1
00:00:00,220 --> 00:00:02,260
In this video we're gonna look at the

2
00:00:02,260 --> 00:00:04,540
solution to the find-the-secret testing

3
00:00:04,540 --> 00:00:06,310
challenge. So hopefully you were able to

4
00:00:06,310 --> 00:00:08,109
solve that challenge on your own, and had

5
00:00:08,109 --> 00:00:09,039
a bit of fun doing it.

6
00:00:09,039 --> 00:00:11,379
But if you got stuck or if you just want

7
00:00:11,379 --> 00:00:12,849
to see how I did it, feel free to follow

8
00:00:12,849 --> 00:00:15,129
along here. So in the last video we

9
00:00:15,129 --> 00:00:16,990
already saw how the profile is forbidden,

10
00:00:16,990 --> 00:00:19,300
but how can we work around this? Now if

11
00:00:19,300 --> 00:00:21,730
you want just a hint, you can use the

12
00:00:21,730 --> 00:00:23,920
embed parameter. So if you remember in

13
00:00:23,920 --> 00:00:27,400
the documentation we have this embed

14
00:00:27,400 --> 00:00:30,640
parameter available, and it has something

15
00:00:30,640 --> 00:00:32,320
to do with this parameter. So if you just

16
00:00:32,320 --> 00:00:34,059
want to pause and use that as a hint, go

17
00:00:34,059 --> 00:00:35,890
ahead and do that, but otherwise keep

18
00:00:35,890 --> 00:00:38,230
following along for the full solution. So

19
00:00:38,230 --> 00:00:42,309
we'll copy this, and we'll take it over

20
00:00:42,309 --> 00:00:44,710
to Postman, and let's put it in here,

21
00:00:44,710 --> 00:00:50,229
let's replace this and let's send that

22
00:00:50,229 --> 00:00:53,499
command. So we can see that when we send

23
00:00:53,499 --> 00:00:55,210
that command we get back the blog post,

24
00:00:55,210 --> 00:00:57,969
and we also get back the comments that

25
00:00:57,969 --> 00:01:01,569
are embedded under that blog post. So now

26
00:01:01,569 --> 00:01:03,159
what if we did the same thing for

27
00:01:03,159 --> 00:01:07,000
profile? What if we replace comments here

28
00:01:07,000 --> 00:01:11,470
with profiles? Wonder what would happen

29
00:01:11,470 --> 00:01:15,340
then? So if we send this, and voila, we

30
00:01:15,340 --> 00:01:19,540
have the secret profile ID, it's embedded

31
00:01:19,540 --> 00:01:23,170
here in this. So by doing this we've

32
00:01:23,170 --> 00:01:25,780
enabled it, we've been able to see the

33
00:01:25,780 --> 00:01:27,640
details of this profile that was

34
00:01:27,640 --> 00:01:29,050
supposed to be secret, that we're not

35
00:01:29,050 --> 00:01:31,990
authorized to see if we go directly to

36
00:01:31,990 --> 00:01:34,240
it. And this example shows us why it's

37
00:01:34,240 --> 00:01:35,740
important to figure out different paths

38
00:01:35,740 --> 00:01:36,700
in the API.

39
00:01:36,700 --> 00:01:38,830
Sometimes things are implemented only

40
00:01:38,830 --> 00:01:41,050
assuming one path, so we want to make

41
00:01:41,050 --> 00:01:42,730
sure that we consider other ways that

42
00:01:42,730 --> 00:01:44,200
you might be able to get at some

43
00:01:44,200 --> 00:01:44,920
information.

44
00:01:44,920 --> 00:01:47,440
I hope this challenge has demonstrated

45
00:01:47,440 --> 00:01:49,030
some of the intricacies of testing an

46
00:01:49,030 --> 00:01:51,160
API, and I hope it has also got you

47
00:01:51,160 --> 00:01:52,570
thinking about some of the approaches

48
00:01:52,570 --> 00:01:54,630
you can take when testing GET calls. In

49
00:01:54,630 --> 00:01:57,100
the next section we're going to dive in

50
00:01:57,100 --> 00:01:58,810
a bit deeper, we're gonna look at testing

51
00:01:58,810 --> 00:02:03,810
POST calls, so hope to see you there.