ‭Error Handling‬‭: Common error codes and messages, along‬‭with troubleshooting information.‬

‭2‬
‭https://www.postman.com/what-is-an-api/#benefits-of-apis‬

‭4‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Importance of API Testing‬

‭ PI‬ ‭testing‬ ‭is‬ ‭a‬ ‭crucial‬ ‭aspect‬ ‭of‬ ‭software‬ ‭development,‬ ‭offering‬ ‭numerous‬ ‭benefits‬ ‭and‬ ‭addressing‬ ‭key‬
A
‭challenges‬ ‭that‬ ‭can‬ ‭significantly‬ ‭impact‬ ‭the‬ ‭quality,‬ ‭reliability,‬ ‭and‬‭performance‬‭of‬‭software‬‭applications.‬
‭Here are the primary reasons why API testing is important:‬

‭1. Ensures Functionality‬

‭●‬ V ‭ erification of Requirements‬‭: API testing ensures‬‭that the API functions according to the specified‬
‭requirements. This involves checking that the endpoints are working correctly, the data is being‬
‭processed as expected, and the correct responses are returned.‬
‭●‬ ‭Detection of Errors Early‬‭: By testing APIs early in‬‭the development cycle, errors can be detected‬
‭and fixed before they become more difficult and costly to resolve.‬

‭2. Improves Reliability‬

‭●‬ C ‭ onsistent Performance‬‭: Regular API testing helps‬‭ensure that the API performs consistently‬
‭under various conditions, reducing the likelihood of unexpected failures in production‬
‭environments.‬
‭●‬ ‭Regression Testing‬‭: API tests can be automated and‬‭included in regression testing to ensure that‬
‭new changes do not break existing functionality.‬

‭3. Enhances Security‬

‭●‬ I‭ dentification of Vulnerabilities‬‭: API testing can‬‭reveal security vulnerabilities such as SQL‬
‭injection, cross-site scripting (XSS), and other common exploits.‬
‭●‬ ‭Validation of Authentication and Authorization‬‭: Ensures‬‭that security mechanisms like‬
‭authentication and authorization are working correctly, protecting sensitive data and functionality‬
‭from unauthorized access.‬

‭4. Boosts Performance‬

‭●‬ L ‭ oad and Stress Testing‬‭: API testing includes performance‬‭tests such as load and stress testing,‬
‭which help determine how well the API performs under heavy traffic and identify potential‬
‭bottlenecks.‬
‭●‬ ‭Scalability Assessment‬‭: Helps in assessing whether‬‭the API can scale effectively to handle‬
‭increased load as the user base grows.‬

‭5. Enhances User Experience‬

‭●‬ E ‭ nsures Smooth Integration‬‭: For APIs that are consumed‬‭by external developers or third-party‬
‭applications, thorough testing ensures that these integrations work smoothly, providing a better‬
‭user experience.‬
‭●‬ ‭Reduces Downtime‬‭: By identifying and resolving issues‬‭early, API testing helps reduce the chances‬
‭of downtime, ensuring that end-users experience fewer disruptions.‬

‭5‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭6. Facilitates Continuous Integration/Continuous Deployment (CI/CD)‬

‭●‬ A ‭ utomated Testing‬‭: API tests can be automated and integrated into CI/CD pipelines, providing‬
‭quick feedback to developers and ensuring that changes do not introduce new issues.‬
‭●‬ ‭Continuous Monitoring‬‭: Ongoing API testing helps monitor‬‭the API's health and performance‬
‭continuously, allowing for rapid response to issues.‬

‭7. Supports Development and Debugging‬

‭●‬ I‭ mproved Debugging‬‭: API tests provide detailed information‬‭about failures, making it easier for‬
‭developers to debug and resolve issues.‬
‭●‬ ‭Documentation and Clarity‬‭: Writing API tests often‬‭helps clarify the API's functionality and‬
‭expected behavior, which can improve the quality of documentation and assist other developers in‬
‭understanding how to use the API.‬

‭8. Reduces Costs‬

‭●‬ L ‭ ower Maintenance Costs‬‭: Identifying and fixing issues‬‭early in the development process reduces‬
‭the costs associated with post-release maintenance and support.‬
‭●‬ ‭Fewer Production Issues‬‭: Well-tested APIs are less‬‭likely to cause issues in production, leading to‬
‭reduced costs related to bug fixes and customer support.‬

‭9. Ensures Compliance and Standardization‬

‭●‬ A ‭ dherence to Standards‬‭: API testing ensures that the‬‭API complies with industry standards and‬
‭protocols, which is particularly important for APIs in regulated industries.‬
‭●‬ ‭Contract Testing‬‭: Validates that the API contracts‬‭(the agreed-upon schema and behavior between‬
‭API consumers and providers) are maintained, ensuring compatibility and reliability.‬

‭6‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Types of APIs‬

‭ PIs‬‭come‬‭in‬‭various‬‭forms,‬‭each‬‭with‬‭its‬‭own‬‭strengths‬‭and‬‭purposes.‬‭Understanding‬‭these‬‭differences‬‭is‬
A
‭essential‬‭for‬‭picking‬‭the‬‭right‬‭API‬‭for‬‭your‬‭project‬‭and‬‭ensuring‬‭your‬‭application‬‭is‬‭effective,‬‭scalable,‬‭and‬
‭reliable.‬‭Let’s‬‭look‬‭at‬‭the‬‭different‬‭types‬‭of‬‭APIs,‬‭exploring‬‭what‬‭makes‬‭each‬‭unique‬‭and‬‭how‬‭they‬‭fit‬‭into‬
‭modern software development.‬

‭This table provides a high-level overview of various API types, their descriptions, and examples.‬‭3‬

‭API type‬ ‭Description‬ ‭Examples‬

‭ ibrary-based‬
L ‭ art of software libraries,‬
P J‭ ava API for Android app development, .NET‬
‭APIs‬ ‭language-specific, range from basic‬ ‭libraries used in Windows applications‬
‭utilities to complex GUI components‬

‭ perating‬
O ‭ rovide interfaces for OS interaction,‬
P ‭ indows API for Windows OS interaction,‬
W
‭system APIs‬ ‭manage hardware resources and‬ ‭POSIX API for UNIX-like systems‬
‭processes‬

‭Database APIs‬ E
‭ nable interaction with database‬
‭management systems, facilitate data‬
‭querying and manipulation‬
‭ QL API for relational databases, Oracle’s‬
S
‭OCI for Oracle databases‬

‭ ardware‬
H ‭ llow communication with hardware‬
A I‭ oT device APIs for smart home systems,‬
‭APIs‬ ‭devices, direct control over hardware‬ ‭Printer APIs for document processing‬
‭functions‬

‭Cloud APIs‬ ‭ rovided by cloud service platforms,‬

P ‭ mazon Web Services (AWS) API, Microsoft‬
A
‭enable interaction with cloud-based‬ ‭Azure API for cloud-based solutions‬
‭resources and services‬

‭ TTP APIs‬
H ‭ acilitate client-server communication‬ W
F ‭ eb services, mobile apps, IoT devices, social‬
‭(web API)‬ ‭over the web, use standard HTTP‬ ‭media platforms, content management‬
‭methods, lightweight and flexible‬ ‭systems‬

‭ EST APIs‬
R ‭ se HTTP requests for data‬
U ‭ eb services accessible via the web, social‬
W
‭(web API)‬ ‭operations, stateless and separate‬ ‭media APIs, cloud services‬
‭client-server concerns‬

‭ OAP APIs‬
S ‭ se service interfaces to expose‬
U ‭ nterprise-level services like banking,‬
E
‭(web API)‬ ‭business logic, high security, suitable‬ ‭healthcare, where security and transactions‬
‭for enterprise-level organizations‬ ‭are critical‬

‭ raphQL‬
G ‭ lients request only needed data,‬
C ‭ omplex data-driven web and mobile‬
C
‭APIs (web‬ ‭reduce data transfer over the network,‬ ‭applications, ad-hoc queries by the client‬
‭API)‬ ‭support multiple responses in one‬
‭request‬

‭3‬
‭https://www.nylas.com/api-guide/types-of-apis/‬

‭7‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ pen APIs‬
O ‭ ccessible by third-party developers,‬
A ‭ witter API for tweets, Stripe API for‬
T
‭(public APIs)‬ ‭typically for external users, require‬ ‭payments, providing data or services to‬
‭API keys‬ ‭external developers‬

I‭ nternal APIs‬ ‭ esigned for internal use within an‬

D ‭ inking HR systems to internal employee‬
L
‭(private APIs)‬ ‭organization, enhance integration‬ ‭directories, improving internal efficiency and‬
‭between systems‬ ‭data security‬

‭Partner APIs‬ ‭ vailable to strategic business‬

A I‭ ntegration of supply chain systems, service‬
‭partners, require specific entitlements‬ ‭expansion to partners, creating revenue‬
‭channels, controlled data sharing with trusted‬
‭partners‬

‭ omposite‬
C ‭ ombine different data and service‬
C ‭ ggregating various services in a single call‬
A
‭APIs‬ ‭APIs, access multiple endpoints in one‬ ‭for smoother user experience, commonly used‬
‭call‬ ‭in microservices architectures‬

J‭ SON-RPC‬ ‭ ncode data as JSON or XML for‬

E ‭ emote procedure calls with simple‬
R
‭and XML-RPC‬ ‭remote procedure calls, send lists of‬ ‭request/response model, suitable for basic‬
‭APIs‬ ‭commands‬ ‭request/response scenarios‬

‭ ynchronous‬
S ‭ ynchronous: Request-response‬
S ‭ ynchronous: Essential data retrieval, web‬
S
‭and‬ ‭model, Asynchronous: Non-blocking,‬ ‭page loading, Asynchronous: Background‬
‭asynchronous‬ ‭no immediate response required‬ ‭tasks, real-time data streams‬

‭ ibrary-based‬
L ‭ art of software libraries,‬
P J‭ ava API for Android app development, .NET‬
‭APIs‬ ‭language-specific, range from basic‬ ‭libraries used in Windows applications‬
‭utilities to complex GUI components‬

‭8‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Overview of API Testing Techniques‬

‭1. Unit Testing‬

‭‬ O
● ‭ bjective‬‭: Test individual API components in isolation.‬
‭●‬ ‭Tools‬‭: JUnit (Java), NUnit (C#), pytest (Python).‬
‭●‬ ‭Description‬‭: Unit tests are typically written by developers‬‭to test the functionality of specific‬
‭methods or functions in the API, ensuring that each part works as intended.‬

‭2. Functional Testing‬

‭‬ O
● ‭ bjective‬‭: Verify that the API performs its intended‬‭functions correctly.‬
‭●‬ ‭Tools‬‭: Postman, SoapUI, REST Assured.‬
‭●‬ ‭Description‬‭: Functional tests validate the API against‬‭the functional requirements and‬
‭specifications. This includes testing endpoints, methods (GET, POST, PUT, DELETE), and responses.‬

‭3. Integration Testing‬

‭‬ O
● ‭ bjective‬‭: Ensure that the API interacts correctly‬‭with other components and systems.‬
‭●‬ ‭Tools‬‭: Postman, SoapUI, JUnit (with integration test‬‭configurations).‬
‭●‬ ‭Description‬‭: Integration tests evaluate the interactions‬‭between different parts of the API and other‬
‭services or databases to ensure that integrated parts work together as expected.‬

‭4. Performance Testing‬

‭‬ O
● ‭ bjective‬‭: Assess the API’s performance under various‬‭conditions.‬
‭●‬ ‭Tools‬‭: JMeter, LoadRunner, Gatling.‬
‭●‬ ‭Description‬‭: Performance tests include load testing‬‭(to check API behavior under expected load),‬
‭stress testing (to determine the API’s breaking point), and endurance testing (to evaluate‬
‭performance over an extended period).‬

‭5. Security Testing‬

‭‬ O
● ‭ bjective‬‭: Identify vulnerabilities and ensure the‬‭API is secure.‬
‭●‬ ‭Tools‬‭: OWASP ZAP, Burp Suite, Postman (with security‬‭extensions).‬
‭●‬ ‭Description‬‭: Security testing involves checking for‬‭common vulnerabilities like SQL injection,‬
‭cross-site scripting (XSS), and ensuring proper authentication and authorization mechanisms are in‬
‭place.‬

‭6. Usability Testing‬

‭‬ O
● ‭ bjective‬‭: Ensure the API is easy to use and well-documented.‬
‭●‬ ‭Tools‬‭: Swagger, Postman.‬
‭●‬ ‭Description‬‭: Usability testing focuses on the API’s‬‭user experience, ensuring that the‬
‭documentation is clear, the endpoints are intuitive, and error messages are helpful.‬

‭9‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭7. Validation Testing‬

‭‬ O
● ‭ bjective‬‭: Validate the API’s functionality, performance, and security comprehensively.‬
‭●‬ ‭Tools‬‭: Postman, SoapUI.‬
‭●‬ ‭Description‬‭: Validation testing ensures that the API‬‭meets the business requirements and‬
‭expectations, combining functional, performance, and security testing aspects.‬

‭8. Compliance Testing‬

‭‬ O
● ‭ bjective‬‭: Ensure the API complies with industry standards‬‭and regulations.‬
‭●‬ ‭Tools‬‭: Postman, SoapUI, custom scripts.‬
‭●‬ ‭Description‬‭: Compliance testing checks if the API‬‭adheres to legal and regulatory requirements,‬
‭such as GDPR, HIPAA, and other industry-specific standards.‬

‭9. Mocking and Virtualization‬

‭‬ O
● ‭ bjective‬‭: Test the API in isolated environments by‬‭simulating dependencies.‬
‭●‬ ‭Tools‬‭: WireMock, MockServer, Postman (mock servers).‬
‭●‬ ‭Description‬‭: Mocking and virtualization allow testers‬‭to simulate the behavior of the API’s‬
‭dependencies, enabling testing in scenarios where real dependencies are unavailable or difficult to‬
‭configure.‬

‭10. Regression Testing‬

‭‬ O
● ‭ bjective‬‭: Ensure new changes do not negatively affect‬‭existing functionality.‬
‭●‬ ‭Tools‬‭: Postman, SoapUI, automated test scripts.‬
‭●‬ ‭Description‬‭: Regression testing involves re-running‬‭previously conducted tests to verify that new‬
‭code changes have not introduced any new bugs or issues.‬

‭Best Practices for API Testing‬

‭‬
● ‭ utomation‬‭: Automate as many tests as possible to‬‭ensure efficiency and repeatability.‬
A
‭●‬ ‭Version Control‬‭: Keep track of API versions and ensure‬‭tests are updated accordingly.‬
‭●‬ ‭Environment Management‬‭: Use consistent environments‬‭for testing to avoid discrepancies.‬
‭●‬ ‭Data Management‬‭: Use realistic data for testing to‬‭uncover potential issues.‬
‭●‬ ‭Continuous Integration/Continuous Deployment (CI/CD)‬‭:‬‭Integrate API testing into the CI/CD‬
‭pipeline to catch issues early.‬

‭10‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Common Interview Questions and Answers Related to Basic APIs‬

‭1. What is an API?‬

‭ nswer:‬ ‭An‬ ‭API‬‭(Application‬‭Programming‬‭Interface)‬‭is‬‭a‬‭set‬‭of‬‭rules‬‭and‬‭protocols‬‭that‬‭allows‬‭different‬

A
‭software‬ ‭applications‬ ‭to‬ ‭communicate‬ ‭with‬ ‭each‬ ‭other.‬ ‭APIs‬ ‭define‬ ‭the‬ ‭methods‬ ‭and‬ ‭data‬ ‭formats‬ ‭that‬
‭applications can use to request and exchange information.‬

‭2. Can you explain the difference between REST and SOAP APIs?‬

‭Answer:‬

‭●‬ ‭REST (Representational State Transfer)‬‭:‬

‭○‬ ‭Uses standard HTTP methods (GET, POST, PUT, DELETE).‬
‭○‬ ‭Stateless, meaning each request from a client to a server must contain all the information‬
‭needed to understand and process the request.‬
‭○‬ ‭Typically uses JSON or XML for data interchange.‬
‭○‬ ‭It is easier to implement and more scalable for web services.‬
‭●‬ ‭SOAP (Simple Object Access Protocol)‬‭:‬
‭○‬ ‭A protocol-based approach that relies on XML for message format.‬
‭○‬ ‭Includes built-in error handling and supports more complex operations.‬
‭○‬ ‭Uses stricter standards and can work over several protocols (HTTP, SMTP, TCP).‬
‭○‬ ‭Generally more secure with built-in security features.‬

‭3. What are the main HTTP methods used in RESTful APIs and what are their purposes?‬

‭Answer:‬

‭‬
● ‭ ET‬‭: Retrieve data from the server.‬
G
‭●‬ ‭POST‬‭: Submit data to the server to create a new resource.‬
‭●‬ ‭PUT‬‭: Update an existing resource on the server.‬
‭●‬ ‭DELETE‬‭: Remove a resource from the server.‬
‭●‬ ‭PATCH‬‭: Apply partial modifications to a resource.‬

‭4. What is an API endpoint?‬

‭ nswer:‬‭An‬‭API‬‭endpoint‬‭is‬‭a‬‭specific‬‭URL‬‭that‬‭provides‬‭access‬‭to‬‭a‬‭particular‬‭resource‬‭or‬‭functionality‬‭of‬
A
‭the‬‭API.‬‭It‬‭represents‬‭one‬‭of‬‭the‬‭discrete‬‭units‬‭of‬‭interaction‬‭in‬‭an‬‭API‬‭and‬‭is‬‭typically‬‭a‬‭combination‬‭of‬‭the‬
‭base URL and a resource path.‬

‭5. Explain the concept of RESTful API statelessness.‬

‭ nswer:‬ ‭Statelessness‬ ‭in‬ ‭RESTful‬ ‭APIs‬‭means‬‭that‬‭each‬‭request‬‭from‬‭a‬‭client‬‭to‬‭a‬‭server‬‭must‬‭contain‬‭all‬

A
‭the‬ ‭information‬ ‭needed‬ ‭to‬ ‭understand‬ ‭and‬ ‭process‬ ‭the‬ ‭request.‬ ‭The‬ ‭server‬ ‭does‬‭not‬‭store‬‭any‬‭context‬‭or‬

‭11‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

s‭ ession‬ ‭information‬ ‭about‬ ‭the‬ ‭client‬ ‭between‬ ‭requests,‬ ‭making‬ ‭each‬ ‭request‬ ‭independent‬ ‭and‬
‭self-contained.‬

‭6. What is an API key and why is it used?‬

‭ nswer:‬‭An‬‭API‬‭key‬‭is‬‭a‬‭unique‬‭identifier‬‭used‬‭to‬‭authenticate‬‭a‬‭client‬‭accessing‬‭an‬‭API.‬‭It‬‭helps‬‭track‬‭and‬
A
‭control‬ ‭how‬ ‭the‬ ‭API‬ ‭is‬ ‭used,‬ ‭ensuring‬ ‭that‬ ‭only‬ ‭authorized‬ ‭users‬ ‭can‬ ‭make‬ ‭requests.‬ ‭API‬ ‭keys‬ ‭are‬
‭commonly used for security purposes to prevent misuse and limit the number of requests from a client.‬

‭7. What is CORS and why is it important in web APIs?‬

‭ nswer:‬ ‭CORS‬ ‭(Cross-Origin‬ ‭Resource‬ ‭Sharing)‬ ‭is‬ ‭a‬ ‭security‬ ‭feature‬ ‭implemented‬ ‭by‬ ‭web‬ ‭browsers‬ ‭to‬
A
‭prevent‬‭web‬‭pages‬‭from‬‭making‬‭requests‬‭to‬‭a‬‭different‬‭domain‬‭than‬‭the‬‭one‬‭that‬‭served‬‭the‬‭web‬‭page.‬‭It‬‭is‬
‭important‬ ‭in‬ ‭web‬‭APIs‬‭because‬‭it‬‭enables‬‭servers‬‭to‬‭specify‬‭who‬‭can‬‭access‬‭their‬‭resources,‬‭ensuring‬‭that‬
‭only trusted domains can make cross-origin requests.‬

‭8. What are some common status codes returned by APIs, and what do they mean?‬

‭Answer:‬

‭‬
● ‭ 00 OK‬‭: The request was successful.‬
2
‭●‬ ‭201 Created‬‭: A new resource was successfully created.‬
‭●‬ ‭204 No Content‬‭: The request was successful, but there‬‭is no content to return.‬
‭●‬ ‭400 Bad Request‬‭: The request was invalid or cannot‬‭be processed.‬
‭●‬ ‭401 Unauthorized‬‭: Authentication is required and has‬‭failed or not been provided.‬
‭●‬ ‭403 Forbidden‬‭: The server understands the request‬‭but refuses to authorize it.‬
‭●‬ ‭404 Not Found‬‭: The requested resource could not be‬‭found.‬
‭●‬ ‭500 Internal Server Error‬‭: An error occurred on the‬‭server side.‬

‭9. What is the purpose of API versioning and how can it be implemented?‬

‭ nswer:‬‭API‬‭versioning‬‭ensures‬‭that‬‭changes‬‭in‬‭the‬‭API‬‭do‬‭not‬‭break‬‭existing‬‭client‬‭applications.‬‭It‬‭allows‬
A
‭developers‬ ‭to‬ ‭introduce‬ ‭new‬ ‭features‬ ‭and‬‭improvements‬‭without‬‭disrupting‬‭the‬‭current‬‭functionality‬‭for‬
‭existing users. Versioning can be implemented in several ways:‬

‭‬ U
● ‭ RL Path: Including the version number in the URL (e.g., /v1/users).‬
‭●‬ ‭Query Parameters: Adding a version parameter in the query string (e.g., ?version=1).‬
‭●‬ ‭Headers: Using a custom header to specify the version (e.g., Accept:‬
‭application/vnd.myapi.v1+json).‬

‭10. What are the differences between synchronous and asynchronous API calls?‬

‭Answer:‬

‭●‬ ‭Synchronous API Calls‬‭:‬

‭12‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭‬ T
○ ‭ he client sends a request and waits for the server to respond.‬
‭○‬ ‭The client is blocked until the response is received.‬
‭○‬ ‭Simple and straightforward but can lead to inefficiencies if the server takes a long time to‬
‭respond.‬
‭ ‬ ‭Asynchronous API Calls‬‭:‬
●
‭○‬ ‭The client sends a request and continues processing other tasks.‬
‭○‬ ‭The client is notified (usually via a callback or promise) when the response is ready.‬
‭○‬ ‭More efficient for long-running operations, as it doesn't block the client.‬

‭11. What is rate limiting in APIs and why is it important?‬

‭Answer:‬‭Rate‬‭limiting‬‭is‬‭a‬‭mechanism‬‭to‬‭control‬‭the‬‭number‬‭of‬‭requests‬‭a‬‭client‬‭can‬‭make‬‭to‬‭an‬‭API‬‭within‬
‭ certain time period. It is important for:‬
a

‭●‬ P ‭ reventing Abuse‬‭: Protects the API from being overwhelmed‬‭by too many requests from a single‬
‭client.‬
‭●‬ ‭Ensuring Fair Usage‬‭: Ensures that all clients have‬‭fair access to the API.‬
‭●‬ ‭Maintaining Performance‬‭: Helps maintain the API's‬‭performance and availability by avoiding‬
‭excessive load.‬

‭12. Explain the concept of API throttling.‬

‭ nswer:‬ ‭API‬ ‭throttling‬ ‭is‬ ‭a‬ ‭technique‬ ‭used‬ ‭to‬ ‭control‬ ‭the‬ ‭usage‬ ‭of‬ ‭an‬ ‭API‬ ‭by‬ ‭limiting‬ ‭the‬ ‭number‬ ‭of‬
A
‭requests‬ ‭that‬ ‭can‬ ‭be‬ ‭made‬ ‭in‬ ‭a‬‭specific‬‭time‬‭frame.‬‭It‬‭helps‬‭in‬‭managing‬‭the‬‭load‬‭on‬‭the‬‭server,‬‭ensuring‬
‭service‬‭availability,‬‭and‬‭preventing‬‭abuse.‬‭Throttling‬‭can‬‭be‬‭implemented‬‭by‬‭setting‬‭a‬‭limit‬‭on‬‭the‬‭number‬
‭of requests per minute, hour, or day.‬

‭13‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Chapter 2‬

‭Setting Up Your API Testing Environment‬

‭Choose Your API Testing Tool‬

‭ anual‬‭API‬‭testing‬‭tools‬‭are‬‭designed‬‭to‬‭allow‬‭testers‬‭to‬‭interact‬‭with‬‭APIs‬‭in‬‭an‬‭intuitive,‬‭often‬‭graphical‬
M
‭interface,‬ ‭providing‬ ‭the‬ ‭capability‬ ‭to‬ ‭send‬‭requests,‬‭inspect‬‭responses,‬‭and‬‭validate‬‭functionality‬‭without‬
‭writing code. Here are some popular manual API testing tools along with their key features:‬

‭1. Postman‬

‭Postman‬‭is one of the most widely used tools for API‬‭testing.‬

‭Features:‬

‭‬ U
● ‭ ser-Friendly Interface‬‭: Intuitive interface for creating,‬‭saving, and organizing API requests.‬
‭●‬ ‭Support for Various HTTP Methods‬‭: Supports GET, POST,‬‭PUT, DELETE, PATCH, and more.‬
‭●‬ ‭Environment Variables‬‭: Allows setting up different‬‭environments (e.g., development, testing,‬
‭production) and switching between them easily.‬
‭●‬ ‭Collections‬‭: Organize requests into collections and‬‭folders.‬
‭●‬ ‭Automated Testing‬‭: Basic automated testing capabilities‬‭using JavaScript.‬
‭●‬ ‭Mock Servers‬‭: Create mock servers to simulate endpoints‬‭and responses.‬
‭●‬ ‭Collaboration‬‭: Team collaboration features to share‬‭collections and environments.‬

‭Website‬‭:‬‭Postman‬

‭2. Insomnia‬

‭Insomnia‬‭is another popular API client that emphasizes‬‭simplicity and ease of use.‬

‭Features:‬

‭‬
● ‭ imple Interface‬‭: Clean and straightforward interface‬‭for creating and managing requests.‬
S
‭●‬ ‭Environment Variables‬‭: Support for environment variables‬‭to manage different configurations.‬
‭●‬ ‭GraphQL Support‬‭: Native support for GraphQL queries‬‭and mutations.‬
‭●‬ ‭Plugins‬‭: Extend functionality with community plugins.‬
‭●‬ ‭Scripting‬‭: Pre-request scripts and response templating‬‭with Nunjucks.‬

‭Website‬‭:‬‭Insomnia‬

‭14‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭3. Swagger UI‬

‭Swagger UI‬‭allows you to visualize and interact with API documentation.‬

‭Features:‬

‭●‬ I‭ nteractive API Documentation‬‭: Automatically generate‬‭interactive API documentation from‬

‭OpenAPI specifications.‬
‭●‬ ‭Try It Out‬‭: Provides an interface to send requests‬‭directly from the documentation.‬
‭●‬ ‭Customization‬‭: Customizable look and feel.‬

‭Website‬‭: Swagger UI‬

‭4. SoapUI‬

‭SoapUI‬‭is a comprehensive tool for testing SOAP and‬‭RESTful APIs.‬

‭Features:‬

‭‬
● ‭ xtensive Protocol Support‬‭: Supports REST, SOAP, GraphQL,‬‭and other protocols.‬
E
‭●‬ ‭Data-Driven Testing‬‭: Supports data-driven testing‬‭using various data sources.‬
‭●‬ ‭Assertions‬‭: Rich set of assertions for validating‬‭responses.‬
‭●‬ ‭Automation‬‭: Scripting support with Groovy.‬
‭●‬ ‭Load Testing‬‭: Built-in capabilities for performance‬‭and load testing.‬

‭Website‬‭:‬‭SoapUI‬

‭5. HTTPie‬

‭ TTPie‬ ‭is‬ ‭a‬ ‭command-line‬ ‭HTTP‬ ‭client‬ ‭designed‬ ‭to‬ ‭make‬ ‭CLI‬ ‭interaction‬ ‭with‬ ‭web‬ ‭services‬ ‭as‬
H
‭human-friendly as possible.‬

‭Features:‬

‭‬
● ‭ ser-Friendly CLI‬‭: Simple syntax for making requests‬‭and viewing responses.‬
U
‭●‬ ‭JSON Support‬‭: Automatically formats JSON responses.‬
‭●‬ ‭Plugins‬‭: Extensible with plugins.‬
‭●‬ ‭Scripting‬‭: Suitable for inclusion in shell scripts‬‭for automated testing.‬

‭Website‬‭:‬‭HTTPie‬

‭15‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭6. Paw‬

‭Paw‬‭is a full-featured API client for Mac.‬

‭Features:‬

‭‬
● ‭ ac Integration‬‭: Explicitly designed for macOS, with‬‭native look and feel.‬
M
‭●‬ ‭Environment Variables‬‭: Support for environments and‬‭variables.‬
‭●‬ ‭Extensions‬‭: Create custom Paw extensions using JavaScript.‬
‭●‬ ‭Response Rendering‬‭: View responses in various formats‬‭(e.g., JSON, XML, HTML).‬

‭Website‬‭:‬‭Paw‬

‭7. JMeter‬

J‭ Meter,‬ ‭an‬ ‭open-source‬ ‭project,‬ ‭is‬ ‭renowned‬ ‭for‬ ‭its‬ ‭performance‬ ‭testing‬ ‭capabilities,‬ ‭though‬ ‭it‬ ‭also‬
‭effortlessly‬ ‭accommodates‬ ‭API‬ ‭testing.‬ ‭It‬ ‭features‬ ‭a‬ ‭user-friendly‬ ‭interface‬ ‭that‬ ‭simplifies‬ ‭the‬ ‭creation‬‭of‬
‭complex tests.‬

‭Features of JMeter:‬

‭●‬ E ‭ asy‬‭to‬‭set‬‭up:‬‭Setting‬‭up‬‭JMeter‬‭is‬‭straightforward.‬‭It‬‭just‬‭requires‬‭downloading‬‭the‬‭JMeter‬‭jar‬‭to‬
‭start testing.‬
‭●‬ ‭Open-source‬‭:‬ ‭Being‬‭open‬‭source,‬‭JMeter‬‭offers‬‭all‬‭its‬‭features‬‭for‬‭free,‬‭making‬‭it‬‭an‬‭accessible‬‭tool‬
‭for everyone.‬
‭●‬ ‭Powerful‬ ‭CLI‬ ‭tool:‬ ‭Beyond‬ ‭its‬ ‭UI,‬ ‭JMeter‬ ‭can‬ ‭execute‬ ‭tests‬ ‭via‬ ‭its‬ ‭command-line‬ ‭interface,‬
‭providing users extensive options, including reporting functionalities.‬
‭●‬ ‭Extensible:‬ ‭The‬ ‭tool's‬ ‭capabilities‬ ‭can‬ ‭be‬ ‭expanded‬ ‭through‬ ‭numerous‬ ‭plugins,‬ ‭which‬ ‭users‬ ‭can‬
‭easily download and integrate.‬
‭●‬ ‭Multiple‬ ‭operating‬ ‭systems‬ ‭support:‬ ‭As‬ ‭a‬ ‭Java‬ ‭(jar)‬ ‭application,‬ ‭JMeter‬ ‭is‬ ‭compatible‬ ‭with‬ ‭any‬
‭operating system that supports Java, broadening its usability.‬

‭Pricing:‬

J‭ Meter‬ ‭is‬ ‭an‬ ‭open-source‬ ‭tool;‬ ‭hence,‬ ‭it‬ ‭is‬‭available‬‭for‬‭free.‬‭Users‬‭can‬‭leverage‬‭all‬‭of‬‭its‬‭features‬‭without‬

‭cost, making it an economical choice for individuals and small organizations.‬

‭Who′s It For?‬

J‭ Meter‬ ‭is‬ ‭suitable‬ ‭for‬ ‭developers‬ ‭and‬ ‭testers‬ ‭who‬ ‭require‬ ‭a‬ ‭robust‬ ‭performance‬ ‭and‬ ‭API‬ ‭testing‬ ‭tool.‬‭Its‬
‭extensibility‬ ‭and‬ ‭support‬ ‭for‬ ‭multiple‬ ‭operating‬ ‭systems‬ ‭make‬ ‭it‬ ‭a‬ ‭versatile‬ ‭choice‬ ‭for‬ ‭many‬ ‭users.‬
‭However,‬ ‭due‬ ‭to‬ ‭its‬ ‭complexity‬ ‭and‬ ‭high‬ ‭memory‬ ‭consumption,‬ ‭it‬ ‭might‬ ‭be‬ ‭more‬ ‭suited‬ ‭for‬ ‭those‬‭with‬
‭more experience in testing or those willing to invest time in learning the tool.‬

‭16‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Install and Set Up the Tool‬

‭We'll use Postman for this guide due to its widespread use and comprehensive features.‬

‭1. Installing Postman‬

‭ .‬ D
1 ‭ ownload Postman‬‭from the official website:‬‭Postman‬‭Download.‬
‭2.‬ ‭Install‬‭the application by following the installation instructions for your operating system‬
‭(Windows, macOS, Linux).‬
‭3.‬ ‭Sign up‬‭for a Postman account (optional but recommended‬‭for saving and syncing your work).‬

‭Install the Postman CLI‬‭4‬

‭ ou can download and install the Postman CLI manually or programmatically (with a script or the‬
Y
‭command line).‬

‭System requirements‬

‭ he Postman CLI supports the exact operating system requirements as the Postman desktop app. For a‬
T
‭complete list of system requirements, see Installing and updating Postman.‬

‭Windows installation‬

‭ un the following commands to install the Postman CLI for Windows. This will download an install script‬
R
‭and run it. The install script creates a %USERPROFILE%\AppData\Local\Microsoft\WindowsApps‬
‭directory if it doesn't exist yet, then installs a postman binary there.‬

‭ owershell.exe -NoProfile -InputFormat None -ExecutionPolicy AllSigned -Command‬

p
‭"[System.Net.ServicePointManager]::SecurityProtocol = 3072; iex ((New-Object‬
‭System.Net.WebClient).DownloadString('https://dl-cli.pstmn.io/install/win64.ps1'))"‬

‭Mac (Apple silicon) installation‬

‭ un the following command to install the Postman CLI for Macs with an Apple silicon processor. This will‬
R
‭download an install script and run it. The install script creates a‬‭/usr/local/bin‬‭directory if it doesn't‬‭exist‬
‭yet, then installs a postman binary there.‬

‭Copycurl -o- "https://dl-cli.pstmn.io/install/osx_arm64.sh" | sh‬

‭Mac (Intel) installation‬

‭ un the following command to install the Postman CLI for Macs with Intel chips. This will download an‬
R
‭install script and run it. The install script creates a‬‭/usr/local/bin‬‭directory if it doesn't exist yet,‬‭then installs‬
‭a postman binary there.‬

‭4‬
‭https://learning.postman.com/docs/postman-cli/postman-cli-installation/‬

‭17‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Copycurl -o- "https://dl-cli.pstmn.io/install/osx_64.sh" | sh‬

‭Linux installation‬

‭ un the following command to install the Postman CLI for the latest Linux version. This will download an‬
R
‭install script and run it. The install script creates a /usr/local/bin directory if it doesn't exist yet, then‬
‭installs a postman binary there.‬

‭Copycurl -o- "https://dl-cli.pstmn.io/install/linux64.sh" | sh‬

‭Update your CLI installation‬

‭ o update your Postman CLI installation to the latest version, run the same command you used to install.‬
T
‭The new version will overwrite the earlier version.‬

‭2. Configuring Postman‬

‭ .‬ O
1 ‭ pen Postman‬‭.‬
‭2.‬ ‭Create a New Workspace‬‭:‬
‭○‬ ‭Click on your workspace name in the top left.‬
‭○‬ ‭Select "Create Workspace".‬
‭○‬ ‭Name your workspace and provide a description (optional).‬
‭○‬ ‭Choose the visibility (Personal, Team, Public).‬
‭3.‬ ‭Set Up Environments‬‭:‬
‭○‬ ‭Click on the gear icon in the top right corner and select "Manage Environments".‬
‭○‬ ‭Click "Add" to create a new environment.‬
‭‬ A
○ baseUrl‬
‭ dd variables such as‬‭ apiKey‬
‭,‬‭ ‭, etc.‬
‭○‬ ‭Save the environment.‬

‭3. Organize Your Requests‬

‭Using Collections‬

‭1.‬ ‭Create a New Collection‬‭:‬

‭○‬ ‭Click on the Collections tab on the left sidebar.‬
‭○‬ ‭Click "New Collection".‬
‭○‬ ‭Name your collection and add a description (optional).‬
‭2.‬ ‭Add Requests to the Collection‬‭:‬
‭○‬ ‭Click on your collection.‬
‭○‬ ‭Click "Add Request".‬
‭○‬ ‭Name your request and specify the HTTP method (GET, POST, etc.).‬

‭18‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭○‬ ‭Enter the request URL using environment variables if needed (e.g.,‬
‭{baseUrl}}/endpoint‬
{ ‭).‬
‭3.‬ ‭Organize Requests‬‭:‬
‭○‬ ‭Create folders within collections to group related requests.‬
‭○‬ ‭Drag and drop requests into folders for better organization.‬

‭4. Configure and Send Requests‬

‭1.‬ ‭Set Up Request Headers‬‭:‬

‭○‬ ‭Click on the "Headers" tab in the request editor.‬
‭○‬ ‭Add necessary headers, such as Content-Type, Authorization, etc.‬
‭○‬ ‭Use environment variables for dynamic values (e.g., {{apiKey}}).‬
‭2.‬ ‭Set Up Request Body‬‭(for POST, PUT, PATCH requests):‬
‭○‬ ‭Click on the "Body" tab.‬
‭○‬ ‭Choose the appropriate format (raw, form-data, x-www-form-urlencoded).‬
‭○‬ ‭Enter the request payload. Select "raw" and "JSON" for JSON payloads and input the JSON‬
‭data.‬
‭3.‬ ‭Send the Request‬‭:‬
‭○‬ ‭Click the "Send" button.‬
‭○‬ ‭Review the response in the "Response" section, which includes the status code, headers, and‬
‭body.‬

‭5. Validate Responses‬

‭1.‬ C ‭ heck Status Codes‬‭: Ensure the API returns the expected‬‭HTTP status code (e.g., 200 for success,‬
‭404 for not found).‬
‭2.‬ ‭Validate Response Body‬‭:‬
‭○‬ ‭Check that the response body contains the expected data.‬
‭○‬ ‭Use Postman’s built-in JSON viewer for easy navigation.‬
‭3.‬ ‭Use Tests for Validation‬‭:‬
‭○‬ ‭Click on the "Tests" tab in the request editor.‬
‭○‬ ‭Write JavaScript code to perform assertions on the response.‬

‭Example:‬

‭pm.test("Status code is 200", function () {‬

‭pm.response.to.have.status(200);‬
‭});‬
‭pm.test("Response body has userId", function () {‬
‭var jsonData = pm.response.json();‬
‭pm.expect(jsonData).to.have.property("userId");‬
‭});‬

‭19‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭6. Documentation and Collaboration‬

‭1.‬ ‭Document Your API‬‭:‬

‭○‬ ‭Add detailed descriptions to your requests and collections.‬
‭○‬ ‭Use Markdown in descriptions for better formatting.‬
‭2.‬ ‭Share Collections‬‭:‬
‭○‬ ‭Click on the ellipsis (three dots) next to your collection.‬
‭○‬ ‭Select "Share Collection".‬
‭○‬ ‭Share via a link, export to a file, or use Postman’s built-in collaboration features if you’re in a‬
‭team workspace.‬

‭7. Advanced Features‬

‭1.‬ E ‭ nvironment and Global Variables‬‭: Manage different environments (e.g., development, staging,‬
‭production) using environment variables. Define global variables for values that are used across‬
‭multiple environments.‬
‭2.‬ ‭Pre-Request Scripts‬‭: Write JavaScript code to execute‬‭before a request is sent. Useful for setting‬
‭dynamic variables.‬
‭3.‬ ‭Mock Servers‬‭: Create mock servers to simulate API‬‭endpoints and responses.‬

‭20‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Common Interview Questions & Answers Related to API Test Tools‬

‭ ere‬‭are‬‭common‬‭interview‬‭questions‬‭related‬‭to‬‭manual‬‭API‬‭testing‬‭tools,‬‭along‬‭with‬‭brief‬‭answers‬‭to‬‭help‬
H
‭you prepare for interviews:‬

‭Basic Questions‬

‭1.‬ ‭What is Postman?‬

‭ ostman is a popular API development and testing tool that allows users to create, test, document,‬
P
‭and share APIs.‬

‭2.‬ ‭How do you install Postman?‬

‭ ou can install Postman by downloading it from the Postman website and following the installation‬
Y
‭instructions for your operating system.‬

‭3.‬ ‭What is a Postman Collection?‬

‭ collection in Postman is a group of related API requests that can be organized into folders and‬
A
‭subfolders. It helps in organizing and managing your API tests efficiently.‬

‭4.‬ ‭How do you create a new request in Postman?‬

‭ lick on the "New" button, select "Request," enter a request name, and specify the HTTP method‬
C
‭and URL.‬

‭5.‬ ‭What HTTP methods can you use in Postman?‬

‭ ostman supports all standard HTTP methods, including GET, POST, PUT, DELETE, PATCH,‬
P
‭HEAD, OPTIONS.‬

‭Intermediate Questions‬

‭6.‬ ‭How do you manage environments in Postman?‬

‭Click the gear icon, select "Manage Environments," and create new environments by defining‬
baseUrl‬
‭variables like‬‭ apiKey‬
‭,‬‭ ‭, etc.‬

‭7.‬ ‭What are environment variables in Postman?‬

‭ nvironment variables are placeholders for values that can change depending on the environment‬
E
‭(e.g., development, staging, production). They make requests reusable across different‬
‭environments.‬

‭8.‬ ‭How do you add headers to a request in Postman?‬

‭21‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭In the request editor, go to the "Headers" tab and add key-value pairs for headers such as‬
Content-Type‬
‭ Authorization‬
‭,‬‭ ‭, etc.‬

‭9.‬ ‭How do you handle authentication in Postman?‬

‭ se the "Authorization" tab in the request editor to set up authentication mechanisms like Basic‬
U
‭Auth, Bearer Token, OAuth, API Key, etc.‬

‭10.‬ ‭What is the use of the "Tests" tab in Postman?‬

‭ he "Tests" tab allows you to write JavaScript code to perform assertions on the response, validate‬
T
‭data, and automate test scripts.‬

‭Advanced Questions‬

‭11.‬ ‭How do you use Postman for automated testing?‬

‭ rite test scripts in the "Tests" tab and use the Postman CLI tool, Newman, to run collections from‬
W
‭the command line for automated testing.‬

‭12.‬ ‭What is Newman?‬

‭ ewman is a command-line collection runner for Postman, allowing you to run and test Postman‬
N
‭collections directly from the CLI.‬

‭13.‬ ‭How do you run a collection in Newman?‬

‭Install Newman using‬

npm install -g newman‬

‭

‭then run a collection using‬

newman run <collection-file>.‬

‭

‭14.‬ ‭How do you use pre-request scripts in Postman?‬

‭ se the "Pre-request Script" tab to write JavaScript code that executes before the request is sent,‬
U
‭helpful in setting dynamic variables and pre-request logic.‬

‭15.‬ ‭What are Postman variables?‬

‭ ariables in Postman can be defined at different scopes: global, environment, collection, and local.‬
V
‭They store values that can be reused in requests and scripts.‬

‭Practical Questions‬

‭22‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭16.‬ ‭How do you export a Postman collection?‬

‭Click on the collection, select "Export," and choose the format (v2.1 or v2.0) to save it as a JSON file.‬

‭17.‬ ‭How do you import a collection into Postman?‬

‭ lick on the "Import" button, select the file or paste the raw text of the collection JSON, and import‬
C
‭it.‬

‭18.‬ ‭What is a Postman monitor?‬

‭ ostman monitors are automated runs of your Postman collections at scheduled intervals to check‬
P
‭the performance and health of your APIs.‬

‭19.‬ ‭How do you create a mock server in Postman?‬

‭ avigate to the "Mock Server" section, create a new mock server, and associate it with an existing‬
N
‭collection to simulate endpoints and responses.‬

‭20.‬ ‭How can you document APIs using Postman?‬

‭ dd detailed descriptions to requests and collections, use Markdown for formatting, and generate‬
A
‭documentation using Postman's built-in documentation feature.‬

‭Troubleshooting Questions‬

‭21.‬ ‭How do you debug a failing request in Postman?‬

‭ heck the response status code, headers, and body. Use console logs in test scripts and the Postman‬
C
‭console to debug issues.‬

‭22.‬ ‭What are some common HTTP status codes you might encounter?‬

‭ ommon status codes include 200 OK, 201 Created, 400 Bad Request, 401 Unauthorized, 403‬
C
‭Forbidden, 404 Not Found, and 500 Internal Server Error.‬

‭23.‬ ‭How do you handle dynamic data in Postman?‬

‭ se pre-request scripts and environment variables to generate and store dynamic data, such as‬
U
‭timestamps or random values.‬

‭24.‬ ‭How do you validate the structure of a JSON response?‬

‭ rite JavaScript test scripts to check if the response body contains the expected JSON structure and‬
W
‭values.‬

‭25.‬ ‭What is the difference between global and environment variables in Postman?‬

‭23‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ lobal variables are available across all collections and environments, while environment variables‬
G
‭are specific to a particular environment.‬

‭Integration Questions‬

‭26.‬ ‭How do you integrate Postman with CI/CD pipelines?‬

‭ se Newman to run Postman collections in CI/CD pipelines by integrating it with tools like‬
U
‭Jenkins, GitLab CI, Travis CI, etc.‬

‭27.‬ ‭What is the purpose of the Postman API?‬

‭ he Postman API allows you to programmatically access and manage Postman resources, such as‬
T
‭collections, environments, and monitors.‬

‭28.‬ ‭How do you handle rate limiting in Postman?‬

I‭ mplement delay logic in test scripts or pre-request scripts to wait between requests, or configure‬
‭Postman monitors to run at intervals within the rate limits.‬

‭29.‬ ‭How can you share Postman collections with your team?‬

‭ hare collections by generating a shareable link, exporting the collection file, or using Postman’s‬
S
‭built-in team workspaces for collaboration.‬

‭30.‬ ‭What are Postman workspaces, and how do they help in collaboration?‬

‭ orkspaces in Postman are collaborative spaces where team members can share collections,‬
W
‭environments, and other resources, making it easier to work together on API development and‬
‭testing.‬

‭24‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Chapter 3‬

‭Understanding API Requests and Responses‬

‭HTTP Methods‬

‭ EST‬ ‭stands‬ ‭for‬ ‭Representational‬ ‭State‬ ‭Transfer‬ ‭and‬ ‭is‬‭an‬‭architectural‬‭pattern‬‭for‬‭creating‬‭web‬‭services.‬

R
‭Web‬‭services‬‭that‬‭adhere‬‭to‬‭REST‬‭principles‬‭are‬‭known‬‭as‬‭RESTful‬‭web‬‭services.‬‭These‬‭services‬‭are‬‭widely‬
‭used‬ ‭by‬ ‭application‬ ‭developers‬ ‭due‬ ‭to‬ ‭their‬ ‭simplicity‬ ‭in‬ ‭enabling‬ ‭communication‬ ‭between‬ ‭servers‬ ‭on‬
‭different machines.‬

‭ EST‬‭facilitates‬‭easy‬‭data‬‭sharing‬‭between‬‭clients‬‭and‬‭servers.‬‭RESTful‬‭applications‬‭utilize‬‭HTTP‬‭methods‬
R
‭such as GET, POST, DELETE, and PUT to perform CRUD (Create, Read, Update, Delete) operations.‬

‭ y‬ ‭now,‬ ‭you‬ ‭should‬ ‭understand‬ ‭how‬ ‭the‬ ‭HTTP‬ ‭protocol‬ ‭operates,‬ ‭including‬‭the‬‭various‬‭HTTP‬‭methods‬
B
‭and‬ ‭their‬ ‭appropriate‬ ‭uses.‬ ‭This‬ ‭section‬ ‭will‬ ‭delve‬ ‭deeper‬‭into‬‭each‬‭process,‬‭starting‬‭with‬‭GET,‬‭the‬‭most‬
‭commonly used HTTP method. So, let's dive in!‬

‭1. GET‬

‭‬ P
● ‭ urpose:‬‭Retrieve data from a server.‬
‭●‬ ‭Usage:‬‭Requests data from a specified resource.‬
‭●‬ ‭Idempotent:‬‭Yes, calling GET multiple times does not‬‭change the resource state.‬

‭25‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭2. POST‬

‭‬ P
● ‭ urpose:‬‭Send data to the server to create a new resource.‬
‭●‬ ‭Usage:‬‭Submits data to be processed to a specified resource, often causing a change in state or side‬
‭effects on the server.‬
‭●‬ ‭Idempotent:‬‭No, multiple POST requests may result‬‭in multiple resource creations.‬

‭3. PUT‬

‭‬ P
● ‭ urpose:‬‭Update or replace an existing resource or‬‭create a new one if it does not exist.‬
‭●‬ ‭Usage:‬‭Sends data to a specified resource, often replacing‬‭the resource entirely.‬
‭●‬ ‭Idempotent:‬‭Yes, multiple PUT requests with the same‬‭data result in the same resource state.‬

‭4. DELETE‬

‭‬ P
● ‭ urpose:‬‭Remove a specified resource from the server.‬
‭●‬ ‭Usage:‬‭Deletes the specified resource.‬
‭●‬ ‭Idempotent:‬‭Yes, deleting a resource multiple times‬‭has the same effect as deleting it once.‬

‭26‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭5. PATCH‬

‭‬ P
● ‭ urpose:‬‭Apply partial modifications to a resource.‬
‭●‬ ‭Usage:‬‭Sends partial data to update an existing resource.‬
‭●‬ ‭Idempotent:‬‭Yes, applying the same PATCH multiple‬‭times will result in the same state.‬

‭6. HEAD‬

‭‬ P
● ‭ urpose:‬‭Retrieve headers for a resource, similar‬‭to GET but without the response body.‬
‭●‬ ‭Usage:‬‭Used to obtain metadata about a resource, such‬‭as headers.‬
‭●‬ ‭Idempotent:‬‭Yes, calling HEAD multiple times does‬‭not change the resource state.‬

‭7. OPTIONS‬

‭‬ P
● ‭ urpose:‬‭Describe the communication options for the‬‭target resource.‬
‭●‬ ‭Usage:‬‭Used to determine the HTTP methods and other‬‭options supported by a web server.‬
‭●‬ ‭Idempotent:‬‭Yes, it does not change the resource state.‬

‭8. CONNECT‬

‭●‬ ‭Purpose:‬‭Establish a tunnel to the server identified‬‭by the target resource.‬

‭27‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭●‬ U ‭ sage:‬‭Mainly used for tunneling, such as establishing a VPN or SSL connection through an HTTP‬
‭proxy.‬
‭●‬ ‭Idempotent:‬‭Yes, it establishes a connection but does not change the resource state.‬

‭9. TRACE‬

‭‬ P
● ‭ urpose:‬‭Perform a message loop-back test along the‬‭path to the target resource.‬
‭●‬ ‭Usage:‬‭Used for diagnostic purposes to trace the path‬‭of a request.‬
‭●‬ ‭Idempotent:‬‭Yes, it is a diagnostic method and does‬‭not alter the resource state.‬

‭Comparison of HTTP methods‬‭5‬

‭ equest‬
R ‭RFC‬ ‭ equest has‬
R ‭ esponse has‬
R ‭Safe‬ ‭Idempotent‬ ‭Cacheable‬
‭method‬ ‭payload body‬ ‭payload body‬

‭GET‬ ‭RFC‬‭9110‬ ‭Optional‬ ‭Yes‬ ‭Yes‬ ‭Yes‬ ‭Yes‬

‭HEAD‬ ‭RFC‬‭9110‬ ‭Optional‬ ‭No‬ ‭Yes‬ ‭Yes‬ ‭Yes‬
‭POST‬ ‭RFC‬‭9110‬ ‭Yes‬ ‭Yes‬ ‭No‬ ‭No‬ ‭Yes‬
‭PUT‬ ‭RFC‬‭9110‬ ‭Yes‬ ‭Yes‬ ‭No‬ ‭Yes‬ ‭No‬
‭DELETE‬ ‭RFC‬‭9110‬ ‭Optional‬ ‭Yes‬ ‭No‬ ‭Yes‬ ‭No‬
‭CONNECT‬ ‭RFC‬‭9110‬ ‭Optional‬ ‭Yes‬ ‭No‬ ‭No‬ ‭No‬
‭OPTIONS‬ ‭RFC‬‭9110‬ ‭Optional‬ ‭Yes‬ ‭Yes‬ ‭Yes‬ ‭No‬
‭TRACE‬ ‭RFC‬‭9110‬ ‭No‬ ‭Yes‬ ‭Yes‬ ‭Yes‬ ‭No‬
‭PATCH‬ ‭RFC‬‭5789‬ ‭Yes‬ ‭Yes‬ ‭No‬ ‭No‬

‭5‬
‭https://en.wikipedia.org/wiki/HTTP‬

‭28‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Request Headers and Parameters‬

‭ equest‬ ‭headers‬ ‭and‬ ‭parameters‬ ‭are‬ ‭essential‬ ‭components‬ ‭of‬ ‭an‬ ‭HTTP‬ ‭request.‬ ‭They‬ ‭convey‬ ‭additional‬
R
‭information about the request and the client making it. Here's a breakdown of each:‬

‭Request Headers‬

‭ TTP‬ ‭headers‬ ‭are‬ ‭key-value‬ ‭pairs‬ ‭sent‬ ‭between‬ ‭the‬ ‭client‬ ‭and‬ ‭the‬ ‭server‬ ‭along‬ ‭with‬ ‭the‬ ‭request‬ ‭or‬
H
‭response.‬‭They‬‭provide‬‭metadata‬‭about‬‭the‬‭request‬‭or‬‭the‬‭data‬‭being‬‭sent.‬‭Some‬‭common‬‭request‬‭headers‬
‭include:‬

‭●‬ U ‭ ser-Agent‬‭: Identifies the client making the request,‬‭often containing information about the user‬
‭agent's software and operating system.‬
‭●‬ ‭Host‬‭: Specifies the domain name of the server being‬‭requested.‬
‭●‬ ‭Accept‬‭: Informs the server about the types of media‬‭that the client can process.‬
‭●‬ ‭Content-Type‬‭: Specifies the media type of the request‬‭body, typically used in POST and PUT‬
‭requests.‬
‭●‬ ‭Authorization‬‭: Contains credentials for authenticating‬‭the client with the server, often used with‬
‭Basic or Bearer authentication.‬
‭●‬ ‭Cookie‬‭: Contains stored HTTP cookies previously sent‬‭by the server with the Set-Cookie header.‬

‭Request Parameters‬

‭ equest‬‭parameters‬‭are‬‭key-value‬‭pairs‬‭sent‬‭in‬‭the‬‭URL‬‭query‬‭string‬‭or‬‭in‬‭the‬‭request‬‭body.‬‭They‬‭provide‬
R
‭additional‬ ‭data‬ ‭to‬ ‭the‬ ‭server,‬ ‭often‬ ‭used‬ ‭for‬ ‭filtering,‬ ‭sorting,‬ ‭or‬ ‭providing‬ ‭context‬ ‭to‬ ‭the‬ ‭request.‬ ‭Some‬
‭common types of request parameters include:‬

‭●‬ Q
‭ uery Parameters‬‭: Appended to the end of the URL after‬‭a question mark (?), query parameters are‬
‭key-value pairs separated by ampersands (&). For example,‬
‭ttps://example.com/search?q=term&page=1‬
h ‭.‬
‭ ‬ ‭Path Parameters‬‭: Used to parameterize parts of the‬‭URL path, typically denoted by placeholders in‬
●
t‭ he URL. For example,‬‭https://example.com/users/{id}‬ ‭.‬
‭ ‬ ‭Form Data‬‭: Sent in the body of POST requests, form‬‭data consists of key-value pairs encoded in‬
●
application/x-www-form-urlencoded‬‭or‬‭
‭either‬‭ multipart/form-data‬ ‭.‬
‭●‬ J‭ SON/XML Data‬‭: In RESTful APIs, data can be sent in‬‭JSON or XML format in the request body.‬

‭Example Request:‬

‭29‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Here's an example of an HTTP request with headers and parameters:‬

‭GET /search?q=example HTTP/1.1‬

‭Host: example.com‬

‭ ser-Agent:‬ ‭Mozilla/5.0‬ ‭(Windows‬ ‭NT‬ ‭10.0;‬ ‭Win64;‬ ‭x64)‬ ‭AppleWebKit/537.36‬ ‭(KHTML,‬ ‭like‬ ‭Gecko)‬
U
‭Chrome/91.0.4472.124 Safari/537.36‬

‭Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8‬

‭Accept-Language: en-US,en;q=0.9‬

‭Query Parameter‬

‭ uery‬ ‭parameters‬ ‭are‬ ‭key-value‬ ‭pairs‬ ‭appended‬‭to‬‭the‬‭end‬‭of‬‭a‬‭URL,‬‭typically‬‭after‬‭a‬‭question‬‭mark‬‭(?).‬

Q
‭They provide additional information to a web server about the request being made. Here's an overview:‬

‭Structure:‬

‭‬ Q
● ‭ uery parameters are separated by an ampersand (&) if there are multiple parameters.‬
‭●‬ ‭Each parameter consists of a key and a value, separated by an equals sign (=).‬

‭Example:‬

‭Consider the following URL:‬

https://api.example.com/search?q=example&limit=10&page=2‬
‭

‭In this URL:‬

‭●‬ ‭
https://api.example.com/search‬‭is the base URL.‬
‭●‬ ‭
q=example‬ limit=10‬
‭,‬‭ page=2‬‭are query parameters.‬
‭, and‬‭
q=example‬
‭●‬ ‭The key-value pairs are‬‭ limit=10‬
‭,‬‭ page=2‬
‭, and‬‭ ‭.‬
q‭,‬‬‭
‭●‬ ‭The keys are‬‭ limit‬ page‬
‭, and‬‭ example‬
‭, and their respective‬‭values are‬‭ 10‬
‭,‬‭ 2‭.‬‬
‭, and‬‭

‭Usage:‬

‭●‬ ‭Filtering‬‭: Query parameters are commonly used for‬‭filtering data. For example,‬
?category=books‬‭to filter products by category.‬
‭
‭●‬ P page‬‭and‬‭
‭ agination‬‭: Parameters like‬‭ limit‬‭are frequently‬‭used for pagination to retrieve a subset‬
‭of results.‬

‭30‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

q‬‭are used to specify search queries.‬

‭●‬ ‭Search‬‭: Parameters like‬‭

‭Fragment Parameters‬

‭ ragment‬‭parameters,‬‭also‬‭known‬‭as‬‭fragment‬‭identifiers‬‭or‬‭hash‬‭fragments,‬‭are‬‭components‬‭of‬‭a‬‭URL‬‭that‬
F
‭appear‬‭after‬‭a‬‭hash‬‭symbol‬‭(#).‬‭They‬‭are‬‭commonly‬‭used‬‭to‬‭specify‬‭a‬‭specific‬‭section‬‭or‬‭resource‬‭within‬‭a‬
‭web page, especially in client-side scripting and navigation.‬

‭Structure:‬

‭‬ F
● ‭ ragment parameters are appended to the end of a URL after a hash symbol (#).‬
‭●‬ ‭They typically consist of key-value pairs or identifiers that denote a specific section or resource‬
‭within a document.‬
‭●‬ ‭Fragment parameters do not get transmitted to the server; they are processed exclusively by the‬
‭client-side browser.‬

‭Example:‬

‭Consider the following URL:‬

https://example.com/page#section1‬
‭

‭In this URL:‬

‭●‬ ‭
https://example.com/page‬‭is the base URL.‬
‭●‬ ‭
#section1‬‭is the fragment parameter.‬
section1‬
‭●‬ I‭ t denotes that the browser should navigate to or highlight the section with the identifier‬‭
‭within the document.‬

‭Character Encoding‬
‭ pecial‬‭characters‬‭are‬‭encoded‬‭in‬‭the‬‭URL,‬‭by‬‭a‬‭mechanism‬‭called‬‭“percent‬‭encoding”.‬‭In‬‭this‬‭mechanism‬
S
‭any‬ ‭character‬ ‭can‬ ‭be‬ ‭replaced‬ ‭by‬ ‭the‬ ‭percent‬ ‭symbol,‬ ‭followed‬ ‭by‬ ‭a‬ ‭two-digit‬ ‭hexadecimal‬ ‭value‬ ‭of‬ ‭the‬
‭encoded‬ ‭character.‬ ‭If‬ ‭special‬ ‭characters‬ ‭(such‬ ‭as‬ ‭the‬ ‭hash‬ ‭character)‬ ‭need‬ ‭to‬ ‭be‬ ‭sent‬ ‭as‬ ‭actual‬ ‭data,‬‭they‬
‭must be encoded. All other characters can optionally be encoded.‬

‭ haracter‬ ‭encoding‬ ‭is‬ ‭a‬ ‭process‬ ‭used‬ ‭to‬ ‭represent‬ ‭characters‬ ‭in‬ ‭a‬ ‭computer's‬ ‭memory‬ ‭or‬ ‭storage‬ ‭by‬
C
‭assigning‬ ‭each‬ ‭character‬ ‭a‬‭unique‬‭numerical‬‭value.‬‭This‬‭allows‬‭computers‬‭to‬‭store,‬‭transmit,‬‭and‬‭display‬
‭textual data in various human-readable languages and scripts. Here's an overview:‬

‭Unicode:‬

‭31‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ nicode‬‭is‬‭the‬‭most‬‭commonly‬‭used‬‭character‬‭encoding‬‭standard‬‭today.‬‭It‬‭assigns‬‭unique‬‭numerical‬‭values‬
U
‭(code‬ ‭points)‬ ‭to‬ ‭characters‬ ‭from‬ ‭virtually‬ ‭all‬ ‭writing‬ ‭systems‬ ‭and‬ ‭symbols‬ ‭used‬ ‭worldwide.‬ ‭Unicode‬
‭supports over 143,000 characters, covering various scripts, symbols, emoji, and special characters.‬

‭UTF-8:‬

‭ TF-8‬‭(Unicode‬‭Transformation‬‭Format-8)‬‭is‬‭a‬‭variable-width‬‭character‬‭encoding‬‭that‬‭represents‬‭Unicode‬
U
‭characters‬‭using‬‭8-bit‬‭code‬‭units.‬‭It's‬‭the‬‭most‬‭widely‬‭used‬‭encoding‬‭on‬‭the‬‭internet‬‭due‬‭to‬‭its‬‭compatibility‬
‭with‬‭ASCII‬‭(American‬‭Standard‬‭Code‬‭for‬‭Information‬‭Interchange)‬‭and‬‭its‬‭ability‬‭to‬‭represent‬‭all‬‭Unicode‬
‭characters efficiently.‬

‭Other Encodings:‬

‭●‬ U ‭ TF-16‬‭: Represents Unicode characters using 16-bit‬‭code units. It's commonly used in‬
‭environments that require fixed-width characters, such as Windows operating systems.‬
‭●‬ ‭ISO 8859-1 (Latin-1)‬‭: A widely used single-byte encoding that supports Western European‬
‭languages. It's not as versatile as Unicode and may not support characters from other writing‬
‭systems.‬
‭●‬ ‭ASCII‬‭: A 7-bit character encoding standard that represents‬‭basic English characters, symbols, and‬
‭control characters. It's compatible with UTF-8, making it a subset of Unicode.‬

‭Size Limits‬

‭ hile‬ ‭the‬ ‭URI‬ ‭standard‬ ‭remains‬ ‭silent‬ ‭on‬ ‭prescribing‬ ‭a‬ ‭maximum‬ ‭URL‬ ‭size,‬ ‭many‬ ‭clients‬ ‭impose‬ ‭an‬
W
‭arbitrary‬ ‭limit‬ ‭of‬ ‭2000‬ ‭characters.‬ ‭When‬ ‭handling‬ ‭data‬ ‭that's‬ ‭intricate‬ ‭or‬ ‭exceeds‬ ‭this‬ ‭threshold,‬ ‭it's‬
‭advisable‬‭to‬‭transmit‬‭it‬‭within‬‭the‬‭body‬‭of‬‭the‬‭request.‬‭This‬‭is‬‭particularly‬‭relevant‬‭when‬‭dealing‬‭with‬‭data‬
‭that's challenging to represent hierarchically.‬

‭ s‬ ‭we‬ ‭explored‬ ‭in‬ ‭the‬ ‭SOAP‬ ‭vs.‬ ‭REST‬ ‭comparison,‬ ‭the‬ ‭request's‬ ‭body‬ ‭offers‬ ‭a‬ ‭versatile‬ ‭canvas‬ ‭for‬
A
‭structuring‬ ‭data,‬ ‭accommodating‬ ‭various‬ ‭machine-readable‬ ‭formats.‬ ‭While‬ ‭XML‬ ‭and‬ ‭JSON‬ ‭formats‬ ‭are‬
‭prevalent, the flexibility also extends to other formats.‬

‭ y‬‭leveraging‬‭the‬‭request‬‭body‬‭for‬‭transmitting‬‭sizable‬‭or‬‭complex‬‭data,‬‭APIs‬‭can‬‭sidestep‬‭the‬‭constraints‬
B
‭posed‬ ‭by‬ ‭URL‬ ‭character‬ ‭limits.‬ ‭This‬ ‭approach‬ ‭not‬ ‭only‬ ‭fosters‬ ‭cleaner,‬ ‭more‬ ‭maintainable‬‭APIs‬‭but‬‭also‬
‭enhances interoperability and scalability.‬

‭32‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭3.3. Response Codes and Their Meanings‬

‭ TTP‬‭status‬‭codes‬‭are‬‭standardized‬‭numerical‬‭codes‬‭that‬‭indicate‬‭the‬‭outcome‬‭of‬‭an‬‭HTTP‬‭request.‬‭They‬
H
‭provide‬‭information‬‭about‬‭the‬‭result‬‭of‬‭the‬‭request‬‭and‬‭whether‬‭it‬‭was‬‭successful‬‭or‬‭encountered‬‭an‬‭error.‬
‭Here are some common HTTP status codes and their meanings:‬

‭1xx Informational Responses‬

‭●‬ 1 ‭ 00 Continue‬‭: The server has received the initial‬‭part of the request and is willing to accept further‬
‭processing.‬
‭●‬ ‭101 Switching Protocols‬‭: The server is indicating‬‭a change in protocol requested by the client (e.g.,‬
‭switching from HTTP to WebSocket).‬
‭●‬ ‭102 Processing‬‭(WebDAV; RFC 2518): A WebDAV request‬‭may contain many sub-requests‬
‭involving file operations, requiring a long time to complete the request.‬
‭●‬ ‭103 Early Hints‬‭(RFC 8297): Used to return some response‬‭headers before final HTTP message.‬

‭2xx Success‬

‭‬ 2
● ‭ 00 OK‬‭: The request was successful.‬
‭●‬ ‭201 Created‬‭: The request has been fulfilled, and a‬‭new resource has been created.‬
‭●‬ ‭202‬ A
‭ ccepted:‬ ‭The‬ ‭request‬ ‭has‬ ‭been‬ ‭accepted‬ ‭for‬ ‭processing,‬ ‭but‬ ‭the‬ ‭processing‬ ‭has‬ ‭not‬ ‭been‬
‭completed.‬

‭●‬ ‭204 No Content:‬‭The server successfully processed‬‭the request but is not returning any content.‬

‭●‬ 2‭ 05‬ ‭Reset‬ ‭Content‬‭:‬ ‭The‬ ‭server‬ ‭successfully‬ ‭processed‬ ‭the‬ ‭request,‬‭asks‬‭that‬‭the‬‭requester‬‭reset‬‭its‬
‭document‬ ‭view,‬‭and‬‭is‬‭not‬‭returning‬‭any‬‭content.‬‭This‬‭status‬‭code‬‭is‬‭typically‬‭used‬‭in‬‭conjunction‬
‭with form submissions.‬

‭●‬ 2‭ 06‬‭Partial‬‭Content‬‭:‬‭The‬‭server‬‭is‬‭delivering‬‭only‬‭part‬‭of‬‭the‬‭resource‬‭(byte‬‭serving)‬‭due‬‭to‬‭a‬‭range‬
‭header‬ ‭sent‬‭by‬‭the‬‭client.‬‭This‬‭status‬‭code‬‭is‬‭commonly‬‭used‬‭for‬‭resuming‬‭interrupted‬‭downloads‬
‭or splitting a download into multiple simultaneous streams.‬

‭●‬ 2‭ 07‬‭Multi-Status‬‭:‬‭This‬‭status‬‭code,‬‭defined‬‭in‬‭WebDAV‬‭(RFC‬‭4918),‬‭indicates‬‭that‬‭the‬‭message‬‭body‬
‭contains‬ ‭an‬ ‭XML‬ ‭message‬ ‭by‬‭default‬‭and‬‭can‬‭contain‬‭several‬‭separate‬‭response‬‭codes,‬‭depending‬
‭on how many sub-requests were made.‬

‭●‬ 2‭ 08‬‭Already‬‭Reported‬‭:‬‭Defined‬‭in‬‭WebDAV‬‭(RFC‬‭5842),‬‭this‬‭status‬‭code‬‭indicates‬‭that‬‭the‬‭members‬
‭of‬ ‭a‬ ‭DAV‬ ‭binding‬ ‭have‬ ‭already‬ ‭been‬ ‭enumerated‬ ‭in‬ ‭a‬‭preceding‬‭part‬‭of‬‭the‬‭response‬‭and‬‭are‬‭not‬
‭being included again.‬

‭●‬ 2‭ 26‬‭IM‬‭Used‬‭:‬‭Defined‬‭in‬‭RFC‬‭3229,‬‭this‬‭status‬‭code‬‭indicates‬‭that‬‭the‬‭server‬‭has‬‭fulfilled‬‭a‬‭request‬
‭for‬ ‭the‬ ‭resource,‬ ‭and‬ ‭the‬ ‭response‬ ‭is‬ ‭a‬ ‭representation‬ ‭of‬ ‭the‬ ‭result‬ ‭of‬ ‭one‬ ‭or‬ ‭more‬
‭instance-manipulations‬ ‭applied‬ ‭to‬ ‭the‬ ‭current‬ ‭instance.‬ ‭It's‬ ‭used‬ ‭in‬ ‭conjunction‬ ‭with‬
‭instance-manipulation applied to the resource.‬

‭33‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭3xx Redirection‬

‭‬
● ‭ 00 Multiple Choices‬‭: Indicates multiple options for‬‭the resource that the client may follow.‬
3
‭●‬ ‭301 Moved Permanently‬‭: The requested resource has been permanently moved to a new URL.‬
‭●‬ ‭302 Found‬‭: The requested resource temporarily resides‬‭under a different URL.‬
‭●‬ ‭304‬‭Not‬‭Modified‬‭:‬‭The‬‭client's‬‭cached‬‭copy‬‭of‬‭the‬‭requested‬‭resource‬‭is‬‭still‬‭valid.‬‭This‬‭status‬‭code‬
‭indicates‬ ‭that‬ ‭the‬ ‭resource‬ ‭has‬ ‭not‬ ‭been‬ ‭modified‬ ‭since‬ ‭the‬ ‭last‬‭request,‬‭and‬‭the‬‭client‬‭can‬‭use‬‭its‬
‭cached copy.‬

‭●‬ 3‭ 05‬‭Use‬‭Proxy‬‭:‬‭This‬‭status‬‭code‬‭is‬‭provided‬‭in‬‭the‬‭response‬‭to‬‭indicate‬‭that‬‭the‬‭requested‬‭resource‬‭is‬
‭only‬‭available‬‭through‬‭a‬‭proxy‬‭server.‬‭However,‬‭many‬‭HTTP‬‭clients‬‭do‬‭not‬‭obey‬‭this‬‭status‬‭code‬‭for‬
‭security reasons.‬

‭●‬ 3‭ 06‬ ‭Switch‬ ‭Proxy‬‭:‬ ‭This‬ ‭status‬ ‭code‬ ‭is‬ ‭no‬ ‭longer‬ ‭used.‬ ‭It‬ ‭was‬ ‭originally‬ ‭intended‬ ‭to‬ ‭instruct‬
‭subsequent requests to use the specified proxy.‬

‭●‬ 3‭ 07‬‭Temporary‬‭Redirect‬‭:‬‭In‬‭this‬‭case,‬‭the‬‭request‬‭should‬‭be‬‭repeated‬‭with‬‭another‬‭URI,‬‭but‬‭future‬
‭requests‬ ‭should‬ ‭still‬ ‭use‬ ‭the‬ ‭original‬ ‭URI.‬ ‭Unlike‬ ‭the‬ ‭302‬ ‭status‬ ‭code,‬ ‭the‬ ‭request‬ ‭method‬ ‭is‬ ‭not‬
‭allowed‬ ‭to‬ ‭change‬ ‭when‬ ‭reissuing‬ ‭the‬ ‭original‬ ‭request.‬ ‭For‬‭example,‬‭if‬‭the‬‭original‬‭request‬‭was‬‭a‬
‭POST request, it should be repeated using another POST request.‬

‭●‬ 3‭ 08‬‭Permanent‬‭Redirect‬‭:‬‭This‬‭status‬‭code,‬‭like‬‭307,‬‭indicates‬‭that‬‭future‬‭requests‬‭should‬‭be‬‭directed‬
‭to‬ ‭the‬ ‭given‬ ‭URI.‬ ‭However,‬ ‭unlike‬ ‭307,‬ ‭308‬ ‭does‬ ‭not‬ ‭allow‬ ‭the‬ ‭HTTP‬ ‭method‬ ‭to‬ ‭change.‬ ‭So,‬ ‭for‬
‭example,‬ ‭submitting‬ ‭a‬‭form‬‭to‬‭a‬‭permanently‬‭redirected‬‭resource‬‭may‬‭continue‬‭smoothly‬‭without‬
‭changing the method.‬

‭4xx Client Errors‬

‭‬
● ‭ 00 Bad Request‬‭: The server could not understand the‬‭request due to invalid syntax.‬
4
‭●‬ ‭401 Unauthorized‬‭: The request requires user authentication.‬
‭●‬ ‭403 Forbidden‬‭: The server understood the request but‬‭refuses to authorize it.‬
‭●‬ ‭404 Not Found‬‭: The requested resource could not be‬‭found on the server.‬
‭●‬ ‭405 Method Not Allowed‬‭: The request method is not‬‭supported for the specified resource.‬
‭●‬ ‭405 Method Not Allowed‬‭: The request method is not‬‭supported for the requested resource. For‬
‭example, trying to perform a GET request on a resource that only allows POST requests.‬
‭●‬ ‭406 Not Acceptable‬‭: The requested resource is capable‬‭of generating only content that is not‬
‭acceptable according to the Accept headers sent in the request.‬
‭‬
● ‭407 Proxy Authentication Required‬‭: The client must‬‭first authenticate itself with the proxy.‬
‭●‬ ‭408 Request Timeout‬‭: The server timed out waiting‬‭for the request. The client may repeat the‬
‭request without modifications at any later time.‬
‭●‬ ‭409 Conflict‬‭: Indicates that the request could not‬‭be processed because of a conflict in the current‬
‭state of the resource.‬
‭●‬ ‭410 Gone‬‭: Indicates that the resource requested was‬‭previously in use but is no longer available and‬
‭will not be available again.‬

‭34‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭●‬ 4 ‭ 11 Length Required‬‭: The request did not specify the length of its content, which is required by the‬
‭requested resource.‬
‭●‬ ‭412 Precondition Failed‬‭: The server does not meet‬‭one of the preconditions that the requester put‬
‭on the request header fields.‬
‭●‬ ‭413 Payload Too Large‬‭: The request is larger than‬‭the server is willing or able to process.‬
‭●‬ ‭414 URI Too Long‬‭: The URI provided was too long for‬‭the server to process.‬
‭●‬ ‭415 Unsupported Media Type‬‭: The request entity has a media type which the server or resource‬
‭does not support.‬
‭●‬ ‭416 Range Not Satisfiable‬‭: The client has asked for‬‭a portion of the file, but the server cannot‬
‭supply that portion.‬
‭●‬ ‭417 Expectation Failed‬‭: The server cannot meet the‬‭requirements of the Expect request-header field.‬
‭●‬ ‭418 I'm a teapot‬‭: A humorous status code, not intended‬‭to be implemented by actual HTTP servers.‬
‭●‬ ‭421 Misdirected Request‬‭: The request was directed‬‭at a server that is not able to produce a‬
‭response.‬
‭●‬ ‭422 Unprocessable Content‬‭: The request was well-formed‬‭but could not be processed.‬
‭●‬ ‭423 Locked‬‭: The resource that is being accessed is‬‭locked.‬
‭●‬ ‭424 Failed Dependency‬‭: The request failed because‬‭it depended on another request and that‬
‭request failed.‬
‭●‬ ‭425 Too Early‬‭: Indicates that the server is unwilling‬‭to risk processing a request that might be‬
‭replayed.‬
‭●‬ ‭426 Upgrade Required‬‭: The client should switch to‬‭a different protocol given in the Upgrade‬
‭header field.‬
‭●‬ ‭428 Precondition Required‬‭: The origin server requires‬‭the request to be conditional.‬
‭●‬ ‭429 Too Many Requests‬‭: The user has sent too many‬‭requests in a given amount of time.‬
‭●‬ ‭431 Request Header Fields Too Large‬‭: The server is‬‭unwilling to process the request because an‬
‭individual or all header fields are too large.‬
‭●‬ ‭451 Unavailable For Legal Reasons‬‭: A server operator‬‭has received a legal demand to deny access‬
‭to the resource.‬

‭5xx Server Errors‬

‭●‬ 5 ‭ 00 Internal Server Error‬‭: A generic error message‬‭indicating that the server encountered an‬
‭unexpected condition.‬
‭●‬ ‭501 Not Implemented‬‭: The server does not support the‬‭functionality required to fulfill the request.‬
‭●‬ ‭502 Bad Gateway‬‭: The server received an invalid response‬‭from an upstream server while acting as‬
‭a gateway or proxy.‬
‭●‬ ‭503 Service Unavailable‬‭: The server is currently unable‬‭to handle the request due to temporary‬
‭overloading or maintenance of the server.‬
‭●‬ ‭504 Gateway Timeout‬‭: The server, acting as a gateway‬‭or proxy, did not receive a timely response‬
‭from the upstream server.‬
‭●‬ ‭505 HTTP Version Not Supported‬‭: The server does not‬‭support the HTTP version used in the‬
‭request.‬

‭35‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭●‬ 5 ‭ 06 Variant Also Negotiates‬‭: Transparent content negotiation for the request results in a circular‬
‭reference.‬
‭●‬ ‭507 Insufficient Storage‬‭: The server is unable to‬‭store the representation needed to complete the‬
‭request.‬
‭●‬ ‭508 Loop Detected‬‭: The server detected an infinite‬‭loop while processing the request.‬
‭●‬ ‭510 Not Extended‬‭: Further extensions to the request‬‭are required for the server to fulfill it.‬
‭●‬ ‭511 Network Authentication Required‬‭: The client needs‬‭to authenticate to gain network access.‬
‭This is often used by intercepting proxies to control access to the network, such as "captive portals"‬
‭requiring agreement to Terms of Service before granting full Internet access via a Wi-Fi hotspot.‬

‭36‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭How to Test HTTP Method‬

‭How to test an API with a GET method?‬

‭ hen‬‭we‬‭want‬‭to‬‭test‬‭an‬‭API,‬‭the‬‭most‬‭popular‬‭method‬‭that‬‭we‬‭would‬‭use‬‭is‬‭the‬‭GET‬‭method.‬‭Therefore,‬
W
‭We expect the following to happen.‬

‭ ‬ I‭ f the resource is accessible, the API returns the 200 Status Code, which means OK.‬
●
‭●‬ ‭Along‬ ‭with‬ ‭the‬ ‭200‬ ‭Status‬ ‭Code,‬ ‭the‬ ‭server‬ ‭usually‬ ‭returns‬ ‭a‬ ‭response‬ ‭body‬ ‭in‬ ‭XML‬ ‭or‬ ‭JSON‬
f‭ ormat.‬ ‭So,‬ ‭for‬ ‭example,‬ ‭we‬ ‭expect‬ ‭the‬ ‭[GET]‬ ‭/members‬ ‭endpoint‬ ‭to‬ ‭return‬ ‭a‬ ‭list‬ ‭of‬ ‭members‬‭in‬
‭XML or JSON.‬
‭ ‬ ‭If‬ ‭the‬ ‭server‬ ‭does‬ ‭not‬ ‭support‬ ‭the‬ ‭endpoint,‬ ‭the‬‭server‬‭returns‬‭the‬‭404‬‭Status‬‭Code,‬‭which‬‭means‬
●
‭Not Found.‬
‭●‬ ‭If‬ ‭we‬ ‭send‬ ‭the‬ ‭request‬ ‭in‬ ‭the‬ ‭wrong‬ ‭syntax,‬ ‭the‬ ‭server‬‭returns‬‭the‬‭400‬‭Status‬‭Code,‬‭which‬‭means‬
‭Bad Request.‬
‭●‬ ‭curl -v -X GET https://api.example.com/resource‬

‭How to test a POST endpoint?‬

‭ ince‬ ‭the‬ ‭POST‬ ‭method‬ ‭creates‬ ‭data,‬ ‭we‬ ‭must‬ ‭be‬ ‭cautious‬ ‭about‬ ‭changing‬ ‭data;‬ ‭testing‬ ‭all‬ ‭the‬ ‭POST‬
S
‭methods‬ ‭in‬ ‭APIs‬ ‭is‬ ‭highly‬ ‭recommended.‬ ‭Moreover,‬ ‭make‬ ‭sure‬ ‭to‬ ‭delete‬ ‭the‬ ‭created‬‭resource‬‭once‬‭your‬
‭testing is finished.‬

‭Here are some suggestions that we can do for testing APIs with POST methods:‬

‭●‬ ‭Create a resource with the POST method, and it should return the 201 Status Code.‬

‭●‬ ‭Perform‬‭the‬‭GET‬‭method‬‭to‬‭check‬‭if‬‭it‬‭created‬‭the‬‭resource‬‭was‬‭successfully‬‭created.‬‭You‬‭should‬‭get‬
‭the 200 status code, and the response should contain the created resource.‬

‭●‬ ‭Perform the POST method with incorrect or wrong formatted data to check if the operation fails.‬

‭●‬ ‭curl‬ ‭-v‬ ‭-X‬ ‭POST‬ ‭https://api.example.com/resource‬ ‭-H‬ ‭"Content-Type:‬ ‭application/json"‬ ‭-d‬
‭'{"key":"value"}'‬

‭How to test an API with a PUT method?‬

‭ he‬‭PUT‬‭method‬‭is‬‭idempotent,‬‭and‬‭it‬‭modifies‬‭the‬‭entire‬‭resources,‬‭so‬‭to‬‭test‬‭that‬‭behavior,‬‭we‬‭make‬‭sure‬
T
‭to do the following operations:‬

‭●‬ ‭Send a PUT request to the server many times, and it should always return the same result.‬

‭●‬ ‭When‬ ‭the‬ ‭server‬ ‭completes‬ ‭the‬ ‭PUT‬ ‭request‬ ‭and‬ ‭updates‬‭the‬‭resource,‬‭the‬‭response‬‭should‬‭come‬
‭with 200 or 204 status codes.‬

‭37‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭●‬ ‭After‬ ‭the‬ ‭server‬ ‭completes‬ ‭the‬ ‭PUT‬ ‭request,‬ ‭make‬ ‭a‬ ‭GET‬ ‭request‬ ‭to‬ ‭check‬ ‭if‬ ‭the‬ ‭data‬ ‭is‬‭updated‬
‭correctly on the resource.‬

‭●‬ ‭If the input is invalid or has the wrong format, the resource must not be updated.‬

‭●‬ ‭curl‬ ‭-v‬ ‭-X‬ ‭PUT‬ ‭https://api.example.com/resource/123‬ ‭-H‬ ‭"Content-Type:‬ ‭application/json"‬ ‭-d‬
‭'{"key":"value"}'‬

‭How to test an API with a PATCH method?‬

‭ o‬ ‭test‬ ‭an‬‭API‬‭with‬‭the‬‭PATCH‬‭method,‬‭follow‬‭the‬‭steps‬‭discussed‬‭in‬‭this‬‭article‬‭for‬‭the‬‭testing‬‭API‬‭with‬
T
‭the PUT and the POST methods. Consider the following results:‬

‭●‬ ‭Send‬‭a‬‭PATCH‬‭request‬‭to‬‭the‬‭server;‬‭the‬‭server‬‭will‬‭return‬‭the‬‭2xx‬‭HTTP‬‭status‬‭code,‬‭which‬‭means:‬
‭the request is successfully received, understood, and accepted.‬

‭●‬ ‭Perform the GET request and verify that the content is updated correctly.‬

‭●‬ ‭If the request payload is incorrect or ill-formatted, the operation must fail.‬

‭●‬ ‭curl‬ ‭-v‬ ‭-X‬ ‭PATCH‬ ‭https://api.example.com/resource/123‬ ‭-H‬ ‭"Content-Type:‬ ‭application/json"‬‭-d‬

‭'{"key":"new value"}'‬

‭How to test a DELETE endpoint?‬

‭ hen‬‭it‬‭comes‬‭to‬‭deleting‬‭something‬‭on‬‭the‬‭server,‬‭we‬‭should‬‭be‬‭cautious.‬‭We‬‭are‬‭deleting‬‭data,‬‭and‬‭it‬‭is‬
W
‭critical. First, make sure that deleting data is acceptable, then perform the following actions.‬

‭●‬ ‭Call‬‭the‬‭POST‬‭method‬‭to‬‭create‬‭a‬‭new‬‭resource.‬‭Never‬‭test‬‭DELETE‬‭with‬‭actual‬‭Data.‬‭For‬‭example,‬
‭first, create a new customer and then try to delete the customer you just created.‬

‭●‬ ‭Make‬‭the‬‭DELETE‬‭request‬‭for‬‭a‬‭specific‬‭resource.‬‭For‬‭example,‬‭the‬‭request‬‭[DELETE]‬‭/customers/‬
‭{customer-id} deletes a customer with thee specified customer Id.‬

‭●‬ ‭Call‬‭the‬‭GET‬‭method‬‭for‬‭the‬‭deleted‬‭customer,‬‭which‬‭should‬‭return‬‭404,‬‭as‬‭the‬‭resource‬‭no‬‭longer‬
‭exists.‬

‭●‬ ‭curl -v -X DELETE‬‭https://api.example.com/resource/123‬

‭●‬ ‭Testfully’s‬‭Multi-step‬‭tests‬‭allow‬‭you‬‭to‬‭create‬‭resources‬‭on‬‭the‬‭fly‬‭and‬‭use‬‭them‬‭for‬‭testing‬‭DELETE‬
‭endpoints.‬

‭How to test a HEAD endpoint?‬

‭38‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭ ne‬‭of‬‭the‬‭advantages‬‭of‬‭the‬‭HEAD‬‭method‬‭is‬‭that‬‭we‬‭can‬‭test‬‭the‬‭server‬‭if‬‭it‬‭is‬‭available‬‭and‬‭accessible‬‭as‬
O
‭long‬ ‭as‬ ‭the‬ ‭API‬ ‭supports‬ ‭it,‬ ‭and‬ ‭it‬‭is‬‭much‬‭faster‬‭than‬‭the‬‭GET‬‭method‬‭because‬‭it‬‭has‬‭no‬‭response‬‭body.‬
‭The‬ ‭status‬ ‭code‬ ‭we‬ ‭expect‬ ‭to‬ ‭get‬ ‭from‬‭the‬‭API‬‭is‬‭200.‬‭Before‬‭every‬‭other‬‭HTTP‬‭method,‬‭we‬‭can‬‭first‬‭test‬
‭API with the HEAD method.‬

‭●‬ ‭curl -I‬‭https://api.example.com/resource‬

‭How to test an OPTIONS endpoint?‬

‭ epending‬ ‭on‬ ‭whether‬ ‭the‬‭server‬‭supports‬‭the‬‭OPTIONS‬‭method,‬‭we‬‭can‬‭test‬‭the‬‭server‬‭for‬‭the‬‭times‬‭of‬
D
‭FATAL failure with the OPTIONS method. To try it, consider the following.‬

‭●‬ ‭Make an OPTIONS request and check the header and the status code that returns.‬

‭●‬ ‭Test the case of failure with a resource that doesn’t support the OPTIONS method.‬

‭●‬ ‭curl -v -X OPTIONS https://api.example.com/resource‬

‭How to test an API with a TRACE method?‬

‭●‬ ‭Make a standard HTTP request like a GET request to /api/status‬

‭●‬ ‭Replace GET with the TRACE and send it again.‬

‭●‬ ‭Check‬‭what‬‭the‬‭server‬‭returns.‬‭If‬‭the‬‭response‬‭has‬‭the‬‭same‬‭information‬‭as‬‭the‬‭original‬‭request,‬‭the‬
‭TRACE ability is enabled in the server and works correctly.‬

‭●‬ ‭curl -v -X TRACE https://api.example.com/resource‬

‭How to test an API with a CONNECT method?‬

‭ esting‬ ‭the‬ ‭HTTP‬ ‭CONNECT‬ ‭method‬ ‭can‬ ‭be‬ ‭done‬ ‭using‬ ‭tools‬ ‭that‬ ‭support‬‭raw‬‭HTTP‬‭requests,‬‭such‬‭as‬
T
‭cURL,‬‭Telnet,‬‭or‬‭specific‬‭network‬‭diagnostic‬‭tools.‬‭The‬‭CONNECT‬‭method‬‭is‬‭primarily‬‭used‬‭to‬‭establish‬‭a‬
‭network‬‭connection‬‭to‬‭a‬‭resource,‬‭often‬‭through‬‭a‬‭proxy‬‭server.‬‭Here's‬‭how‬‭you‬‭can‬‭test‬‭it‬‭using‬‭different‬
‭tools:‬

‭●‬ ‭curl -v -X CONNECT https://example.com:443‬

‭39‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Analyzing Response Body‬

‭ nalyzing‬ ‭response‬ ‭bodies‬ ‭during‬ ‭testing‬ ‭ensures‬ ‭that‬ ‭APIs‬ ‭function‬ ‭correctly‬ ‭and‬ ‭return‬ ‭the‬ ‭expected‬
A
‭data. Here's how to approach this aspect of API testing:‬

‭1.‬ V‭ alidate‬‭Structure‬‭:‬‭Check‬‭that‬‭the‬‭response‬‭body‬‭follows‬‭the‬‭expected‬‭structure‬‭defined‬‭in‬‭the‬‭API‬
‭documentation‬ ‭or‬ ‭specifications.‬ ‭This‬ ‭includes‬ ‭verifying‬ ‭the‬ ‭presence‬ ‭of‬ ‭required‬ ‭fields,‬ ‭nested‬
‭objects, arrays, and data types.‬

‭2.‬ P‭ arse‬ ‭JSON/XML‬‭:‬ ‭If‬ ‭the‬ ‭response‬ ‭body‬ ‭is‬ ‭in‬ ‭JSON‬ ‭or‬ ‭XML‬ ‭format,‬ ‭parse‬ ‭it‬ ‭programmatically‬‭to‬
‭extract‬ ‭relevant‬ ‭data‬ ‭for‬ ‭validation.‬ ‭Use‬ ‭libraries‬ ‭or‬ ‭tools‬ ‭appropriate‬ ‭for‬ ‭your‬ ‭programming‬
‭language to parse and manipulate the response.‬

‭3.‬ V‭ erify‬‭Data‬‭Integrity:‬‭Ensure‬‭that‬‭the‬‭data‬‭returned‬‭in‬‭the‬‭response‬‭body‬‭is‬‭accurate‬‭and‬‭consistent‬
‭with‬ ‭the‬ ‭input‬‭provided‬‭in‬‭the‬‭request.‬‭Compare‬‭the‬‭response‬‭data‬‭against‬‭the‬‭expected‬‭values‬‭or‬
‭data retrieved from the database.‬

‭4.‬ H‭ andle‬ ‭Pagination:‬ ‭If‬ ‭the‬ ‭API‬ ‭supports‬ ‭pagination,‬ ‭analyze‬ ‭the‬ ‭response‬ ‭body‬ ‭to‬ ‭ensure‬ ‭that‬
‭pagination‬‭parameters‬‭such‬‭as‬‭page‬‭numbers,‬‭page‬‭size,‬‭and‬‭total‬‭count‬‭are‬‭correctly‬‭returned.‬‭Test‬
‭scenarios involving navigating through multiple pages of results.‬

‭5.‬ T‭ est‬ ‭Edge‬ ‭Cases:‬ ‭Evaluate‬ ‭how‬ ‭the‬ ‭API‬ ‭handles‬ ‭edge‬ ‭cases‬ ‭and‬ ‭boundary‬ ‭conditions‬ ‭in‬ ‭the‬
‭response‬ ‭body.‬ ‭This‬ ‭includes‬ ‭scenarios‬ ‭such‬ ‭as‬ ‭empty‬ ‭responses,‬ ‭null‬ ‭values,‬ ‭maximum‬ ‭and‬
‭minimum values, and unexpected input data.‬

‭6.‬ C‭ heck‬ ‭Error‬ ‭Responses:‬ ‭Verify‬ ‭that‬ ‭error‬ ‭responses‬ ‭include‬ ‭meaningful‬ ‭error‬ ‭messages‬ ‭and‬
‭appropriate‬ ‭HTTP‬ ‭status‬ ‭codes.‬ ‭Analyze‬ ‭the‬ ‭response‬ ‭body‬ ‭for‬ ‭error‬ ‭details‬ ‭such‬ ‭as‬ ‭error‬ ‭codes,‬
‭descriptions, and troubleshooting instructions.‬

‭7.‬ E‭ valuate‬ ‭Performance:‬ ‭Analyze‬ ‭the‬ ‭size‬ ‭and‬ ‭complexity‬ ‭of‬ ‭the‬ r‭ esponse‬ ‭body‬ ‭to‬ ‭assess‬
‭performance‬ ‭implications,‬ ‭especially‬ ‭for‬ ‭large‬ ‭datasets‬ ‭or‬ ‭complex‬ ‭object‬ ‭structures.‬ ‭Monitor‬
‭response times and network traffic during performance testing.‬

‭8.‬ H‭ andle‬‭Localization:‬‭If‬‭the‬‭API‬‭supports‬‭localization‬‭or‬‭internationalization,‬‭analyze‬‭the‬‭response‬
‭body‬ ‭to‬ ‭ensure‬ ‭that‬ ‭localized‬ ‭content‬ ‭is‬ ‭correctly‬ ‭returned‬ ‭based‬ ‭on‬ ‭the‬ ‭client's‬ ‭language‬
‭preferences specified in the request.‬

‭9.‬ T‭ est‬ ‭Content‬ ‭Negotiation:‬ ‭If‬ ‭the‬ ‭API‬ ‭supports‬ ‭content‬ ‭negotiation,‬ ‭test‬ ‭scenarios‬ ‭where‬ ‭clients‬
‭request‬‭specific‬‭media‬‭types‬‭(e.g.,‬‭JSON,‬‭XML)‬‭in‬‭the‬‭Accept‬‭header.‬‭Analyze‬‭the‬‭response‬‭body‬‭to‬
‭verify that the requested content type is returned.‬

‭10.‬ ‭Validate‬ ‭Hypermedia‬ ‭Controls:‬ ‭If‬ ‭the‬ ‭API‬ ‭follows‬ ‭the‬ ‭HATEOAS‬ ‭principle‬ ‭(Hypermedia‬ ‭as‬ ‭the‬
‭Engine‬ ‭of‬ ‭Application‬ ‭State),‬ ‭analyze‬ ‭the‬ ‭response‬ ‭body‬ ‭to‬ ‭ensure‬ ‭that‬ ‭hypermedia‬ ‭links‬ ‭and‬
‭controls are correctly included, allowing clients to navigate the API dynamically.‬

‭ y‬‭thoroughly‬‭analyzing‬‭response‬‭bodies‬‭during‬‭testing,‬‭you‬‭can‬‭identify‬‭issues,‬‭validate‬‭data‬‭correctness,‬
B
‭and‬ ‭ensure‬ ‭that‬ ‭the‬ ‭API‬ ‭behaves‬ ‭as‬ ‭expected‬ ‭in‬ ‭various‬ ‭scenarios.‬ ‭This‬ ‭helps‬ ‭maintain‬ ‭the‬ ‭reliability,‬
‭usability, and performance of the API for end-users.‬

‭40‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Common Interview Questions & Answers Related to API Request and Response‬

‭1. What is a Safe HTTP method?‬

‭ ‬ ‭safe‬‭method‬‭is‬‭a‬‭method‬‭that‬‭doesn’t‬‭change‬‭data‬‭on‬‭the‬‭server.‬‭For‬‭example,‬‭GET‬‭and‬‭HEAD‬‭are‬‭safe‬
A
‭methods because the user or an application does not request side effects on the server when calling them.‬

‭2. What is an Idempotent method?‬

‭ n‬ ‭Idempotent‬ ‭method‬ ‭means‬ ‭it‬ ‭returns‬ ‭the‬ ‭same‬ ‭response‬ ‭no‬ ‭matter‬ ‭how‬ ‭many‬ ‭times‬ ‭it‬ ‭runs.‬ ‭For‬
A
‭example,‬ ‭The‬ ‭PUT‬ ‭and‬ ‭DELETE‬ ‭methods‬ ‭share‬ ‭this‬ ‭property.‬ ‭However,‬ ‭it‬ ‭is‬ ‭possible‬ ‭that‬‭a‬‭sequence‬‭of‬
‭several‬‭requests‬‭is‬‭not‬‭idempotent,‬‭even‬‭if‬‭all‬‭of‬‭the‬‭methods‬‭executed‬‭in‬‭that‬‭sequence‬‭are‬‭idempotent.‬‭So,‬
‭a series of requests is idempotent if a single execution of the entire series always returns the same result.‬

‭3. What are HTTP methods and their significance in API development?‬

‭ nswer: HTTP methods (GET, POST, PUT, DELETE, PATCH, etc.) specify the action to be performed on a‬
A
‭resource. They are essential for defining the behavior of APIs and determining how clients interact with‬
‭resources.‬

‭4. What is the difference between GET and POST requests?‬

‭ nswer: GET requests are used to retrieve data from the server, while POST requests are used to submit‬
A
‭data to the server for processing or storage.‬

‭5. Explain the purpose of HTTP headers in an API request.‬

‭ nswer: HTTP headers provide additional information about the request or the data being sent, such as‬
A
‭content type, authentication credentials, and caching directives.‬

‭6. What is a query parameter in an API request?‬

‭ nswer: A query parameter is a key-value pair appended to the end of a URL that provides additional‬
A
‭information to the server about the request, such as filtering or pagination criteria.‬

‭7. What is the role of HTTP status codes in API responses?‬

‭ nswer: HTTP status codes indicate the outcome of an API request, such as success, failure, or redirection.‬
A
‭They help clients understand how to process the response.‬

‭8. Explain the purpose of HTTP headers in an API response.‬

‭ nswer: HTTP headers provide metadata about the response, such as content type, caching directives, and‬
A
‭server information.‬

‭41‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭9. What is content negotiation in API responses?‬

‭ nswer: Content negotiation is the process of selecting the appropriate representation of a resource based‬
A
‭on the client's preferences specified in the request headers.‬

‭10. What are common HTTP status codes for error responses?‬

‭ nswer: Common HTTP status codes for error responses include 400 Bad Request, 404 Not Found, 500‬
A
‭Internal Server Error, etc.‬

‭11. How do you handle errors in API responses?‬

‭ nswer: Errors in API responses should be handled gracefully by providing informative error messages,‬
A
‭appropriate HTTP status codes, and troubleshooting guidance to the client.‬

‭42‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Chapter 4‬

‭Security Testing of APIs‬

‭ PI‬‭Security‬‭Testing‬‭goes‬‭a‬‭long‬‭way‬‭in‬‭avoiding‬‭API‬‭breaches‬‭by‬‭preventing‬‭security‬‭vulnerabilities‬‭from‬
A
‭ever‬ ‭reaching‬ ‭production‬ ‭environments.‬ ‭Noname‬ ‭Active‬‭Testing‬‭focuses‬‭on‬‭finding‬‭and‬‭remediating‬‭API‬
‭security vulnerabilities during the development phase of the SDLC, before they can be exploited.‬

‭ ecurity‬ ‭testing‬ ‭of‬ ‭APIs‬ ‭(Application‬ ‭Programming‬ ‭Interfaces)‬ ‭is‬ ‭crucial‬ ‭to‬ ‭ensure‬ ‭that‬ ‭the‬ ‭data‬ ‭and‬
S
‭functionalities‬‭exposed‬‭by‬‭these‬‭interfaces‬‭are‬‭protected‬‭from‬‭various‬‭threats‬‭and‬‭vulnerabilities.‬‭Here‬‭is‬‭a‬
‭comprehensive overview of security testing for APIs:‬

‭Types API security testing‬

‭Dynamic Application Security Testing (DAST)‬

‭ AST‬‭testing,‬‭or‬‭dynamic‬‭application‬‭security‬‭testing,‬‭is‬‭different‬‭than‬‭SAST‬‭in‬‭that‬‭API‬‭testing‬‭take‬‭place‬
D
‭in‬‭production.‬‭Testers‬‭identify‬‭problems‬‭that‬‭occur‬‭during‬‭use‬‭and‬‭then‬‭trace‬‭them‬‭back‬‭to‬‭their‬‭origins‬‭in‬
‭the software design, rather than detecting issues linked to a code module.‬

‭Software Composition Analysis (SCA)‬

‭ CA,‬ ‭or‬ ‭Software‬ ‭composition‬ ‭analysis,‬ ‭is‬ ‭a‬ ‭software‬ ‭engineering‬ ‭technique‬ ‭that‬ ‭helps‬ ‭to‬ ‭identify‬ ‭the‬
S
‭software‬ ‭components‬ ‭and‬ ‭their‬ ‭relationships.‬ ‭It‬ ‭can‬ ‭be‬ ‭used‬ ‭for‬ ‭analyzing‬ ‭the‬ ‭design‬ ‭of‬ ‭an‬ ‭application,‬
‭identifying code smells, or finding out how much code is needed for a given task.‬

‭Authentication‬

‭ uthentication‬‭is‬‭the‬‭process‬‭of‬‭verifying‬‭the‬‭identity‬‭of‬‭a‬‭user‬‭or‬‭device,‬‭and‬‭it‬‭is‬‭used‬‭to‬‭access‬‭a‬‭system,‬
A
‭service,‬ ‭or‬ ‭network.‬ ‭It’s‬ ‭an‬ ‭important‬ ‭part‬ ‭of‬ ‭any‬ ‭application‬ ‭and‬ ‭can‬ ‭be‬ ‭done‬ ‭in‬ ‭many‬ ‭ways‬ ‭such‬ ‭as‬
‭username and password authentication, two-factor authentication, and API authentication.‬

‭ PI‬ ‭authentication‬ ‭uses‬ ‭an‬ ‭API‬ ‭key‬ ‭to‬ ‭verify‬ ‭the‬ ‭identity‬ ‭of‬ ‭the‬ ‭user.‬ ‭This‬ ‭type‬‭of‬‭authentication‬‭can‬‭be‬
A
‭used for both public and private APIs.‬

‭Objective:‬‭Ensure only authorized users can access‬‭the API.‬

‭43‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ ethods:‬‭Check the implementation of authentication mechanisms such as OAuth, JWT, API keys, and‬
M
‭basic auth.‬

‭Tests:‬‭Validate token expiration, token revocation, replay attacks, and credential brute-forcing.‬

‭Authorization‬

‭ he‬‭API‬‭authorization‬‭is‬‭a‬‭process‬‭of‬‭checking‬‭the‬‭identity‬‭of‬‭the‬‭user‬‭and‬‭authorizing‬‭them‬‭to‬‭access‬‭the‬
T
‭application.‬‭It’s‬‭a‬‭common‬‭practice‬‭in‬‭web‬‭applications‬‭and‬‭can‬‭be‬‭done‬‭by‬‭sending‬‭an‬‭HTTP‬‭request‬‭with‬
‭the‬ ‭appropriate‬ ‭header‬ ‭and‬ ‭token‬ ‭in‬ ‭it.‬ ‭The‬ ‭API‬ ‭will‬ ‭then‬ ‭return‬ ‭a‬ ‭response‬ ‭with‬ ‭information‬ ‭about‬
‭whether or not the request was successful or not.‬

‭Objective:‬‭Verify that users have permission to access‬‭resources and perform actions.‬

‭Methods:‬‭Role-based access control (RBAC), attribute-based‬‭access control (ABAC).‬

‭ ests:‬‭Check for privilege escalation, verify access‬‭control rules, and ensure that users cannot access data‬
T
‭belonging to other users.‬

‭44‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Common API Security Risks‬

‭ espite‬ ‭their‬ ‭benefits,‬ ‭APIs‬ ‭can‬ ‭be‬ ‭vulnerable‬ ‭to‬ ‭various‬ ‭security‬ ‭risks.‬ ‭Some‬ ‭common‬ ‭vulnerabilities‬
D
‭include:‬

‭Injection Attacks:‬

‭APIs‬ ‭can‬ ‭be‬ ‭vulnerable‬ ‭to‬ ‭injection‬ ‭attacks,‬ ‭where‬ ‭malicious‬ ‭code‬ ‭or‬ ‭commands‬ ‭are‬ ‭injected‬ ‭into‬ ‭API‬
r‭ equests. This can lead to unauthorized data exposure, compromised systems, or a takeover.‬

‭Broken Authentication and Session Management:‬

‭ eak‬ ‭authentication‬ ‭mechanisms,‬ ‭improper‬ ‭session‬ ‭handling,‬ ‭or‬ ‭inadequate‬ ‭access‬ ‭controls‬ ‭can‬ ‭expose‬
W
‭APIs‬ ‭to‬ ‭authentication‬ ‭and‬ ‭session-related‬ ‭vulnerabilities.‬ ‭Attackers‬ ‭may‬ ‭exploit‬ ‭these‬ ‭weaknesses‬ ‭to‬
‭impersonate legitimate users, hijack sessions, or gain unauthorized access to sensitive data.‬

‭Insecure Direct Object References (IDOR):‬

‭ PIs‬ ‭that‬ ‭expose‬ ‭internal‬ ‭references,‬ ‭such‬ ‭as‬ ‭database‬ ‭IDs‬ ‭or‬ ‭file‬ ‭paths,‬ ‭without‬ ‭proper‬ ‭authorization‬
A
‭checks‬ ‭can‬ ‭be‬ ‭prone‬ ‭to‬ ‭IDOR‬ ‭vulnerabilities.‬ ‭Attackers‬ ‭can‬ ‭manipulate‬ ‭these‬ ‭references‬ ‭to‬ ‭access‬
‭unauthorized resources or sensitive information.‬

‭Denial-of-Service (DoS) Attacks:‬

‭ PIs‬ ‭can‬ ‭be‬‭targeted‬‭with‬‭DoS‬‭attacks,‬‭where‬‭attackers‬‭overwhelm‬‭the‬‭API‬‭infrastructure‬‭with‬‭a‬‭flood‬‭of‬

A
‭requests,‬ ‭rendering‬ ‭the‬ ‭API‬ ‭unresponsive‬‭or‬‭unavailable.‬‭This‬‭disrupts‬‭services,‬‭impacts‬‭user‬‭experience,‬
‭and potentially leads to financial losses.‬

‭45‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭4.3.Preparing for API Security Testing‬

‭ nsuring‬ ‭the‬ ‭security‬ ‭of‬ ‭APIs‬ ‭is‬ ‭crucial‬ ‭to‬ ‭protect‬ ‭sensitive‬ ‭data‬ ‭and‬ ‭prevent‬ ‭potential‬ ‭breaches.‬ ‭API‬
E
‭security‬ ‭testing‬ ‭plays‬ ‭a‬ ‭vital‬ ‭role‬ ‭in‬ ‭identifying‬ ‭vulnerabilities‬ ‭and‬ ‭weaknesses‬ ‭in‬ ‭API‬ ‭implementations.‬
‭Following are some pointers to consider when preparing for API security testing:‬

‭Setting up the Testing Environment‬

‭ stablishing‬ ‭a‬ ‭robust‬ ‭testing‬ ‭environment‬‭that‬‭closely‬‭resembles‬‭the‬‭production‬‭environment‬‭is‬‭essential.‬

E
‭Here are key considerations:‬

‭Isolate the Testing Environment:‬

‭ reate‬ ‭a‬ ‭separate,‬ ‭isolated‬ ‭environment‬ ‭dedicated‬ ‭explicitly‬ ‭to‬ ‭API‬ ‭security‬ ‭testing.‬ ‭This‬ ‭prevents‬ ‭any‬
C
‭accidental impact on the production systems and ensures a controlled testing environment.‬

‭Replicate Production Configuration:‬

‭ eplicate‬ ‭the‬ ‭configuration‬ ‭of‬ ‭the‬ ‭production‬ ‭environment‬ ‭as‬ ‭closely‬ ‭as‬ ‭possible,‬ ‭including‬ ‭the‬ ‭server‬
R
‭setup,‬‭network‬‭architecture,‬‭and‬‭infrastructure‬‭components.‬‭This‬‭ensures‬‭that‬‭the‬‭security‬‭tests‬‭accurately‬
‭reflect real-world scenarios.‬

‭Utilize Virtualization or Containerization:‬

‭ everage‬ ‭virtualization‬ ‭technologies‬ ‭like‬ ‭virtual‬ ‭machines‬ ‭or‬ ‭containerization‬ ‭platforms‬ ‭(e.g.,‬‭Docker)‬‭to‬
L
‭create‬ ‭a‬ ‭scalable‬ ‭and‬ ‭reproducible‬ ‭testing‬ ‭environment.‬ ‭This‬ ‭enables‬ ‭the‬ ‭easy‬ ‭setup‬ ‭of‬ ‭multiple‬ ‭testing‬
‭instances and facilitates efficient testing of different API configurations.‬

‭Identifying the Scope of Testing‬

‭ efining‬ ‭the‬ ‭scope‬ ‭of‬ ‭API‬ ‭security‬ ‭testing‬‭is‬‭vital‬‭to‬‭ensure‬‭focused‬‭efforts‬‭and‬‭comprehensive‬‭coverage.‬

D
‭Consider the following factors:‬

‭APIs and Endpoints:‬

‭ etermine‬ ‭which‬ ‭APIs‬ ‭and‬ ‭specific‬ ‭endpoints‬ ‭will‬ ‭be‬ ‭included‬ ‭in‬ ‭the‬ ‭testing.‬ ‭It’s‬ ‭essential‬ ‭to‬ ‭consider‬
D
‭internal‬ ‭and‬ ‭external-facing‬ ‭APIs‬ ‭and‬ ‭any‬ ‭public‬ ‭APIs‬ ‭that‬ ‭may‬ ‭expose‬ ‭sensitive‬ ‭data‬ ‭or‬ ‭critical‬
‭functionalities.‬

‭46‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Authentication and Authorization Mechanisms:‬

‭ ssess‬ ‭the‬ ‭APIs’‬ ‭various‬ ‭authentication‬ ‭and‬ ‭authorization‬ ‭mechanisms.‬ ‭Include‬ ‭scenarios‬ ‭like‬ ‭API‬‭keys,‬
A
‭tokens, or user credentials to evaluate the security measures thoroughly.‬

‭Data Validation and Input Handling:‬

‭ nalyze‬‭how‬‭APIs‬‭handle‬‭data‬‭validation‬‭and‬‭input‬‭handling.‬‭Assess‬‭how‬‭they‬‭respond‬‭to‬‭input‬‭formats,‬
A
‭including invalid or unexpected data. Pay special attention to potential injection vulnerabilities.‬

‭Error Handling and Exception Management:‬

‭Evaluate‬ ‭how‬ ‭APIs‬ ‭handle‬ ‭errors‬ ‭and‬ ‭exceptions.‬ ‭Test‬ ‭their‬ ‭response‬ ‭to‬ ‭different‬ ‭error‬ ‭conditions‬ ‭and‬
e‭ nsure that sensitive information is not leaked in error messages.‬

‭Gathering Necessary Tools and Resources‬

‭ quipping‬ ‭your‬ ‭API‬ ‭security‬ ‭testing‬ ‭efforts‬ ‭with‬ ‭the‬ ‭right‬ ‭tools‬ ‭and‬ ‭resources‬ ‭is‬ ‭essential‬ ‭for‬ ‭effective‬
E
‭testing. Consider the following:‬

‭API Testing Tools:‬

‭ xplore‬ ‭and‬ ‭select‬‭appropriate‬‭API‬‭testing‬‭tools‬‭that‬‭support‬‭security‬‭testing,‬‭such‬‭as‬‭OWASP‬‭ZAP,‬‭Burp‬

E
‭Suite,‬ ‭or‬ ‭Postman.‬ ‭These‬ ‭tools‬ ‭offer‬ ‭features‬ ‭like‬ ‭vulnerability‬ ‭scanning,‬ ‭fuzz‬ ‭testing,‬ ‭and‬ ‭API‬ ‭traffic‬
‭interception for comprehensive testing.‬

‭Security Testing Frameworks:‬

‭ amiliarize‬ ‭yourself‬ ‭with‬ ‭security‬ ‭testing‬ ‭frameworks,‬ ‭such‬ ‭as‬ ‭the‬ ‭OWASP‬ ‭API‬ ‭Security‬ ‭Top‬ ‭10,‬ ‭which‬
F
‭guides‬‭the‬‭most‬‭critical‬‭API‬‭security‬‭risks.‬‭These‬‭frameworks‬‭serve‬‭as‬‭invaluable‬‭references‬‭throughout‬‭the‬
‭testing process.‬

‭Documentation and Specifications:‬

‭ btain‬ ‭the‬ ‭API‬ ‭documentation,‬ ‭specifications,‬ ‭and‬ ‭relevant‬ ‭security‬ ‭requirements.‬ ‭Thoroughly‬ ‭review‬
O
‭them to understand the expected behavior, expected security measures, and any specific test cases.‬

‭Security Testing Checklist:‬

‭ evelop‬ ‭a‬ ‭comprehensive‬ ‭security‬ ‭testing‬ ‭checklist‬ ‭encompassing‬ ‭various‬ ‭aspects‬ ‭of‬ ‭API‬ ‭security,‬
D
‭including‬ ‭authentication,‬ ‭authorization,‬ ‭input‬ ‭validation,‬ ‭error‬ ‭handling,‬ ‭and‬ ‭encryption.‬ ‭This‬ ‭checklist‬
‭will serve as a roadmap for your testing efforts.‬

‭47‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Steps to Follow for API Security Testing‬

‭Step 1: Understanding API Endpoints‬

‭Objective:‬‭Ensure endpoints are secured and not publicly‬‭exposed unnecessarily.‬

‭Methods:‬‭Use API gateway, limit endpoint exposure.‬

‭ ests:‬‭Enumerate API endpoints, verify the necessity‬‭of exposed endpoints, and check for hidden or‬
T
‭undocumented endpoints.‬

‭API endpoints serve as the entry points for interactions with an API. To conduct effective security testing:‬

‭Define API Endpoints:‬

I‭ dentify‬‭and‬‭document‬‭all‬‭API‬‭endpoints.‬‭Categorize‬‭them‬‭based‬‭on‬‭functionality,‬‭sensitivity,‬‭and‬‭potential‬
‭security risks.‬

‭Identify Sensitive Endpoints and Vulnerabilities:‬

‭Determine‬ ‭which‬ ‭endpoints‬ ‭handle‬ ‭sensitive‬ ‭data,‬ ‭perform‬ ‭critical‬ ‭operations,‬ ‭or‬ ‭involve‬ ‭user‬
‭ uthentication. These endpoints may be more prone to security vulnerabilities and require rigorous testing.‬
a

‭Map API Endpoints:‬

‭ reate‬ ‭a‬ ‭comprehensive‬ ‭map‬ ‭of‬ ‭API‬ ‭endpoints,‬ ‭including‬ ‭the‬ ‭request‬ ‭and‬ ‭response‬ ‭types,‬ ‭expected‬
C
‭behavior,‬ ‭and‬ ‭associated‬ ‭security‬ ‭controls.‬ ‭This‬ ‭map‬ ‭will‬ ‭serve‬ ‭as‬ ‭a‬ ‭reference‬ ‭during‬ ‭testing‬ ‭to‬ ‭ensure‬
‭thorough coverage.‬

‭Step 2: Authentication and Authorization Testing‬

‭ uthentication‬ ‭and‬ ‭authorization‬ ‭mechanisms‬ ‭play‬ ‭a‬ ‭vital‬ ‭role‬ ‭in‬ ‭securing‬ ‭APIs.‬‭When‬‭testing,‬‭consider‬
A
‭the following:‬

‭48‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Evaluate Authentication Effectiveness:‬

‭ ssess‬ ‭the‬ ‭strength‬ ‭and‬ ‭effectiveness‬ ‭of‬ ‭authentication‬ ‭mechanisms,‬ ‭such‬ ‭as‬ ‭API‬ ‭keys,‬ ‭tokens,‬ ‭or‬
A
‭multifactor authentication. Verify that only authenticated users can access protected resources.‬

‭Examine Authorization Controls:‬

‭ est‬ ‭the‬ ‭authorization‬ ‭controls‬ ‭to‬ ‭ensure‬ ‭only‬ ‭authorized‬ ‭users‬‭or‬‭roles‬‭can‬‭perform‬‭specific‬‭actions.‬‭Pay‬

T
‭attention‬ ‭to‬ ‭privilege‬ ‭escalation‬ ‭risks,‬ ‭such‬ ‭as‬ ‭bypassing‬ ‭authorization‬ ‭checks‬ ‭or‬ ‭gaining‬ ‭unauthorized‬
‭access to sensitive data.‬

‭Test for Improper Access Controls:‬

I‭ dentify‬ ‭potential‬ ‭security‬ ‭misconfigurations‬ ‭or‬ ‭improper‬ ‭access‬ ‭controls‬ ‭that‬ ‭may‬ ‭allow‬ ‭unauthorized‬
‭access to sensitive endpoints or operations. Thoroughly examine access control rules and configurations.‬

‭Step 3: Input Validation‬

‭Objective:‬‭Protect the API from malicious input.‬

‭Methods:‬‭Implement whitelisting, sanitization, and‬‭validation of inputs.‬

‭ ests:‬‭Inject various forms of input such as SQL injection,‬‭XSS (cross-site scripting), command injection,‬
T
‭and XML external entity (XXE) attacks.‬

‭Here some tips on how to implement input validation for your APIs to make sure it’s as secure as possible.‬

‭1. Validate Content-Type Header and Data Format‬

‭ he‬ ‭Content-Type‬ ‭header‬ ‭indicates‬ ‭what‬ ‭media‬ ‭type‬ ‭will‬ ‭be‬ ‭transmitted‬ ‭from‬ ‭an‬ ‭HTTP‬ ‭request‬ ‭or‬
T
‭response.‬‭Verifying‬‭the‬‭Content-Type‬‭to‬‭ensure‬‭that‬‭the‬‭posted‬‭data‬‭matches‬‭the‬‭expected‬‭format‬‭is‬‭one‬‭of‬
‭the most straightforward ways to protect an API from invalid or malicious data.‬

I‭ magine‬ ‭an‬ ‭API‬ ‭endpoint‬ ‭that‬ ‭expects‬ ‭a‬ ‭JSON‬ ‭object‬ ‭for‬ ‭a‬ ‭specific‬ ‭application.‬‭Verifying‬‭the‬‭header‬‭and‬
‭that‬‭the‬‭request‬‭is‬‭in‬‭JSON‬‭format‬‭protects‬‭your‬‭API‬‭from‬‭data‬‭corruption‬‭or‬‭injection‬‭attacks,‬‭among‬‭other‬
‭things.‬

‭2. Prevent Entity Expansion‬

‭ enial‬‭of‬‭service‬‭(DoS)‬‭attacks‬‭like‬‭A‬‭Billion‬‭Laughs‬‭or‬‭XML‬‭bomb‬‭attacks‬‭rely‬‭on‬‭vulnerable‬‭XML‬‭parsers.‬
D
‭The‬‭attack‬‭involves‬‭sending‬‭an‬‭XML‬‭file‬‭with‬‭a‬‭large‬‭number‬‭of‬‭nested‬‭entities,‬‭resulting‬‭in‬‭the‬‭XML‬‭parser‬
‭expanding‬ ‭each‬ ‭entity‬ ‭and‬ ‭consuming‬ ‭an‬ ‭excessive‬ ‭amount‬ ‭of‬ ‭resources.‬ ‭Simply‬ ‭limiting‬ ‭the‬‭number‬‭of‬
‭entities that can be opened by the parser eliminates this type of DoS attack entirely.‬

‭3. Limit the Size of Posted Data‬

‭49‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ hen‬ ‭users‬ ‭can‬ ‭interact‬ ‭with‬ ‭your‬ ‭API‬ ‭via‬ ‭input‬‭forms,‬‭file‬‭uploads,‬‭or‬‭POST‬‭requests,‬‭it’s‬‭important‬‭to‬

W
‭restrict‬ ‭how‬ ‭much‬ ‭data‬ ‭can‬ ‭be‬ ‭sent.‬ ‭Prohibitively‬ ‭large‬ ‭files‬ ‭can‬ ‭consume‬ ‭excess‬ ‭resources,‬ ‭increase‬
‭processing time, or even, in some circumstances, cause an API to crash.‬

‭4. Compare User Input Against Injection Flaws‬

I‭ njection‬ ‭flaws‬ ‭are‬ ‭pervasive‬ ‭in‬ ‭SQL,‬ ‭LDAP,‬ ‭or‬ ‭NoSQL‬ ‭queries,‬ ‭OS‬‭commands,‬‭XML‬‭parsers,‬‭and‬‭ORM.‬
‭They’re‬ ‭very‬ ‭easy‬ ‭to‬ ‭discover,‬ ‭as‬ ‭well,‬ ‭using‬ ‭tools‬ ‭like‬ ‭scanners‬ ‭or‬ ‭fuzzers.‬ ‭Injection‬ ‭flaws‬ ‭are‬ ‭when‬ ‭an‬
‭attacker‬ ‭can‬ ‭run‬ ‭malicious‬ ‭code‬ ‭through‬ ‭an‬‭external‬‭application.‬‭This‬‭can‬‭result‬‭in‬‭both‬‭a‬‭backend‬‭being‬
‭compromised as well as third-party clients connected to the affected application.‬

‭ o‬‭help‬‭prevent‬‭the‬‭risk‬‭due‬‭to‬‭injection‬‭flaws,‬‭you‬‭should‬‭validate‬‭input‬‭from‬‭every‬‭potentially‬‭untrusted‬
T
‭source.‬‭This‬‭includes‬‭everything‬‭from‬‭internet-facing‬‭web‬‭clients‬‭to‬‭backend‬‭feeds‬‭over‬‭extranets‬‭and‬‭data‬
‭from suppliers, vendors, or regulators. Any of these could be compromised, putting your system at risk.‬

‭5. Validate All Levels‬

‭ o‬ ‭help‬ ‭ensure‬ ‭API‬ ‭security‬‭,‬ ‭input‬ ‭validation‬ ‭should‬ ‭be‬ ‭performed‬ ‭on‬‭both‬‭the‬‭syntactical‬‭and‬‭semantic‬
T
‭levels.‬‭Syntactic‬‭level‬‭validation‬‭should‬‭check‬‭to‬‭see‬‭that‬‭structured‬‭fields‬‭are‬‭formatted‬‭correctly,‬‭such‬‭as‬
‭ensuring‬ ‭the‬ ‭right‬ ‭currency‬ ‭symbols‬ ‭are‬ ‭used,‬ ‭for‬ ‭example,‬ ‭or‬ ‭that‬ ‭the‬ ‭proper‬ ‭hyphenated‬ ‭structure‬ ‭is‬
‭followed‬‭for‬‭things‬‭like‬‭phone‬‭or‬‭social‬‭security‬‭numbers.‬‭Semantic‬‭input‬‭validation‬‭checks‬‭to‬‭ensure‬‭data‬
‭falls within a specific context, such as a particular date or price range.‬

‭6. Choose The Right Implementation For Your Programming Language‬

‭ ost‬ ‭programming‬ ‭languages‬ ‭and‬ ‭frameworks‬‭have‬‭some‬‭method‬‭for‬‭input‬‭validation.‬‭Django‬‭supports‬

M
‭Django‬‭Validators‬‭,‬‭for‬‭instance,‬‭while‬‭Apache‬‭Commons‬‭Validators‬‭are‬‭useful‬‭for‬‭Java-based‬‭applications.‬
‭Java‬ ‭also‬ ‭allows‬ ‭for‬ ‭type‬ ‭conversion,‬ ‭using‬ ‭functions‬ ‭like‬ ‭Integer.parseInt(),‬ ‭as‬ ‭does‬ ‭Python,‬ ‭using‬ ‭int().‬
‭Input‬ ‭can‬ ‭be‬ ‭checked‬ ‭against‬ ‭JSON‬ ‭and‬ ‭XML‬ ‭schema,‬ ‭as‬ ‭well.‬ ‭Arrays‬ ‭can‬ ‭be‬ ‭used‬ ‭for‬ ‭small‬ ‭sets‬ ‭of‬
‭parameters, like days of the week or time of day.‬

‭7. Use Allow Lists Instead Of Block Lists‬

‭ any‬ ‭developers‬ ‭use‬ ‭block‬ ‭lists‬ ‭to‬ ‭try‬ ‭and‬ ‭prevent‬ ‭common‬ ‭attack‬ ‭patterns,‬ ‭such‬ ‭as‬ ‭the‬ ‭apostrophe‬ ‭‘‬
M
‭character,‬‭the‬‭1=1‬‭string,‬‭or‬‭<script>‬‭tags.‬‭This‬‭approach‬‭is‬‭easy‬‭for‬‭attackers‬‭to‬‭circumvent,‬‭though.‬‭Valid‬
‭inputs can trigger the filter, too, as in the case of last names like O’Grady.‬

‭ sing‬ ‭allow‬ ‭lists‬ ‭is‬ ‭a‬ ‭better‬ ‭approach‬ ‭for‬ ‭user‬ ‭inputs.‬ ‭They‬ ‭let‬ ‭you‬ ‭specify‬ ‭what‬ ‭is‬ ‭allowed‬ ‭rather‬ ‭than‬
U
‭trying‬‭to‬‭prevent‬‭any‬‭potential‬‭risk.‬‭This‬‭is‬‭easy‬‭to‬‭implement‬‭for‬‭structured‬‭data,‬‭like‬‭addresses‬‭or‬‭social‬
‭security‬‭numbers.‬‭Input‬‭fields‬‭with‬‭limited‬‭options,‬‭like‬‭a‬‭drop-down‬‭menu,‬‭are‬‭even‬‭easier‬‭to‬‭validate,‬‭as‬
‭the selection needs to exactly match one of the available options.‬

‭8. Validate Free-Form UNICODE Input Properly‬

‭ ree-form‬ ‭inputs,‬ ‭such‬ ‭as‬ ‭text,‬ ‭have‬ ‭a‬ ‭reputation‬ ‭of‬ ‭being‬‭the‬‭most‬‭difficult‬‭to‬‭validate,‬‭as‬‭there’s‬‭such‬‭a‬
F
‭wide‬ ‭range‬ ‭of‬ ‭possible‬ ‭variables.‬ ‭To‬ ‭validate‬ ‭free-form‬ ‭UNICODE‬ ‭inputs,‬ ‭you‬ ‭should‬ ‭practice‬
‭normalization‬ ‭to‬ ‭ensure‬ ‭no‬ ‭invalid‬ ‭characters‬ ‭are‬ ‭present.‬ ‭You‬ ‭should‬ ‭create‬ ‭an‬ ‭allow-list‬‭for‬‭acceptable‬

‭50‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

c‭ haracter‬ ‭categories,‬ ‭such‬ ‭as‬ ‭Arabic‬ ‭or‬ ‭Cyrillic‬ ‭alphabets.‬ ‭You‬ ‭can‬ ‭also‬ ‭create‬ ‭allow-lists‬ ‭for‬ ‭individual‬
‭characters, like the apostrophe in a name field.‬

‭9. Validate on the Server Side As Well As the Client Side‬

J‭ avaScript‬‭input‬‭validation‬‭is‬‭easily‬‭bypassed‬‭by‬‭attackers,‬‭who‬‭can‬‭either‬‭disable‬‭JavaScript‬‭or‬‭use‬‭a‬‭Web‬
‭Proxy. Validating input on the client side adds an invaluable extra layer of protection.‬

‭10. Manage User Uploads Properly‬

‭ e‬‭already‬‭mentioned‬‭how‬‭attackers‬‭can‬‭use‬‭uploads‬‭for‬‭DoS‬‭attacks.‬‭Putting‬‭size‬‭limits‬‭on‬‭user‬‭uploads‬
W
‭is‬‭just‬‭one‬‭approach‬‭for‬‭validating‬‭user‬‭uploads,‬‭though.‬‭If‬‭your‬‭API‬‭only‬‭accepts‬‭certain‬‭file‬‭types,‬‭you‬‭can‬
‭use‬ ‭input‬ ‭validation‬ ‭to‬ ‭make‬ ‭sure‬ ‭the‬ ‭uploaded‬ ‭file‬ ‭matches‬ ‭the‬ ‭expected‬ ‭file‬ ‭type.‬ ‭Once‬ ‭the‬ ‭file’s‬
‭uploaded,‬ ‭though,‬ ‭make‬ ‭sure‬‭to‬‭change‬‭the‬‭file’s‬‭name‬‭in‬‭your‬‭system.‬‭They‬‭should‬‭also‬‭be‬‭analyzed‬‭for‬
‭malicious content, such as malware. The user shouldn’t be able to dictate where the file is stored, either.‬

‭Step 4:‬‭Ensure Data Integrity‬

‭Verify‬‭that‬‭the‬‭API‬‭performs‬‭proper‬‭validation,‬‭sanitization,‬‭and‬‭encoding‬‭of‬‭user-supplied‬‭data‬‭to‬‭prevent‬
‭ ata corruption or tampering. Validate the integrity of data transmitted between the client and server.‬
d

‭Test for Data Leakage and Exposure Risks:‬

I‭ dentify‬‭potential‬‭data‬‭leakages‬‭risks,‬‭such‬‭as‬‭inadvertently‬‭disclosing‬‭sensitive‬‭information‬‭in‬‭responses‬‭or‬
‭error messages. Test for scenarios where sensitive data may be unintentionally exposed.‬

‭Step 4: Error Handling and Exception Management‬

‭Objective:‬‭Ensure errors and logs do not expose sensitive‬‭information.‬

‭Methods:‬‭Implement proper error messages and logging‬‭practices.‬

‭ ests:‬‭Generate various errors and examine responses‬‭for sensitive data leakage, verify logging‬
T
‭configurations, and check for proper log sanitization.‬

‭ roper error handling and exception management improve an API’s overall security and robustness. When‬
P
‭conducting testing:‬

‭Assess Error Handling Mechanisms:‬

‭ valuate‬ ‭how‬ ‭the‬ ‭API‬ ‭handles‬ ‭errors‬ ‭and‬ ‭exceptions.‬ ‭Test‬ ‭for‬ ‭proper‬ ‭error‬‭codes,‬‭informative‬‭messages,‬
E
‭and appropriate logging practices.‬

‭Test for Information Disclosure Vulnerabilities:‬

‭ ook‬ ‭for‬ ‭potential‬ ‭information‬ ‭disclosure‬ ‭vulnerabilities‬ ‭in‬ ‭error‬ ‭responses‬ ‭or‬ ‭stack‬ ‭traces.‬ ‭Ensure‬ ‭that‬
L
‭error messages do not expose sensitive information that could aid attackers.‬

‭51‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Evaluate Exception Management Practices:‬

‭ ssess‬ ‭how‬ ‭the‬ ‭API‬ ‭handles‬ ‭unexpected‬ ‭situations,‬ ‭such‬ ‭as‬ ‭unhandled‬ ‭exceptions‬ ‭or‬ ‭denial-of-service‬
A
‭attacks. Verify that the API gracefully handles exceptions and does not expose system vulnerabilities.‬

‭Step 5: Rate-limiting and Throttling‬

‭Objective:‬‭Prevent abuse of API services through excessive‬‭requests.‬

‭Methods:‬‭Implement rate limiting, quota management,‬‭and throttling policies.‬

‭ ests:‬‭Simulate high request rates, verify the enforcement of rate limits, and check for DoS (Denial of‬
T
‭Service) vulnerabilities. Rate limiting and throttling mechanisms protect APIs against abuse and‬
‭denial-of-service attacks. During testing:‬

‭Understand the Importance of Rate Limiting:‬

‭ ecognize‬ ‭the‬ ‭significance‬ ‭of‬ ‭rate‬ ‭limiting‬ ‭and‬ ‭throttling‬ ‭to‬ ‭prevent‬ ‭abuse,‬ ‭brute-force‬ ‭attacks,‬ ‭or‬ ‭DoS‬
R
‭scenarios. Familiarize yourself with industry best practices.‬

‭Test for Bypassing Rate Limits:‬

‭ ttempt‬ ‭to‬ ‭bypass‬ ‭rate‬ ‭limits‬ ‭and‬ ‭verify‬ ‭if‬ ‭the‬ ‭API‬ ‭enforces‬ ‭them‬ ‭consistently.‬ ‭Check‬ ‭for‬ ‭potential‬
A
‭vulnerabilities that allow attackers to circumvent rate limits and overload the system.‬

‭Verify Effectiveness of Rate-limiting Mechanisms:‬

‭ est‬‭the‬‭API‬‭under‬‭various‬‭load‬‭conditions‬‭to‬‭ensure‬‭that‬‭rate-limiting‬‭and‬‭throttling‬‭mechanisms‬‭function‬
T
‭as expected. Measure the API’s response time and stability during high-volume traffic.‬

‭API Rate Limiting vs. API Throttling: Comparison Table‬

‭FEATURE‬ ‭API RATE LIMITING‬ ‭API THROTTLING‬

‭ o‬ ‭prevent‬‭abuse‬‭and‬‭ensure‬‭equitable‬
T ‭ o‬‭maintain‬‭system‬‭performance‬‭and‬
T
‭access‬ ‭to‬ ‭resources‬ ‭by‬ ‭limiting‬ ‭the‬ ‭stability‬‭by‬‭dynamically‬‭adjusting‬‭the‬
‭ rimary‬
P
‭number‬ ‭of‬ ‭requests‬ ‭a‬ ‭user‬ ‭or‬ ‭service‬ ‭rate‬ ‭of‬ ‭incoming‬ ‭requests‬ ‭based‬ ‭on‬
‭Objective‬
‭can‬ ‭make‬ ‭within‬ ‭a‬ ‭specified‬ ‭time‬ ‭current‬ ‭system‬ ‭load‬ ‭or‬ ‭predefined‬
‭frame.‬ ‭rules.‬

I‭ mplements‬ ‭fixed‬ ‭thresholds‬ ‭for‬ ‭the‬ ‭ tilizes‬ ‭algorithms‬ ‭to‬ ‭dynamically‬

U
‭ ontrol‬
C ‭number‬ ‭of‬ ‭requests‬ ‭that‬ ‭can‬ ‭be‬ ‭made‬ ‭adjust‬ ‭request‬ ‭limits‬ ‭in‬ ‭real‬ ‭time,‬
‭Mechanism‬ ‭over‬ ‭a‬ ‭set‬ ‭time‬ ‭period‬ ‭(e.g.,‬ ‭1000‬ ‭based‬‭on‬‭system‬‭performance‬‭metrics‬
‭requests per hour per user).‬ ‭and predefined priorities.‬

‭52‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭ ims‬‭to‬‭optimize‬‭the‬‭flow‬‭of‬‭requests‬
A
‭ ocuses‬ ‭on‬ ‭enforcing‬ ‭fairness‬ ‭and‬
F ‭to‬ ‭prevent‬ ‭system‬ ‭overloads‬ ‭while‬
‭ perational‬
O
‭preventing‬ ‭system‬ ‭overload‬ ‭by‬‭setting‬ ‭accommodating‬ ‭fluctuating‬ ‭demand‬
‭Focus‬
‭clear, predefined limits on API usage.‬ ‭and‬ ‭ensuring‬ ‭critical‬ ‭requests‬ ‭are‬
‭processed efficiently.‬

‭ hrottling‬ ‭may‬ ‭slow‬ ‭down‬ ‭the‬

T
‭ nce‬ ‭the‬ ‭rate‬ ‭limit‬ ‭is‬ ‭reached,‬ ‭further‬
O ‭processing‬ ‭of‬ ‭requests‬ ‭rather‬ ‭than‬
‭requests‬ ‭are‬ ‭blocked‬ ‭until‬ ‭the‬ ‭limit‬ ‭outright‬ ‭blocking‬ ‭them,‬ ‭leading‬ ‭to‬
‭User Impact‬
‭resets,‬ ‭potentially‬ ‭leading‬ ‭to‬ ‭service‬ ‭increased‬ ‭response‬ ‭times‬ ‭but‬
‭interruptions for the user.‬ ‭generally‬ ‭avoiding‬ ‭complete‬ ‭service‬
‭interruptions.‬

‭ ore‬ ‭flexible‬ ‭and‬ ‭adaptive,‬ ‭as‬‭it‬‭can‬

M
‭ enerally‬ ‭less‬ ‭flexible,‬ ‭as‬ ‭limits‬ ‭are‬
G
‭adjust‬ ‭allowed‬ ‭request‬ ‭rates‬ ‭in‬ ‭real‬
‭Flexibility‬ ‭fixed‬ ‭and‬ ‭do‬ ‭not‬ ‭adapt‬ ‭to‬ ‭changes‬ ‭in‬
‭time‬ ‭based‬ ‭on‬ ‭the‬ ‭current‬ ‭system‬
‭system load or demand.‬
‭load, demand, and predefined rules.‬

‭ ay‬ ‭use‬ ‭complex‬ ‭algorithms‬ ‭that‬

M
‭ ften‬ ‭implemented‬ ‭using‬ ‭a‬ ‭token‬
O
‭take‬ ‭into‬ ‭account‬ ‭current‬ ‭system‬
‭bucket‬ ‭or‬ ‭fixed‬ ‭window‬ ‭counter‬
I‭ mplementation‬ ‭load,‬‭user‬‭priorities,‬‭and‬‭other‬‭factors‬
‭algorithm,‬ ‭which‬ ‭allows‬ ‭for‬ ‭a‬ ‭simple‬
‭Detail‬ ‭to‬ ‭dynamically‬ ‭adjust‬ ‭request‬
‭and‬ ‭straightforward‬ ‭enforcement‬ ‭of‬
‭handling,‬ ‭such‬ ‭as‬ ‭weighted‬ ‭fair‬
‭rate limits.‬
‭queuing.‬

‭ eedback‬ ‭mechanisms‬ ‭may‬ ‭include‬

F
‭ ypically‬‭provides‬‭feedback‬‭to‬‭the‬‭user‬
T
‭HTTP‬ ‭headers‬ ‭indicating‬ ‭current‬
‭via‬ ‭HTTP‬ ‭headers,‬ ‭informing‬ ‭them‬ ‭of‬
‭ eedback‬
F ‭request‬ ‭processing‬ ‭times‬ ‭and‬
‭their‬‭current‬‭rate‬‭limit‬‭status,‬‭including‬
‭Mechanisms‬ ‭expected‬ ‭delays,‬ ‭allowing‬ ‭users‬ ‭to‬
‭the‬ ‭remaining‬ ‭number‬‭of‬‭requests‬‭and‬
‭adjust‬ ‭their‬ ‭request‬ ‭patterns‬
‭time until the limit resets.‬
‭accordingly.‬

‭ est‬ ‭suited‬ ‭for‬ ‭systems‬ ‭where‬ ‭load‬

B
I‭ deal‬ ‭for‬ ‭APIs‬ ‭where‬ ‭it‬ ‭is‬ ‭crucial‬ ‭to‬
‭can‬ ‭vary‬ ‭dramatically‬ ‭and‬ ‭where‬
‭prevent‬‭abuse‬‭and‬‭ensure‬‭that‬‭all‬‭users‬
‭maintaining‬ ‭performance‬ ‭and‬
‭Use Cases‬ ‭or‬ ‭services‬ ‭have‬ ‭equitable‬ ‭access‬ ‭to‬
‭availability‬ ‭is‬ ‭critical,‬ ‭such‬ ‭as‬ ‭real‬
‭resources,‬ ‭such‬ ‭as‬ ‭public‬ ‭web‬ ‭services‬
‭time‬ ‭applications‬ ‭or‬ ‭services‬ ‭with‬
‭or multi-tenant applications.‬
‭highly variable demand.‬

‭53‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ hrottling‬ ‭rules‬ ‭can‬ ‭be‬ ‭adjusted‬

T
‭ ate‬ ‭limits‬ ‭are‬ ‭typically‬ ‭configured‬
R ‭automatically‬ ‭in‬ ‭real-time,‬ ‭allowing‬
‭ imit‬
L ‭statically‬‭but‬‭can‬‭be‬‭adjusted‬‭manually‬ ‭the‬‭system‬‭to‬‭respond‬‭immediately‬‭to‬
‭Adjustment‬ ‭as‬‭needed‬‭based‬‭on‬‭long-term‬‭trends‬‭in‬ ‭changes‬ ‭in‬ ‭load‬ ‭or‬ ‭performance‬
‭usage or system capacity.‬ ‭conditions‬ ‭without‬ ‭manual‬
‭intervention‬

‭Step 6: API Abuse and Security Testing Automation‬

‭ everage‬ ‭automation‬ ‭techniques‬ ‭for‬ ‭API‬ ‭security‬ ‭testing‬ ‭to‬ ‭maximize‬ ‭efficiency‬ ‭and‬ ‭coverage.‬ ‭When‬
L
‭testing, consider the following:‬

‭Explore Techniques to Identify and Prevent API Abuse:‬

‭Learn‬ ‭about‬ ‭common‬ ‭API‬ ‭abuse‬ ‭scenarios,‬ ‭such‬ ‭as‬ ‭parameter‬ ‭tampering,‬ ‭replay‬ ‭attacks,‬ ‭or‬ ‭API‬ ‭key‬
e‭ xposure. Develop test cases to identify and mitigate these risks.‬

‭Implement Automated Security Testing:‬

‭ tilize‬‭automated‬‭tools‬‭and‬‭frameworks,‬‭such‬‭as‬‭OWASP‬‭ZAP‬‭or‬‭Burp‬‭Suite,‬‭to‬‭streamline‬‭security‬‭testing‬
U
‭efforts.‬ ‭Automate‬ ‭vulnerability‬ ‭scanning,‬ ‭fuzz‬ ‭testing,‬ ‭and‬ ‭security‬ ‭checks‬ ‭to‬ ‭achieve‬ ‭comprehensive‬
‭coverage.‬

‭Leverage Tools and Frameworks:‬

‭ everage‬ ‭open-source‬ ‭tools‬ ‭and‬ ‭frameworks‬ ‭tailored‬ ‭for‬ ‭API‬ ‭security‬ ‭testing.‬ ‭These‬ ‭resources‬ ‭provide‬‭a‬
L
‭wealth of knowledge, best practices, and test scripts to enhance the effectiveness of your testing efforts.‬

‭Tools for API Security Testing:‬

‭‬
● ‭ urp Suite‬‭: Comprehensive web vulnerability scanner‬‭with plugins for API testing.‬
B
‭●‬ ‭OWASP ZAP‬‭: Open-source tool for finding vulnerabilities‬‭in web applications and APIs.‬
‭●‬ ‭Postman‬‭: API development environment with security‬‭testing capabilities.‬
‭●‬ ‭SoapUI‬‭: Functional testing tool for SOAP and REST‬‭APIs.‬
‭●‬ ‭Insomnia‬‭: API client for testing and debugging with‬‭security testing extensions.‬
‭●‬ ‭Fiddler‬‭: Web debugging proxy for capturing and manipulating‬‭API requests and responses.‬
‭●‬ ‭JMeter‬‭: Performance testing tool with capabilities‬‭for API security testing.‬

‭Step 7: Session Management Testing‬

‭Objective:‬‭Ensure secure session handling mechanisms.‬

‭54‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Methods:‬‭Implement secure cookie attributes, session timeouts.‬

‭Tests:‬‭Verify session expiration, test session fixation‬‭and hijacking, and ensure proper session termination.‬

‭Step 8: Business Logic Testing‬

‭Objective:‬‭Ensure the API’s business logic is secure‬‭and robust.‬

‭Methods:‬‭Review business logic for flaws.‬

‭Tests:‬‭Perform scenario-based testing to identify‬‭logic flaws, race conditions, and bypasses.‬

‭55‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Best Practices for API Security Testing‬

‭‬
● ‭ hift Left Security‬‭: Integrate security testing early‬‭in the development lifecycle.‬
S
‭●‬ ‭Use Security Standards‬‭: Follow OWASP API Security‬‭Top 10 guidelines.‬
‭●‬ ‭Regular Audits and Penetration Testing‬‭: Conduct periodic‬‭security audits and penetration tests.‬
‭●‬ ‭Secure Development Practices‬‭: Adopt secure coding‬‭practices and conduct code reviews.‬
‭●‬ ‭Following Industry Standards and Guidelines:‬‭To ensure‬‭robust API security, it is vital to follow‬
‭industry standards and guidelines. These standards provide a framework for implementing‬
‭adequate security controls and mitigating common vulnerabilities. By adhering to these standards,‬
‭organizations can align their security practices with industry best practices and reduce the risk of‬
‭potential breaches.‬
‭●‬ ‭Keeping Up with Evolving Threats and Security Practices:‬‭It is another critical aspect of API‬
‭security. The threat landscape constantly evolves, with new attack vectors and techniques emerging‬
‭regularly. Staying updated on the latest threats allows organizations to identify and address‬
‭vulnerabilities proactively before they can be exploited. By actively participating in security‬
‭communities, attending conferences, and leveraging threat intelligence sources, organizations can‬
‭stay one step ahead of attackers and implement timely security measures.‬
‭ ‬ ‭Continuous Monitoring and Retesting for Ongoing Security‬‭:‬‭These are essential for maintaining‬
●
‭ongoing security. It is not enough to perform security testing once and consider the job done. APIs‬
‭and their associated threats evolve. Organizations can detect and respond to potential security‬
‭incidents in real-time by implementing continuous monitoring. Additionally, regular retesting helps‬
‭identify new vulnerabilities that may have been introduced due to system updates or changes in the‬
‭threat landscape. This iterative approach ensures that APIs remain secure and protected against‬
‭emerging risks. : Automate security tests within CI/CD pipelines.‬

‭56‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Common Interview Questions and answers related to API security testing‬

‭Authentication Testing‬

‭1.‬ ‭Q: What is the difference between authentication and authorization?‬

‭ :‬‭Authentication verifies the identity of a user,‬‭while authorization determines what resources and‬
A
‭actions the authenticated user is allowed to access.‬

‭2.‬ ‭Q: How can you test if an API properly handles JWT (JSON Web Tokens)?‬

‭ :‬‭Validate token structure, check for proper expiration‬‭handling, ensure the token signature is‬
A
‭verified, and test for token revocation.‬

‭3.‬ ‭Q: What are common methods for API authentication?‬

‭A:‬‭OAuth, JWT, API keys, and basic authentication.‬

‭Authorization Testing‬

‭4.‬ ‭Q: How do you test for privilege escalation in an API?‬

‭ :‬‭Attempt to access higher-privilege resources with‬‭lower-privilege credentials and verify that‬

A
‭access is denied.‬

‭5.‬ ‭Q: What is role-based access control (RBAC) in API security?‬

‭ :‬‭RBAC assigns permissions to users based on their‬‭roles within an organization, ensuring they‬
A
‭can only access resources necessary for their role.‬

‭6.‬ ‭Q: How can you ensure API endpoints are not publicly accessible?‬

‭A:‬‭Use API gateways, apply IP whitelisting, and implement‬‭proper access control policies.‬

‭Input Validation Testing‬

‭7.‬ ‭Q: Why is input validation important for APIs?‬

‭ :‬‭It prevents malicious input that can lead to security‬‭vulnerabilities like SQL injection, XSS, and‬
A
‭command injection.‬

‭8.‬ ‭Q: What are common injection attacks you should test against in APIs?‬

‭A:‬‭SQL injection, XSS, command injection, and XML‬‭external entity (XXE) attacks.‬

‭9.‬ ‭Q: How do you test for SQL injection vulnerabilities in an API?‬

‭57‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ :‬‭Inject SQL payloads into API parameters and observe if the API behaves unexpectedly or returns‬
A
‭database errors.‬

‭Rate Limiting and Throttling Testing‬

‭10.‬ ‭Q: What is rate limiting in API security?‬

‭ :‬‭Rate limiting controls the number of requests a‬‭client can make to the API within a specified time‬
A
‭period to prevent abuse.‬

‭11.‬ ‭Q: How can you test the effectiveness of rate limiting?‬

‭ :‬‭Simulate high request rates from a single client‬‭and verify that the API enforces rate limits by‬
A
‭returning appropriate error responses (e.g., HTTP 429 Too Many Requests).‬

‭12.‬ ‭Q: What is the difference between rate limiting and throttling?‬

‭ :‬‭Rate limiting restricts the number of requests‬‭over time, while throttling limits the bandwidth or‬
A
‭processing capacity available to a client.‬

‭Error Handling and Logging Testing‬

‭13.‬ ‭Q: Why is proper error handling important in APIs?‬

‭ :‬‭To avoid exposing sensitive information through‬‭error messages and ensure the API gracefully‬
A
‭handles unexpected conditions.‬

‭14.‬ ‭Q: How can you test for information leakage in error messages?‬

‭ :‬‭Intentionally cause errors and analyze the API‬‭responses for detailed error messages that reveal‬
A
‭implementation details or sensitive information.‬

‭15.‬ ‭Q: What should you check in API logs for security?‬

‭ :‬‭Ensure logs do not contain sensitive information‬‭like passwords or tokens, and verify that‬
A
‭logging complies with privacy regulations.‬

‭Data Protection and Privacy Testing‬

‭16.‬ ‭Q: How do you ensure data in transit is protected in an API?‬

‭A:‬‭Use encryption protocols such as TLS/SSL to encrypt‬‭data during transmission.‬

‭17.‬ ‭Q: What are common methods for encrypting data at rest in an API?‬

‭A:‬‭Use encryption algorithms like AES to encrypt sensitive‬‭data stored in databases or file systems.‬

‭58‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭18.‬ ‭Q: How can you test if data is properly encrypted in transit?‬

‭ :‬‭Inspect network traffic using tools like Wireshark‬‭to verify that data is encrypted during‬
A
‭transmission.‬

‭API Endpoint Testing‬

‭19.‬ ‭Q: How do you discover hidden or undocumented API endpoints?‬

‭ :‬‭Use tools like Burp Suite or OWASP ZAP to spider‬‭the API and look for endpoints that are not‬
A
‭documented.‬

‭20.‬ ‭Q: Why is it important to limit endpoint exposure?‬‭A:‬‭To reduce the attack surface and prevent‬
‭unauthorized access to sensitive resources.‬
‭21.‬ ‭Q: What should you verify in API endpoint testing?‬

‭ :‬‭Ensure only necessary endpoints are exposed, endpoints‬‭require proper authentication and‬
A
‭authorization, and input is properly validated.‬

‭Session Management Testing‬

‭22.‬ ‭Q: How do you test for session fixation vulnerabilities in an API?‬

‭ :‬‭Attempt to set or reuse session identifiers and‬‭verify that the API properly generates new session‬
A
‭IDs after authentication.‬

‭23.‬ ‭Q: What is a secure cookie attribute and how is it tested?‬

‭ :‬‭Attributes like Secure and HttpOnly ensure cookies‬‭are only transmitted over HTTPS and are not‬
A
‭accessible via JavaScript. Test by examining cookie properties in browser developer tools.‬

‭24.‬ ‭Q: Why is session timeout important and how do you test it?‬

‭ :‬‭To minimize the risk of session hijacking. Test‬‭by leaving a session inactive for a period and‬
A
‭verifying that the session is invalidated after the timeout.‬

‭Business Logic Testing‬

‭25.‬ ‭Q: What is business logic testing in API security?‬

‭ :‬‭Testing the API’s functionality to ensure it enforces‬‭business rules and processes correctly‬
A
‭without security flaws.‬

‭26.‬ ‭Q: How do you identify business logic vulnerabilities in an API?‬

‭59‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ :‬‭Perform scenario-based testing to simulate real-world usage and identify logic flaws, race‬
A
‭conditions, and bypasses.‬

‭27.‬ ‭Q: What are examples of business logic flaws in APIs?‬

‭ :‬‭Incorrectly processed transactions, unauthorized‬‭data modification, and failure to enforce‬

A
‭workflow constraints.‬

‭General Security Practices‬

‭28.‬ ‭Q: What is OWASP API Security Top 10?‬

‭ :‬‭A list of the top ten security risks for APIs published by the Open Web Application Security‬
A
‭Project (OWASP), providing guidelines for securing APIs.‬

‭29.‬ ‭Q: How can you integrate security testing into the development lifecycle?‬

‭ :‬‭Use a shift-left approach by incorporating security‬‭tests in CI/CD pipelines, conducting code‬

A
‭reviews, and performing regular security assessments.‬

‭30.‬ ‭Q: Why is continuous monitoring important for API security?‬

‭ :‬‭To detect and respond to security incidents in‬‭real-time, ensuring the API remains secure against‬
A
‭emerging threats.‬

‭31.‬ ‭Q:When is the best time to perform API security testing?‬

‭ :‬‭So when should you conduct API security testing?‬‭The best answer is “as early as possible.” This‬
A
‭means testing pre-production. Like other security testing done in software development, API‬
‭security testing should “shift left,” meaning it should move to the earliest possible stage in the‬
‭development cycle. That’s the time when developers are most likely to be familiar with the recent‬
‭code they wrote rather than the code they wrote a month or 6 months ago. This way, testers can‬
‭catch and remediate security issues before they go into production.‬

‭ nce an application is in production, it becomes more expensive and disruptive to fix a security‬
O
‭problem. With CI/CD, a new vulnerability can go into production every hour, so it’s really helpful‬
‭to be on top of API security testing before code reaches the end of the CI/CD pipeline. A further‬
‭best practice is to follow up with post-production API security testing. Security testing at this‬
‭juncture catches security flaws that arise in production, but which may be difficult to detect in‬
‭pre-production, such as production configuration issues.‬

‭32.‬ ‭Q: Why you need API Security Testing?‬

‭ :‬‭The earlier you catch security vulnerabilities,‬‭the better. From both a cost perspective and‬
A
‭remediation angle, it is much easier to correct issues during the development process of the API‬
‭than after it has been released into production and is being actively used. It allows organizations to‬

‭60‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭ ore confidently and efficiently deliver applications to the business and remain competitive‬
m
‭securely.‬

‭33.‬ ‭Q: How to perform API security testing‬‭?‬

‭ :‬‭Developers, security teams and more, can now avail‬‭themselves of a new generation of API‬
A
‭security testing tools. As exemplified by Noname Security Active Testing, they can run numerous‬
‭dynamic API security tests on an application. Active Testing offers a purpose-built API security‬
‭testing solution that takes into account the user’s unique business logic. It provides comprehensive‬
‭coverage of API-specific vulnerabilities, including the OWASP API Top Ten security issues. The‬
‭suite can help align API security tests with business objectives and team structures. These latter two‬
‭factors are important in making the “shift left” approach viable because making API security testing‬
‭part of the dev cycle takes people and processes.‬

‭ PI security testing is critical for protecting modern web applications in this era of CI/CD. It‬
A
‭should occur as “far to the left” as possible in the development process. API testing should entail‬
‭scanning for known API vulnerabilities, such as those referenced in the OWASP list, as well as other‬
‭security problems. With the right testing tools, it is possible to conduct thorough API security‬
‭testing early in development—detecting and remediating problems before they go into production.‬

‭61‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Chapter 5‬

‭Writing Basic API Test Cases‬

‭Best Practices To Write A Good Test Case‬

‭ ith‬ ‭those‬ ‭test‬ ‭case‬ ‭templates‬ ‭downloaded,‬ ‭you‬ ‭can‬ ‭now‬ ‭start‬ ‭to‬ ‭document‬ ‭all‬ ‭of‬‭the‬‭test‬‭cases‬‭you‬‭are‬
W
‭working‬ ‭on‬‭for‬‭a‬‭more‬‭structured‬‭and‬‭comprehensive‬‭view.‬‭Here‬‭are‬‭some‬‭best‬‭practices‬‭and‬‭tips‬‭to‬‭help‬
‭you best utilize the template we provide:‬

‭‬ Y
● ‭ ou can clone the template and have separate test case sheets for different areas of the software‬
‭●‬ ‭Follow a consistent naming convention for test cases to make them easily searchable.‬
‭●‬ ‭You can group similar test cases together under a common feature/scenario‬
‭●‬ ‭Familiarize‬ ‭yourself‬ ‭with‬ ‭the‬ ‭requirement‬ ‭or‬ ‭feature‬‭you're‬‭testing‬‭before‬‭creating‬‭the‬‭test‬‭case‬‭so‬
‭that you’ll know what information to include‬
‭●‬ ‭Use‬‭action‬‭verbs‬‭at‬‭the‬‭start‬‭of‬‭each‬‭test‬‭step‬‭like‬‭“Click”,‬‭“Enter”‬‭or‬‭“Validate”.‬‭If‬‭needed,‬‭you‬‭may‬
‭even‬‭create‬‭a‬‭semantic‬‭structure‬‭to‬‭describe‬‭your‬‭test‬‭case.‬‭You‬‭can‬‭check‬‭out‬‭how‬‭it‬‭is‬‭done‬‭in‬‭BDD‬
‭testing‬‭.‬
‭●‬ ‭Include any setup or prerequisites needed‬‭before executing‬‭the test‬‭.‬
‭●‬ ‭Ensure‬‭that‬‭the‬‭test‬‭cases‬‭you‬‭included‬‭are‬‭not‬‭only‬‭the‬‭“common”‬‭scenarios‬‭but‬‭also‬‭the‬‭negative‬
‭scenarios that users don’t typically face but do happen in the system‬
‭●‬ ‭Use formatting to make your test cases easier to read and follow‬
‭●‬ ‭Make sure to update your test cases regularly‬

‭Test Cases For API Functional Testing‬

‭ unctionality‬‭is‬‭the‬‭core‬‭of‬‭any‬‭Application‬‭Under‬‭Test‬‭(AUT),‬‭and‬‭API‬‭is‬‭no‬‭exception.‬‭Their‬‭most‬
F
‭basic‬‭and‬‭foundational‬‭functionality‬‭is‬‭data‬‭retrieval‬‭and‬‭data‬‭sending,‬‭and‬‭API‬‭functional‬‭testing‬‭should‬
‭revolve‬‭around‬‭those‬‭2‬‭domains.‬‭Check‬‭out‬‭the‬‭following‬‭functional‬‭test‬‭cases‬‭and‬‭see‬‭how‬‭you‬‭can‬‭apply‬
‭them to your own testing project:‬

‭1.‬ S ‭ tatus‬ ‭Code‬ ‭Validation‬ ‭for‬ ‭Valid‬ ‭Requests‬‭:‬ ‭Verify‬ ‭that‬ ‭the‬‭API‬‭consistently‬‭returns‬‭the‬‭expected‬
‭response status code, such as "200 OK," for valid and properly formatted requests.‬
‭2.‬ ‭Authentication‬ ‭Handling‬ ‭with‬ ‭Invalid‬ ‭Credentials‬‭:‬ ‭Test‬ ‭the‬ ‭API's‬‭response‬‭when‬‭provided‬‭with‬
‭invalid‬‭authentication‬‭credentials,‬‭ensuring‬‭it‬‭consistently‬‭returns‬‭a‬‭"401‬‭Unauthorized"‬‭status‬‭code‬
‭as expected.‬
‭3.‬ ‭Graceful‬ ‭Handling‬ ‭of‬ ‭Missing‬ ‭or‬ ‭Invalid‬ ‭Parameters:‬ ‭Verify‬ ‭that‬ ‭the‬ ‭API‬ ‭handles‬ ‭missing‬ ‭or‬
‭invalid‬‭request‬‭parameters‬‭gracefully‬‭and‬‭returns‬‭clear‬‭and‬‭user-friendly‬‭error‬‭messages‬‭that‬‭aid‬‭in‬
‭troubleshooting.‬
‭4.‬ ‭Input‬‭Data‬‭Validation‬‭with‬‭Malformed‬‭Data:‬‭Test‬‭the‬‭API's‬‭input‬‭validation‬‭by‬‭submitting‬‭various‬
‭forms‬ ‭of‬ ‭malformed‬ ‭data,‬ ‭such‬ ‭as‬ ‭invalid‬ ‭email‬ ‭formats,‬ ‭and‬ ‭confirm‬ ‭that‬ ‭it‬‭properly‬‭rejects‬‭and‬
‭responds to these inputs.‬

‭62‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭5.‬ T ‭ imeout‬ ‭Handling‬ ‭under‬ ‭Load:‬ ‭Confirm‬ ‭that‬ ‭the‬ ‭API‬ ‭correctly‬ ‭handles‬ ‭timeouts‬ ‭by‬ ‭simulating‬
‭requests that take longer to process, ensuring that it remains responsive and does not hang.‬
‭6.‬ ‭Pagination‬ ‭Functionality‬ ‭Verification:‬ ‭Test‬ ‭the‬ ‭API's‬ ‭pagination‬ ‭functionality‬ ‭by‬ ‭requesting‬
‭specific‬‭pages‬‭of‬‭results‬‭and‬‭verifying‬‭that‬‭the‬‭responses‬‭contain‬‭the‬‭expected‬‭data‬‭and‬‭pagination‬
‭information.‬
‭7.‬ ‭Concurrency‬ ‭Testing‬ ‭without‬ ‭Data‬ ‭Corruption:‬ ‭Verify‬ ‭that‬ ‭the‬ ‭API‬ ‭handles‬ ‭concurrent‬ ‭requests‬
‭from multiple users without data corruption or conflicts, ensuring data integrity.‬
‭8.‬ ‭Response‬ ‭Format‬ ‭Adherence‬ ‭(JSON/XML):‬ ‭Ensure‬ ‭that‬ ‭the‬‭API‬‭consistently‬‭returns‬‭responses‬‭in‬
‭the specified format (e.g., JSON or XML) and adheres to the defined schema for data structure.‬
‭9.‬ ‭Caching‬ ‭Mechanism‬‭Evaluation‬‭with‬‭Repeated‬‭Requests‬‭:‬‭Evaluate‬‭the‬‭API's‬‭caching‬‭mechanism‬
‭by making repeated requests and verifying that the cache headers are correctly set and honored.‬
‭10.‬ ‭Rate‬ ‭Limiting‬ ‭Assessment:‬ ‭Test‬ ‭the‬ ‭API's‬ ‭rate‬ ‭limiting‬ ‭by‬‭sending‬‭requests‬‭at‬‭a‬‭rate‬‭that‬‭exceeds‬
‭the‬ ‭defined‬ ‭limits‬ ‭and‬ ‭checking‬ ‭for‬ ‭the‬ ‭expected‬ ‭rate-limiting‬ ‭responses,‬ ‭ensuring‬ ‭that‬ ‭limits‬ ‭are‬
‭enforced.‬
‭11.‬ ‭HTTP‬ ‭Method‬ ‭Support‬ ‭for‬ ‭CRUD‬ ‭Operations:‬ ‭Verify‬ ‭that‬ ‭the‬ ‭API‬ ‭supports‬ ‭a‬ ‭variety‬ ‭of‬ ‭HTTP‬
‭methods‬ ‭(GET,‬ ‭POST,‬ ‭PUT,‬ ‭DELETE)‬ ‭for‬ ‭Create,‬‭Read,‬‭Update,‬‭and‬‭Delete‬‭operations,‬‭and‬‭that‬‭it‬
‭returns appropriate responses for each.‬
‭12.‬ ‭Error‬ ‭Handling‬ ‭Capabilities‬ ‭for‬ ‭Meaningful‬ ‭Messages:‬ ‭Evaluate‬ ‭the‬ ‭API's‬ ‭error-handling‬
‭capabilities‬ ‭by‬ ‭intentionally‬ ‭causing‬ ‭errors,‬ ‭such‬ ‭as‬ ‭invalid‬ ‭inputs‬ ‭or‬ ‭unexpected‬ ‭situations,‬ ‭and‬
‭confirm that it consistently returns meaningful error messages for troubleshooting.‬
‭13.‬ ‭Conditional‬ ‭Request‬ ‭Handling‬ ‭(If-Modified-Since,‬ ‭If-None-Match):‬ ‭Test‬ ‭the‬ ‭API's‬ ‭support‬ ‭for‬
‭conditional‬ ‭requests‬ ‭using‬ ‭headers‬ ‭like‬ ‭If-Modified-Since‬ ‭and‬ ‭If-None-Match,‬ ‭ensuring‬ ‭that‬
‭responses are handled appropriately.‬
‭14.‬ ‭Sorting‬ ‭and‬ ‭Filtering‬ ‭Validation‬ ‭for‬ ‭Resource‬ ‭Listings:‬ ‭Verify‬ ‭that‬ ‭the‬ ‭API‬ ‭correctly‬ ‭sorts‬ ‭and‬
‭filters resource listings based on specified parameters, maintaining data accuracy.‬
‭15.‬ ‭Handling‬‭Long‬‭or‬‭Complex‬‭Data‬‭without‬‭Data‬‭Corruption:‬‭Ensure‬‭that‬‭the‬‭API‬‭properly‬‭handles‬
‭long or complex strings, such as URLs or text fields, without truncating or corrupting the data.‬
‭16.‬ ‭Content‬‭Negotiation‬‭Support‬‭for‬‭Multiple‬‭Formats:‬‭Test‬‭the‬‭API's‬‭support‬‭for‬‭content‬‭negotiation‬
‭by‬ ‭specifying‬ ‭different‬ ‭Accept‬ ‭headers‬ ‭(e.g.,‬ ‭JSON,‬ ‭XML)‬ ‭and‬ ‭verifying‬ ‭that‬ ‭the‬ ‭response‬ ‭format‬
‭matches the requested format.‬
‭17.‬ ‭Resource‬ ‭Not‬ ‭Found‬ ‭Handling‬ ‭(404‬ ‭Not‬ ‭Found):‬ ‭Confirm‬ ‭that‬ ‭the‬ ‭API‬ ‭consistently‬ ‭returns‬ ‭the‬
‭appropriate "404 Not Found" response when attempting to access a non-existent resource.‬
‭18.‬ ‭Response‬‭Time‬‭Measurement‬‭for‬‭Various‬‭Requests:‬‭Measure‬‭the‬‭API's‬‭response‬‭time‬‭for‬‭different‬
‭types of requests to assess its performance and responsiveness.‬
‭19.‬ ‭Handling‬‭Large‬‭Payloads‬‭(File‬‭Uploads):‬‭Verify‬‭that‬‭the‬‭API‬‭can‬‭handle‬‭large‬‭payloads,‬‭such‬‭as‬‭file‬
‭uploads, without encountering errors or significant performance degradation.‬
‭20.‬ ‭Compatibility‬ ‭with‬ ‭Client‬ ‭Libraries‬ ‭and‬ ‭SDKs:‬ ‭Evaluate‬ ‭the‬ ‭API's‬ ‭compatibility‬ ‭with‬ ‭different‬
‭client‬ ‭libraries‬ ‭or‬ ‭SDKs‬ ‭to‬ ‭ensure‬ ‭seamless‬ ‭integration‬ ‭with‬ ‭various‬ ‭platforms‬ ‭and‬ ‭programming‬
‭languages.‬

‭63‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Introduction to Behavior-Driven Development‬‭(BDD)‬

‭ ehavior-Driven‬ ‭Development‬ ‭(BDD)‬ ‭is‬ ‭a‬ ‭software‬ ‭development‬ ‭process‬ ‭that‬ ‭encourages‬
B
‭collaboration‬ ‭among‬ ‭developers,‬ ‭testers,‬ ‭and‬ ‭business‬ ‭stakeholders.‬ ‭BDD‬ ‭extends‬ ‭Test-Driven‬
‭Development‬‭(TDD)‬‭by‬‭writing‬‭test‬‭cases‬‭in‬‭a‬‭natural‬‭language‬‭that‬‭non-technical‬‭stakeholders‬
‭can‬‭understand.‬‭Cucumber‬‭is‬‭one‬‭of‬‭the‬‭most‬‭popular‬‭tools‬‭for‬‭BDD,‬‭which‬‭allows‬‭you‬‭to‬‭write‬
‭tests in a human-readable Gherkin syntax.‬

‭Writing Tests for CRUD Operations‬ ‭using BDD‬

‭POST‬
‭Postive Test‬

‭ eature: User Management‬

F
‭Scenario: Create a new user‬
‭Given the API endpoint is set to "/api/users"‬
‭When I send a POST request with the following details‬
‭| name | job |‬
‭| John | Developer |‬
‭Then the response status code should be 201‬
‭And the response body should contain the following‬
‭| name | job |‬
‭| John | Developer |‬

‭Negative Test‬

‭Feature: Invalid Payload Handling for POST API‬

‭In order to ensure the API correctly handles invalid payloads‬
‭As an API consumer‬
‭I want to validate various invalid payload scenarios‬

‭Scenario: Missing required fields‬

‭Given the API endpoint is set to "/api/resource"‬
‭When I send a POST request with missing required fields‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Missing required fields"‬

‭Scenario: Invalid data types‬

‭Given the API endpoint is set to "/api/resource"‬
‭When I send a POST request with invalid data types‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Invalid data types"‬

‭Scenario: Extra unexpected fields‬

‭64‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭ iven the API endpoint is set to "/api/resource"‬

G
‭When I send a POST request with extra unexpected fields‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Unexpected fields"‬

‭Scenario: Empty payload‬

‭Given the API endpoint is set to "/api/resource"‬
‭When I send a POST request with an empty payload‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Empty payload"‬

‭Scenario: Malformed JSON‬

‭Given the API endpoint is set to "/api/resource"‬
‭When I send a POST request with malformed JSON‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Malformed JSON"‬

‭PUT‬
‭Posive Test‬

‭Feature: User Management‬

‭Scenario: Update an existing user‬
‭Given the API endpoint is set to "/api/users/2"‬
‭When I send a PUT request with the following details‬
‭| name | job |‬
‭| John | Manager |‬
‭Then the response status code should be 200‬
‭And the response body should contain the following‬
‭| name | job |‬
‭| John | Manager |‬

‭Negative Test‬

‭Feature: Invalid Payload Handling for PUT API‬

‭In order to ensure the API correctly handles invalid payloads for PUT requests‬
‭As an API consumer‬
‭I want to validate various invalid payload scenarios‬

‭Scenario: Missing required fields‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a PUT request with missing required fields‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Missing required fields"‬

‭65‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Scenario: Invalid data types‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a PUT request with invalid data types‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Invalid data types"‬

‭Scenario: Extra unexpected fields‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a PUT request with extra unexpected fields‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Unexpected fields"‬

‭Scenario: Empty payload‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a PUT request with an empty payload‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Empty payload"‬

‭Scenario: Malformed JSON‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a PUT request with malformed JSON‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Malformed JSON"‬

‭Scenario: Invalid resource ID‬

‭Given the API endpoint is set to "/api/resource/invalidID"‬
‭When I send a PUT request with valid payload‬
‭Then the response status code should be 404‬
‭And the response should contain an error message "Resource not found"‬

‭Scenario: Unauthorized access‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a PUT request without authentication‬
‭Then the response status code should be 401‬
‭And the response should contain an error message "Unauthorized"‬

‭GET‬
‭Positive Test‬

‭Feature: User Management‬

‭Scenario: Get an existing user‬
‭Given the API endpoint is set to "/api/users/2"‬
‭When I send a GET request‬
‭Then the response status code should be 200‬

‭66‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭And the response body should contain the following‬

‭| id | email |‬
‭| 2 | [email protected] |‬

‭Negative Test‬

‭Feature: Invalid Payload Handling for GET API‬

‭In order to ensure the API correctly handles invalid scenarios for GET requests‬
‭As an API consumer‬
‭I want to validate various invalid GET request scenarios‬

‭Scenario: Invalid resource ID‬

‭Given the API endpoint is set to "/api/resource/invalidID"‬
‭When I send a GET request‬
‭Then the response status code should be 404‬
‭And the response should contain an error message "Resource not found"‬

‭Scenario: Unauthorized access‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a GET request without authentication‬
‭Then the response status code should be 401‬
‭And the response should contain an error message "Unauthorized"‬

‭Scenario: Forbidden access‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a GET request with insufficient permissions‬
‭Then the response status code should be 403‬
‭And the response should contain an error message "Forbidden"‬

‭Scenario: Invalid query parameters‬

‭Given the API endpoint is set to "/api/resource"‬
‭When I send a GET request with invalid query parameters‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Invalid query parameters"‬

‭Scenario: Non-existent resource‬

‭Given the API endpoint is set to "/api/resource/99999"‬
‭When I send a GET request‬
‭Then the response status code should be 404‬
‭And the response should contain an error message "Resource not found"‬

‭Scenario: Malformed request‬

‭Given the API endpoint is set to "/api/resource/%G"‬
‭When I send a GET request‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Malformed request"‬

‭67‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭PATCH‬
‭Positive Test‬

‭Feature: User Management‬

‭Scenario: Update an existing user partially‬
‭Given the API endpoint is set to "/api/users/2"‬
‭When I send a PATCH request with the following details‬
‭| name | job |‬
‭| Jane | Developer |‬
‭Then the response status code should be 200‬
‭And the response body should contain the following‬
‭| name | job |‬
‭| Jane | Developer |‬

‭Negative Test‬

‭Feature: Invalid Payload Handling for PATCH API‬

‭In order to ensure the API correctly handles invalid payloads for PATCH requests‬
‭As an API consumer‬
‭I want to validate various invalid payload scenarios‬

‭Scenario: Missing required fields‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a PATCH request with missing required fields‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Missing required fields"‬

‭Scenario: Invalid data types‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a PATCH request with invalid data types‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Invalid data types"‬

‭Scenario: Extra unexpected fields‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a PATCH request with extra unexpected fields‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Unexpected fields"‬

‭Scenario: Empty payload‬

‭Given the API endpoint is set to "/api/resource/1"‬

‭68‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭ hen I send a PATCH request with an empty payload‬

W
‭Then the response status code should be 400‬
‭And the response should contain an error message "Empty payload"‬

‭Scenario: Malformed JSON‬

‭Given the API endpoint is set to "/api/resource/1"‬
‭When I send a PATCH request with malformed JSON‬
‭Then the response status code should be 400‬
‭And the response should contain an error message "Malformed JSON"‬

‭Scenario: Invalid resource ID‬

‭Given the API endpoint is set to "/api‬

‭DELETE‬
‭Positive Test‬

‭​‬Feature: User Management‬

‭Scenario: Delete an existing user‬
‭Given the API endpoint is set to "/api/users/2"‬
‭When I send a DELETE request‬
‭Then the response status code should be 204‬

‭Negative Test‬

‭Scenario 1: Attempting to Delete a Non-Existent Resource‬

12345‬‭does not exist in the‬‭system‬

‭Given‬‭a resource with ID‬‭
/resources/12345‬
‭When‬‭I send a DELETE request to‬‭
404 Not Found‬
‭ hen‬‭the response status code should be‬‭
T
‭And‬‭the response message should indicate that the‬‭resource was not found‬

‭Scenario 2: Deleting a Resource without Authorization‬

‭Given‬‭I am not authenticated‬

/resources/67890‬
‭When‬‭I send a DELETE request to‬‭
401 Unauthorized‬
‭ hen‬‭the response status code should be‬‭
T
‭And‬‭the response message should indicate that authentication‬‭is required‬

‭Scenario 3: Deleting a Resource with Insufficient Permissions‬

‭69‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Given‬‭I am authenticated as a user with insufficient permissions‬

/resources/13579‬
‭When‬‭I send a DELETE request to‬‭
403 Forbidden‬
‭ hen‬‭the response status code should be‬‭
T
‭And‬‭the response message should indicate that I do‬‭not have permission to delete the resource‬

‭Scenario 4: Invalid Resource ID Format‬

‭Given‬‭the resource ID format is invalid‬

/resources/invalid-id‬
‭When‬‭I send a DELETE request to‬‭
400 Bad Request‬
‭ hen‬‭the response status code should be‬‭
T
‭And‬‭the response message should indicate that the‬‭resource ID is invalid‬

‭Scenario 5: Missing Resource ID‬

‭Given‬‭the resource ID is missing in the request URL‬

/resources/‬
‭When‬‭I send a DELETE request to‬‭
404 Not Found‬
‭ hen‬‭the response status code should be‬‭
T
‭And‬‭the response message should indicate that the‬‭resource ID is required‬

‭Scenario 6: Server Error During Deletion‬

‭Given‬‭there is a server error when trying to delete‬‭the resource‬

/resources/24680‬
‭When‬‭I send a DELETE request to‬‭
500 Internal‬‭
‭ hen‬‭the response status code should be‬‭
T Server Error‬
‭And‬‭the response message should indicate that an error‬‭occurred on the server‬

‭Scenario 7: Deleting a Resource with Dependencies‬

‭Given‬‭the resource has dependent resources that prevent‬‭deletion‬

/resources/97531‬
‭When‬‭I send a DELETE request to‬‭
409 Conflict‬
‭ hen‬‭the response status code should be‬‭
T
‭And‬‭the response message should indicate that the‬‭resource has dependencies and cannot be deleted‬

‭Scenario 8: Deleting a Resource After Timeout‬

‭Given‬‭the resource deletion request exceeds the allowable‬‭timeout period‬

/resources/86420‬
‭When‬‭I send a DELETE request to‬‭
504 Gateway‬‭
‭ hen‬‭the response status code should be‬‭
T Timeout‬
‭And‬‭the response message should indicate that the‬‭request timed out‬

‭Scenario 9: Unsupported Media Type in Request‬

‭70‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Given‬‭the DELETE request contains an unsupported media‬‭type in the header‬

/resources/11223‬‭with‬‭
‭When‬‭I send a DELETE request to‬‭ Content-Type: application/xml‬
415 Unsupported‬‭
‭ hen‬‭the response status code should be‬‭
T Media Type‬
‭And‬‭the response message should indicate that the‬‭media type is not supported‬

‭Scenario 10: Too Many Requests‬

‭Given‬‭I have exceeded the rate limit for DELETE requests‬

/resources/44556‬
‭When‬‭I send a DELETE request to‬‭
429 Too Many‬‭
‭ hen‬‭the response status code should be‬‭
T Requests‬
‭And‬‭the response message should indicate that the‬‭rate limit has been exceeded‬

‭Response Format Validation Using BDD‬

‭Feature: User Management Response Format Validation‬

‭In order to ensure the API returns the correct response format‬
‭As an API consumer‬
‭I want to validate the response format for user management endpoints‬

‭Scenario: Validate the response format of GET user request‬

‭Given the API endpoint is set to "/api/users/2"‬
‭When I send a GET request‬
‭Then the response status code should be 200‬
‭And the response should have the following structure‬
‭| id | Integer |‬
‭| email | String |‬
‭| first_name| String |‬
‭| last_name | String |‬
‭| avatar | String |‬

‭Scenario: Validate the response format of POST user request‬

‭Given the API endpoint is set to "/api/users"‬
‭When I send a POST request with the following details‬
‭| name | job |‬
‭| John | Developer |‬
‭Then the response status code should be 201‬
‭And the response should have the following structure‬
‭| id | Integer |‬
‭| name | String |‬
‭| job | String |‬
‭| createdAt | String |‬

‭71‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Sorting Validation using BDD‬

‭Feature: User Management Sorting Validation‬

‭In order to ensure the API returns sorted data correctly‬
‭As an API consumer‬
‭I want to validate the sorting functionality for user management endpoints‬

‭Scenario: Validate sorting of users by first name in ascending order‬

‭Given the API endpoint is set to "/api/users"‬
‭When I send a GET request with query parameter "sort=first_name&order=asc"‬
‭Then the response status code should be 200‬
‭And the users should be sorted by "first_name" in ascending order‬

‭Scenario: Validate sorting of users by last name in descending order‬

‭Given the API endpoint is set to "/api/users"‬
‭When I send a GET request with query parameter "sort=last_name&order=desc"‬
‭Then the response status code should be 200‬
‭And the users should be sorted by "last_name" in descending order‬

‭Pagination Validation Using BDD‬

‭Feature: User Management Pagination Validation‬

‭In order to ensure the API handles pagination correctly‬
‭As an API consumer‬
‭I want to validate the pagination functionality for user management endpoints‬

‭Scenario: Validate pagination of users‬

‭Given the API endpoint is set to "/api/users"‬
‭When I send a GET request with query parameters "page=1&per_page=3"‬
‭Then the response status code should be 200‬
‭And the response should contain 3 users‬
‭And the pagination metadata should be correct‬

‭Authentication Handling Validation Using BDD‬

‭Feature: Authentication Handling‬

‭In order to protect resources‬
‭As an API consumer‬
‭I want to ensure authentication mechanisms are working correctly‬

‭72‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Scenario: Successful login‬

‭Given the API endpoint is set to "/api/login"‬
‭When I send a POST request with the following credentials‬
‭| username | password |‬
‭| testuser | password123 |‬
‭Then the response status code should be 200‬
‭And the response should contain a token‬

‭Scenario: Login with invalid credentials‬

‭Given the API endpoint is set to "/api/login"‬
‭When I send a POST request with the following credentials‬
‭| username | password |‬
‭| testuser | wrongpassword |‬
‭Then the response status code should be 401‬
‭And the response should contain an error message "Invalid credentials"‬

‭Scenario: Access protected resource with valid token‬

‭Given I have a valid authentication token‬
‭And the API endpoint is set to "/api/protected"‬
‭When I send a GET request with the token‬
‭Then the response status code should be 200‬
‭And the response should contain the protected data‬

‭Scenario: Access protected resource without token‬

‭Given the API endpoint is set to "/api/protected"‬
‭When I send a GET request without a token‬
‭Then the response status code should be 401‬
‭And the response should contain an error message "Unauthorized"‬

‭Scenario: Access protected resource with expired token‬

‭Given I have an expired authentication token‬
‭And the API endpoint is set to "/api/protected"‬
‭When I send a GET request with the expired token‬
‭Then the response status code should be 401‬
‭And the response should contain an error message "Token expired"‬

‭Authorization‬‭Validation Using BDD‬

‭Feature: Authorization Handling‬

‭In order to protect resources based on user roles‬
‭As an API consumer‬
‭I want to ensure authorization mechanisms are working correctly‬

‭Scenario: Access admin resource with admin role‬

‭Given the API endpoint is set to "/api/admin/resource"‬
‭And I have a valid admin authentication token‬
‭When I send a GET request with the token‬

‭73‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ hen the response status code should be 200‬

T
‭And the response should contain the admin resource data‬

‭Scenario: Access admin resource with user role‬

‭Given the API endpoint is set to "/api/admin/resource"‬
‭And I have a valid user authentication token‬
‭When I send a GET request with the token‬
‭Then the response status code should be 403‬
‭And the response should contain an error message "Forbidden"‬

‭Scenario: Access user resource with user role‬

‭Given the API endpoint is set to "/api/user/resource"‬
‭And I have a valid user authentication token‬
‭When I send a GET request with the token‬
‭Then the response status code should be 200‬
‭And the response should contain the user resource data‬

‭Scenario: Access user resource with admin role‬

‭Given the API endpoint is set to "/api/user/resource"‬
‭And I have a valid admin authentication token‬
‭When I send a GET request with the toke‬

‭Input Validation Using DDD‬

‭ or a POST API where a field, such as‬‭

F name‬ ‭, requires‬‭input validation, it's important to cover a range of‬
‭invalid input scenarios to ensure data integrity and robust error handling. Here are various invalid input‬
name‬‭field in a BDD (Behavior-Driven‬‭Development) format:‬
‭validation scenarios for the‬‭

‭Scenario 1: Missing Name Field‬

name‬‭field‬
‭ iven‬‭the request body is missing the‬‭
G
‭When‬‭I send a POST request to‬‭ /resources‬‭with an empty‬‭ name‬‭field‬
400 Bad Request‬
‭Then‬‭the response status code should be‬‭
name‬‭field is required‬
‭And‬‭the response message should indicate that the‬‭

‭Scenario 2: Name Field Exceeds Maximum Length‬

‭ iven‬‭the‬‭
G name‬‭field has a maximum length of 50 characters‬
‭When‬‭I send a POST request to‬‭ /resources‬‭with a‬‭name‬‭that is 51 characters long‬
400 Bad Request‬
‭Then‬‭the response status code should be‬‭
name‬‭field exceeds the maximum length‬
‭And‬‭the response message should indicate that the‬‭

‭Scenario 3: Name Field Contains Special Characters‬

‭74‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭ iven‬‭the‬‭
G name‬‭field should only contain alphabetic characters‬
‭When‬‭I send a POST request to‬‭ /resources‬‭with a‬‭ name‬‭that contains special characters like‬‭
@‭,‬‬‭
#‭,‬‬‭
$‬
‭Then‬‭the response status code should be‬‭ 400 Bad Request‬
‭And‬‭the response message should indicate that the‬‭name‬‭field contains invalid characters‬

‭Scenario 4: Name Field is Numeric‬

‭ iven‬‭the‬‭
G name‬‭field should not be numeric‬
‭When‬‭I send a POST request to‬‭ /resources‬‭with a‬‭name‬‭that is a number like‬‭
12345‬
400 Bad Request‬
‭Then‬‭the response status code should be‬‭
name‬‭field should be alphabetic‬
‭And‬‭the response message should indicate that the‬‭

‭Scenario 5: Name Field is Null‬

‭ iven‬‭the‬‭
G name‬‭field should not be null‬
‭When‬‭I send a POST request to‬‭ /resources‬‭with a‬‭name‬‭field set to‬‭
null‬
‭Then‬‭the response status code should be‬‭ 400 Bad Request‬
name‬‭field cannot be null‬
‭And‬‭the response message should indicate that the‬‭

‭Scenario 6: Name Field is an Empty String‬

‭ iven‬‭the‬‭
G name‬‭field should not be an empty string‬
‭When‬‭I send a POST request to‬‭ /resources‬‭with a‬‭ name‬‭field that is an empty string‬
‭Then‬‭the response status code should be‬‭ 400 Bad Request‬
‭And‬‭the response message should indicate that the‬‭name‬‭field cannot be empty‬

‭Scenario 7: Name Field Contains HTML/Script Tags‬

‭ iven‬‭the‬‭
G name‬‭field should not contain HTML or script‬‭tags‬
‭When‬‭I send a POST request to‬‭ /resources‬‭with a‬‭name‬‭field that contains‬
<script>alert('XSS')</script>‬
‭
‭Then‬‭the response status code should be‬‭ 400 Bad Request‬
name‬‭field contains invalid characters‬
‭And‬‭the response message should indicate that the‬‭

‭Scenario 8: Name Field Contains SQL Injection Attempt‬

‭ iven‬‭the‬‭
G name‬‭field should be validated against SQL‬‭injection attempts‬
‭When‬‭I send a POST request to‬‭ /resources‬‭with a‬‭ name‬‭field that contains‬‭
'; DROP TABLE users;‬
--‬
‭
‭Then‬‭the response status code should be‬‭ 400 Bad Request‬
‭And‬‭the response message should indicate that the‬‭name‬‭field contains invalid characters‬

‭Scenario 9: Name Field is Too Short‬

name‬‭field should have a minimum length‬‭of 3 characters‬

‭ iven‬‭the‬‭
G
‭When‬‭I send a POST request to‬‭/resources‬‭with a‬‭
name‬‭field that is 2 characters long‬

‭75‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

400 Bad Request‬

‭ hen‬‭the response status code should be‬‭
T
name‬‭field is too short‬
‭And‬‭the response message should indicate that the‬‭

‭Scenario 10: Name Field Contains Leading or Trailing Spaces‬

‭ iven‬‭the‬‭
G name‬‭field should not contain leading or‬‭trailing spaces‬
‭When‬‭I send a POST request to‬‭ /resources‬‭with a‬‭ name‬‭field that contains leading or trailing spaces‬
‭Then‬‭the response status code should be‬‭ 400 Bad Request‬
‭And‬‭the response message should indicate that the‬‭name‬‭field cannot contain leading or trailing spaces‬

name‬‭field are thoroughly tested, helping‬‭to‬

‭ hese scenarios ensure that various invalid inputs for the‬‭
T
‭maintain data integrity and security in the system.‬

‭Common Interview Questions and answers related to Writing Basic API Test Cases‬

‭ ere‬ ‭are‬ ‭30‬ ‭popular‬ ‭interview‬ ‭questions‬ ‭and‬ ‭answers‬ ‭related‬ ‭to‬ ‭POST,‬ ‭PUT,‬ ‭GET,‬ ‭PATCH,‬ ‭DELETE,‬
H
‭response‬ ‭format‬ ‭validation,‬ ‭sorting‬ ‭validation,‬ ‭pagination‬ ‭validation,‬‭authentication‬‭handling‬‭validation,‬
‭and input validation for API testing:‬

‭Questions and Answers on HTTP Methods (POST, PUT, GET, PATCH, DELETE)‬

‭1.‬ ‭Q: What is the difference between POST and PUT methods?‬
‭○‬ ‭A:‬‭POST is used to create a new resource, while PUT‬‭is used to update an existing resource‬
‭or create a resource if it does not exist. POST requests are not idempotent, meaning‬
‭subsequent identical requests will result in different outcomes, whereas PUT requests are‬
‭idempotent.‬
‭2.‬ ‭Q: When should you use the PATCH method?‬
‭○‬ ‭A:‬‭PATCH is used to make partial updates to a resource.‬‭Unlike PUT, which requires the‬
‭entire resource data for the update, PATCH allows updating only the fields that need to be‬
‭changed.‬
‭3.‬ ‭Q: How does the DELETE method work in RESTful APIs?‬
‭○‬ ‭A:‬‭DELETE is used to remove a specified resource from‬‭the server. The server should‬
204 No‬
‭respond with a status code indicating the result of the operation, typically‬‭
‭ontent‬‭for a successful deletion.‬
C
‭4.‬ ‭Q: What is the purpose of the GET method in RESTful services?‬
‭○‬ ‭A:‬‭The GET method is used to retrieve data from the‬‭server. It should not alter the state of‬
‭the resource, making it a safe and idempotent operation.‬
‭ .‬ ‭Q: Can you explain idempotency with an example?‬
5
‭○‬ ‭A:‬‭Idempotency means that making the same request‬‭multiple times will result in the same‬
‭outcome. For example, sending a PUT request to update a user's email address to‬
‭"[email protected]" will result in the email being set to "[email protected]"‬
‭regardless of how many times the request is made.‬

‭76‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Questions and Answers on Response Format Validation‬

‭6.‬ ‭Q: How do you validate the response format of an API?‬

‭○‬ ‭A:‬‭To validate the response format, you can check‬‭the Content-Type header to ensure it‬
m application/json‬
‭ atches the expected format (e.g.,‬‭ ‭).‬‭Additionally, you can use JSON‬
‭schema validation to ensure the structure and data types in the response match the expected‬
‭schema.‬
‭7.‬ Q
‭ : What is the significance of the Content-Type header in API responses?‬
‭○‬ ‭A:‬‭The Content-Type header indicates the media type‬‭of the resource. It helps the client‬
‭ nderstand how to process the data in the response, for example,‬‭
u application/json‬‭for‬
‭JSON data.‬
‭8.‬ ‭Q: How would you handle a response that is not in the expected format?‬
‭○‬ ‭A:‬‭If the response is not in the expected format,‬‭you can log the error, notify the client with‬
‭an appropriate error message, and potentially raise an exception. It's also important to‬
‭validate the API implementation and ensure the server is configured to return the correct‬
‭format.‬

‭Questions and Answers on Sorting Validation‬

‭9.‬ ‭Q: How do you test sorting functionality in an API?‬

‭○‬ ‭A:‬‭To test sorting, you can send requests with different‬‭sort parameters (e.g.,‬
‭sort=name&order=asc‬
? ‭) and verify that the returned‬‭data is correctly sorted according to‬
‭the specified fields and order.‬
‭10.‬ ‭Q: What are common issues you might encounter with sorting in APIs?‬
‭○‬ ‭A:‬‭Common issues include incorrect sorting order,‬‭case sensitivity affecting the sort order,‬
‭improper handling of null values, and performance degradation with large datasets.‬

‭Questions and Answers on Pagination Validation‬

‭11.‬ ‭Q: What is pagination and why is it important in APIs?‬

‭○‬ ‭A:‬‭Pagination is the process of dividing a large dataset‬‭into smaller, manageable chunks. It is‬
‭important in APIs to improve performance and reduce the load on the server and client by‬
‭only retrieving a subset of the data at a time.‬
‭12.‬ ‭Q: How would you validate pagination in an API?‬
‭○‬ ‭A:‬‭To validate pagination, you can verify the response‬‭metadata (e.g., total items, total‬
‭pages), check the consistency of data across pages, ensure correct handling of page limits‬
‭and offsets, and validate edge cases like the first and last pages.‬

‭Questions and Answers on Authentication Handling Validation‬

‭13.‬ ‭Q: What are common methods for API authentication?‬

‭○‬ ‭A:‬‭Common methods include Basic Authentication, Token-based‬‭Authentication (e.g., JWT),‬
‭OAuth, and API Keys.‬
‭14.‬ ‭Q: How do you test API endpoints that require authentication?‬

‭77‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭○‬ ‭A:‬‭To test authenticated endpoints, you can include valid and invalid credentials in the‬
‭request, check for the appropriate status codes (‬‭
200‬‭
OK‬‭for successful authentication,‬‭
401‬
‭nauthorized‬‭for missing/invalid credentials), and‬‭validate the response data.‬
U
‭15.‬ ‭Q: What is the difference between authentication and authorization?‬
‭○‬ ‭A:‬‭Authentication verifies the identity of a user‬‭or client, while authorization determines the‬
‭permissions and access rights of the authenticated user to specific resources or actions.‬

‭Questions and Answers on Input Validation‬

‭16.‬ ‭Q: Why is input validation important in APIs?‬

‭○‬ ‭A:‬‭Input validation ensures that the data received‬‭by the API is in the correct format,‬
‭prevents security vulnerabilities like SQL injection, and improves data integrity by ensuring‬
‭only valid data is processed.‬
‭17.‬ ‭Q: How would you validate an input field in an API request?‬
‭○‬ ‭A:‬‭You can validate input fields by checking data‬‭types, ensuring required fields are present,‬
‭enforcing value ranges and formats, and using regular expressions for pattern matching‬
‭(e.g., email addresses).‬
‭18.‬ ‭Q: How do you handle invalid input in an API?‬
‭○‬ A 400 Bad Request‬‭status code‬
‭ :‬‭When invalid input is detected, the API should‬‭return a‬‭
‭with a descriptive error message indicating which fields are invalid and why.‬

‭Questions and Answers on General API Testing‬

‭19.‬ ‭Q: What is the purpose of API testing?‬

‭○‬ ‭A:‬‭API testing ensures that the API behaves as expected,‬‭meets functional and‬
‭non-functional requirements, handles edge cases gracefully, and provides secure and‬
‭reliable interactions between different software components.‬
‭20.‬ ‭Q: What tools can you use for API testing?‬
‭○‬ ‭A:‬‭Popular tools for API testing include Postman,‬‭SoapUI, JMeter, RestAssured, and‬
‭Swagger.‬
‭21.‬ ‭Q: How do you ensure your API tests are comprehensive?‬
‭○‬ ‭A:‬‭Ensure comprehensive testing by covering various‬‭scenarios such as happy paths, edge‬
‭cases, negative tests, performance tests, security tests, and testing different combinations of‬
‭input parameters.‬
‭22.‬ ‭Q: What is a mock API and when would you use it?‬
‭○‬ ‭A:‬‭A mock API simulates the behavior of a real API.‬‭It is used during development and‬
‭testing when the real API is not available, to test client-side code or to validate the‬
‭integration between components.‬
‭23.‬ ‭Q: How do you handle rate limiting in API testing?‬
‭○‬ ‭A:‬‭To handle rate limiting, you can include test cases‬‭to validate the API's response to‬
e‭ xcessive requests, check the appropriate status code (‬‭
429 Too Many Requests‬ ‭), and‬
‭verify the Retry-After header for the wait time before subsequent requests can be made.‬
‭24.‬ ‭Q: What are common security issues to test for in APIs?‬

‭78‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭○‬ A
‭ :‬‭Common security issues include SQL injection, cross-site scripting (XSS), cross-site‬
‭request forgery (CSRF), improper authentication/authorization, and data leakage through‬
‭improper error handling.‬

‭Questions and Answers on Specific Use Cases‬

‭25.‬ ‭Q: How do you validate a POST request with a complex JSON payload?‬
‭○‬ ‭A:‬‭Validate a POST request with a complex JSON payload‬‭by checking each field's presence,‬
‭data type, value range, format, and ensuring nested structures conform to the expected‬
‭schema.‬
‭26.‬ ‭Q: What status code should be returned for a successful POST request?‬
‭○‬ A 201 Created‬‭status code, indicating that the‬
‭ :‬‭A successful POST request should return a‬‭
‭resource has been successfully created.‬
‭27.‬ ‭Q: How do you handle versioning in APIs?‬
‭○‬ A ‭ :‬‭Handle versioning by including version information‬‭in the URL (e.g.,‬‭ /v1/resources‬ ‭),‬
‭in the request header, or as a query parameter. This allows clients to specify which version‬
‭of the API they want to use.‬
‭28.‬ ‭Q: What is the purpose of the OPTIONS HTTP method?‬
‭○‬ ‭A:‬‭The OPTIONS HTTP method is used to describe the‬‭communication options for the‬
‭target resource. It is commonly used for CORS (Cross-Origin Resource Sharing) preflight‬
‭requests.‬
‭29.‬ ‭Q: How do you test the resilience of an API?‬
‭○‬ ‭A:‬‭Test the resilience of an API by simulating network‬‭issues, server failures, high loads, and‬
‭other adverse conditions. Validate the API's ability to handle these scenarios gracefully and‬
‭recover.‬
‭30.‬ ‭Q: What is HATEOAS and why is it important in RESTful APIs?‬
‭○‬ ‭A:‬‭HATEOAS (Hypermedia As The Engine Of Application‬‭State) is a constraint of RESTful‬
‭APIs where the client interacts with the application entirely through hypermedia provided‬
‭dynamically by application servers. It is important because it provides discoverability and‬
‭navigability of the API, allowing clients to dynamically follow links to other resources and‬
‭actions.‬

‭ hese‬‭questions‬‭and‬‭answers‬‭should‬‭provide‬‭a‬‭solid‬‭foundation‬‭for‬‭understanding‬‭various‬‭aspects‬‭of‬‭API‬
T
‭testing,‬ ‭including‬ ‭HTTP‬ ‭methods,‬ ‭response‬ ‭validation,‬ ‭sorting,‬ ‭pagination,‬ ‭authentication,‬ ‭and‬ ‭input‬
‭validation.‬

‭79‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Chapter 6‬

‭Automating API Tests‬

‭TestNG BDD API Testing‬

‭ DD‬ ‭(Behavior-Driven‬ ‭Development)‬ ‭is‬ ‭a‬ ‭software‬ ‭development‬ ‭approach‬ ‭that‬ ‭enhances‬ ‭collaboration‬
B
‭between‬‭developers,‬‭testers,‬‭and‬‭business‬‭stakeholders.‬‭It‬‭involves‬‭writing‬‭test‬‭cases‬‭in‬‭a‬‭natural‬‭language‬
‭that‬ ‭non-programmers‬ ‭can‬ ‭read.‬ ‭Combining‬ ‭TestNG‬ ‭with‬ ‭BDD‬ ‭for‬ ‭API‬ ‭testing‬ ‭provides‬ ‭a‬ ‭structured‬
‭approach to testing while leveraging the powerful features of TestNG.‬

‭In this guide, we'll integrate BDD into API testing using TestNG and the Rest Assured library.‬

‭Prerequisites‬

‭ .‬ J‭ ava‬‭: Ensure Java is installed and configured on your‬‭machine.‬

1
‭2.‬ ‭Maven‬‭: Maven should be installed for managing dependencies.‬
‭3.‬ ‭IDE‬‭: Use an IDE like IntelliJ IDEA or Eclipse.‬

‭Setting Up the Project‬

‭1.‬ ‭Create a Maven Project‬‭: Open your IDE and create a‬‭new Maven project.‬
‭2.‬ A pom.xml‬‭with the necessary‬‭dependencies for TestNG, Rest‬
‭ dd Dependencies‬‭: Update your‬‭
‭Assured, and Cucumber (for BDD).‬

<‭
‭p
‬roject‬‭
xmlns‬
="http://maven.apache.org/POM/4.0.0"‬
‭
xmlns:‬
‭ xsi‬
‭ ="http://www.w3.org/2001/XMLSchema-instance"‬
‭
xsi‬
‭ :schemaLocation‬
‭ ="http://maven.apache.org/POM/4.0.0‬
‭
http://maven.apache.org/maven-v4_0_0.xsd"‬
‭ >‬
‭
<‭
‭m
‬odelVersion‬
>4.0.0</‬
‭ modelVersion‬
‭ >‬
‭
<‭
‭g
‬roupId‬
>com.example</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>bdd-api-automation</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>1.0-SNAPSHOT</‬
‭ version‬
‭ >‬
‭

<‭
‭d
‬ependencies‬
>‬
‭
<!-- TestNG Dependency -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>org.testng</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>testng</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>7.4.0</‬
‭ version‬
‭ >‬
‭
<‭
‭s
‬cope‬
>test</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- Rest Assured Dependency -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭

‭80‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭‭
<g
‬roupId‬>io.rest-assured</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬>rest-assured</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬>4.3.3</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- Cucumber Dependencies -->‬
‭
<‭
‭d
‬ependency‬>‬
‭
<‭
‭g
‬roupId‬>io.cucumber</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬>cucumber-java</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬>6.10.4</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<‭
‭d
‬ependency‬>‬
‭
<‭
‭g
‬roupId‬>io.cucumber</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬>cucumber-testng</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬>6.10.4</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- JSON Schema Validator Dependency -->‬
‭
<‭
‭d
‬ependency‬>‬
‭
<‭
‭g
‬roupId‬>io.rest-assured</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬>json-schema-validator</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬>4.3.3</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<‭
‭d
‬ependency‬>‬
‭
<‭
‭g
‬roupId‬>org.testng</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬>testng</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬>7.4.0</‬
‭ version‬
‭ >‬
‭
<‭
‭s
‬cope‬>compile</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
</‬
‭ dependencies‬
‭ >‬
‭
<‭
‭p
‬roperties‬
>‬
‭
<‭
‭m
‬aven.compiler.source‬ >17</‬
‭ maven.compiler.source‬
‭ >‬
‭
<‭
‭m
‬aven.compiler.target‬ >17</‬
‭ maven.compiler.target‬
‭ >‬
‭
</‬
‭ properties‬
‭ >‬
‭
</‬
‭ project‬
‭ >‬
‭

‭Project Structure‬

‭ .‬ s‭ rc/test/java‬‭: For Java test classes.‬

1
‭2.‬ ‭src/test/resources‬‭: For feature files.‬

‭81‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Writing Feature Files‬

src/test/resources/features‬
‭Create a feature file in‬‭ ‭.‬

Feature‬
‭ : User API Testing‬
‭

Scenario‬
‭ : Get Users‬
‭
Given‬‭
‭ the API endpoint is "https://reqres.in/api/users?page=2"‬
When‬‭
‭ I send a GET request to the endpoint‬
Then‬‭
‭ the response status code should be 200‬
And‬‭
‭ the response should contain "page"‬

‭82‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Install Gherkin plugin:‬

‭Writing Step Definitions‬

src/test/java/steps‬
‭Create a new Java class for step definitions in‬‭ ‭.‬

package‬‭
‭ steps‬
;‬
‭

‭mport‬‭
i io.restassured.RestAssured‬;‬
‭
import‬‭
‭ io.restassured.response.Response‬
;‬
‭
import‬‭
‭ io.cucumber.java.en.‬
Given‬
‭ ;‬
‭
import‬‭
‭ io.cucumber.java.en.‬
When‬
‭ ;‬
‭
import‬‭
‭ io.cucumber.java.en.‬
Then‬
‭ ;‬
‭
import‬‭
‭ org.testng.Assert‬
;‬
‭

public class‬‭
‭ ApiSteps‬‭
{‬

‭rivate‬‭
p String‬‭
endpoint‬
;‬
‭
private‬‭
‭ Response‬‭
response‬;‬
‭

‭Given‬
@ (‭
‭"
‬the API endpoint is {string}"‬)‬
‭
public void‬‭
‭ theApiEndpointIs‬
(‬
‭ String‬‭
‭ url) {‬
this‬
‭ .‭
‭e
‬ndpoint‬‭
= url;‬

‭83‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

}‬
‭

‭When‬
@ (‭
‭"
‬I send a GET request to the endpoint"‬
)‬
‭
public void‬‭
‭ iSendAGetRequestToTheEndpoint‬
() {‬
‭
response‬‭
‭ =‬‭
RestAssured‬
.‬
‭given‬
‭ ()‬
‭
.get(‬
‭ endpoint‬
‭ );‬
‭
}‬
‭

‭Then‬
@ (‭
‭"
‬the response status code should be {int}"‬ )‬
‭
public void‬‭
‭ theResponseStatusCodeShouldBe‬
(‬
‭ int‬‭
‭ statusCode)‬‭
{‬
Assert‬
‭ .‬
‭assertEquals‬
‭ (‬
‭response‬
‭ .getStatusCode(),‬‭
‭ statusCode);‬
}‬
‭

‭Then‬
@ (‭
‭"
‬the response should contain {string}"‬ )‬
‭
public void‬‭
‭ theResponseShouldContain‬
(‬
‭ String‬‭
‭ content)‬‭
{‬
Assert‬
‭ .‬
‭assertTrue‬
‭ (‬
‭response‬
‭ .asString().contains(content));‬
‭
}‬
‭
}‬
‭

‭Writing the Test Runner‬

src/test/java/runners‬
‭Create a test runner class in‬‭ ‭.‬

package‬‭
‭ runners‬
;‬
‭

‭mport‬‭
i io.cucumber.testng.AbstractTestNGCucumberTests‬
;‬
‭
import‬‭
‭ io.cucumber.testng.‬
CucumberOptions‬
‭ ;‬
‭

@CucumberOptions‬
‭ (‬
‭
features =‬‭
‭ "src/test/resources/features"‬
,‬
‭
glue =‬‭
‭ "steps"‬
)‬
‭
public class‬‭
‭ TestRunner‬‭
extends‬‭
AbstractTestNGCucumberTests‬‭
{‬
}‬
‭

‭Running the Tests‬

TestRunner‬‭class‬‭and select "Run."‬

‭1.‬ ‭Run from IDE‬‭: Right-click on the‬‭

‭84‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭You will see this result:‬

mvn test‬
‭2.‬ ‭Run from Maven‬‭: You can also run the tests using Maven‬‭with the following command:‬‭

‭Common Interview Questions and Answers Related to Automation API Test‬

‭Why Choose TestNG for API Automation?‬

‭1.‬ A
‭ nnotations‬‭: TestNG provides a wide range of annotations‬‭which makes it easier to write tests and‬
‭understand them.‬

‭85‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭2.‬ T ‭ est Configuration‬‭: TestNG allows you to configure your test suites, groups, and test parameters‬
‭easily through XML files.‬
‭3.‬ ‭Parallel Execution‬‭: TestNG supports parallel execution‬‭of tests, which is essential for speeding up‬
‭the testing process.‬
‭4.‬ ‭Data-driven Testing‬‭: It supports data providers for‬‭data-driven testing.‬
‭5.‬ ‭Integration‬‭: TestNG can be easily integrated with‬‭other tools and frameworks like Maven, Jenkins,‬
‭and various reporting tools.‬

‭How do you handle authentication in API testing?‬

‭Answer:‬‭Handling authentication in API testing depends‬‭on the type of authentication used:‬

‭‬
● ‭ asic Authentication‬‭: Include the username and password‬‭in the request header.‬
B
‭●‬ ‭OAuth‬‭: Use tokens obtained through authorization servers.‬
‭●‬ ‭API Keys‬‭: Include the API key in the request header‬‭or URL parameter.‬
‭●‬ ‭JWT (JSON Web Tokens)‬‭: Include the JWT token in the‬‭request header.‬

‭/ Basic Authentication‬
/
given().auth().basic(‬
‭ "username"‬
‭ ,‬‭
‭ "password"‬
).when().get(‬
‭ "/endpoint"‬
‭ );‬
‭

// OAuth‬
‭
given().auth().oauth2(‬
‭ "access_token"‬
‭ ).when().get(‬
‭ "/endpoint"‬
‭ );‬
‭

// API Key‬
‭
given().header(‬
‭ "API-Key"‬
‭ ,‬‭
‭ "your_api_key"‬
).when().get(‬
‭ "/endpoint"‬
‭ );‬
‭

// JWT‬
‭
given().header(‬
‭ "Authorization"‬
‭ ,‬‭
‭ "Bearer‬
your_jwt_token"‬
‭ ).when().get(‬
‭ "/endpoint"‬
‭ );‬
‭

‭How do you validate the response of an API?‬

‭Answer:‬‭Validation involves checking the following:‬

‭‬
● ‭ tatus Code‬‭: Ensure the response code is as expected‬‭(e.g., 200 OK, 404 Not Found).‬
S
‭●‬ ‭Response Body‬‭: Validate the data returned in the response‬‭body.‬
‭●‬ ‭Headers‬‭: Check if the required headers are present‬‭and correct.‬
‭●‬ ‭Schema Validation‬‭: Ensure the response follows a predefined‬‭schema.‬

// Status Code‬
‭
Assert‬
‭ .‬
‭assertEquals‬
‭ (‬
‭ response‬
‭ .getStatusCode(),‬‭
‭ 200‬
);‬
‭

‭86‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

// Response Body‬
‭
Assert‬
‭ .‬
‭assertTrue‬
‭ (‬
‭ response‬
‭ .asString().contains(‬
‭ "expectedValue"‬
‭ ));‬
‭

// Header‬
‭
Assert‬
‭ .‬
‭assertEquals‬
‭ (‬
‭ response‬
‭ .getHeader(‬
‭ "Content-Type"‬
‭ ),‬‭
‭ "application/json"‬
);‬
‭

// Schema Validation‬
‭

response‬
‭ .then().assertThat().body(matchesJsonSchemaInClasspath(‬
‭ "schema.json"‬
‭ ));‬
‭

‭How do you perform data-driven testing in API testing?‬

‭ nswer:‬ ‭Data-driven‬ ‭testing‬ ‭involves‬ ‭running‬ ‭the‬ ‭same‬ ‭test‬ ‭case‬ ‭with‬ ‭multiple‬ ‭sets‬ ‭of‬‭data.‬‭This‬‭can‬‭be‬
A
‭done using external data sources like Excel, CSV files, or databases.‬

‭Example with TestNG and DataProvider:‬

‭DataProvider(name =‬‭
@ "userData"‬
)‬
‭
public‬‭
‭ Object‬
[][] createUserData() {‬
‭
return new‬‭
‭ Object[][]{‬
{‭
‭"
‬John"‬
,‬‭
‭ "Developer"‬
},‬
‭
{‭
‭"
‬Jane"‬
,‬‭
‭ "Tester"‬
}‬
‭
};‬
‭
}‬
‭

‭Test(dataProvider =‬‭
@ "userData"‬)‬
‭
public void‬‭
‭ testCreateUser(‬String‬‭
‭ name,‬‭
String‬‭
job)‬‭
{‬
given().body(‬
‭ "{‬
‭ \"‬
‭ name‬
‭ \"‬
‭ :‬
‭\"‬
‭ "‬‭
‭ + name +‬‭"‬
\"‬
‭ ,‬‭
‭ \"‬
job‬
‭ \"‬
‭ :‬
‭\"‬
‭ "‬‭
‭ + job +‬‭
"‭
\
‬"‬
}"‬
‭ )‬
‭
.when().post(‬
‭ "/users"‬
‭ )‬
‭
.then().statusCode(‬
‭ 201‬
‭ );‬
‭
}‬
‭

‭How do you handle errors in API testing?‬

‭Answer:‬‭Handling errors involves:‬

‭●‬ V ‭ alidating Error Responses‬‭: Ensure the API returns‬‭appropriate error codes and messages (e.g., 400‬
‭Bad Request, 401 Unauthorized).‬
‭●‬ ‭Boundary Testing‬‭: Test the API with edge cases and‬‭invalid inputs.‬
‭●‬ ‭Exception Handling‬‭: Ensure the API gracefully handles‬‭exceptions and returns user-friendly error‬
‭messages.‬

‭Example with Rest Assured:‬

Response response‬‭
‭ = given().when().get(‬
"/invalid-endpoint"‬
‭ );‬
‭

‭87‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ssert‬
A .‭
‭a
‬ssertEquals‬
(‬
‭response‬
‭ .getStatusCode(),‬‭
‭ 404‬
);‬
‭
Assert‬
‭ .‭
‭a
‬ssertTrue‬
(‭
‭r
‬esponse‬
.asString().contains(‬
‭ "Not‬‭
‭ Found"‬
));‬
‭

‭Explain the concept of pagination in API testing.‬

‭ nswer:‬ ‭Pagination‬ ‭is‬ ‭used‬ ‭to‬ ‭divide‬ ‭large‬‭sets‬‭of‬‭data‬‭into‬‭smaller‬‭chunks‬‭to‬‭improve‬‭performance‬‭and‬

A
‭manageability. It involves:‬

‭‬ L
● ‭ imit and Offset‬‭: Specify the number of records to‬‭return and the starting point.‬
‭●‬ ‭Page and Page Size‬‭: Define the page number and the‬‭number of records per page.‬
‭●‬ ‭Cursor-Based‬‭: Use a pointer to keep track of the current‬‭position in the data set.‬

‭ uring‬ ‭testing,‬ ‭validate‬ ‭that‬ ‭pagination‬‭parameters‬‭work‬‭correctly‬‭and‬‭that‬‭the‬‭API‬‭returns‬‭the‬‭expected‬

D
‭number of records and navigates through pages properly.‬

‭esponse response‬‭
R = given().queryParam(‬"page"‬
‭ ,‬‭
‭ 2‬
).queryParam(‬
‭ "pageSize"‬
‭ ,‬
‭
10‬
‭ ).when().get(‬
‭ "/users"‬
‭ );‬
‭
Assert‬
‭ .‭
‭a
‬ssertEquals‬
(‬
‭response‬
‭ .getStatusCode(),‬‭
‭ 200‬);‬
‭
Assert‬
‭ .‭
‭a
‬ssertTrue‬
(‭
‭r
‬esponse‬.jsonPath().getList(‬
‭ "data"‬
‭ ).size()‬‭
‭ <=‬‭
10‬
);‬
‭

‭What is BDD and how does it relate to API testing?‬

‭ nswer:‬ ‭Behavior-Driven‬ ‭Development‬ ‭(BDD)‬ ‭is‬ ‭a‬ ‭software‬ ‭development‬ ‭approach‬ ‭that‬ ‭encourages‬
A
‭collaboration‬ ‭between‬ ‭developers,‬ ‭testers,‬ ‭and‬ ‭business‬ ‭stakeholders.‬ ‭It‬ ‭involves‬ ‭writing‬ ‭test‬ ‭cases‬ ‭in‬ ‭a‬
‭natural‬ ‭language‬ ‭that‬ ‭is‬ ‭understandable‬ ‭by‬ ‭all‬ ‭stakeholders.‬ ‭In‬ ‭API‬ ‭testing,‬ ‭BDD‬ ‭helps‬ ‭in‬ ‭defining‬ ‭the‬
‭behavior of APIs in a readable format using tools like Cucumber.‬

‭What are the benefits of using BDD for API testing?‬

‭Answer:‬

‭●‬ I‭ mproved Communication‬‭: Ensures clear communication‬‭between technical and non-technical‬

‭stakeholders.‬
‭●‬ ‭Readability‬‭: Tests are written in plain language which‬‭is easy to understand.‬
‭●‬ ‭Living Documentation‬‭: Test cases serve as documentation‬‭for the system's behavior.‬
‭●‬ ‭Early Bug Detection‬‭: Helps identify issues early in‬‭the development cycle.‬

‭What tools are commonly used for BDD API testing?‬

‭Answer:‬

‭88‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭‬
● ‭ ucumber‬‭: For writing BDD tests in Gherkin syntax.‬
C
‭●‬ ‭Rest Assured‬‭: For making HTTP requests and validating‬‭responses.‬
‭●‬ ‭Serenity BDD‬‭: For generating comprehensive test reports.‬
‭●‬ ‭TestNG‬‭: For running tests.‬
‭●‬ ‭JBehave‬‭: Another BDD framework for Java.‬

‭How do you write a feature file for a POST request in BDD?‬

‭Answer:‬‭A feature file for a POST request might look‬‭like this:‬

Feature‬
‭ : Create a new user‬
‭

Scenario‬
‭ : Successful creation of a new user‬
‭
Given‬‭
‭ the API endpoint is "https://reqres.in/api/users"‬
When‬‭
‭ I send a POST request to the endpoint with‬‭
the following details‬
|‬‭
‭ name‬ |‬‭
‭ job‬ |‬
‭
|‬‭
‭ John Doe‬‭
|‬‭
Developer‬‭
|‬
Then‬‭
‭ the response status code should be 201‬
And‬‭
‭ the response should contain "name"‬
And‬‭
‭ the response should contain "job"‬

‭How do you implement step definitions for a POST request in BDD?‬

‭Answer:‬‭Step definitions for the above feature file:‬

‭mport‬‭
i io.restassured.RestAssured;‬
import‬‭
‭ io.restassured.response.Response;‬
import‬‭
‭ io.cucumber.java.en.Given;‬
import‬‭
‭ io.cucumber.java.en.When;‬
import‬‭
‭ io.cucumber.java.en.Then;‬
import‬‭
‭ org.testng.Assert;‬

import‬‭
‭ java.util.Map;‬

public class‬‭
‭ ApiSteps {‬

‭rivate‬‭
p String endpoint;‬
private‬‭
‭ Response response;‬

‭Given(‬
@ "the API endpoint is {string}"‬
‭ )‬
‭
public void‬‭
‭ theApiEndpointIs(String url) {‬
this‬
‭ .endpoint = url;‬
‭
}‬
‭

‭When(‬
@ "I send a POST request to the endpoint with‬‭
‭ the following details"‬
)‬
‭
public void‬‭
‭ iSendAPostRequestToTheEndpointWithTheFollowingDetails(Map<String,‬
String> userDetails) {‬
‭

‭89‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

response = RestAssured‬
‭
.given()‬
‭
.contentType(‬
‭ "application/json"‬
‭ )‬
‭
.body(userDetails)‬
‭
.post(‬
‭ endpoint‬
‭ );‬
‭
}‬
‭

‭Then‬
@ (‭
‭"
‬the response status code should be {int}"‬
)‬
‭
public void‬‭
‭ theResponseStatusCodeShouldBe(‬
int‬‭
‭ statusCode)‬‭
{‬
Assert.assertEquals(response.getStatusCode(), statusCode);‬
‭
}‬
‭

‭Then(‬
@ "the response should contain {string}"‬
‭ )‬
‭
public void‬‭
‭ theResponseShouldContain(String content)‬‭
{‬
Assert.assertTrue(response.asString().contains(content));‬
‭
}‬
‭
}‬
‭

‭How do you configure a test runner for BDD tests?‬

‭Answer:‬‭A test runner using Cucumber and TestNG:‬

package‬‭
‭ runners‬
;‬
‭

‭mport‬‭
i io.cucumber.testng.AbstractTestNGCucumberTests‬
;‬
‭
import‬‭
‭ io.cucumber.testng.‬
CucumberOptions‬
‭ ;‬
‭

@CucumberOptions‬
‭ (‬
‭
features =‬‭
‭ "src/test/resources/features"‬
,‬
‭
glue =‬‭
‭ "steps"‬
)‬
‭
public class‬‭
‭ TestRunner‬‭
extends‬‭
AbstractTestNGCucumberTests‬‭
{‬
}‬
‭

‭What is Gherkin syntax?‬

‭Answer:‬‭Gherkin‬‭is‬‭a‬‭domain-specific‬‭language‬‭for‬‭writing‬‭BDD‬‭test‬‭cases.‬‭It‬‭uses‬‭plain‬‭English‬‭language‬
Feature‬
‭to‬‭define‬‭test‬‭cases‬‭in‬‭a‬‭structured‬‭manner‬‭using‬‭keywords‬‭like‬‭ Scenario‬
‭,‬‭ Given‬
‭,‬‭ When‬
‭,‬‭ Then‬
‭,‬‭ ‭,‬
And‬
‭and‬‭ ‭.‬

‭How do you perform data-driven testing in BDD?‬

Scenario Outline‬‭keyword in Gherkin.‬

‭Answer:‬‭Data-driven testing can be done using the‬‭

Feature‬
‭ : User creation‬
‭

‭90‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

Scenario Outline‬
‭ : Create multiple users‬
‭
Given‬‭
‭ the API endpoint is "https://reqres.in/api/users"‬
When‬‭
‭ I send a POST request to the endpoint with‬‭
the following details‬
|‬‭
‭ name‬ |‬‭
‭ job‬ |‬
‭
|‬‭
‭ <name>‬ ‭|‬‭
<job>‬ |‬
‭
Then‬‭
‭ the response status code should be 201‬
And‬‭
‭ the response should contain "name"‬
And‬‭
‭ the response should contain "job"‬

Examples‬
‭ :‬
‭
|‬‭
‭ name‬ |‬‭
‭ job‬ |‬
‭
|‬‭
‭ John Doe‬‭
|‬‭
Developer‬‭
|‬
|‬‭
‭ Jane Doe‬‭
|‬‭
Tester‬ |‬
‭

‭How do you validate JSON response in BDD API testing?‬

‭Answer:‬‭Rest Assured can validate JSON responses in‬‭your step definitions.‬

‭Then(‬
@ "the response should contain {string}"‬
‭ )‬
‭
public void‬‭
‭ theResponseShouldContain(String content)‬‭
{‬
Assert.assertTrue(response.asString().contains(content));‬
‭
}‬
‭

‭Then(‬
@ "the response should contain the field {string}‬‭
‭ with value {string}"‬
)‬
‭
public void‬‭
‭ theResponseShouldContainTheFieldWithValue(String‬‭
field, String value) {‬
Assert.assertEquals(response.jsonPath().getString(field), value);‬
‭
}‬
‭

‭How do you handle authentication in BDD API tests?‬

‭Answer:‬‭Handle authentication by including necessary‬‭headers or tokens in your request.‬

‭When(‬
@ "I send a POST request to the endpoint with‬‭
‭ the following details and token‬
{string}"‬
‭ )‬
‭
public void‬‭
‭ iSendAPostRequestToTheEndpointWithTheFollowingDetailsAndToken(String‬
token, Map<String, String> userDetails) {‬
‭
response = RestAssured‬
‭
.given()‬
‭
.header(‬
‭ "Authorization"‬
‭ ,‬‭
‭ "Bearer "‬‭
+ token)‬
.contentType(‬
‭ "application/json"‬
‭ )‬
‭
.body(userDetails)‬
‭
.post(endpoint);‬
‭
}‬
‭

‭91‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭How do you ensure the idempotency of API requests?‬

‭Answer:‬‭Ensure idempotency by making repeated requests‬‭and verifying the response is consistent.‬

‭When‬
@ (‭
‭"
‬I send the same POST request multiple times"‬
)‬
‭
public void‬‭
‭ iSendTheSamePostRequestMultipleTimes‬
(Map<‬
‭ String‬
‭ ,‬‭
‭ String‬
> userDetails) {‬
‭
response‬‭
‭ =‬‭
RestAssured‬
.‭
‭g
‬iven‬
()‬
‭
.contentType(‬
‭ "application/json"‬
‭ )‬
‭
.body(userDetails)‬
‭
.post(‬
‭ endpoint‬
‭ );‬
‭

Response responseRepeated‬‭
‭ =‬‭
RestAssured‬
.‭
‭g
‬iven‬
()‬
‭
.contentType(‬
‭ "application/json"‬
‭ )‬
‭
.body(userDetails)‬
‭
.post(‬
‭ endpoint‬
‭ );‬
‭

‭ssert‬
A .‭
‭a
‬ssertEquals‬
(‭
‭r‬esponse‬
.getStatusCode(),‬‭
‭ responseRepeated‬
.getStatusCode());‬
‭
Assert‬
‭ .‭
‭a
‬ssertEquals‬
(‭
‭r‬esponse‬
.asString(),‬‭
‭ responseRepeated‬
.asString());‬
‭
}‬
‭

‭How do you handle rate limiting in API testing?‬

‭Answer:‬‭Handle rate limiting by sending requests in‬‭a loop and checking the response for rate limit errors.‬

‭When‬
@ (‭
‭"
‬I send multiple requests to the endpoint"‬ )‬
‭
public void‬‭
‭ iSendMultipleRequestsToTheEndpoint‬ () {‬
‭
for‬‭
‭ (‭
i
‬nt‬‭
i =‬‭
0‬; i <‬‭
‭ 10‬
; i++) {‬
‭
response‬‭
‭ =‬‭RestAssured‬
.‬
‭ given‬
‭ ().get(‬
‭ endpoint‬
‭ );‬
‭
if‬‭
‭ (‭
r
‬esponse‬.getStatusCode() ==‬‭
‭ 429‬
) {‬‭
‭ // 429‬‭Too Many Requests‬
break‬
‭ ;‬
‭
}‬
‭
}‬
‭
}‬
‭

‭Then‬
@ (‭
‭"
‬I should receive a rate limit error"‬)‬
‭
public void‬‭
‭ iShouldReceiveARateLimitError‬() {‬
‭
Assert‬
‭ .‭
‭a
‬ssertEquals‬(‭
‭r
‬esponse‬
.getStatusCode(),‬‭
‭ 429‬
);‬
‭
Assert‬
‭ .‭
‭a
‬ssertTrue‬
(‬
‭response‬
‭ .asString().contains(‬
‭ "rate‬‭
‭ limit"‬
));‬
‭
}‬
‭

‭How do you perform schema validation in BDD API tests?‬

‭Answer:‬‭Use JSON schema validation to ensure the response‬‭matches the expected schema.‬

‭92‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

import‬‭
‭ io.restassured.module.jsv.JsonSchemaValidator‬
;‬
‭

‭Then‬
@ (‭
‭"
‬the response should match the schema {string}"‬)‬
‭
public void‬‭
‭ theResponseShouldMatchTheSchema‬
(‬
‭ String‬‭
‭ schemaPath) {‬

‭esponse‬
r .then().assertThat().body(JsonSchemaValidator.matchesJsonSchemaInClasspath(sc‬
‭
hemaPath));‬
‭
}‬
‭

‭How do you handle different environments in API testing?‬

‭Answer:‬‭Use environment variables or configuration‬‭files to handle different environments.‬

‭Given‬
@ (‭
‭"
‬the API endpoint is set for {string} environment"‬)‬
‭
public void‬‭
‭ theApiEndpointIsSetForEnvironment‬
(‬
‭ String‬‭
‭ environment) {‬
if‬‭
‭ (environment.equalsIgnoreCase(‬
"production"‬
‭ ))‬‭
‭ {‬
this‬
‭ .‭
‭e
‬ndpoint‬‭
=‬‭
"https://api.production.com/users"‬;‬
‭
}‬‭
‭ else if‬‭
(environment.equalsIgnoreCase(‬
"staging"‬
‭ ))‬‭
‭ {‬
this‬
‭ .‭
‭e
‬ndpoint‬‭
=‬‭
"https://api.staging.com/users"‬;‬
‭
}‬
‭
}‬
‭

‭How do you manage test data for API testing?‬

‭Answer:‬‭Manage test data using external files (CSV,‬‭JSON, Excel) or in-memory data providers.‬

‭DataProvider(name =‬‭
@ "userData"‬
)‬
‭
public‬‭
‭ Object‬
[][]‬‭
‭ createUserData‬() {‬
‭
return new‬‭
‭ Object[][]{‬
{‭
‭"
‬John Doe"‬
,‬‭
‭ "Developer"‬},‬
‭
{‭
‭"
‬Jane Doe"‬
,‬‭
‭ "Tester"‬}‬
‭
};‬
‭
}‬
‭

‭Test(dataProvider =‬‭
@ "userData"‬)‬
‭
public void‬‭
‭ testCreateUser‬(‬
‭String‬‭
‭ name,‬‭
String‬‭
job)‬‭
{‬
given().body(‬
‭ "{‬
‭ \"‬
‭ name‬
‭ \"‬
‭ :‬
‭\"‬
‭ "‬‭
‭ + name +‬‭"‬
\"‬
‭ ,‬‭
‭ \"‬
job‬
‭ \"‬
‭ :‬
‭\"‬
‭ "‬‭
‭ + job +‬‭
"‭
\
‬"‬
}"‬
‭ )‬
‭
.when().post(‬
‭ "/users"‬
‭ )‬
‭
.then().statusCode(‬
‭ 201‬
‭ );‬
‭
}‬
‭

‭93‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Chapter 7‬

‭Performance Testing of APIs using JMeter‬

‭Install Apache JMeter‬

‭Install Java‬

J‭ Meter‬ ‭requires‬ ‭Java‬ ‭to‬ ‭be‬ ‭installed‬ ‭on‬ ‭your‬ ‭machine.‬ ‭Ensure‬ ‭you‬ ‭have‬ ‭the‬ ‭Java‬ ‭Development‬‭Kit‬‭(JDK)‬
‭installed.‬

‭1.‬ ‭Check if Java is already installed:‬‭Open a terminal‬‭(Command Prompt on Windows) and type:‬
‭ava -version‬
j ‭; you will see a version number if Java‬‭is installed.‬
‭2.‬ ‭Download and install Java:‬
‭○‬ ‭If Java is not installed, download the JDK from the‬‭Oracle website‬‭or‬‭OpenJDK‬‭.‬
‭○‬ ‭Follow the installation instructions specific to your operating system.‬

‭Download JMeter‬

‭ .‬ G
1 ‭ o to the‬‭Apache JMeter download page‬‭.‬
‭2.‬ ‭Download the binary (zip or tgz) file from the "Binaries" section.‬

‭Install JMeter‬

‭Extract the downloaded archive:‬

.zip‬‭file‬‭and select "Extract All..."‬

‭For Windows: Right-click the downloaded‬‭

tar‬‭command in the terminal:‬

‭For Mac/Linux: Use the‬‭

tar -xvzf apache-jmeter-<version>.tgz‬

‭

‭Move the extracted folder to a preferred location:‬

apache-jmeter-<version>‬‭folder anywhere on your system.‬

‭You can place the extracted‬‭

‭Set Up Environment Variables (Optional)‬

‭Setting‬ ‭up‬ ‭environment‬ ‭variables‬ ‭allows‬ ‭you‬ ‭to‬ ‭run‬ ‭JMeter‬ ‭from‬ ‭any‬ ‭command‬ ‭prompt‬ ‭or‬ ‭terminal‬
‭ irectory.‬
d

‭94‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Windows:‬

-‭ ‬ ‭ pen the Control Panel, go to System and Security > System > Advanced system settings.‬
O
‭-‬ ‭Click on "Environment Variables".‬
‭-‬ Path‬‭variable,‬‭select it, and click "Edit".‬
‭Under "System variables", find the‬‭
‭-‬ bin‬‭directory of the extracted‬‭JMeter folder (e.g.,‬
‭Add the path to the‬‭
C:\path\to\apache-jmeter-<version>\bin‬
‭ ‭).‬

‭Mac/Linux:‬

‭-‬ ~/.bashrc‬‭(or‬‭
‭ pen your terminal and edit the‬‭
O ~/.bash_profile‬‭or‬‭
~/.zshrc‬‭if using zsh)‬
‭file:‬

nano ~/.bashrc‬
‭

‭-‬ ‭Add the following line:‬

‭xport PATH=$PATH:/path/to/apache-jmeter-<version>/bin‬
e
‭-‬ ‭Save the file and reload the configuration:‬
source ~/.bashrc‬
‭

‭Launch JMeter‬

‭1.‬ ‭Windows:‬
bin‬‭directory inside the JMeter folder.‬
‭○‬ ‭Navigate to the‬‭
jmeter.bat‬‭to launch JMeter.‬
‭○‬ ‭Double-click‬‭
‭2.‬ ‭Mac/Linux:‬
‭○‬ ‭Open a terminal.‬
bin‬‭directory inside the JMeter folder.‬
‭○‬ ‭Navigate to the‬‭
‭○‬ ‭Run the following command:‬‭
./jmeter.sh‬

‭Verify Installation‬

‭After launching JMeter, you should see the JMeter GUI, which indicates that the installation succeeded.‬

‭95‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Tips:‬

‭●‬ ‭Updating JMeter:‬‭To update JMeter, download the latest‬‭version and replace the old folder with the‬
‭ ew one. Ensure that the‬‭
n Path‬‭variable (if set) is‬‭updated accordingly.‬
‭ ‬ ‭Plugins:‬‭Consider installing JMeter plugins for extended‬‭functionality. Visit the‬‭JMeter Plugins‬
●
‭website‬‭for more information.‬

‭96‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭JMeter Components‬

‭6‬

‭ pache JMeter has several key components that you can use to design and execute your performance tests.‬
A
‭Here’s an overview of the main components:‬

‭1. Test Plan‬

‭●‬ D ‭ escription:‬‭A Test Plan is the container for your‬‭entire test script. It includes all the other‬
‭components like Thread Groups, Samplers, Listeners, and more.‬
‭●‬ ‭Usage:‬‭Define the overall structure of your performance‬‭test. Add other components to build your‬
‭test scenario.‬

‭2. Thread Group‬

‭●‬ D ‭ escription:‬‭A Thread Group represents a group of‬‭virtual users that will execute the test scripts. It‬
‭defines the number of users, the ramp-up period, and the loop count.‬
‭●‬ ‭Usage:‬‭Configure how many users will run the test,‬‭how quickly they will start, and how many‬
‭times they will repeat the test.‬

‭3. Samplers‬

‭●‬ D ‭ escription:‬‭Samplers are requests that JMeter sends‬‭to the server. They can be of various types,‬
‭including HTTP requests, FTP requests, JDBC requests, and more.‬
‭●‬ ‭Types of Samplers:‬
‭○‬ ‭HTTP Request:‬‭Used to send HTTP/HTTPS requests.‬
‭○‬ ‭FTP Request:‬‭Used to send FTP commands.‬
‭6‬
‭https://www.devstringx.com/use-jmeter-for-api-load-testing‬

‭97‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ ‬ J‭ DBC Request:‬‭Used to execute SQL queries.‬

○
‭○‬ ‭SOAP/XML-RPC Request:‬‭Used to send SOAP or XML-RPC‬‭requests.‬

‭4. Logic Controllers‬

‭‬ D
● ‭ escription:‬‭Logic Controllers determine the order‬‭in which Samplers are processed.‬
‭●‬ ‭Types of Logic Controllers:‬
‭○‬ ‭Simple Controller:‬‭Organizes the samplers and other‬‭controllers.‬
‭○‬ ‭Loop Controller:‬‭Runs the samplers a specified number‬‭of times.‬
‭○‬ ‭If Controller:‬‭Executes samplers only if a certain‬‭condition is true.‬
‭○‬ ‭Transaction Controller:‬‭Measures the overall time‬‭taken to complete a set of nested‬
‭samplers.‬
‭○‬ ‭While Controller:‬‭Repeats the nested samplers while‬‭a condition is true.‬

‭5. Listeners‬

‭●‬ D ‭ escription:‬‭Listeners collect and display the results‬‭of the test execution. They provide different‬
‭views of the performance test results.‬
‭●‬ ‭Types of Listeners:‬
‭○‬ ‭View Results Tree:‬‭Shows the results of each sample‬‭in a tree format.‬
‭○‬ ‭Summary Report:‬‭Provides a summary of performance‬‭metrics.‬
‭○‬ ‭Graph Results:‬‭Displays the test results in a graphical‬‭format.‬
‭○‬ ‭Aggregate Report:‬‭Summarizes statistics like average,‬‭min, max, and standard deviation for‬
‭the test samples.‬

‭6. Timers‬

‭●‬ D ‭ escription:‬‭Timers introduce delays between requests.‬‭They help simulate real-world user‬
‭interactions by adding think time.‬
‭●‬ ‭Types of Timers:‬
‭○‬ ‭Constant Timer:‬‭Introduces a fixed delay.‬
‭○‬ ‭Gaussian Random Timer:‬‭Introduces a random delay based‬‭on a Gaussian distribution.‬
‭○‬ ‭Uniform Random Timer:‬‭Introduces a random delay within‬‭a specified range.‬
‭○‬ ‭Constant Throughput Timer:‬‭Controls the throughput‬‭by introducing pauses to maintain a‬
‭specified number of requests per minute.‬

‭7. Assertions‬

‭●‬ D ‭ escription:‬‭Assertions are used to validate the responses‬‭received from the server. They ensure‬
‭that the responses contain the expected data.‬
‭●‬ ‭Types of Assertions:‬
‭○‬ ‭Response Assertion:‬‭Checks for patterns in the response‬‭text.‬
‭○‬ ‭Duration Assertion:‬‭Verifies that the response time‬‭is within a specified limit.‬
‭○‬ ‭Size Assertion:‬‭Ensures that the response is of a‬‭certain size.‬

‭98‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭○‬ ‭XML Assertion:‬‭Validates the response against an XML schema.‬

‭8. Configuration Elements‬

‭●‬ D ‭ escription:‬‭Configuration Elements provide support‬‭data for Samplers and modify the requests‬
‭they send.‬
‭●‬ ‭Types of Configuration Elements:‬
‭○‬ ‭CSV Data Set Config:‬‭Reads data from a CSV file for‬‭parameterization.‬
‭○‬ ‭HTTP Request Defaults:‬‭Sets default values for HTTP‬‭requests.‬
‭○‬ ‭User Defined Variables:‬‭Defines variables that can‬‭be used throughout the test plan.‬
‭○‬ ‭JDBC Connection Configuration:‬‭Configures database‬‭connections.‬

‭9. Pre-Processors and Post-Processors‬

‭●‬ ‭Pre-Processors:‬
‭○‬ ‭Description:‬‭Pre-Processors are actions that are performed‬‭before the sampler request is‬
‭sent.‬
‭○‬ ‭Example:‬‭HTTP URL Re-writing Modifier, Regular Expression‬‭Extractor.‬
‭●‬ ‭Post-Processors:‬
‭○‬ ‭Description:‬‭Post-Processors are actions that are‬‭performed after the sampler request has‬
‭been sent.‬
‭○‬ ‭Example:‬‭Regular Expression Extractor, JSON Path Post-Processor.‬

‭10. Test Fragments‬

‭●‬ D ‭ escription:‬‭Test Fragments are used to define parts‬‭of the test that can be reused in other parts of‬
‭the test plan.‬
‭●‬ ‭Usage:‬‭Useful for modularizing the test plan and reusing‬‭components.‬

‭ hese‬ ‭components‬ ‭allow‬ ‭you‬ ‭to‬ ‭create‬ ‭comprehensive‬ ‭and‬ ‭flexible‬ ‭performance‬ ‭tests‬ ‭in‬ ‭JMeter.‬ ‭By‬
T
‭combining‬ ‭these‬ ‭elements,‬ ‭you‬ ‭can‬ ‭simulate‬ ‭complex‬ ‭scenarios‬ ‭and‬‭gather‬‭detailed‬‭performance‬‭metrics‬
‭for your application.‬

‭Guide to Creating Performance Test Script‬

‭Create a Test Plan‬

File‬‭
‭1.‬ ‭In JMeter, create a new test plan by selecting‬‭ > New‬
‭.‬

‭99‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Add a Thread Group‬

Add > Threads‬‭

‭1.‬ ‭Right-click on the Test Plan and select‬‭ (Users) > Thread Group‬
‭.‬

‭2.‬ ‭Configure the Thread Group:‬

‭○‬ ‭Number of Threads (Users):‬‭This specifies the number‬‭of virtual users.‬
‭○‬ ‭Ramp-Up Period (in seconds):‬‭This is the time JMeter‬‭should take to get all the threads up‬
‭and running.‬
‭○‬ ‭Loop Count:‬‭This specifies how many times to execute‬‭the test.‬

‭Add an HTTP Request‬

Add > Sampler‬‭

‭1.‬ ‭Right-click on the Thread Group and select‬‭ > HTTP Request‬
‭.‬

‭100‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭2.‬ ‭Configure the HTTP Request:‬

‭○‬ ‭Server Name or IP:‬‭Enter the hostname or IP address‬‭of the API server.‬
‭○‬ ‭Port Number:‬‭Enter the port number if required (default‬‭is 80 for HTTP and 443 for HTTPS).‬
‭○‬ ‭HTTP Request:‬‭Specify the method (GET, POST, etc.)‬‭and the path (e.g.,‬
‭api/v1/resource‬
/ ‭).‬
‭ ‬ ‭Parameters:‬‭Add any necessary parameters if the API‬‭requires them.‬
○

‭Add a Listener‬

Add > Listener‬‭

‭1.‬ ‭Right-click on the Thread Group and select‬‭ > View Results Tree‬‭or any‬
Summary Report‬
‭other listener of your choice (e.g.,‬‭ Graph Results‬
‭,‬‭ ‭).‬

‭101‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Run the Test‬

‭ .‬ S
1 File > Save‬
‭ ave the test plan by selecting‬‭ ‭.‬
‭2.‬ ‭Click the green "Start" button (a triangle) in the JMeter toolbar to run the test.‬
‭3.‬ ‭View the results in the Listener you added.‬

‭Example Configuration‬

‭Here’s an example configuration for a simple GET request to‬

http://example.com/api/v1/resource‬
‭ ‭:‬

‭●‬ ‭Thread Group:‬

‭○‬ ‭Number of Threads (Users): 10‬
‭○‬ ‭Ramp-Up Period (in seconds): 5‬
‭○‬ ‭Loop Count: 100‬
‭●‬ ‭HTTP Request:‬
example.com‬
‭○‬ ‭Server Name or IP:‬‭
/api/v1/resource‬
‭○‬ ‭Path:‬‭
GET‬
‭○‬ ‭Method:‬‭

‭102‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Common Interview Questions and Answers Related to Performance Testing of APIs‬

‭What is API performance testing?‬

‭ nswer:‬‭API performance testing involves evaluating‬‭the speed, responsiveness, and stability of an API‬
A
‭under various conditions. It helps ensure the API can handle the expected load and perform efficiently.‬

‭Why is performance testing important for APIs?‬

‭ nswer:‬‭Performance testing ensures that the API can‬‭handle high traffic, provides a good user experience,‬
A
‭identifies potential bottlenecks, and meets the performance criteria before going live.‬

‭What tools can be used for API performance testing?‬

‭Answer:‬‭Common tools include Apache JMeter, Postman,‬‭SoapUI, LoadRunner, and Gatling.‬

‭What is the difference between load testing and stress testing?‬

‭ nswer:‬‭Load testing measures the system’s performance‬‭under expected user loads, while stress testing‬
A
‭evaluates how the system behaves under extreme or beyond expected loads.‬

‭How do you set up a basic API performance test in JMeter?‬

‭ nswer:‬‭Create a Test Plan, add a Thread Group, configure‬‭the number of threads and ramp-up period,‬
A
‭add an HTTP Request sampler, specify the API details, and add a Listener to capture the results.‬

‭What are some common metrics to measure in API performance testing?‬

‭ nswer:‬‭Key metrics include response time, throughput,‬‭error rate, latency, and resource utilization (CPU,‬
A
‭memory).‬

‭What is a throughput in performance testing?‬

‭ nswer:‬‭Throughput refers to the number of requests‬‭processed by the API per unit of time, usually‬
A
‭measured in transactions per second (TPS).‬

‭What is a latency in performance testing?‬

‭ nswer:‬‭Latency is the time taken for a request to‬‭travel from the client to the server and back. It is the‬
A
‭delay between the request and the first byte of the response.‬

‭How do you handle dynamic parameters in JMeter?‬

‭ nswer:‬‭Use the Regular Expression Extractor to capture‬‭dynamic values from the response and store‬
A
‭them in variables for use in subsequent requests.‬

‭103‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭What is the purpose of a Listener in JMeter?‬

‭ nswer:‬‭Listeners capture and display the results‬‭of the test execution. They provide various reports and‬
A
‭visualizations to analyze the performance data.‬

‭How do you simulate a heavy load in JMeter?‬

‭ nswer:‬‭Increase the number of threads (users) in‬‭the Thread Group, adjust the ramp-up period, and‬
A
‭configure the loop count to simulate a high load on the API.‬

‭What is the significance of the ramp-up period in JMeter?‬

‭ nswer:‬‭The ramp-up period defines the time taken‬‭to start all threads. It helps in gradually increasing the‬
A
‭load on the server to avoid sudden spikes.‬

‭How do you identify performance bottlenecks in an API?‬

‭ nswer:‬‭Analyze metrics such as response time, CPU‬‭and memory usage, throughput, and error rates. Use‬
A
‭profiling tools to pinpoint slow-performing code or database queries.‬

‭What is a distributed testing in JMeter?‬

‭ nswer:‬‭Distributed testing involves using multiple‬‭machines to generate a higher load than a single‬
A
‭machine can handle. It allows for testing larger-scale scenarios.‬

‭What are the different types of performance testing?‬

‭ nswer:‬‭The main types are load testing, stress testing,‬‭endurance testing, spike testing, and volume‬
A
‭testing.‬

‭How do you ensure the accuracy of performance test results?‬

‭ nswer:‬‭Ensure a controlled environment, use realistic‬‭test data, run multiple iterations, monitor system‬
A
‭resources, and analyze results to identify any anomalies.‬

‭What is a correlation in performance testing?‬

‭ nswer:‬‭Correlation involves capturing and reusing‬‭dynamic values from the server response in‬
A
‭subsequent requests. It ensures that the test script accurately simulates real-world scenarios.‬

‭What is the purpose of the ‘Think Time’ in JMeter?‬

‭ nswer:‬‭Think Time simulates the real user’s wait‬‭time between actions. It adds pauses in the test script to‬
A
‭mimic user interactions more accurately.‬

‭How do you perform a spike test in JMeter?‬

‭104‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭ nswer:‬‭Increase the number of threads abruptly in a short period to simulate a sudden spike in traffic and‬
A
‭observe how the API handles the load.‬

‭What are the best practices for API performance testing?‬

‭Answer:‬‭Best practices include:‬

‭‬
● ‭ efine clear performance criteria and goals.‬
D
‭●‬ ‭Use realistic test data and scenarios.‬
‭●‬ ‭Run tests in a production-like environment.‬
‭●‬ ‭Monitor and analyze system resources.‬
‭●‬ ‭Perform tests iteratively and continuously.‬

‭105‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Chapter 8‬

‭Organizing a test framework for API Testing‬

‭ o‬‭create‬‭a‬‭comprehensive‬‭and‬‭well-organized‬‭test‬‭framework‬‭for‬‭API‬‭testing‬‭with‬‭Cucumber,‬‭we‬‭need‬‭to‬
T
‭consider‬ ‭several‬ ‭aspects:‬ ‭request‬ ‭handling,‬ ‭response‬ ‭verification,‬ ‭exception‬ ‭management,‬ ‭configurations,‬
‭user‬‭authentication,‬‭processing,‬‭modeling,‬‭test‬‭framework‬‭setup,‬‭test‬‭assertions,‬‭logging,‬‭utility‬‭functions,‬
‭test execution, debugging configurations, and a test driver.‬

‭Here’s a detailed structure and guide for setting up such a framework:‬

‭Project Structure‬

‭Organize your project structure to keep it modular and maintainable:‬

s‭ rc‬
‭├── main‬
‭│ └── java‬
‭│ └── com/yourcompany/yourproject‬
‭│ ├── config‬
‭│ │ └── Config.java‬
‭│ ├── exceptions‬
‭│ │ └── ApiException.java‬
‭│ ├── model‬
‭│ │ └── ApiResponse.java‬
‭│ ├── processor‬
‭│ │ └── ResponseProcessor.java‬
‭│ ├── util‬
‭│ │ ├── ApiClient.java‬
‭│ │ ├── AuthenticationUtil.java‬
‭│ │ ├── LoggerUtil.java‬
‭│ │ └── TestUtil.java‬
‭│ └── driver‬
‭│ └── TestDriver.java‬
‭└── test‬
‭└── java‬
‭└── com/yourcompany/yourproject‬
‭├── features‬
‭│ └── api.feature‬
‭├── runners‬
‭│ └── TestRunner.java‬
‭└── stepdefinitions‬
‭└── ApiStepDefinitions.java‬

‭106‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Dependencies‬
<‭
‭p
‬roject‬‭
xmlns‬
="http://maven.apache.org/POM/4.0.0"‬
‭
xmlns:‬
‭ xsi‬
‭ ="http://www.w3.org/2001/XMLSchema-instance"‬
‭
xsi‬
‭ :schemaLocation‬
‭ ="http://maven.apache.org/POM/4.0.0‬
‭
http://maven.apache.org/maven-v4_0_0.xsd"‬
‭ >‬
‭
<‭
‭m
‬odelVersion‬
>4.0.0</‬
‭ modelVersion‬
‭ >‬
‭
<‭
‭g
‬roupId‬
>com.example</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>bdd-api-automation</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>1.0-SNAPSHOT</‬
‭ version‬
‭ >‬
‭

<‭
‭d
‬ependencies‬
>‬
‭
<!-- TestNG Dependency -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>org.testng</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>testng</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>7.4.0</‬
‭ version‬
‭ >‬
‭
<‭
‭s
‬cope‬
>test</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- Rest Assured Dependency -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>io.rest-assured</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>rest-assured</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>4.3.3</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- Cucumber Dependencies -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>io.cucumber</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>cucumber-java</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>6.10.4</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>io.cucumber</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>cucumber-testng</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>6.10.4</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- JSON Schema Validator Dependency -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>io.rest-assured</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>json-schema-validator</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>4.3.3</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>org.testng</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>testng</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>7.4.0</‬
‭ version‬
‭ >‬
‭
<‭
‭s
‬cope‬
>compile</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- JUnit for running tests -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>junit</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>junit</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>4.13.2</‬
‭ version‬
‭ >‬
‭
<‭
‭s
‬cope‬
>test</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- Logging -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>org.slf4j</‬
‭ groupId‬
‭ >‬
‭

‭107‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭‭
<a
‬rtifactId‬>slf4j-api</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬>1.7.30</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<‭
‭d
‬ependency‬>‬
‭
<‭
‭g
‬roupId‬>org.slf4j</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬>slf4j-simple</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬>1.7.30</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
</‬
‭ dependencies‬
‭ >‬
‭
<‭
‭p
‬roperties‬
>‬
‭
<‭
‭m
‬aven.compiler.source‬ >17</‬
‭ maven.compiler.source‬
‭ >‬
‭
<‭
‭m
‬aven.compiler.target‬ >17</‬
‭ maven.compiler.target‬
‭ >‬
‭
</‬
‭ properties‬
‭ >‬
‭
</‬
‭ project‬
‭ >‬
‭

‭Configuration‬
‭ reate a configuration class to manage configurations in‬
C
src/main/java/com/yourcompany/yourproject/config/Config.java‬
‭ .‬
‭

package‬‭
‭ config‬
;‬
‭

public class‬‭
‭ Config‬‭
{‬
public static final‬‭
‭ String‬‭
BASE_URL‬‭
=‬‭
"http://api.yourservice.com"‬
;‬
‭
public static final‬‭
‭ String‬‭
AUTH_TOKEN‬‭
=‬‭
"your-auth-token"‬
;‬
‭
}‬
‭

‭Exception Handling‬
‭Create a custom exception class for API exceptions in‬
src/main/java/com/yourcompany/yourproject/exceptions/ApiException.java‬
‭ ‭.‬

package‬‭
‭ exceptions‬
;‬
‭

public class‬‭
‭ ApiException‬‭extends‬‭
RuntimeException‬‭
{‬
public‬‭
‭ ApiException‬
(‭
‭S‬tring‬‭
message) {‬
super‬
‭ (message);‬
‭
}‬
‭

public‬‭
‭ ApiException‬
(‭
‭S‬tring‬‭
message,‬‭
Throwable‬‭
cause)‬‭
{‬
super‬
‭ (message, cause);‬
‭
}‬
‭
}‬
‭

‭Models‬
‭ odel‬ ‭refers‬ ‭to‬ ‭the‬ ‭representation‬ ‭of‬ ‭the‬ ‭data‬ ‭structures‬‭used‬‭by‬‭the‬‭API.‬‭These‬‭models‬‭are‬‭usually‬‭Java‬
M
‭classes‬ ‭that‬ ‭mirror‬ ‭the‬ ‭JSON‬ ‭or‬ ‭XML‬ ‭payloads‬ ‭exchanged‬ ‭between‬ ‭the‬‭client‬‭and‬‭the‬‭server.‬‭By‬‭creating‬

‭108‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

t‭ hese‬‭model‬‭classes,‬‭you‬‭can‬‭easily‬‭serialize‬‭and‬‭deserialize‬‭API‬‭request‬‭and‬‭response‬‭bodies,‬‭making‬‭the‬
‭test code cleaner and more maintainable.‬

‭ reate a response model class in‬

C
src/main/java/com/yourcompany/yourproject/model/ApiResponse.java‬
‭ .‬
‭

package‬‭
‭ model‬
;‬
‭

public class‬‭
‭ ApiResponse‬‭
{‬
private int‬‭
‭ statusCode‬
;‬
‭
private‬‭
‭ String‬‭
body‬
;‬
‭

‭/ Getters and setters‬

/
public int‬‭
‭ getStatusCode‬
() {‬
‭
return‬‭
‭ statusCode‬
;‬
‭
}‬
‭

public void‬‭
‭ setStatusCode‬
(‬
‭ int‬‭
‭ statusCode) {‬
this‬
‭ .‭
‭s
‬tatusCode‬‭
= statusCode;‬
}‬
‭

public‬‭
‭ String‬‭
getBody‬
() {‬
‭
return‬‭
‭ body‬
;‬
‭
}‬
‭

public void‬‭
‭ setBody‬
(‭
‭S
‬tring‬‭
body) {‬
this‬
‭ .‭
‭b
‬ody‬‭
= body;‬
}‬
‭
}‬
‭

‭Utility Classes‬
‭ tility‬ ‭classes‬ ‭in‬ ‭an‬ ‭automation‬ ‭framework‬ ‭provide‬ ‭common‬ ‭functionalities‬ ‭that‬ ‭can‬ ‭be‬ ‭reused‬ ‭across‬
U
‭different‬‭parts‬‭of‬‭the‬‭test‬‭scripts.‬‭They‬‭help‬‭to‬‭avoid‬‭code‬‭duplication‬‭and‬‭make‬‭the‬‭test‬‭scripts‬‭cleaner‬‭and‬
‭more maintainable.‬

‭109‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭API client Util‬

‭ reate utility classes for API client, authentication, logging, and test utility in‬
C
src/main/java/com/yourcompany/yourproject/util‬
‭ .‬
‭

package‬‭
‭ util‬
;‬
‭

import‬‭
‭ io.restassured.response.Response‬
;‬
‭

import static‬‭
‭ io.restassured.RestAssured‬
.*;‬
‭

public class‬‭
‭ ApiClient‬‭
{‬

public static‬‭
‭ Response‬‭
get‬
(‬
‭ String‬‭
‭ endpoint) {‬
return‬‭
‭ given‬
().when().get(endpoint);‬
‭
}‬
‭

public static‬‭
‭ Response‬‭
post‬
(‭
‭S‬tring‬‭
endpoint,‬‭
Object‬‭
body) {‬
return‬‭
‭ given‬
().body(body).when().post(endpoint);‬
‭
}‬
‭

// Add other methods (put, delete) as needed‬

‭
}‬
‭

‭Authentication Util‬
‭ ser authentication is typically integrated within the request component. However, it should be made‬
U
‭explicit and visible to facilitate future modifications without affecting other components. This clarity also‬
‭simplifies adding support for testing different authentication types.‬

package‬‭
‭ util‬
;‬
‭

import‬‭
‭ config.Config‬
;‬
‭

public class‬‭
‭ AuthenticationUtil‬‭
{‬

public static‬‭
‭ String‬‭
getAuthToken‬
() {‬
‭
// Return auth token from config or fetch dynamically‬
‭
return‬‭
‭ Config‬
.‬
‭AUTH_TOKEN‬
‭ ;‬
‭
}‬
‭
}‬
‭

‭Logger Util‬
‭Logger‬‭support‬‭is‬‭beneficial‬‭for‬‭writing‬‭test‬‭scripts,‬‭though‬‭it's‬‭not‬‭strictly‬‭mandatory.‬‭Log4j‬‭is‬‭widely‬‭used‬
i‭ n Java projects for logging purposes and is especially helpful during debugging.‬

‭110‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

package‬‭
‭ util‬
;‬
‭

‭mport‬‭
i org.slf4j.Logger‬
;‬
‭
import‬‭
‭ org.slf4j.LoggerFactory‬
;‬
‭

public class‬‭
‭ LoggerUtil‬‭
{‬

private static final‬‭

‭ Logger‬‭
logger‬‭
=‬‭
LoggerFactory‬
.‬
‭getLogger‬
‭ (‭
‭L
‬oggerUtil‬
.‬
‭ class‬
‭ );‬
‭

public static void‬‭

‭ logInfo‬(‬
‭String‬‭
‭ message) {‬
logger‬
‭ .info(message);‬
‭
}‬
‭

public static void‬‭

‭ logError‬
(‭
‭ S
‬tring‬‭
message,‬‭
Throwable‬‭
throwable) {‬
logger‬
‭ .error(message, throwable);‬
‭
}‬
‭
}‬
‭

‭Test Util‬
I‭ n‬‭test‬‭scripts,‬‭there‬‭are‬‭often‬‭requirements‬‭to‬‭generate‬‭time‬‭values‬‭in‬‭various‬‭units‬‭(milliseconds,‬‭seconds,‬
‭minutes,‬ ‭hours,‬ ‭etc.),‬ ‭sort‬ ‭responses,‬ ‭or‬ ‭handle‬‭other‬‭routine‬‭tasks‬‭essential‬‭for‬‭application‬‭testing.‬‭These‬
‭functionalities can be efficiently managed within the test framework's utility component.‬

package‬‭
‭ util‬
;‬
‭

import‬‭
‭ org.testng.Assert‬
;‬
‭

public class‬‭
‭ TestUtil‬‭
{‬

public static void‬‭

‭ assertStatusCode‬
(‬
‭ int‬‭
‭ actual,‬‭
int‬‭
expected) {‬
Assert‬
‭ .‬
‭assertEquals‬
‭ (expected, actual);‬
‭
}‬
‭

public static void‬‭

‭ assertResponseContains‬
(‬
‭ String‬‭
‭ response,‬‭
String‬‭
expectedValue) {‬
Assert‬
‭ .‬
‭assertTrue‬
‭ (response.contains(expectedValue));‬
‭
}‬
‭
}‬
‭

‭Response Processor‬
‭ ou‬‭may‬‭need‬‭to‬‭execute‬‭tests‬‭individually,‬‭as‬‭part‬‭of‬‭a‬‭suite,‬‭or‬‭by‬‭running‬‭different‬‭test‬‭methods‬‭within‬‭a‬
Y
‭test‬ ‭class.‬ ‭Ideally,‬ ‭the‬ ‭test‬ ‭framework‬ ‭should‬ ‭provide‬ ‭support‬ ‭for‬ ‭all‬ ‭these‬ ‭scenarios.‬ ‭If‬ ‭it‬ ‭doesn't,‬ ‭you'll‬
‭need to implement the necessary functionality to handle them.‬

‭111‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ reate a response processor class in‬

C
src/main/java/com/yourcompany/yourproject/processor/ResponseProcessor.java‬
‭ .‬
‭

package‬‭
‭ processor‬
;‬
‭

‭mport‬‭
i io.restassured.response.Response‬
;‬
‭
import‬‭
‭ model.ApiResponse‬
;‬
‭

public class‬‭
‭ ResponseProcessor‬‭
{‬

public static‬‭
‭ ApiResponse‬‭
processResponse‬
(‬
‭Response‬‭
‭ response) {‬
ApiResponse apiResponse‬‭
‭ =‬‭
new‬‭
ApiResponse();‬
apiResponse‬
‭ .setStatusCode(response.getStatusCode());‬
‭
apiResponse‬
‭ .setBody(response.getBody().asString());‬
‭
return‬‭
‭ apiResponse‬
;‬
‭
}‬
‭
}‬
‭

‭Feature File‬
‭Create a feature file in‬‭
src/test/java/com/yourcompany/yourproject/features/api.feature‬
.‬
‭

Feature‬
‭ : API Testing‬
‭

Scenario Outline‬
‭ : Test API with multiple data sets‬
‭
Given‬‭
‭ I set up the API endpoint "<endpoint>"‬
When‬‭
‭ I send a GET request‬
Then‬‭
‭ the response status code should be <statusCode>‬
And‬‭
‭ the response should contain "<expectedValue>"‬

Examples‬
‭ :‬
‭
|‬‭
‭ endpoint‬ ‭‬‭
| statusCode‬‭
|‬‭
expectedValue‬‭
|‬
|‬‭
‭ /api/test/1‬ |‬‭
‭ 200‬ |‬‭
‭ value1‬ |‬
‭
|‬‭
‭ /api/test/2‬ |‬‭
‭ 404‬ |‬‭
‭ error‬ |‬
‭
|‬‭
‭ /api/test/3‬ |‬‭
‭ 200‬ |‬‭
‭ value3‬ |‬
‭

‭112‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Step Definitions‬

I‭ mplement step definitions in‬

src/test/java/com/yourcompany/yourproject/stepdefinitions/ApiStepDefinitions.java‬
‭ .‬
‭

package‬‭
‭ steps‬
;‬
‭

‭mport‬‭
i io.cucumber.java.en.‬
*;‬
‭
import‬‭
‭ model.ApiResponse‬
;‬
‭
import‬‭
‭ processor.ResponseProcessor‬
;‬
‭
import‬‭
‭ util.ApiClient‬
;‬
‭
import‬‭
‭ util.TestUtil‬
;‬
‭

public class‬‭
‭ ApiStepDefinitions‬‭
{‬

‭rivate‬‭
p String‬‭
endpoint‬
;‬
‭
private‬‭
‭ ApiResponse‬‭
apiResponse‬
;‬
‭

‭Given‬
@ (‭
‭"
‬I set up the API endpoint {string}"‬)‬
‭
public void‬‭
‭ i_set_up_the_api_endpoint‬
(‬
‭ String‬‭
‭ endpoint)‬‭
{‬
this‬
‭ .‭
‭e
‬ndpoint‬‭
= endpoint;‬
}‬
‭

‭When‬
@ (‭
‭"
‬I send a GET request"‬
)‬
‭
public void‬‭
‭ i_send_a_get_request‬
() {‬
‭
apiResponse‬‭
‭ =‬‭
ResponseProcessor‬
.‬
‭ processResponse‬
‭ (‬
‭ApiClient‬
‭ .‬
‭ get‬
‭ (‬
‭ endpoint‬
‭ ));‬
‭
}‬
‭

‭Then‬
@ (‭
‭"
‬the response status code should be {int}"‬ )‬
‭
public void‬‭
‭ the_response_status_code_should_be‬(‬
‭int‬‭
‭ statusCode) {‬
TestUtil‬
‭ .‬
‭assertStatusCode‬
‭ (‬
‭ apiResponse‬
‭ .getStatusCode(),‬‭
‭ statusCode);‬
}‬
‭

‭Then‬
@ (‭
‭"
‬the response should contain {string}"‬)‬
‭
public void‬‭
‭ the_response_should_contain‬(‬
‭String‬‭
‭ expectedValue) {‬
TestUtil‬
‭ .‬
‭assertResponseContains‬
‭ (‬
‭ apiResponse‬
‭ .getBody(),‬‭
‭ expectedValue);‬
}‬
‭
}‬
‭

‭Test Runner‬

‭ reate a test runner class in‬

C
src/test/java/com/yourcompany/yourproject/runners/TestRunner.java‬
‭ .‬
‭

package‬‭
‭ runners‬
;‬
‭

import‬‭
‭ org.junit.runner.‬
RunWith‬
‭ ;‬
‭

‭mport‬‭
i io.cucumber.‬
testng.AbstractTestNGCucumberTests;‬
‭
import‬‭
‭ io.cucumber.‬
testng.CucumberOptions;‬
‭

‭113‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

@CucumberOptions(‬
‭
features =‬‭
‭ "src/test/resources/features"‬
,‬
‭
glue =‬‭
‭ "steps"‬
)‬
‭
public class‬‭
‭ TestRunner‬‭
extends‬‭
AbstractTestNGCucumberTests‬‭
{‬
}‬
‭

‭Test Driver‬
‭ reate a test driver class if needed for custom test execution in‬
C
src/main/java/com/yourcompany/yourproject/driver/TestDriver.java‬
‭ .‬
‭

package‬‭
‭ driver‬
;‬
‭

public class‬‭
‭ TestDriver‬‭
{‬

public static void‬‭

‭ main‬
(‬
‭ String‬
‭ [] args) {‬
‭
// Custom test execution logic if needed‬
‭
}‬
‭
}‬
‭

‭114‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Common Interview Questions and Answers Related to Organizing a Test Framework‬

‭General Framework Design‬

‭1.‬ Q ‭ uestion:‬‭How would you design an API test framework‬‭using Cucumber?‬‭Answer:‬‭I would‬
‭design the framework by organizing the project structure into separate packages for features, step‬
‭definitions, and utilities. The features package would contain the Cucumber feature files written in‬
‭Gherkin syntax. The step definitions package would map Gherkin steps to Java methods,‬
‭leveraging libraries like RestAssured for API interactions. The utilities package would include‬
‭common helper classes, such as configuration managers and custom assertions.‬
‭2.‬ ‭Question:‬‭What are the benefits of using Cucumber‬‭for API testing?‬‭Answer:‬‭Cucumber allows for‬
‭Behavior-Driven Development (BDD), making test scenarios readable and understandable by‬
‭non-technical stakeholders. It facilitates collaboration between developers, testers, and business‬
‭analysts. The use of Gherkin syntax ensures that the test scenarios are written in plain language,‬
‭promoting clear communication of requirements and test cases.‬

‭Request and Response Handling‬

‭3.‬ Q ‭ uestion:‬‭How do you structure your request and response‬‭classes in a Cucumber-based API test‬
‭framework?‬‭Answer:‬‭I create model classes that represent‬‭the JSON payloads for requests and‬
‭responses. These model classes are used for serialization and deserialization using libraries like‬
‭Jackson or Gson. The step definitions interact with these model classes to send requests and‬
‭validate responses, ensuring a clean separation of concerns.‬
‭4.‬ ‭Question:‬‭How would you handle different HTTP methods‬‭(GET, POST, PUT, DELETE) in your‬
ApiClientUtil‬
f‭ ramework?‬‭Answer:‬‭I would create a utility class,‬‭such as‬‭ ‭, which provides‬
‭methods for different HTTP methods. Each method would use RestAssured to send the respective‬
‭HTTP request, passing necessary headers, query parameters, and body data. This utility class‬
‭would be reusable across different step definitions.‬

‭Exception Handling‬

‭5.‬ Q‭ uestion:‬‭How do you handle exceptions in your API‬‭test framework?‬‭Answer:‬‭I handle‬

‭exceptions by implementing custom exception classes and using try-catch blocks within the step‬
‭definitions and utility classes. Additionally, I use logging to capture detailed information about‬
‭exceptions for debugging purposes. Custom exception handling ensures that meaningful error‬
‭messages are provided, improving test maintainability and troubleshooting.‬
‭6.‬ ‭Question:‬ ‭Can‬ ‭you‬ ‭provide‬ ‭an‬ ‭example‬ ‭of‬ ‭how‬ ‭to‬ ‭implement‬ ‭custom‬ ‭exception‬ ‭handling‬ ‭in‬ ‭a‬
‭Cucumber step definition?‬‭Answer:‬‭Sure, here’s an‬‭example:‬

‭When(‬
@ "^I send a GET request to the endpoint‬‭
‭ \"‬
([^‬
‭ \"‬
‭ ]*)‬
‭ \"‬
‭ $"‬
‭ )‬
‭
public void‬‭
‭ sendGetRequest‬
(‬
‭ String‬‭
‭ endpoint) {‬
try‬‭
‭ {‬

‭115‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭esponse‬‭
R response‬‭
= ApiClientUtil.get(endpoint);‬
scenarioContext.setResponse(‬
‭ response‬
‭ );‬
‭
}‬‭
‭ catch‬‭
(‬
Exception‬‭
‭ e) {‬
LoggerUtil.logError(‬
‭ "Failed to send GET request"‬
‭ ,‬‭
‭ e);‬
throw new‬‭
‭ CustomException(‬
"Error occurred while‬‭
‭ sending GET request to "‬
+ endpoint, e);‬
‭
}‬
‭
}‬
‭

‭Configurations‬

‭7.‬ ‭Question:‬‭How do you manage different configurations‬‭(e.g., environment URLs, credentials) in‬
ConfigUtil‬
‭your test framework?‬‭Answer:‬‭I use a configuration‬‭utility class, such as‬‭ ‭, that loads‬
p config.properties‬
‭ roperties from a configuration file (e.g.,‬‭ ‭).‬‭This class provides methods to‬
‭retrieve configuration values, making it easy to manage environment-specific settings and‬
‭credentials.‬
‭8.‬ ‭Question:‬‭How would you load configuration properties‬‭dynamically in your tests?‬‭Answer:‬‭I load‬
‭configuration properties dynamically by reading the properties file at the start of the test execution.‬
‭ his can be done in a setup method annotated with‬‭
T @Before‬‭in Cucumber or using a static‬
‭initializer block in the configuration utility class. This ensures that the properties are available‬
‭throughout the test execution.‬

‭User Authentication‬

‭9.‬ ‭Question:‬‭How do you handle user authentication in‬‭your API tests?‬‭Answer:‬‭I handle user‬
a AuthUtil‬
‭ uthentication by creating a utility class, such as‬‭ ‭, that manages the generation and‬
‭management of authentication tokens. This class provides methods to obtain tokens for different‬
‭authentication types (e.g., Basic Auth, OAuth) and includes these tokens in the request headers as‬
‭needed.‬
‭10.‬ ‭Question:‬‭How would you manage different types of‬‭authentication (e.g., Basic Auth, OAuth) in‬
AuthUtil‬‭class for each‬
‭ our test framework?‬‭Answer:‬‭I create separate methods‬‭in the‬‭
y
‭authentication type. For Basic Auth, I encode the credentials and add them to the request headers.‬
‭For OAuth, I implement token retrieval and refresh logic. The step definitions call these methods to‬
‭include the appropriate authentication tokens in the API requests.‬

‭Processor and Models‬

‭11.‬ ‭Question:‬‭What role do model classes play in an API‬‭test framework?‬‭Answer:‬‭Model classes‬

‭represent the structure of the data being sent and received in API requests and responses. They‬
‭enable easy serialization and deserialization of JSON or XML payloads, ensuring that the data‬
‭structures are correctly handled and validated within the tests.‬
‭12.‬ ‭Question:‬‭How would you design a processor class to‬‭handle complex API responses?‬‭Answer:‬‭A‬
‭processor class would encapsulate logic for processing and validating complex API responses. This‬

‭116‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

c‭ lass would take the raw response as input, deserialize it into the corresponding model classes, and‬
‭perform necessary validation or transformation. This design promotes reusability and separation of‬
‭concerns.‬

‭Test Assertions‬

‭13.‬ ‭Question:‬‭What assertion libraries do you use in your‬‭test framework, and why?‬‭Answer:‬‭I use‬
‭assertion libraries like JUnit or TestNG for standard assertions and Hamcrest or AssertJ for more‬
‭expressive and readable assertions. These libraries provide a rich set of assertion methods that help‬
‭in writing clear and concise test validations.‬
‭14.‬ ‭Question:‬‭How do you implement custom assertions in‬‭your API tests?‬‭Answer:‬‭I implement‬
TestUtil‬
c‭ ustom assertions by creating utility methods in a class, such as‬‭ ‭. These methods‬
‭encapsulate complex validation logic, allowing reuse across multiple tests. Custom assertions‬
‭improve test readability and maintainability by abstracting repetitive validation logic.‬

‭Logger‬

‭15.‬ ‭Question:‬‭Why is logging important in an API test‬‭framework?‬‭Answer:‬‭Logging is important‬

‭because it provides detailed information about the test execution flow, including request and‬
‭response data, errors, and other significant events. This information is crucial for debugging and‬
‭troubleshooting issues that arise during testing.‬
‭16.‬ ‭Question:‬‭How do you integrate a logging framework‬‭(e.g., Log4j, SLF4J) into your‬
‭Cucumber-based test framework?‬‭Answer:‬‭I integrate‬‭a logging framework by including the‬
‭necessary dependencies in the project (e.g., Log4j or SLF4J). I then create a utility class, such as‬
‭oggerUtil‬
L ‭, that wraps the logging framework’s methods.‬‭This utility class is used throughout‬
‭the step definitions and utility classes to log messages.‬

‭Utilities‬

‭17.‬ ‭Question:‬‭What are some common utility classes you‬‭have created for your API test framework?‬
ConfigUtil‬‭for configuration management,‬
‭Answer:‬‭Common utility classes include‬‭
ApiClientUtil‬‭for sending API requests,‬‭
‭ AuthUtil‬‭for‬‭handling authentication,‬‭
LoggerUtil‬
TestUtil‬‭for custom assertions and‬‭test-related utilities.‬
f‭ or logging, and‬‭
‭18.‬ ‭Question:‬‭How do you manage reusable utility methods‬‭in your test framework?‬‭Answer:‬‭I‬
‭manage reusable utility methods by organizing them into dedicated utility classes. Each utility class‬
‭focuses on a specific area of functionality, such as configuration management or API requests. This‬
‭modular approach promotes code reuse and maintainability.‬

‭Test Execution‬

‭19.‬ ‭Question:‬‭How do you organize and execute your Cucumber‬‭tests?‬‭Answer:‬‭I organize my‬
src/test/resources‬‭directory and step‬
‭Cucumber tests by placing feature files in the‬‭
src/test/java‬‭directory. I use‬‭a Cucumber runner class annotated with‬
‭definitions in the‬‭

‭117‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭RunWith(Cucumber.class)‬‭to execute the tests. The runner class specifies the location of‬
@
‭feature files and step definitions.‬
‭20.‬ ‭Question:‬‭How do you run your tests in parallel, and‬‭what are the challenges associated with‬
‭parallel test execution?‬‭Answer:‬‭I run tests in parallel‬‭using tools like Cucumber-JVM Parallel‬
‭Plugin or JUnit’s parallel execution features. The challenges include managing shared resources,‬
‭ensuring thread safety, and handling test data dependencies. To address these challenges, I use‬
‭techniques like thread-local variables and isolate test data for each parallel test instance.‬

‭118‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Chapter 9‬

‭Continuous Integration and Continuous Deployment‬

‭(CI/CD) with API Testing‬

‭Continuous‬ ‭Integration‬ ‭(CI)‬ ‭and‬ ‭Continuous‬ ‭Deployment‬ ‭(CD)‬ ‭are‬ ‭key‬ ‭practices‬ ‭in‬ ‭modern‬ ‭software‬
‭ evelopment that help teams deliver code changes more frequently and reliably.‬
d

‭Introduction to CI/CD‬

‭ ontinuous‬ ‭Integration‬ ‭(CI)‬‭:‬ ‭Continuous‬ ‭Integration‬ ‭(CI)‬ ‭is‬ ‭a‬ ‭software‬ ‭development‬ ‭practice‬ ‭where‬
C
‭developers‬ ‭frequently‬ ‭commit‬ ‭code‬ ‭changes‬ ‭to‬ ‭a‬ ‭shared‬ ‭repository.‬ ‭Each‬ ‭commit‬ ‭triggers‬ ‭an‬ ‭automated‬
‭build‬‭and‬‭testing‬‭process,‬‭ensuring‬‭that‬‭the‬‭new‬‭code‬‭integrates‬‭smoothly‬‭with‬‭the‬‭existing‬‭codebase.‬‭The‬
‭goal‬ ‭of‬ ‭CI‬‭is‬‭to‬‭identify‬‭and‬‭fix‬‭integration‬‭issues‬‭early‬‭in‬‭the‬‭development‬‭cycle,‬‭improving‬‭code‬‭quality‬
‭and reducing the time to deliver new features.‬

‭ ontinuous‬ ‭Deployment‬ ‭(CD)‬‭:‬ ‭Continuous‬ ‭Deployment‬ ‭(CD)‬ ‭extends‬ ‭CI‬ ‭by‬ ‭automating‬ ‭the‬ ‭release‬ ‭of‬
C
‭code‬‭changes‬‭to‬‭production‬‭environments.‬‭Once‬‭the‬‭code‬‭passes‬‭all‬‭stages‬‭of‬‭testing‬‭in‬‭the‬‭CI‬‭pipeline,‬‭it‬‭is‬
‭automatically‬‭deployed‬‭to‬‭production.‬‭Continuous‬‭Deployment‬‭aims‬‭to‬‭minimize‬‭manual‬‭intervention‬‭and‬
‭accelerate the delivery of new features to users, maintaining high quality and reliability.‬

‭Importance of CI/CD for API Testing‬

‭ PI‬ ‭testing‬ ‭is‬ ‭crucial‬ ‭in‬ ‭ensuring‬ ‭that‬ ‭the‬ ‭communication‬ ‭between‬ ‭different‬‭software‬‭systems‬‭is‬‭reliable,‬
A
‭efficient, and secure. Integrating API testing into a CI/CD pipeline brings several benefits:‬

‭1.‬ E ‭ arly Detection of Issues‬‭: Automated API tests run‬‭with every code commit, identifying problems‬
‭early in the development cycle. This reduces the risk of deploying faulty APIs to production.‬
‭2.‬ ‭Consistency and Reliability‬‭: CI/CD ensures that API‬‭tests are executed consistently, leading to‬
‭more reliable and stable APIs. Automated tests can cover a wide range of scenarios and edge cases,‬
‭which might be missed during manual testing.‬
‭3.‬ ‭Faster Feedback Loop‬‭: Developers receive immediate‬‭feedback on the impact of their changes on‬
‭the API, allowing them to address issues promptly. This speeds up the development process and‬
‭reduces the time spent on debugging and fixing errors.‬
‭4.‬ ‭Improved Collaboration‬‭: CI/CD fosters better collaboration‬‭among development, QA, and‬
‭operations teams. Automated tests provide a common ground for verifying code quality, reducing‬
‭the chances of miscommunication and misunderstandings.‬
‭5.‬ ‭Scalability‬‭: As the number of APIs and their complexity‬‭grow, manual testing becomes impractical.‬
‭CI/CD pipelines can scale to handle large volumes of API tests, ensuring comprehensive coverage‬
‭without increasing manual effort.‬

‭119‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭6.‬ R ‭ egression Testing‬‭: Automated API tests ensure that new code changes do not break existing‬
‭functionality. Regression tests run automatically in the CI/CD pipeline, providing confidence that‬
‭the application remains stable over time.‬
‭7.‬ ‭Continuous Improvement‬‭: CI/CD pipelines facilitate‬‭continuous improvement by integrating new‬
‭tests and updating existing ones as the API evolves. This iterative approach helps maintain‬
‭high-quality APIs and adapts to changing requirements.‬
‭8.‬ ‭Reduced Deployment Risks‬‭: By automating the deployment‬‭process, CD reduces the risk of‬
‭human errors during releases. APIs are deployed to production only after passing all automated‬
‭tests, ensuring a higher level of reliability.‬
‭9.‬ ‭Enhanced Security‬‭: Automated API tests can include‬‭security tests to identify vulnerabilities and‬
‭ensure compliance with security standards. CI/CD pipelines can integrate tools for static and‬
‭dynamic analysis, improving the overall security posture of the API.‬

‭CD Tools‬

‭ D‬‭(Continuous‬‭Delivery)‬‭tools‬‭are‬‭software‬‭solutions‬‭designed‬‭to‬‭automate‬‭and‬‭streamline‬‭the‬‭process‬‭of‬
C
‭delivering‬ ‭software‬ ‭updates‬ ‭and‬ ‭features‬ ‭to‬ ‭production‬ ‭environments.‬ ‭They‬ ‭help‬ ‭teams‬ ‭build,‬ ‭test,‬ ‭and‬
‭deploy code more efficiently and reliably. Here are some popular CD tools:‬

‭Jenkins‬

‭Pros:‬

‭1.‬ O ‭ pen Source and Free:‬‭Jenkins is open-source and free‬‭to use, making it accessible for all types of‬
‭organizations.‬
‭2.‬ ‭Extensive Plugin Ecosystem:‬‭Jenkins has a vast plugin‬‭ecosystem, allowing integration with many‬
‭other tools and services.‬
‭3.‬ ‭Highly Customizable:‬‭Due to its open-source nature,‬‭Jenkins can be customized to meet almost any‬
‭CI/CD requirement.‬
‭4.‬ ‭Large Community Support:‬‭Jenkins has a large, active‬‭community that contributes to its plugins‬
‭and provides support.‬

‭Cons:‬

‭1.‬ C ‭ omplex Setup and Maintenance:‬‭Jenkins requires manual‬‭setup and ongoing maintenance, which‬
‭can be time-consuming.‬
‭2.‬ ‭Steep Learning Curve:‬‭The configuration and management‬‭of Jenkins can be complex, especially‬
‭for beginners.‬
‭3.‬ ‭Performance Issues:‬‭Jenkins can experience performance‬‭issues when scaling, especially with large‬
‭pipelines.‬
‭4.‬ ‭User Interface:‬‭The UI is considered outdated compared‬‭to newer CI/CD tools.‬

‭GitLab CI/CD‬

‭Pros:‬

‭120‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭1.‬ I‭ ntegrated with GitLab:‬‭GitLab CI/CD is integrated with GitLab, providing a seamless experience‬
‭from code repository to CI/CD.‬
‭2.‬ ‭Ease of Use:‬‭GitLab CI/CD is easier to set up and‬‭use compared to Jenkins, with a more modern UI.‬
‭3.‬ ‭Built-in Features:‬‭GitLab offers a wide range of built-in‬‭features such as version control, issue‬
‭tracking, and CI/CD.‬
‭4.‬ ‭Auto DevOps:‬‭GitLab provides Auto DevOps, which automates‬‭CI/CD pipeline creation for‬
‭common use cases.‬

‭Cons:‬

‭1.‬ R ‭ esource Intensive:‬‭Running GitLab CI/CD, especially‬‭on self-hosted instances, can be‬
‭resource-intensive.‬
‭2.‬ ‭Complexity for Advanced Use Cases:‬‭While GitLab CI/CD‬‭is easy to start with, complex pipelines‬
‭and integrations can become challenging.‬
‭3.‬ ‭Cost:‬‭While GitLab offers free tiers, advanced features,‬‭and larger pipelines may require a paid‬
‭subscription.‬
‭4.‬ ‭Runner Management:‬‭Managing GitLab Runners for CI/CD‬‭can be cumbersome, especially at‬
‭scale.‬

‭AWS CodePipeline‬

‭Pros:‬

‭1.‬ I‭ ntegration with AWS Services:‬‭AWS CodePipeline integrates‬‭seamlessly with other AWS services,‬
‭making it ideal for AWS-centric environments.‬
‭2.‬ ‭Scalability:‬‭As a managed service, AWS CodePipeline‬‭scales automatically based on the workload.‬
‭3.‬ ‭Pay-as-You-Go:‬‭Pricing is based on usage, which can‬‭be cost-effective for smaller projects.‬
‭4.‬ ‭Security and Compliance:‬‭AWS provides strong security‬‭features and compliance with various‬
‭standards.‬

‭Cons:‬

‭1.‬ A ‭ WS Lock-in:‬‭Using AWS CodePipeline can lead to vendor‬‭lock-in, as it’s deeply integrated with‬
‭AWS services.‬
‭2.‬ ‭Learning Curve:‬‭Familiarity with AWS services and‬‭concepts is required to effectively use‬
‭CodePipeline.‬
‭3.‬ ‭Less Flexibility:‬‭Compared to Jenkins, AWS CodePipeline‬‭has fewer customization options and a‬
‭smaller ecosystem of plugins.‬
‭4.‬ ‭Cost for Larger Pipelines:‬‭Costs can accumulate quickly‬‭for larger projects or more complex‬
‭pipelines, especially if additional AWS services are required.‬

‭Travis CI‬

‭ ravis‬‭CI‬‭is‬‭a‬‭continuous‬‭integration‬‭service‬‭used‬‭to‬‭build‬‭and‬‭test‬‭software‬‭projects‬‭hosted‬‭on‬‭GitHub‬‭and‬
T
‭Bitbucket. Here are some pros and cons of using Travis CI:‬

‭121‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Pros‬

‭1.‬ E‭ ase‬ ‭of‬ ‭Use:‬ ‭Travis‬ ‭CI‬ ‭is‬ ‭straightforward‬ ‭to‬ ‭set‬ ‭up‬ ‭and‬‭use,‬‭especially‬‭for‬‭open-source‬‭projects.‬‭It‬
‭integrates seamlessly with GitHub and Bitbucket repositories.‬
‭2.‬ C ‭ onfiguration‬‭as‬‭Code:‬‭Configuring‬‭builds‬‭is‬‭done‬‭via‬‭a‬‭.travis.yml‬‭file,‬‭which‬‭is‬‭stored‬‭in‬‭the‬
‭repository. This makes it easy to version and review build configurations.‬
‭3.‬ ‭Language‬ ‭Support:‬ ‭Travis‬ ‭CI‬ ‭supports‬ ‭a‬ ‭wide‬‭range‬‭of‬‭programming‬‭languages‬‭and‬‭frameworks,‬
‭including JavaScript, Ruby, Python, PHP, Java, Go, and more.‬
‭4.‬ ‭Free‬ ‭for‬ ‭Open‬ ‭Source:‬ ‭Travis‬ ‭CI‬ ‭offers‬ ‭free‬ ‭unlimited‬ ‭builds‬ ‭for‬ ‭open-source‬ ‭projects,‬ ‭which‬ ‭is‬ ‭a‬
‭significant advantage for the open-source community.‬
‭5.‬ ‭Extensive‬ ‭Documentation:‬ ‭Travis‬ ‭CI‬ ‭provides‬ ‭comprehensive‬ ‭documentation‬ ‭and‬ ‭a‬ ‭robust‬
‭community, making it easier to find solutions to common issues.‬
‭6.‬ ‭Third-Party‬ ‭Integrations:‬ ‭It‬ ‭integrates‬ ‭well‬ ‭with‬ ‭other‬ ‭tools‬ ‭and‬ ‭services,‬ ‭such‬ ‭as‬‭Slack,‬‭HipChat,‬
‭and email for notifications, and can deploy to various cloud services.‬
‭7.‬ ‭Parallel‬ ‭Testing:‬ ‭Travis‬ ‭CI‬ ‭allows‬ ‭running‬ ‭multiple‬ ‭builds‬ ‭in‬ ‭parallel,‬ ‭which‬ ‭can‬ ‭speed‬ ‭up‬‭the‬‭CI‬
‭process significantly.‬

‭Cons‬

‭1.‬ L ‭ imited‬ ‭Free‬ ‭Plan‬ ‭for‬ ‭Private‬ ‭Repositories:‬ ‭For‬ ‭private‬ ‭repositories,‬ ‭the‬ ‭free‬ ‭plan‬ ‭has‬ ‭limitations,‬
‭and higher usage requires a paid subscription.‬
‭2.‬ ‭Build‬‭Speed:‬‭Build‬‭times‬‭can‬‭sometimes‬‭be‬‭slower‬‭compared‬‭to‬‭other‬‭CI‬‭services,‬‭especially‬‭during‬
‭peak times for free users.‬
‭3.‬ C ‭ omplex‬ ‭Configuration:‬ ‭While‬ ‭ .travis.yml‬‭is‬ ‭powerful,‬ ‭it‬ ‭can‬ ‭become‬ ‭complex‬ ‭and‬ ‭hard‬ ‭to‬
‭manage for larger projects with many dependencies and build steps.‬
‭4.‬ ‭Resource‬ ‭Limitations:‬ ‭There‬ ‭are‬ ‭limitations‬ ‭on‬ ‭build‬ ‭times‬ ‭and‬ ‭resources‬ ‭(CPU,‬‭memory)‬‭for‬‭free‬
‭plans, which can be restrictive for resource-intensive projects.‬
‭5.‬ ‭Lack‬ ‭of‬ ‭Advanced‬ ‭Features:‬ ‭Compared‬ ‭to‬ ‭some‬ ‭newer‬ ‭CI/CD‬ ‭tools,‬ ‭Travis‬ ‭CI‬ ‭may‬ ‭lack‬ ‭some‬
‭advanced‬ ‭features‬ ‭and‬ ‭flexibility,‬ ‭such‬ ‭as‬ ‭more‬ ‭sophisticated‬ ‭deployment‬ ‭workflows‬ ‭or‬ ‭more‬
‭granular control over build environments.‬
‭6.‬ ‭Vendor‬ ‭Lock-In:‬ ‭As‬ ‭with‬ ‭any‬‭CI‬‭service,‬‭there‬‭can‬‭be‬‭some‬‭level‬‭of‬‭vendor‬‭lock-in.‬‭Migrating‬‭to‬‭a‬
‭different‬ ‭CI/CD‬ ‭platform‬ ‭can‬ ‭be‬ ‭time-consuming‬ ‭and‬ ‭require‬ ‭significant‬ ‭changes‬ ‭to‬ ‭the‬ ‭build‬
‭configuration.‬

‭CircleCI‬

‭Pros:‬

‭1.‬ E ‭ ase of Use‬‭: CircleCI is user-friendly with an intuitive‬‭interface, making it easy for new users to get‬
‭started quickly.‬
‭2.‬ ‭Scalability‬‭: Offers excellent scalability options,‬‭allowing teams to run a large number of parallel‬
‭jobs.‬
‭3.‬ ‭Integration‬‭: Integrates well with many third-party‬‭tools and services like GitHub, Bitbucket,‬
‭Docker, and more.‬

‭122‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭ .‬ C
4 ‭ ustomization‬‭: Highly configurable pipelines with support for custom scripts and workflows.‬
‭5.‬ ‭Cloud and On-Premises‬‭: Provides both cloud-based and‬‭self-hosted solutions, giving flexibility‬
‭based on the team's needs.‬

‭Cons:‬

‭ .‬ P
1 ‭ ricing‬‭: Can get expensive, especially for larger‬‭teams or projects with high concurrency needs.‬
‭2.‬ ‭Configuration Complexity‬‭: YAML-based configuration‬‭files can become complex and difficult to‬
‭manage for very large projects.‬
‭3.‬ ‭Support‬‭: Users sometimes report slow support response‬‭times.‬

‭Bamboo‬

‭Pros:‬

‭1.‬ I‭ ntegration with Atlassian Suite‬‭: Seamlessly integrates‬‭with other Atlassian products like Jira and‬
‭Bitbucket, providing a cohesive development environment.‬
‭2.‬ ‭Deployment Projects‬‭: Offers robust deployment projects‬‭that allow for complex release‬
‭management.‬
‭3.‬ ‭Customizable Agents‬‭: Allows customization of build‬‭agents to fit specific needs.‬
‭4.‬ ‭Flexibility‬‭: Highly flexible in terms of configurations‬‭and scripting languages.‬

‭Cons:‬

‭ .‬
1 ‭ ser Interface‬‭: The UI can be less intuitive compared‬‭to other modern CI/CD tools.‬
U
‭2.‬ ‭Performance‬‭: Some users report performance issues,‬‭particularly with larger builds.‬
‭3.‬ ‭Cost‬‭: Requires a license, which can be costly, particularly‬‭for small teams or startups.‬
‭4.‬ ‭Resource Intensive‬‭: Self-hosted solution can require‬‭significant resources and maintenance.‬

‭GitHub Actions‬

‭Pros:‬

‭1.‬ I‭ ntegration with GitHub‬‭: Provides seamless integration‬‭with GitHub repositories, making it easy‬
‭to set up and manage CI/CD pipelines directly within the platform.‬
‭2.‬ ‭Flexibility and Customization‬‭: Highly flexible with‬‭a wide range of pre-built actions and the‬
‭ability to create custom actions.‬
‭3.‬ ‭Community and Marketplace‬‭: Large community and extensive‬‭marketplace with reusable‬
‭workflows and actions.‬
‭4.‬ ‭Cost‬‭: Offers a generous free tier, particularly beneficial‬‭for open-source projects.‬
‭5.‬ ‭Ease of Use‬‭: Simple to get started with GitHub’s YAML-based‬‭workflows.‬

‭Cons:‬

‭123‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭1.‬ C ‭ omplex Workflows‬‭: Managing complex workflows can become challenging, especially with‬
‭extensive YAML configurations.‬
‭2.‬ ‭Limited to GitHub‬‭: Primarily designed for GitHub repositories,‬‭so it might not be the best fit for‬
‭teams using other VCS platforms.‬
‭3.‬ ‭Performance‬‭: Some users report slow performance on‬‭the free tier, particularly for‬
‭resource-intensive tasks.‬
‭4.‬ ‭Support‬‭: Support can be limited, with users relying‬‭heavily on community resources for‬
‭troubleshooting.‬

‭Step-by-Step Guide to Setting Up a Basic CI Pipeline with Maven and BDD‬

‭1. Connecting to a VCS‬

‭Version Control Systems (VCS): Importance in CI‬

‭●‬ C ‭ ollaboration‬‭: VCS like Git enables multiple developers‬‭to work on the same codebase‬
‭simultaneously, facilitating team collaboration and reducing conflicts.‬
‭●‬ ‭History and Tracking‬‭: It maintains a complete history‬‭of all changes, allowing developers to track‬
‭modifications, identify contributors, and understand the context of changes.‬
‭●‬ ‭Branching and Merging‬‭: VCS supports branching, enabling‬‭developers to work on features or fixes‬
‭in isolation and merge them back into the main codebase when ready.‬
‭●‬ ‭Backup and Recovery‬‭: VCS acts as a backup system,‬‭allowing the recovery of previous versions of‬
‭the codebase in case of errors or issues.‬
‭●‬ ‭Integration with CI Tools‬‭: CI tools use VCS to trigger‬‭automated builds and tests whenever‬
‭changes are committed, ensuring continuous integration and delivery.‬
‭●‬ ‭Example with GitHub‬‭:‬
‭○‬ ‭Create a new repository on GitHub.‬
‭○‬ ‭Push your local repository to GitHub using the remote URL provided.‬

‭2. Setting Up Your Maven Project for BDD‬

‭Ensure your Maven project is configured for BDD. This typically involves adding dependencies for‬
pom.xml‬‭file.‬
‭Cucumber and JUnit in your‬‭

<‭
‭p
‬roject‬‭
xmlns‬
="http://maven.apache.org/POM/4.0.0"‬
‭
xmlns:‬
‭ xsi‬
‭ ="http://www.w3.org/2001/XMLSchema-instance"‬
‭
xsi‬
‭ :schemaLocation‬
‭ ="http://maven.apache.org/POM/4.0.0‬
‭
http://maven.apache.org/maven-v4_0_0.xsd"‬
‭ >‬
‭
<‭
‭m
‬odelVersion‬
>4.0.0</‬
‭ modelVersion‬
‭ >‬
‭
<‭
‭g
‬roupId‬
>com.example</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>bdd-api-automation</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>1.0-SNAPSHOT</‬
‭ version‬
‭ >‬
‭

<‭
‭d
‬ependencies‬
>‬
‭
<!-- TestNG Dependency -->‬
‭

‭124‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>org.testng</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>testng</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>7.4.0</‬
‭ version‬
‭ >‬
‭
<‭
‭s
‬cope‬
>test</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- Rest Assured Dependency -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>io.rest-assured</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>rest-assured</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>4.3.3</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- Cucumber Dependencies -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>io.cucumber</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>cucumber-java</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>6.10.4</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>io.cucumber</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>cucumber-testng</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>6.10.4</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- JSON Schema Validator Dependency -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>io.rest-assured</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>json-schema-validator</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>4.3.3</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>org.testng</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>testng</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>7.4.0</‬
‭ version‬
‭ >‬
‭
<‭
‭s
‬cope‬
>compile</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- JUnit for running tests -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>junit</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>junit</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>4.13.2</‬
‭ version‬
‭ >‬
‭
<‭
‭s
‬cope‬
>test</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<!-- Logging -->‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>org.slf4j</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>slf4j-api</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>1.7.30</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>org.slf4j</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>slf4j-simple</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>1.7.30</‬
‭ version‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>junit</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>junit</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>4.13.1</‬
‭ version‬
‭ >‬
‭

‭125‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

<‭
‭s
‬cope‬>compile</‬
‭ scope‬
‭ >‬
‭
‭/‬
< dependency‬
‭ >‬
‭
</‬
‭ dependencies‬
‭ >‬
‭
<‭
‭p
‬roperties‬
>‬
‭
<‭
‭m
‬aven.compiler.source‬ >17</‬
‭ maven.compiler.source‬
‭ >‬
‭
<‭
‭m
‬aven.compiler.target‬ >17</‬
‭ maven.compiler.target‬
‭ >‬
‭
</‬
‭ properties‬
‭ >‬
‭
<‭
‭b
‬uild‬
>‬
‭
<‭
‭p
‬lugins‬
>‬
‭
<‭
‭p
‬lugin‬>‬
‭
<‬
‭ groupId‬
‭ >org.apache.maven.plugins</‬
‭ groupId‬
‭ >‬
‭
<‬
‭ artifactId‬
‭ >maven-surefire-plugin</‬
‭ artifactId‬
‭ >‬
‭
<‬
‭ version‬
‭ >3.0.0-M5</‬
‭ version‬
‭ >‬
‭
<‬
‭ configuration‬
‭ >‬
‭
<‬
‭ includes‬
‭ >‬
‭
<‬
‭ include‬
‭ >**/runners/RunCucumberTest.java</‬
‭ include‬
‭ >‬
‭
</‬
‭ includes‬
‭ >‬
‭
</‬
‭ configuration‬
‭ >‬
‭
</‬
‭ plugin‬
‭ >‬
‭
</‬
‭ plugins‬
‭ >‬
‭
</‬
‭ build‬
‭ >‬
‭
</‬
‭ project‬
‭ >‬
‭

‭3. Creating Feature Files and Step Definitions‬

src/test/resources‬‭directory and your step definitions in the‬

‭Create your feature files in the‬‭
src/test/java‬‭directory.‬
‭

‭Example Feature File (‬‭

src/test/resources/features/api.feature‬
‭):‬
Feature‬
‭ : API Testing‬
‭

Scenario‬
‭ : Get user details‬
‭
Given‬‭
‭ I set the API endpoint to "/user"‬
When‬‭
‭ I send a GET request‬
Then‬‭
‭ I should receive a 200 status code‬
And‬‭
‭ the response should contain user details‬

‭Example Step Definitions (‬‭

src/test/java/steps/APISteps.java‬
‭):‬

package‬‭
‭ steps‬
;‬
‭

‭mport‬‭
i io.cucumber.java.en.‬
Given‬
‭ ;‬
‭
import‬‭
‭ io.cucumber.java.en.‬
Then‬
‭ ;‬
‭
import‬‭
‭ io.cucumber.java.en.‬
When‬
‭ ;‬
‭
import static‬‭
‭ org.hamcrest.MatcherAssert‬.‬
‭assertThat‬
‭ ;‬
‭
import static‬‭
‭ org.hamcrest.Matchers‬
.‭
‭ e
‬qualTo‬
;‬
‭

‭126‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭mport‬‭
i io.restassured.RestAssured‬
;‬
‭
import‬‭
‭ io.restassured.response.Response‬
;‬
‭

public class‬‭
‭ APISteps‬‭
{‬
private‬‭
‭ Response‬‭
response‬
;‬
‭

‭Given‬
@ (‭
‭"
‬I set the API endpoint to {string}"‬
)‬
‭
public void‬‭
‭ i_set_the_API_endpoint_to(String endpoint)‬‭
{‬
RestAssured.baseURI =‬‭
‭ "https://api.example.com"‬‭
+ endpoint;‬
}‬
‭

‭When(‬
@ "I send a GET request"‬
‭ )‬
‭
public void‬‭
‭ i_send_a_GET_request() {‬
response = RestAssured.get();‬
‭
}‬
‭

‭Then(‬
@ "I should receive a {int} status code"‬
‭ )‬
‭
public void‬‭
‭ i_should_receive_a_status_code(‬
int‬‭
‭ statusCode) {‬
assertThat(response.getStatusCode(), equalTo(statusCode));‬
‭
}‬
‭

‭Then(‬
@ "the response should contain user details"‬
‭ )‬
‭
public void‬‭
‭ the_response_should_contain_user_details()‬‭
{‬
// Add assertions to verify the response body‬
‭
}‬
‭
}‬
‭

‭Example Test Runner (‬‭

src/test/java/RunCucumberTest.java‬
‭):‬

‭mport‬‭
i org.junit.runner.‬
RunWith‬
‭ ;‬
‭
import‬‭
‭ io.cucumber.‬
junit.Cucumber;‬
‭
import‬‭
‭ io.cucumber.‬
junit.CucumberOptions;‬
‭

‭RunWith‬
@ (Cucumber.‬
‭ class‬
‭ )‬
‭
@CucumberOptions(features =‬‭
‭ "src/test/resources/features"‬
,‬‭
‭ glue =‬‭
"steps"‬
)‬
‭
public class‬‭
‭ RunCucumberTest‬‭
{‬
}‬
‭

‭127‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭4. Configuring the CI Pipeline‬

‭1.‬ ‭Create a Workflow File‬‭:‬

.github/workflows‬
‭○‬ ‭In your repository, create a directory‬‭ ‭.‬
ci.yml‬‭in this directory.‬
‭ ‬ ‭Create a file‬‭
○
‭2.‬ ‭Define the Workflow‬‭:‬

name‬
‭ : CI/CD Pipeline‬
‭

‭n‬
o :‬
‭
push‬
‭ :‬
‭
branches‬
‭ :‬
‭
- master‬
‭
pull_request‬
‭ :‬
‭
branches‬
‭ :‬
‭
- master‬
‭

‭obs‬
j :‬
‭
build‬
‭ :‬
‭
runs-on‬
‭ : ubuntu-latest‬
‭

steps‬
‭ :‬
‭
-‬‭
‭ name‬
: Checkout code‬
‭
uses‬
‭ : actions/checkout@v2‬
‭

-‬‭
‭ name‬
: Set up JDK 17‬
‭
uses‬
‭ : actions/setup-java@v2‬
‭
with‬
‭ :‬
‭
distribution‬
‭ :‬‭
‭ 'temurin'‬
java-version‬
‭ :‬‭
‭ '17'‬

-‬‭
‭ name‬
: Cache Maven packages‬
‭
uses‬
‭ : actions/cache@v2‬
‭
with‬
‭ :‬
‭
path‬
‭ : ~/.m2/repository‬
‭
key‬
‭ : ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml')‬‭
‭ }}‬
restore-keys‬
‭ : ${{ runner.os }}-maven‬
‭

-‬‭
‭ name‬: Build with Maven‬
‭
run‬
‭ : mvn clean install --no-transfer-progress‬
‭

-‬‭
‭ name‬: Run tests‬
‭
run‬
‭ : mvn test --no-transfer-progress‬
‭

-‬‭
‭ name‬
: Archive test results‬
‭
if‬
‭ : always()‬
‭
uses‬
‭ : actions/upload-artifact@v2‬
‭
with‬
‭ :‬
‭
name‬
‭ : test-results‬
‭
path‬
‭ : target/surefire-reports/*.xml‬
‭

deploy‬
‭ :‬
‭
needs‬
‭ : build‬
‭
runs-on‬
‭ : ubuntu-latest‬
‭
if‬
‭ : github.ref == 'refs/heads/master'‬
‭

‭128‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

steps‬
‭ :‬
‭
-‬‭
‭ name‬
: Checkout code‬
‭
uses‬
‭ : actions/checkout@v2‬
‭

-‬‭
‭ name‬
: Set up JDK 17‬
‭
uses‬
‭ : actions/setup-java@v2‬
‭
with‬
‭ :‬
‭
distribution‬
‭ :‬‭
‭ 'temurin'‬
java-version‬
‭ :‬‭
‭ '17'‬

-‬‭
‭ name‬: Deploy to production‬
‭
run‬
‭ : echo "Deploying to production..."‬
‭
# Add your deployment steps here‬
‭

‭5. Running Automated Tests‬

‭●‬ ‭Example in the Workflow File‬‭:‬

‭‬‭
- name‬
: Run tests‬
‭
run‬
‭ : mvn test --no-transfer-progress‬
‭

‭6. Handling Build Artifacts‬

‭●‬ ‭Example with GitHub Actions‬‭:‬

‭‬‭
- name‬
: Archive test results‬
‭
if‬
‭ : always()‬
‭
uses‬
‭ : actions/upload-artifact@v2‬
‭
with‬
‭ :‬
‭
name‬
‭ : test-results‬
‭
path‬
‭ : target/surefire-reports/*.xml‬
‭

‭129‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭7. Push your code to GitHub‬

‭After making changes, you can push your changes to Git Hub.‬

‭Here is the sample PR‬

‭https://github.com/Lamhot/api-bdd-testing/pull/1‬

‭130‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭Common Interview Questions and Answers Related to CI/CD‬

‭1. What is CI/CD?‬

‭ nswer:‬
A
‭CI/CD‬ ‭stands‬ ‭for‬ ‭Continuous‬ ‭Integration‬ ‭and‬‭Continuous‬‭Deployment‬‭(or‬‭Continuous‬‭Delivery).‬‭CI‬‭is‬‭a‬
‭development‬‭practice‬‭where‬‭developers‬‭integrate‬‭code‬‭into‬‭a‬‭shared‬‭repository‬‭frequently.‬‭Each‬‭integration‬
‭is‬ ‭verified‬ ‭by‬ ‭an‬ ‭automated‬ ‭build‬ ‭and‬ ‭automated‬ ‭tests.‬ ‭CD‬ ‭is‬ ‭the‬ ‭next‬ ‭step,‬ ‭where‬ ‭code‬ ‭changes‬ ‭are‬
‭automatically built, tested, and deployed to production.‬

‭2. Why is CI/CD important?‬

‭ nswer:‬
A
‭CI/CD‬ ‭helps‬ ‭ensure‬ ‭code‬ ‭quality,‬ ‭reduce‬ ‭bugs,‬‭and‬‭improve‬‭software‬‭delivery‬‭speed.‬‭By‬‭automating‬‭the‬
‭build,‬ ‭test,‬ ‭and‬ ‭deployment‬ ‭processes,‬ ‭teams‬ ‭can‬ ‭catch‬ ‭issues‬ ‭early‬‭and‬‭deliver‬‭updates‬‭more‬‭frequently‬
‭and reliably.‬

‭3. What tools are commonly used for CI/CD?‬

‭ nswer:‬
A
‭Common‬ ‭tools‬ ‭include‬ ‭Jenkins,‬ ‭Travis‬ ‭CI,‬ ‭CircleCI,‬ ‭GitLab‬ ‭CI,‬ ‭Bamboo,‬ ‭and‬ ‭Azure‬ ‭DevOps‬ ‭for‬ ‭CI/CD,‬
‭along with Docker and Kubernetes for containerization and orchestration.‬

‭4. What is containerization, and how does it relate to CI/CD?‬

‭ nswer:‬
A
‭Containerization‬ ‭involves‬ ‭packaging‬ ‭an‬ ‭application‬ ‭and‬ ‭its‬ ‭dependencies‬ ‭into‬ ‭a‬ ‭container‬ ‭that‬ ‭can‬ ‭run‬
‭consistently‬ ‭across‬ ‭different‬ ‭environments.‬ ‭Tools‬ ‭like‬ ‭Docker‬ ‭are‬ ‭used‬ ‭in‬ ‭CI/CD‬ ‭pipelines‬ ‭to‬ ‭ensure‬
‭consistent deployment and simplify scaling and orchestration.‬

‭5. How do you measure the success of a CI/CD pipeline?‬

‭ nswer:‬
A
‭Success‬ ‭can‬ ‭be‬ ‭measured‬ ‭by‬ ‭metrics‬ ‭such‬ ‭as‬ ‭build‬ ‭frequency,‬ ‭build‬ ‭success‬ ‭rate,‬ ‭deployment‬ ‭frequency,‬
‭mean‬ ‭time‬ ‭to‬ ‭recovery‬ ‭(MTTR),‬ ‭and‬ ‭lead‬ ‭time‬ ‭for‬ ‭changes.‬ ‭Monitoring‬ ‭these‬ ‭metrics‬ ‭helps‬ ‭identify‬
‭bottlenecks and improve the pipeline.‬

‭6. What are some common challenges in implementing CI/CD?‬

‭ nswer:‬
A
‭Challenges‬ ‭include‬ ‭integrating‬ ‭various‬ ‭tools,‬ ‭managing‬ ‭complex‬ ‭dependencies,‬ ‭handling‬ ‭environment‬
‭differences,‬ ‭ensuring‬ ‭test‬‭coverage‬‭and‬‭reliability,‬‭and‬‭dealing‬‭with‬‭cultural‬‭and‬‭organizational‬‭resistance‬
‭to change.‬

‭7. How do you ensure quality in a CI/CD pipeline?‬

‭131‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭ nswer:‬
A
‭Ensure‬ ‭quality‬ ‭by‬ ‭implementing‬ ‭comprehensive‬ ‭automated‬ ‭testing,‬ ‭including‬ ‭unit,‬ ‭integration,‬ ‭and‬
‭acceptance‬ ‭tests.‬ ‭Incorporate‬ ‭static‬ ‭code‬ ‭analysis,‬ ‭code‬ ‭reviews,‬ ‭and‬ ‭continuous‬ ‭monitoring.‬ ‭Regularly‬
‭review and improve pipeline configurations and processes.‬

‭8. How would you integrate API tests into a CI/CD pipeline?‬

‭ nswer:‬
A
‭API‬‭tests‬‭can‬‭be‬‭integrated‬‭into‬‭a‬‭CI/CD‬‭pipeline‬‭using‬‭tools‬‭like‬‭Jenkins‬‭or‬‭GitLab‬‭CI‬‭by‬‭defining‬‭steps‬‭in‬
‭the‬ ‭pipeline‬ ‭configuration‬ ‭file‬ ‭to‬‭run‬‭the‬‭tests‬‭automatically‬‭after‬‭the‬‭build‬‭phase.‬‭This‬‭can‬‭include‬‭using‬
‭testing frameworks like Postman, Newman, or RestAssured.‬

‭9. What is the purpose of a build pipeline?‬

‭ nswer:‬
A
‭A‬ ‭build‬ ‭pipeline‬ ‭automates‬ ‭the‬ ‭process‬ ‭of‬ ‭building,‬ ‭testing,‬ ‭and‬ ‭deploying‬ ‭code.‬ ‭It‬ ‭ensures‬ ‭that‬ ‭code‬
‭changes‬‭are‬‭consistently‬‭integrated,‬‭tested,‬‭and‬‭delivered,‬‭helping‬‭to‬‭catch‬‭issues‬‭early‬‭and‬‭streamline‬‭the‬
‭development process.‬

‭10. What are the common stages in a CI/CD pipeline?‬

‭ nswer:‬
A
‭Common stages include:‬

‭‬
● ‭ ource‬‭: Code is committed and pushed to a version‬‭control system.‬
S
‭●‬ ‭Build‬‭: Code is compiled and built.‬
‭●‬ ‭Test‬‭: Automated tests are run.‬
‭●‬ ‭Deploy‬‭: Code is deployed to staging/production environments.‬
‭●‬ ‭Monitor‬‭: The deployed application is monitored for‬‭issues.‬

‭11. How do you ensure the security of APIs in CI/CD?‬

‭ nswer:‬
A
‭Ensure‬‭API‬‭security‬‭by‬‭incorporating‬‭security‬‭testing‬‭into‬‭the‬‭CI/CD‬‭pipeline.‬‭This‬‭can‬‭include‬‭using‬‭tools‬
‭for‬‭vulnerability‬‭scanning,‬‭static‬‭code‬‭analysis,‬‭and‬‭running‬‭security‬‭tests‬‭to‬‭identify‬‭and‬‭fix‬‭security‬‭issues‬
‭early in the development process.‬

‭12. What is continuous testing?‬

‭ nswer:‬
A
‭Continuous‬ ‭testing‬ ‭involves‬ ‭running‬ ‭automated‬ ‭tests‬ ‭throughout‬ ‭the‬ ‭software‬ ‭development‬ ‭lifecycle.‬ ‭It‬
‭aims‬ ‭to‬ ‭provide‬ ‭rapid‬ ‭feedback‬ ‭on‬ ‭the‬‭quality‬‭of‬‭the‬‭code,‬‭ensuring‬‭that‬‭new‬‭code‬‭changes‬‭do‬‭not‬‭break‬
‭existing functionality.‬

‭13. What is the difference between unit testing and integration testing in the context of APIs?‬

‭132‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭ nswer:‬
A
‭Unit‬ ‭testing‬ ‭focuses‬ ‭on‬ ‭testing‬ ‭individual‬ ‭components‬ ‭or‬ ‭functions‬ ‭in‬ ‭isolation.‬ ‭Integration‬ ‭testing‬
‭examines‬ ‭how‬ ‭different‬ ‭components‬ ‭or‬ ‭services‬ ‭work‬ ‭together,‬ ‭ensuring‬ ‭they‬ ‭interact‬ ‭correctly‬ ‭and‬
‭produce the expected outcomes.‬

‭14. What is the role of a version control system in CI/CD?‬

‭ nswer:‬
A
‭A‬‭version‬‭control‬‭system‬‭(VCS)‬‭like‬‭Git‬‭allows‬‭multiple‬‭developers‬‭to‬‭work‬‭on‬‭code‬‭simultaneously‬‭while‬
‭keeping‬ ‭track‬ ‭of‬ ‭changes.‬ ‭It‬ ‭is‬ ‭integral‬ ‭to‬ ‭CI/CD‬‭as‬‭it‬‭triggers‬‭pipeline‬‭actions‬‭(like‬‭build‬‭and‬‭test)‬‭upon‬
‭code commits or pull requests.‬

‭15. What is a rollback in the context of CI/CD?‬

‭ nswer:‬
A
‭A‬ ‭rollback‬ ‭is‬ ‭the‬ ‭process‬ ‭of‬ ‭reverting‬ ‭to‬ ‭a‬ ‭previous‬ ‭stable‬ ‭version‬ ‭of‬ ‭the‬ ‭application‬ ‭in‬ ‭case‬ ‭the‬ ‭current‬
‭deployment‬ ‭causes‬ ‭issues.‬ ‭Automated‬ ‭rollback‬ ‭strategies‬ ‭can‬ ‭be‬ ‭part‬ ‭of‬ ‭a‬ ‭CI/CD‬ ‭pipeline‬ ‭to‬ ‭ensure‬
‭minimal downtime and quick recovery.‬

‭16. How do you handle environment-specific configurations in CI/CD?‬

‭ nswer:‬
A
‭Environment-specific‬ ‭configurations‬ ‭can‬ ‭be‬ ‭managed‬ ‭using‬‭environment‬‭variables,‬‭configuration‬‭files,‬‭or‬
‭secret‬ ‭management‬ ‭tools‬ ‭like‬ ‭Vault‬‭or‬‭AWS‬‭Secrets‬‭Manager.‬‭CI/CD‬‭tools‬‭allow‬‭for‬‭configuring‬‭different‬
‭settings for different environments (development, staging, production).‬

‭133‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Chapter 10‬

‭Test Driven Development for Spring Micro Service with‬

‭Cucumber‬

‭Introduction to Test Driven Development (TDD)‬

‭What is Test Driven Development (TDD)?‬

‭ est Driven Development (TDD) is a software development methodology where tests are written before the‬
T
‭code that needs to be tested. It follows a repetitive cycle of writing a test, writing the minimum amount of‬
‭code to pass the test, and then refactoring the code. This process ensures that the codebase remains clean,‬
‭maintainable, and well-tested.‬

‭Principles of TDD‬

‭TDD is based on three core principles:‬

‭1.‬ R ‭ ed‬‭: Write a test that defines a function or improvements‬‭of a function, which fails initially because‬
‭the function doesn’t exist.‬
‭2.‬ ‭Green‬‭: Write the minimal code necessary to pass the‬‭test.‬
‭3.‬ ‭Refactor‬‭: Clean up the code while ensuring that all‬‭tests still pass. Refactoring is crucial to maintain‬
‭code quality and readability.‬

‭Benefits of TDD‬

‭●‬ I‭ mproved Code Quality‬‭: Writing tests first ensures‬‭that the code meets the requirements and‬
‭handles edge cases effectively.‬
‭●‬ ‭Less Debugging‬‭: Since tests are written upfront, it’s‬‭easier to identify and fix issues early in the‬
‭development process.‬
‭●‬ ‭Documentation‬‭: Tests serve as a form of documentation,‬‭providing clear examples of how the code‬
‭is supposed to work.‬
‭●‬ ‭Design Improvement‬‭: TDD encourages better design decisions‬‭as it requires developers to think‬
‭about the code’s behavior before implementation.‬

‭Overview of the TDD Cycle‬

‭The TDD cycle consists of three main steps:‬

‭1.‬ ‭Red Phase‬‭:‬

‭○‬ ‭Write a test for a new feature or a piece of functionality.‬

‭134‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭○‬ R ‭ un the test to see it fail. This step ensures that the test is valid and the functionality is not‬
‭yet implemented.‬
‭2.‬ ‭Green Phase‬‭:‬
‭○‬ ‭Write the simplest code possible to make the test pass.‬
‭○‬ ‭Run the tests to ensure the new code passes the test.‬
‭ .‬ ‭Refactor Phase‬‭:‬
3
‭○‬ ‭Refactor the code to improve its structure and readability.‬
‭○‬ ‭Ensure that all tests still pass after refactoring.‬

‭Introduction to Microservice‬

‭ icroservices is an architectural style that structures an application as a collection of small, autonomous‬

M
‭services modeled around a business domain. This approach allows for easier scaling, maintenance, and‬
‭deployment of individual services. Spring Boot, a project from the Spring framework, is widely used to‬
‭create production-ready, stand-alone applications that run on the JVM. It's particularly well-suited for‬
‭building microservices due to its simplicity, flexibility, and support for cloud-based deployments.‬

‭Getting started with microservices using Spring Boot‬

‭1. Setup Your Development Environment‬

‭Before you start, ensure you have the following tools installed:‬

‭ ‬ J‭ ava Development Kit (JDK) 8 or higher‬

●
‭●‬ ‭Maven or Gradle‬‭for dependency management and build‬
‭●‬ ‭An Integrated Development Environment (IDE)‬‭like IntelliJ‬‭IDEA, Eclipse, or VS Code‬

‭2. Create a Spring Boot Application‬

‭You can create a Spring Boot project using the‬‭Spring‬‭Initializr‬‭:‬

‭ .‬
1 ‭ o to‬‭start.spring.io‬
G
‭2.‬ ‭Select‬‭Project‬‭: Maven Project (or Gradle)‬
‭3.‬ ‭Select‬‭Language‬‭: Java‬
‭4.‬ ‭Select‬‭Spring Boot‬‭version (e.g., 2.7.1)‬
‭5.‬ ‭Provide‬‭Project Metadata‬‭: Group, Artifact, Name, Description,‬‭Package name, Packaging‬
‭(Jar/War), Java Version‬
‭6.‬ ‭Select dependencies, such as:‬
‭○‬ ‭Spring Web‬‭for RESTful web services‬
‭○‬ ‭Spring Boot Actuator‬‭for monitoring and management‬
‭○‬ ‭Spring Data JPA‬‭for database interaction (optional)‬
‭ .‬ ‭Click‬‭Generate‬‭to download a ZIP file containing your‬‭new project.‬
7

‭Unzip the downloaded file and open it in your IDE.‬

‭135‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭3. Building Your First Microservice‬

‭1. Set Up Your Spring Boot Application‬

‭a.‬‭Create‬‭a‬‭new‬‭Spring‬‭Boot‬‭project‬‭using‬‭Spring‬‭Initializr‬‭or‬‭your‬‭preferred‬‭method.‬‭Include‬‭the‬‭following‬
‭ ependencies:‬
d

‭‬
● ‭ pring Web‬
S
‭●‬ ‭Spring Data JPA‬
‭●‬ ‭H2 Database‬
‭●‬ ‭Spring Boot DevTools (optional for hot reloading)‬
‭●‬ ‭Spring Boot Test‬
‭●‬ ‭Cucumber‬

pom.xml‬‭should include these dependencies:‬

‭b.‬‭Your‬‭

‭?‬
< xml version‬
‭ ="1.0"‬‭
‭ encoding‬="UTF-8"‬
‭ ?>‬
‭
<‭
‭p
‬roject‬‭
xmlns‬
="http://maven.apache.org/POM/4.0.0"‬
‭
xmlns:‬
‭ xsi‬
‭ ="http://www.w3.org/2001/XMLSchema-instance"‬
‭
xsi‬
‭ :schemaLocation‬
‭ ="http://maven.apache.org/POM/4.0.0‬
‭
https://maven.apache.org/xsd/maven-4.0.0.xsd"‬
‭ >‬
‭
<‭
‭m
‬odelVersion‬>4.0.0</‬
‭ modelVersion‬
‭ >‬
‭
<‭
‭p
‬arent‬
>‬
‭
<‭
‭g
‬roupId‬
>org.springframework.boot</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬>spring-boot-starter-parent</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>3.3.1</‬
‭ version‬
‭ >‬
‭
<‭
‭r
‬elativePath‬/>‬‭
‭ <!-- lookup parent from repository‬‭ -->‬
</‬
‭ parent‬
‭ >‬
‭
<‭
‭g
‬roupId‬
>com.example</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬
>spring.bdd.api</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>0.0.1-SNAPSHOT</‬
‭ version‬
‭ >‬
‭
<‭
‭n
‬ame‬
>spring.bdd.api</‬
‭ name‬
‭ >‬
‭
<‭
‭d
‬escription‬
>Demo project for Spring Boot with BDD</‬
‭ description‬
‭ >‬
‭
<‭
‭u
‬rl‬
/>‬
‭
<‭
‭l
‬icenses‬
>‬
‭
<‭
‭l
‬icense‬
/>‬
‭
</‬
‭ licenses‬
‭ >‬
‭
<‭
‭d
‬evelopers‬
>‬
‭
<‭
‭d
‬eveloper‬/>‬
‭
</‬
‭ developers‬
‭ >‬
‭
<‭
‭s
‬cm‬
>‬
‭
<‭
‭c
‬onnection‬/>‬
‭
<‭
‭d
‬eveloperConnection‬ />‬
‭
<‭
‭t
‬ag‬
/>‬
‭
<‭
‭u
‬rl‬
/>‬
‭
</‬
‭ scm‬
‭ >‬
‭
<‭
‭p
‬roperties‬
>‬
‭
<‭
‭j
‬ava.version‬>17</‬
‭ java.version‬
‭ >‬
‭
</‬
‭ properties‬
‭ >‬
‭
<‭
‭d
‬ependencies‬>‬
‭
<‭
‭d
‬ependency‬>‬
‭
<‭
‭g
‬roupId‬>org.springframework.boot</‬
‭ groupId‬
‭ >‬
‭

‭136‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

<‭
‭a
‬rtifactId‬
>spring-boot-starter-data-jpa</‬
‭ artifactId‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭

<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>org.springframework.boot</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬>spring-boot-starter-web</‬
‭ artifactId‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭

<‭
‭d
‬ependency‬>‬
‭
<‭
‭g
‬roupId‬>com.h2database</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬ >h2</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭s
‬cope‬
>runtime</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
</‬
‭ dependencies‬
‭ >‬
‭
<‭
‭b
‬uild‬
>‬
‭
<‭
‭p
‬lugins‬
>‬
‭
<‭
‭p
‬lugin‬>‬
‭
<‭
‭g
‬roupId‬ >org.springframework.boot</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬ >spring-boot-maven-plugin</‬
‭ artifactId‬
‭ >‬
‭
</‬
‭ plugin‬
‭ >‬
‭
</‬
‭ plugins‬
‭ >‬
‭
</‬
‭ build‬
‭ >‬
‭

</‬
‭ project‬
‭ >‬
‭

‭2. Create the User Entity‬

User‬‭entity class:‬
‭Create a‬‭

package‬‭
‭ com.example.spring.bdd.api.entity‬
;‬
‭

import‬‭
‭ jakarta.persistence.‬
*;‬
‭

‭Entity‬
@
@Table‬
‭ (name =‬‭
‭ "users"‬
)‬
‭
public class‬‭
‭ User‬‭
{‬

‭Id‬
@
@GeneratedValue‬
‭ (strategy =‬‭
‭ GenerationType‬
.‬
‭IDENTITY‬
‭ )‬
‭
private‬‭
‭ Long‬‭
id‬
;‬
‭
private‬‭
‭ String‬‭
name‬
;‬
‭
private‬‭
‭ String‬‭
email‬
;‬
‭
private‬‭
‭ String‬‭
password‬
;‬
‭

// Getters and setters‬

‭

public‬‭
‭ Long‬‭
getId‬
() {‬
‭
return‬‭
‭ id‬
;‬
‭
}‬
‭

public void‬‭
‭ setId‬
(‬
‭Long‬‭
‭ id) {‬
this‬
‭ .‭
‭i
‬d‬‭
= id;‬
}‬
‭

‭137‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

public‬‭
‭ String‬‭
getName‬
() {‬
‭
return‬‭
‭ name‬
;‬
‭
}‬
‭

public void‬‭
‭ setName‬
(‭
‭S
‬tring‬‭
name) {‬
this‬
‭ .‭
‭n
‬ame‬‭
= name;‬
}‬
‭

public‬‭
‭ String‬‭
getEmail‬
() {‬
‭
return‬‭
‭ email‬
;‬
‭
}‬
‭

public void‬‭
‭ setEmail‬
(‬
‭ String‬‭
‭ email) {‬
this‬
‭ .‭
‭e
‬mail‬‭
= email;‬
}‬
‭

public‬‭
‭ String‬‭
getPassword‬
() {‬
‭
return‬‭
‭ password‬
;‬
‭
}‬
‭

public void‬‭
‭ setPassword‬
(‬
‭ String‬‭
‭ password) {‬
this‬
‭ .‭
‭p
‬assword‬‭
= password;‬
}‬
‭
}‬
‭

‭3. Create the User Repository‬

‭Create a repository interface:‬

package‬‭
‭ com.example.spring.bdd.api.repository‬
;‬
‭

‭mport‬‭
i com.example.spring.bdd.api.entity.User‬
;‬
‭
import‬‭
‭ org.springframework.data.jpa.repository.JpaRepository‬
;‬
‭
import‬‭
‭ org.springframework.stereotype.‬
Repository‬
‭ ;‬
‭

‭Repository‬
@
public interface‬‭
‭ UserRepository‬‭
extends‬‭
JpaRepository‬
<‬
‭User‬
‭ ,‬‭
‭ Long‬
> {‬
‭
}‬
‭

‭4. Create the User Service‬

‭Create a service class to handle business logic:‬

package‬‭
‭ com.example.spring.bdd.api.service‬
;‬
‭

‭mport‬‭
i com.example.spring.bdd.api.entity.User‬
;‬
‭
import‬‭
‭ com.example.spring.bdd.api.repository.UserRepository‬
;‬
‭
import‬‭
‭ org.springframework.beans.factory.annotation.‬
Autowired‬
‭ ;‬
‭
import‬‭
‭ org.springframework.stereotype.‬
Service‬
‭ ;‬
‭

‭138‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭mport‬‭
i java.util.List‬
;‬
‭
import‬‭
‭ java.util.Optional‬
;‬
‭

‭Service‬
@
public class‬‭
‭ UserService‬‭
{‬

‭Autowired‬
@
private‬‭
‭ UserRepository‬‭
userRepository‬
;‬
‭

public‬‭
‭ User‬‭
createUser‬
(‭
‭ U
‬ser‬‭
user) {‬
return‬‭
‭ userRepository‬.save(user);‬
‭
}‬
‭

public‬‭
‭ List‬
<‬
‭User‬
‭ >‬‭
‭ getAllUsers‬
() {‬
‭
return‬‭
‭ userRepository‬
.findAll();‬
‭
}‬
‭

public‬‭
‭ Optional‬
<‬
‭User‬
‭ >‬‭
‭ getUserById‬
(‬
‭Long‬‭
‭ id) {‬
return‬‭
‭ userRepository‬
.findById(id);‬
‭
}‬
‭

public‬‭
‭ User‬‭
updateUser‬
(‭
‭ L
‬ong‬‭
id,‬‭
User‬‭
userDetails)‬‭
{‬
User user‬‭
‭ =‬‭
userRepository‬.findById(id).orElseThrow(()‬‭
‭ ->‬‭
new‬
RuntimeException(‬
‭ "User not found"‬
‭ ));‬
‭
user‬
‭ .setName(userDetails.getName());‬
‭
user‬
‭ .setEmail(userDetails.getEmail());‬
‭
user‬
‭ .setPassword(userDetails.getPassword());‬
‭
return‬‭
‭ userRepository‬.save(‬
‭ user‬
‭ );‬
‭
}‬
‭

public void‬‭
‭ deleteUser‬
(‭
‭ L
‬ong‬‭
id) {‬
userRepository‬
‭ .deleteById(id);‬
‭
}‬
‭
}‬
‭

‭5. Create the User Controller‬

‭Create a REST controller to handle HTTP requests:‬

package‬‭
‭ com.example.spring.bdd.api.controller‬
;‬
‭

‭mport‬‭
i com.example.spring.bdd.api.entity.User‬
;‬
‭
import‬‭
‭ com.example.spring.bdd.api.service.UserService‬;‬
‭
import‬‭
‭ org.springframework.beans.factory.annotation.‬
Autowired‬
‭ ;‬
‭
import‬‭
‭ org.springframework.http.ResponseEntity‬;‬
‭
import‬‭
‭ org.springframework.web.bind.annotation.‬*;‬
‭

‭mport‬‭
i java.util.List‬
;‬
‭
import‬‭
‭ java.util.Optional‬
;‬
‭

‭RestController‬
@
@RequestMapping‬
‭ (‬
‭"/api/users"‬
‭ )‬
‭
public class‬‭
‭ UserController‬‭
{‬

‭139‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Autowired‬
@
private‬‭
‭ UserService‬‭
userService‬
;‬
‭

‭PostMapping‬
@
public‬‭
‭ User‬‭
createUser‬
(‭
‭ @
‬RequestBody‬‭
User‬‭
user)‬‭
{‬
return‬‭
‭ userService‬
.createUser(user);‬
‭
}‬
‭

‭GetMapping‬
@
public‬‭
‭ List‬
<‬
‭User‬
‭ >‬‭
‭ getAllUsers‬
() {‬
‭
return‬‭
‭ userService‬
.getAllUsers();‬
‭
}‬
‭

‭GetMapping‬
@ (‬
‭"/{id}"‬
‭ )‬
‭
public‬‭
‭ ResponseEntity‬ <‬
‭User‬
‭ >‬‭
‭ getUserById‬(‬
‭@PathVariable‬‭
‭ Long‬‭
id) {‬
Optional‬
‭ <‬
‭ User‬
‭ >‬‭
‭ user‬‭=‬‭
userService‬.getUserById(id);‬
‭
return‬‭
‭ user‬.map(‬
‭ ResponseEntity‬
‭ ::‬
‭ ok‬
‭ ).orElseGet(()‬‭
‭ ->‬
ResponseEntity‬
‭ .‬
‭notFound‬
‭ ().build());‬
‭
}‬
‭

‭PutMapping‬
@ (‬
‭"/{id}"‬
‭ )‬
‭
public‬‭
‭ ResponseEntity‬ <‬
‭User‬
‭ >‬‭
‭ updateUser‬(‭
‭@
‬PathVariable‬‭
Long‬‭id,‬‭
@RequestBody‬‭
User‬
userDetails) {‬
‭
try‬‭
‭ {‬
User updatedUser‬‭
‭ =‬‭
userService‬.updateUser(id,‬‭
‭ userDetails);‬
return‬‭
‭ ResponseEntity‬.‬
‭ok‬
‭ (‭
‭u‬pdatedUser‬
);‬
‭
}‬‭
‭ catch‬‭
(‬RuntimeException‬‭
‭ e) {‬
return‬‭
‭ ResponseEntity‬.‬
‭notFound‬
‭ ().build();‬
‭
}‬
‭
}‬
‭

‭DeleteMapping‬
@ (‭
‭"
‬/{id}"‬
)‬
‭
public‬‭
‭ ResponseEntity‬<‬
‭Void‬
‭ >‬‭
‭ deleteUser‬(‭
‭@‬PathVariable‬‭
Long‬‭
id) {‬
try‬‭
‭ {‬
userService‬
‭ .deleteUser(id);‬
‭
return‬‭
‭ ResponseEntity‬
.‬
‭ noContent‬
‭ ().build();‬
‭
}‬‭
‭ catch‬‭
(‬
RuntimeException‬‭
‭ e) {‬
return‬‭
‭ ResponseEntity‬
.‬
‭ notFound‬
‭ ().build();‬
‭
}‬
‭
}‬
‭
}‬
‭

‭6. Configure H2 Database‬

application.properties‬
‭Add H2 configuration in‬‭ ‭:‬

‭pring.application.name‬
s =‬
‭ spring.bdd.api‬
‭
# src/main/resources/application.properties‬
‭
spring.h2.console.enabled‬
‭ =‭
‭t
‬rue‬
# default path: h2-console‬
‭
spring.h2.console.path‬
‭ =‭
‭/
‬h2-ui‬

spring.datasource.url‬
‭ =‬
‭jdbc:h2:file:./testdb‬
‭

‭140‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭pring.datasource.driverClassName‬
s =‬
‭ org.h2.Driver‬
‭
spring.datasource.username‬
‭ =‬
‭ sa‬
‭
spring.datasource.password‬
‭ =‬
‭

‭pring.jpa.show-sql‬
s =‬
‭true‬
‭
spring.jpa.properties.hibernate.dialect‬
‭ =‬
‭ org.hibernate.dialect.H2Dialect‬
‭
spring.jpa.hibernate.ddl-auto‬
‭ =‬‭
‭ update‬

‭7. Define the Application Class‬

@SpringBootApplication‬‭annotated class.‬
‭ he entry point for your Spring Boot application is the‬‭
T
‭Here’s an example:‬

package‬‭
‭ com.example.spring.bdd.api‬
;‬
‭

‭mport‬‭
i org.springframework.boot.SpringApplication‬
;‬
‭
import‬‭
‭ org.springframework.boot.autoconfigure.‬
SpringBootApplication‬
‭ ;‬
‭

‭SpringBootApplication‬
@
public class‬‭
‭ Application‬‭
{‬

public static void‬‭

‭ main‬
(‭
‭ S
‬tring‬
[] args) {‬
‭
SpringApplication‬
‭ .‭
‭r
‬un‬(‬
‭Application‬
‭ .‬
‭class‬
‭ , args);‬
‭
}‬
‭

}‬
‭

‭141‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭8. Run your app and make sure the app is running.‬

‭Use this curl request to test your endpoint.‬

curl --location‬‭
‭ 'http://localhost:8080/api/users'‬‭
\‬
--header‬‭
‭ 'Content-Type: application/json'‬‭
\‬
--data-raw‬‭
‭ '{‬
"id"‬
‭ :‬
‭ 1‭
‭,‬‬
"name"‬
‭ :‬‭
‭ "John Doe"‬
,‬
‭
"email"‬
‭ :‬‭
‭ "[email protected]"‬
,‬
‭
"password"‬
‭ :‬‭
‭ "password123"‬
}‬
‭
'‬
‭

‭142‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭143‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭Write BDD Tests‬

‭1. Update your pom.xml‬

‭You can use a testing framework like Cucumber along with Spring Boot Test to write BDD tests.‬

<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>io.cucumber</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬>cucumber-java</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>7.0.0</‬
‭ version‬
‭ >‬
‭
<‭
‭s
‬cope‬
>test</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>io.cucumber</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬>cucumber-spring</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>7.0.0</‬
‭ version‬
‭ >‬
‭
<‭
‭s
‬cope‬
>test</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭
<‭
‭d
‬ependency‬
>‬
‭
<‭
‭g
‬roupId‬
>io.cucumber</‬
‭ groupId‬
‭ >‬
‭
<‭
‭a
‬rtifactId‬>cucumber-junit</‬
‭ artifactId‬
‭ >‬
‭
<‭
‭v
‬ersion‬
>7.0.0</‬
‭ version‬
‭ >‬
‭
<‭
‭s
‬cope‬
>test</‬
‭ scope‬
‭ >‬
‭
</‬
‭ dependency‬
‭ >‬
‭

src/test/resources/features/user.feature‬
‭2. Create a feature file‬‭ ‭:‬

Feature‬
‭ : User Management‬
‭

Scenario‬
‭ : Create a new user‬
‭
Given‬‭
‭ I create a user with name "John Doe" and‬‭
email "[email protected]"‬
Then‬‭
‭ the user is created successfully‬

Scenario‬
‭ : Get all users‬
‭
When‬‭
‭ I get all users‬
Then‬‭
‭ I receive a list of users‬

Scenario‬
‭ : Get a user by ID‬
‭
Given‬‭
‭ a user with name "John Doe" and email "[email protected]"‬‭
exists‬
When‬‭
‭ I get the user by ID‬
Then‬‭
‭ I receive the user details‬

Scenario‬
‭ : Update a user‬
‭
Given‬‭
‭ a user with name "Jane Doe" and email "[email protected]"‬‭
exists‬
When‬‭
‭ I update the user's name to "Jane Smith" and‬‭
email to‬
"[email protected]"‬
‭
Then‬‭
‭ the user is updated successfully‬

Scenario‬
‭ : Delete a user‬
‭
Given‬‭
‭ a user with name "John Doe" and email "[email protected]"‬‭
exists‬
When‬‭
‭ I delete the user by ID‬
Then‬‭
‭ the user is deleted successfully‬

‭144‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

‭3. Create Step Definitions‬

‭Create step definitions‬

src/test/com.example.spring.bdd.api.steps/steps/UserSteps.java:‬
‭

package‬‭
‭ com.example.spring.bdd.api.steps‬
;‬
‭

‭mport‬‭
i com.example.spring.bdd.api.Application‬
;‬
‭
import‬‭
‭ com.example.spring.bdd.api.entity.User‬
;‬
‭
import‬‭
‭ com.example.spring.bdd.api.repository.UserRepository‬
;‬
‭
import‬‭
‭ io.cucumber.java.‬
Before‬
‭ ;‬
‭
import‬‭
‭ io.cucumber.java.en.‬
Given‬
‭ ;‬
‭
import‬‭
‭ io.cucumber.java.en.‬
Then‬
‭ ;‬
‭
import‬‭
‭ io.cucumber.java.en.‬
When‬
‭ ;‬
‭
import‬‭
‭ org.junit.jupiter.api.Assertions‬
;‬
‭
import‬‭
‭ org.springframework.beans.factory.annotation.‬
Autowired‬
‭ ;‬
‭
import‬‭
‭ org.springframework.boot.test.context.‬
SpringBootTest‬
‭ ;‬
‭
import‬‭
‭ org.springframework.boot.test.web.client.TestRestTemplate‬;‬
‭
import‬‭
‭ org.springframework.http.HttpStatus‬
;‬
‭
import‬‭
‭ org.springframework.http.ResponseEntity‬;‬
‭

import‬‭
‭ java.util.List‬
;‬
‭

‭SpringBootTest‬
@ (classes =‬‭
‭ Application‬.‬
‭class‬
‭ , webEnvironment‬‭
‭ =‬
SpringBootTest‬
‭ .‬
‭WebEnvironment‬
‭ .‬
‭ DEFINED_PORT‬
‭ )‬
‭
public class‬‭
‭ UserSteps‬‭
{‬

‭Autowired‬
@
private‬‭
‭ TestRestTemplate‬‭
restTemplate‬
;‬
‭

‭Autowired‬
@
private‬‭
‭ UserRepository‬‭
userRepository‬
;‬
‭

‭rivate‬‭
p ResponseEntity‬
<‭
‭ U
‬ser‬
>‬‭
‭ responseEntity‬
;‬
‭
private‬‭
‭ ResponseEntity‬
<‭
‭ U
‬ser‬
[]>‬‭
‭ responseEntityList‬
;‬
‭
private‬‭
‭ User‬‭
createdUser‬;‬
‭

‭Before‬
@
public void‬‭
‭ setUp‬
() {‬
‭
userRepository‬
‭ .deleteAll();‬
‭
}‬
‭

‭Given‬
@ (‭
‭"
‬I create a user with name {string} and‬‭ email {string}"‬)‬
‭
public void‬‭
‭ i_create_a_user_with_name_and_email‬ (‬
‭String‬‭
‭ name,‬‭
String‬‭
email) {‬
User user‬‭
‭ =‬‭
new‬‭
User();‬
user‬
‭ .setName(name);‬
‭
user‬
‭ .setEmail(email);‬
‭
responseEntity‬‭
‭ =‬‭restTemplate‬
.postForEntity(‬
‭ "http://localhost:8080/api/users"‬
‭ ,‬
‭
user‬
‭ ,‬‭
‭ User‬
.‭
‭c
‬lass‬
);‬
‭
createdUser‬‭
‭ =‬‭
responseEntity‬.getBody();‬
‭
}‬
‭

‭Then‬
@ (‭
‭"
‬the user is created successfully"‬ )‬
‭
public void‬‭
‭ the_user_is_created_successfully‬ ()‬‭
‭ {‬
Assertions‬
‭ .‭
‭a
‬ssertNotNull‬(‬
‭createdUser‬
‭ .getId());‬
‭
Assertions‬
‭ .‭
‭a
‬ssertEquals‬
(‭
‭ H
‬ttpStatus‬
.‭
‭C‬REATED‬
,‬‭
‭ responseEntity‬
.getStatusCode());‬
‭

‭145‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

}‬
‭

‭When‬
@ (‭
‭"
‬I get all users"‬
)‬
‭
public void‬‭
‭ i_get_all_users‬
() {‬
‭
responseEntityList‬‭
‭ =‬
restTemplate‬
‭ .getForEntity(‬
‭ "http://localhost:8080/api/users"‬
‭ ,‬‭
‭ User‬
[].‬
‭ class‬
‭ );‬
‭
}‬
‭

‭Then‬
@ (‭
‭"
‬I receive a list of users"‬)‬
‭
public void‬‭
‭ i_receive_a_list_of_users‬() {‬
‭
Assertions‬
‭ .‭
‭a
‬ssertTrue‬
(‬
‭ responseEntityList‬
‭ .getBody().‬
‭ length‬‭
‭ >‬‭
0‭
)
‬;‬
Assertions‬
‭ .‭
‭a
‬ssertEquals‬(‭
‭H
‬ttpStatus‬
.‭
‭O‬K‬
,‬‭
‭ responseEntityList‬
.getStatusCode());‬
‭
}‬
‭

‭Given‬
@ (‭
‭"
‬a user with name {string} and email {string}‬‭exists"‬)‬
‭
public void‬‭
‭ a_user_with_name_and_email_exists‬
(‬
‭ String‬‭
‭ name,‬‭
String‬‭
email) {‬
User user‬‭
‭ =‬‭
new‬‭
User();‬
user‬
‭ .setName(name);‬
‭
user‬
‭ .setEmail(email);‬
‭
createdUser‬‭
‭ =‬‭
userRepository‬
.save(‬
‭ user‬
‭ );‬
‭
}‬
‭

‭When‬
@ (‭
‭"
‬I get the user by ID"‬)‬
‭
public void‬‭
‭ i_get_the_user_by_id‬ () {‬
‭
responseEntity‬‭
‭ =‬‭restTemplate‬.getForEntity(‬
‭ "http://localhost:8080/api/users/"‬
‭
+‬‭
‭ createdUser‬
.getId(),‬‭
‭ User‬.‬
‭class‬
‭ );‬
‭
}‬
‭

‭Then‬
@ (‭
‭"
‬I receive the user details"‬ )‬
‭
public void‬‭
‭ i_receive_the_user_details‬ () {‬
‭
User user‬‭
‭ =‬‭
responseEntity‬ .getBody();‬
‭
Assertions‬
‭ .‭
‭a
‬ssertNotNull‬(‬
‭user‬
‭ );‬
‭
Assertions‬
‭ .‭
‭a
‬ssertEquals‬
(‭
‭ c
‬reatedUser‬.getId(),‬‭
‭ user‬
.getId());‬
‭
Assertions‬
‭ .‭
‭a
‬ssertEquals‬
(‭
‭ c
‬reatedUser‬.getName(),‬‭
‭ user‬
.getName());‬
‭
Assertions‬
‭ .‭
‭a
‬ssertEquals‬
(‭
‭ c
‬reatedUser‬.getEmail(),‬‭
‭ user‬.getEmail());‬
‭
Assertions‬
‭ .‭
‭a
‬ssertEquals‬
(‭
‭ H
‬ttpStatus‬.‭
‭O
‬K‬
,‬‭
‭ responseEntity‬.getStatusCode());‬
‭
}‬
‭

‭When‬
@ (‭
‭"
‬I update the user's name to {string} and‬‭
email to {string}"‬)‬
‭
public void‬‭
‭ i_update_the_user_s_name_to_and_email_to‬
(‭
‭S‬tring‬‭
newName,‬‭
String‬
newEmail) {‬
‭
createdUser‬
‭ .setName(newName);‬
‭
createdUser‬
‭ .setEmail(newEmail);‬
‭
restTemplate‬
‭ .put(‬
‭ "http://localhost:8080/api/users/"‬‭
‭ +‬‭
createdUser‬
.getId(),‬
‭
createdUser‬
‭ );‬
‭
}‬
‭

‭Then‬
@ (‭
‭"
‬the user is updated successfully"‬)‬
‭
public void‬‭
‭ the_user_is_updated_successfully‬()‬‭
‭ {‬
User updatedUser‬‭
‭ =‬‭
userRepository‬.findById(‬
‭ createdUser‬
‭ .getId()).orElse(‬
‭ null‬
‭ );‬
‭
Assertions‬
‭ .‭
‭a
‬ssertNotNull‬(‬
‭updatedUser‬
‭ );‬
‭
Assertions‬
‭ .‭
‭a
‬ssertEquals‬
(‭
‭ c
‬reatedUser‬
.getId(),‬‭
‭ updatedUser‬
.getId());‬
‭
Assertions‬
‭ .‭
‭a
‬ssertEquals‬
(‭
‭ c
‬reatedUser‬
.getName(),‬‭
‭ updatedUser‬
.getName());‬
‭
Assertions‬
‭ .‭
‭a
‬ssertEquals‬
(‭
‭ c
‬reatedUser‬
.getEmail(),‬‭
‭ updatedUser‬
.getEmail());‬
‭
}‬
‭

@When‬
‭ (‭
‭"
‬I delete the user by ID"‬
)‬
‭

‭146‬
 ‭End to End APIs and API Testing, Curated by Lamhot Siagian‬

public void‬‭
‭ i_delete_the_user_by_id‬
() {‬
‭
restTemplate‬
‭ .delete(‬
‭ "http://localhost:8080/api/users/"‬‭
‭ +‬‭
createdUser‬
.getId());‬
‭
}‬
‭

‭Then‬
@ (‭
‭"
‬the user is deleted successfully"‬)‬
‭
public void‬‭
‭ the_user_is_deleted_successfully‬()‬‭
‭ {‬
boolean‬‭
‭ userExists‬‭
=‬‭
userRepository‬.existsById(‬
‭ createdUser‬
‭ .getId());‬
‭
Assertions‬
‭ .‭
‭a
‬ssertFalse‬
(‬
‭ userExists‬
‭ );‬
‭
}‬
‭
}‬
‭

‭4. Create Test Runner‬

src/test/java/com/example/demo/CucumberTest.java‬
‭Create a test runner‬‭ ‭:‬

package‬‭
‭ com.example.spring.bdd.api.runner‬
;‬
‭

‭mport‬‭
i com.example.spring.bdd.api.Application‬;‬
‭
import‬‭
‭ io.cucumber.junit.Cucumber‬ ;‬
‭
import‬‭
‭ io.cucumber.junit.‬CucumberOptions‬
‭ ;‬
‭
import‬‭
‭ io.cucumber.spring.‬CucumberContextConfiguration‬
‭ ;‬
‭
import‬‭
‭ org.junit.runner.‬
RunWith‬
‭ ;‬
‭
import‬‭
‭ org.springframework.boot.test.context.‬SpringBootTest‬
‭ ;‬
‭
import‬‭
‭ org.springframework.test.context.‬ContextConfiguration‬
‭ ;‬
‭

‭RunWith‬
@ (‭
‭C
‬ucumber‬
.‭
‭c‬lass‬
)‬
‭
@CucumberContextConfiguration‬
‭
@ContextConfiguration‬
‭ (classes = {‬
‭ Application‬
‭ .‬
‭class‬
‭ })‬
‭
@CucumberOptions‬
‭ (features =‬‭
‭ "src/test/resources/features"‬
,‬‭
‭ glue =‬
"com.example.spring.bdd.api.steps"‬
‭ )‬
‭
public class‬‭
‭ CucumberTest‬‭{‬
}‬
‭

‭147‬
 ‭End to End API Testing, Curated by Lamhot Siagian‬

‭References‬
‭ .‬ ‭https://en.wikipedia.org/wiki/List_of_HTTP_status_codes‬
1
‭2.‬ ‭https://toolsqa.com/postman/response-in-postman/‬
‭3.‬ ‭https://blog.postman.com/what-are-http-methods/‬
‭4.‬ ‭https://testfully.io/blog/http-methods/‬
‭5.‬ ‭https://en.wikipedia.org/wiki/HTTP‬
‭6.‬ ‭https://katalon.com/resources-center/blog/test-case-template-examples‬
‭7.‬ ‭https://www.guru99.com/testing-rest-api-manually.html‬
‭8.‬ ‭https://www.softwaretestinghelp.com/rest-api-testing-with-bdd-cucumber/‬
‭9.‬ ‭https://nonamesecurity.com/learn/what-is-api-security-testing/‬
‭10.‬ ‭https://nonamesecurity.com/wp-content/uploads/2023/06/Product-Brief_SecurityTesting.pdf‬
‭11.‬ ‭https://nordicapis.com/how-to-implement-input-validation-for-apis/‬
‭12.‬ ‭https://apidog.com/blog/rate-limiting-vs-throttling/‬
‭13.‬ ‭https://www.testingxperts.com/blog/api-security-testing#What%20is%20API%20Security%20Test‬
‭ing‬

‭148‬