1 00:00:00,170 --> 00:00:02,780 Hi and welcome to the next section in 2 00:00:02,780 --> 00:00:04,910 this course. In this section we're going 3 00:00:04,910 --> 00:00:07,370 to continue to dig into hands-on API 4 00:00:07,370 --> 00:00:09,890 testing. But up until now we've been 5 00:00:09,890 --> 00:00:11,480 looking at static data, so we've been 6 00:00:11,480 --> 00:00:13,580 looking at GET calls, calls that read 7 00:00:13,580 --> 00:00:15,620 data that's there but don't change 8 00:00:15,620 --> 00:00:17,509 anything. In this section we're gonna 9 00:00:17,509 --> 00:00:19,279 look at changing data, so we're gonna 10 00:00:19,279 --> 00:00:21,769 look at POST, PUT, and DELETE calls, and 11 00:00:21,769 --> 00:00:24,079 see what happens when we change the data 12 00:00:24,079 --> 00:00:26,839 on our service. So as you can imagine, 13 00:00:26,839 --> 00:00:29,089 this gives us a whole new set of testing 14 00:00:29,089 --> 00:00:31,789 challenges. Now we give API users the 15 00:00:31,789 --> 00:00:33,500 ability to modify something on our 16 00:00:33,500 --> 00:00:35,960 service, and so we want to make sure that 17 00:00:35,960 --> 00:00:38,359 they can't do so in a harmful way. But of 18 00:00:38,359 --> 00:00:39,949 course there are two main ways that people can 19 00:00:39,949 --> 00:00:41,750 harm our app through bad POST calls. 20 00:00:41,750 --> 00:00:45,859 First way is malicious users. We'll talk 21 00:00:45,859 --> 00:00:48,590 a little bit about security testing in 22 00:00:48,590 --> 00:00:50,570 your API later in this course, but that's 23 00:00:50,570 --> 00:00:52,879 probably a full course in itself. The 24 00:00:52,879 --> 00:00:54,589 second way though is through users 25 00:00:54,589 --> 00:00:56,300 accidentally doing the wrong thing.
For 26 00:00:56,300 --> 00:00:58,730 example what happens if a user sends 27 00:00:58,730 --> 00:01:00,260 their data in the wrong format, or if 28 00:01:00,260 --> 00:01:01,640 they try to overwrite data that's 29 00:01:01,640 --> 00:01:03,589 already in the system. There are many 30 00:01:03,589 --> 00:01:05,209 things that could go wrong with POST 31 00:01:05,209 --> 00:01:06,769 calls, and so in this video we're going 32 00:01:06,769 --> 00:01:09,619 to look at how we can test POST calls. 33 00:01:09,619 --> 00:01:13,189 Let's take a look at a real example of 34 00:01:13,189 --> 00:01:16,159 this. So I have a local application here 35 00:01:16,159 --> 00:01:17,079 that we'll use for demonstration 36 00:01:17,079 --> 00:01:20,270 purposes. And for this application we can 37 00:01:20,270 --> 00:01:22,040 pretend that it's kind of managing some 38 00:01:22,040 --> 00:01:24,170 blog posts. So let's start with just a 39 00:01:24,170 --> 00:01:27,020 GET call to the blog post URL, we'll send 40 00:01:27,020 --> 00:01:29,210 that, and we can see we get back a couple 41 00:01:29,210 --> 00:01:33,860 of sample blog posts here. So now let's 42 00:01:33,860 --> 00:01:37,070 copy this, because we're going to need 43 00:01:37,070 --> 00:01:38,869 when we do a POST we need parameters, we 44 00:01:38,869 --> 00:01:41,060 need a body parameter. So change this to 45 00:01:41,060 --> 00:01:44,780 POST, and now we have the body tab 46 00:01:44,780 --> 00:01:47,390 available here. So let's go to that, and 47 00:01:47,390 --> 00:01:50,810 let's actually put in raw data and then 48 00:01:50,810 --> 00:01:53,479 we'll call it JSON. So the data that we 49 00:01:53,479 --> 00:01:56,270 have here in our API is JSON formatted, 50 00:01:56,270 --> 00:02:00,829 so we'll use that JSON option in Postman 51 00:02:00,829 --> 00:02:03,619 to specify it. 
And we can see here this 52 00:02:03,619 --> 00:02:06,380 is the inputs based on the GET call that 53 00:02:06,380 --> 00:02:09,739 the POST call takes, or at least that 54 00:02:09,739 --> 00:02:13,610 this blog posts URL produces. So we have 55 00:02:13,610 --> 00:02:16,340 ID, we have a title, a body, and then a 56 00:02:16,340 --> 00:02:18,800 profile ID that links it to which 57 00:02:18,800 --> 00:02:22,100 profile created this. So for the first 58 00:02:22,100 --> 00:02:23,510 thing here let's just try a few things, 59 00:02:23,510 --> 00:02:26,150 let's get rid of the title here and see 60 00:02:26,150 --> 00:02:27,830 what happens. So we'll get rid of that, 61 00:02:27,830 --> 00:02:32,000 and we'll send this POST request and 62 00:02:32,000 --> 00:02:34,610 we'll see what happens. So we send that 63 00:02:34,610 --> 00:02:38,270 request, insert failed duplicate ID. Now 64 00:02:38,270 --> 00:02:40,430 that's because we're sending the ID here. 65 00:02:40,430 --> 00:02:44,360 So we're sending an ID of 1, but that ID 66 00:02:44,360 --> 00:02:47,360 already exists in the system. And a POST 67 00:02:47,360 --> 00:02:50,930 call is for creating new requests, so we 68 00:02:50,930 --> 00:02:54,520 can't use an existing ID in the system. 69 00:02:54,520 --> 00:02:57,230 So let's just try removing this, let's 70 00:02:57,230 --> 00:02:59,930 see what happens if we don't have an ID 71 00:02:59,930 --> 00:03:03,020 in here, let's send this call again, we 72 00:03:03,020 --> 00:03:05,870 scroll down and we succeeded. Now we 73 00:03:05,870 --> 00:03:07,520 probably should have changed the body on 74 00:03:07,520 --> 00:03:09,920 this, since now we have two bodies that 75 00:03:09,920 --> 00:03:11,780 are the same, but we can see that it 76 00:03:11,780 --> 00:03:13,970 succeeded, however there's no name field 77 00:03:13,970 --> 00:03:17,360 here. 
So if having a name or a title for 78 00:03:17,360 --> 00:03:19,640 our blog post was important for business 79 00:03:19,640 --> 00:03:21,290 reasons, we would want to check that in 80 00:03:21,290 --> 00:03:24,050 the API, and we would want the API to not 81 00:03:24,050 --> 00:03:27,470 allow us to send a POST request with 82 00:03:27,470 --> 00:03:30,620 insufficient information. So this is one 83 00:03:30,620 --> 00:03:32,090 kind of test that we can do with POST 84 00:03:32,090 --> 00:03:34,130 request, is make sure that it requires 85 00:03:34,130 --> 00:03:36,080 the things that are required, and it 86 00:03:36,080 --> 00:03:39,920 checks for the existence of existing IDs 87 00:03:39,920 --> 00:03:42,590 that we can only create new things. All 88 00:03:42,590 --> 00:03:45,140 right so now let's try it, and let's just 89 00:03:45,140 --> 00:03:48,590 see if we can explicitly specify our ID. 90 00:03:48,590 --> 00:03:53,180 So we'll put the ID back in, and we'll 91 00:03:53,180 --> 00:03:56,300 give it an ID of five because the next 92 00:03:56,300 --> 00:03:58,340 one would be four right, we had an ID of 93 00:03:58,340 --> 00:04:00,440 three here so the next one will be four, 94 00:04:00,440 --> 00:04:02,269 but we'll say no or skip four and we'll 95 00:04:02,269 --> 00:04:05,030 do five. And let's just give it a name as 96 00:04:05,030 --> 00:04:07,850 well so that we have a properly 97 00:04:07,850 --> 00:04:13,250 formatted, so let's just say test. All 98 00:04:13,250 --> 00:04:15,950 right and we'll put a comma and we'll 99 00:04:15,950 --> 00:04:18,200 send this. So if we scroll down here we 100 00:04:18,200 --> 00:04:20,750 can see that it created a blog post with 101 00:04:20,750 --> 00:04:22,760 an ID of five as we specified, so it 102 00:04:22,760 --> 00:04:24,350 didn't increment next one, it used the 103 00:04:24,350 --> 00:04:27,079 one that we specified.
So now let's try a 104 00:04:27,079 --> 00:04:27,440 few 105 00:04:27,440 --> 00:04:29,420 interesting values, and let's see if we 106 00:04:29,420 --> 00:04:32,150 can kind of break something here. So in 107 00:04:32,150 --> 00:04:33,950 programming there's an interesting value 108 00:04:33,950 --> 00:04:37,570 called double max, and that's the biggest 109 00:04:37,570 --> 00:04:39,740 number that can be stored in a double 110 00:04:39,740 --> 00:04:41,120 variable type. So let's try that number 111 00:04:41,120 --> 00:04:47,060 here, we'll say 1 e to the 308, and let's 112 00:04:47,060 --> 00:04:49,490 send that request and see what happens. 113 00:04:49,490 --> 00:04:51,950 Ok it looks like it created it fine. So 114 00:04:51,950 --> 00:04:55,460 let's see what happens if we go bigger 115 00:04:55,460 --> 00:04:58,670 than that, ok 1 e to the 309, let's send 116 00:04:58,670 --> 00:05:01,250 that and see what happens. Now we can see 117 00:05:01,250 --> 00:05:03,290 down here it created the post for us but 118 00:05:03,290 --> 00:05:05,930 it set the ID to null. Now if we were 119 00:05:05,930 --> 00:05:07,490 testing this application we'd really 120 00:05:07,490 --> 00:05:08,990 want to dig in and start exploring some 121 00:05:08,990 --> 00:05:10,910 issues that might come from having a 122 00:05:10,910 --> 00:05:14,120 null ID in our database. And actually in 123 00:05:14,120 --> 00:05:15,320 this application there would be a number 124 00:05:15,320 --> 00:05:17,270 of issues. But I'm gonna leave the 125 00:05:17,270 --> 00:05:19,250 example here for now. I think it 126 00:05:19,250 --> 00:05:21,590 establishes the point that we want to 127 00:05:21,590 --> 00:05:24,830 check for invalid inputs, or unlikely 128 00:05:24,830 --> 00:05:27,260 inputs because someone malicious or 129 00:05:27,260 --> 00:05:29,960 accidentally might put stuff like this 130 00:05:29,960 --> 00:05:32,450 into an API. 
So we want to check and see 131 00:05:32,450 --> 00:05:34,370 how our API handles these kinds of 132 00:05:34,370 --> 00:05:36,830 things. And then of course when we're 133 00:05:36,830 --> 00:05:38,540 testing an API we need to consider many 134 00:05:38,540 --> 00:05:40,580 other things, security, or performance, 135 00:05:40,580 --> 00:05:43,190 making sure that calculated values are 136 00:05:43,190 --> 00:05:45,680 properly recalculated when something 137 00:05:45,680 --> 00:05:47,180 changes, and so many other considerations. 138 00:05:47,180 --> 00:05:49,340 But the point of what I'm doing here is 139 00:05:49,340 --> 00:05:50,840 to give you a bit of a glimpse, to give 140 00:05:50,840 --> 00:05:53,540 you a bit of a feeling of what all goes 141 00:05:53,540 --> 00:05:56,330 into testing POST calls, so that when 142 00:05:56,330 --> 00:05:57,860 you're looking at it you can think 143 00:05:57,860 --> 00:06:00,530 carefully about how your particular API 144 00:06:00,530 --> 00:06:02,419 works, and what inputs you might want to 145 00:06:02,419 --> 00:06:04,520 do. So as with all parts of testing, you 146 00:06:04,520 --> 00:06:06,380 need to explore and investigate and 147 00:06:06,380 --> 00:06:09,350 continue to learn. In the next video 148 00:06:09,350 --> 00:06:11,660 we'll look at testing PUT calls, it's 149 00:06:11,660 --> 00:06:12,950 similar to POST but it's a little bit 150 00:06:12,950 --> 00:06:17,950 different, so hope to see you there.