Skip to main content

You can support this site from as little as $1 a month on Patreon.

The support pays for site hosting and the expansion of this content.

In addition, Patreon Supporters gain access to exclusive online video training courses and ebooks.

Join Now

Testing a REST API

  • how to model an API
  • testing ideas

Testing different from Technology and Tooling

  • at this point we have discussed technology and tooling
  • time to discuss testing

What would we test?

  • Risk
  • Coverage
  • Functionality and Outcomes

Coverage Driven Testing

REST APIs are a very 'pure' system.

  • Input -> Process -> Output
  • Request -> Process -> Response

Most of the variation comes from:

  • Input
  • Current System State

With a UI we have to worry about variation like:

  • which browser?
  • exactly how I interact e.g. time between click and release of mouse, did I hold a key at the same time? etc.

Coverage of What?

  • Verbs - have you used every verb with every end point?
  • Endpoints - have you tried them all?
  • Swagger - have you used the Swagger API document?
  • Documentation - have you read the docs?
  • Query Params - have you tried combinations?
  • formats (content and accept) - have you varied XML, JSON, Text and others?
  • State - Get when missing, Create when exists? etc.

What are the architecture risks?

  • Client -> Web Server -> App Server -> App
  • Do we understand the architecture?

What are the capacity risks?

  • Performance?
  • Load Testing?

What are the security risks?

  • Authentication
  • Authorisation
  • Injection
  • What headers are accepted? X-HTTP-Method-Override?

Data Risks

  • minimum data in requests - missing fields, headers
  • not enough data in requests
  • wrong format data: json, xml, length, null, empty
  • malformed data
  • consistency? query params across requests?
  • are defaults correct?
  • duplicate data in payloads?
  • headers: missing, malformed, too many, duplicate

Document your testing

  • How can you document your testing?
  • Mindmaps?
  • Text files
  • Record all requests through an HTTP Proxy and store as a HAR file

Other Risks or Common Issues?

Exercise: Think through testing

  • Read the requirements
  • Create some test ideas
  • Look at the existing testing conducted
  • Any ideas from that?
  • Test
  • Document and Track your Testing in a lightweight fashion
  • Try different tools
  • Run all your requests and responses through a Proxy and review the results - you might be surprised to see differences that your REST Client Tool did not reveal.

 

Copyright Compendium Developments Ltd 2020