how to format a POST request on apiary.io? - apiary.io

thanks for your time
I have a POST request that I want to document in the blueprint apiary, the header is something like this:
text/html
_method:POST
data[User][username]:
data[User][password]:
data[User][remember]:0
http://d.pr/i/uRFx
I have something like this but I am not sure how to finish it:
## login [/users/login/{username}{password}{remember}{ident}]
Login with a user and password
+ Parameters
+ username (required, string, `myname`) ... the username format should follow CakePHP: data[User][username].
+ password (required, string, `whatever`) ... the password format should follow CakePHP: data[User][password]
+ remember (required, number, `0`) ... the remember format should follow CakePHP: data[User][remember]
+ ident (optional, number, `0`) ... the ident format should follow CakePHP: data[User][ident]
### make login [POST]
+ login by user (text/plain)
What goes in here???????????
any idea? Thanks!

Apparently this is submitting the data in a web form. In this case the Content-Type is of the application/x-www-form-urlencoded type.
The message-body of the request has special formatting and also some of its characters (square brackets) have to be %-escaped. For the details on the formatting of the request body see aforementioned Wiki article.
The API Blueprint in its simplest form could be something like:
# Login [/users/login]
## Make Login [POST]
+ Request (application/x-www-form-urlencoded)

        data%5BUser%5D%5Busername%5D=qq&data%5BUser%5D%5Bpassword%5D=qq&data%5BUser%5D%5Bremember%5D=0

+ Response 201
You should be able to see your example of request message-body in your traffic inspector under the "view URL encoded" link.
Refer to this blueprint to see this example in action.
Also refer to this SO question for further details on application/x-www-form-urlencoded.
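The encoding the answer describes, as an added example that is not part of the original answer: it flattens CakePHP-style nested form data into `data[User][field]` names, %-escapes them into an `application/x-www-form-urlencoded` body, and decodes strictly so that a pair with no `=` is rejected. The helper names and the `LOGIN` sample are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode


def flatten(prefix, value):
    """Yield (name, value) pairs in bracket notation, e.g. data[User][username]."""
    if isinstance(value, dict):
        for name, child in value.items():
            yield from flatten("%s[%s]" % (prefix, name), child)
    else:
        yield prefix, str(value)


def encode_form(data):
    """Build an application/x-www-form-urlencoded body from nested form data."""
    pairs = [pair for root, value in data.items() for pair in flatten(root, value)]
    # urlencode %-escapes the square brackets in the field names ([ -> %5B, ] -> %5D)
    return urlencode(pairs)


def decode_form(body):
    """Decode a body into flat field names; raises ValueError on a pair without '='."""
    return dict(parse_qsl(body, keep_blank_values=True, strict_parsing=True))


# Constructed sample using the field names from the question.
LOGIN = {"data": {"User": {"username": "qq", "password": "qq", "remember": 0}}}

if __name__ == "__main__":
    body = encode_form(LOGIN)
    print(body)
    print(decode_form(body))
```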

Related

HTTP GET from Tally - What's the format of TDL?

I am trying to GET some data from another server into Tally via an XML API. But from the Tally documentation, I can see how to do HTTP POST. But I don't know what is the step by step process to do the HTTP GET using RemoteURL TDL instruction and pass the HTTP Header parameters. Can somebody please help? A sample would be a great help. Thanks!
To fetch data from a remote URL, if you are using POST, you would need to create a report and attach it to the request - this report is actually the POST payload.
POST Request:
[Collection: MakePOSTRequest]
Data Source: HTTP JSON: <insert URL here>
Remote Request: <insert TDL Report Name here> : UTF8
Export Header: <Insert header here>
JSON Object Path: "."
For GET request, you don't need anything except the URL. In case you have query parameters, attach it to the URL directly.
[Collection: MakeGETRequest]
Data Source: HTTP JSON: <insert URL here>
Export Header: <Insert header here>
JSON Object Path: "."
Let's say you have one URL: http://localhost:8000/get_api_data, which accepts both POST and GET requests. Then for the POST request, you would add the parameters via the TDL report, whereas for the GET request, you'd simply add the parameters to the URL this way: http://localhost:8000/get_api_data?key1='xxx'&key2='yyy'.
Not Working for me too..
[Collection: MakeGETRequest]
Data Source: HTTP JSON: 'http://35.198.189.9/api/Send?UserId=11&Guid=123'
JSON Object Path: "."

"Missing Authentication Token" Error when calling DVLA MOT history API with Postman

Note - I am very much new to all this. Apologies if anything is unclear.
My overriding aim is to pull out MOT history data for a large batch of vehicles from the DVLA API. I understand that this can be done using Postman, which I am using (on a 64-bit Windows laptop if at all relevant).
The DVLA provide the following instructions
====================================================
Getting started
All API interfaces are implemented as restful APIs and accessed over https.
To access API you will need an API key that uniquely identifies the source of the request. DVSA will give you an API key if it approves your application.
You should keep your API key secure, as DVSA manages throttling and quotas at an API key level.
Each request must have the following mandatory fields in the header:
Accept: application/json+v6
x-api-key:
Content-type field confirms that the response type is in JSON format, and the x-api-key field serves your API key to identify the source of the request.
Technical resources
Access the API at https://beta.check-mot.service.gov.uk/
This root URL will change when the service moves from beta to live.
These 4 endpoints equate to the 4 methods of using the API:
/trade/vehicles/mot-tests?registration={registration}
‘Registration’ is the vehicle registration number.
===================================================
In order to test that this is possible, I am entering the following single request into the bar in Postman, selecting "POST" and hitting "SEND"
https://beta.check-mot.service.gov.uk/trade/vehicles/mot-tests?Content-type=application/json&x-api-key=ABCDEFGH&registration=MYREG
n.b. no inverted commas or other punctuation surrounds the actual values for ABCDEFGH or MYREG
Expected result: Some sort of JSON with MOT history for this vehicle
Actual result: {"message": "Missing Authentication Token"}{"message": "Missing Authentication Token"}
I am unclear on:
- whether I should be using POST
- what the +v6 after the application is necessary (other documentation leaves it out)
- Why "Accept" and "Content-type" appear to be used interchangeably in the documentation
- Whether the ordering of the parameters matters
- Whether this can be equally tested by simply pasting the url into a browser
Thanks for any help
Reading through the Documentation found here:
https://dvsa.github.io/mot-history-api-documentation/
It mentions that those fields should be added as Headers:
Each request must have the following mandatory fields in
the header:
- Accept: application/json+v6
- x-api-key: <your api key>
There are example cURL requests on the site to help you with creating the request.
If you use Postman's Import feature within the app (found in the top right), you can add this cURL request in the Paste Raw Text tab.
curl -H "Accept: application/json+v6" -H "x-api-key: <your_api_key>" https://beta.check-mot.service.gov.uk/trade/vehicles/mot-tests\?registration=ZZ99ABC
This will give you an example request of what it should look like. From here, you will be able to add in your own API Token and send the request.
If you are using Postman, you can use the Authorization tab right under the request to give the required mandatory header fields. Select Header from Add to drop down. You can also add additional headers information using the next tab named Headers. (for example, the accept-headers).
Edit:
Authorization:
Headers Tab
Normally, you should be getting the authorization token when you register to the site in question (x-api-key here). You need to figure out the value of that token from the initial call's response headers. According to the document which Danny shared, you will be getting x-api-key from them once they approve your request.
Edit:
Alternatively, you can use import feature as Danny suggested in his answer. At the end of the day, you need to add the values as headers instead of query parameters.
For anyone using Python with the MOT history api and getting the same error message, try GET:
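import requests

plate_number = 'ZZ99ABC'  # sample registration from the cURL example on this page
url = 'https://beta.check-mot.service.gov.uk/trade/vehicles/mot-tests'
headers = {
    'Accept': 'application/json+v6',
    'x-api-key': 'your-api-key',  # sent as a header, not as a query parameter
}
# GET request; the registration is the only query parameter
response = requests.get(url, headers=headers, params={'registration': plate_number})
response.raise_for_status()  # stop here on 4xx/5xx instead of parsing an error body
data = response.json()
model = data[0]['model']  # get the vehicle model for example
print(model)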

How to automate getting an 'authorizationCode' from Google's OAuth 2.0 authentication system [duplicate]

Certain APIs in my project can only be accessed via OAuth 2.0 using an encoded format. I am able to manually submit a POST using POSTMAN as it has the x-www-form-urlencoded feature to send the request (image attached). As a workaround, I created a java function to convert my json body to an encoded URI and passed as a variable. However, I am getting a "http call failed for URL" when running it. I was wondering if Karate has its own library to convert json to Encoded URIs.
Scenario: Json to Encoded URI on POST body
* def JavaDemo = Java.type('com.ge.health.gam.service.servicerequest.testsuite.CustomJavaClass')
* def encodedURI = JavaDemo.jsonToURI()
* print encodedURI
Given url 'http://location.ver02.geicenter.com/uaa/oauth/token'
And request encodedURI
When method post
Then status 200
com.intuit.karate.exception.KarateException: http call failed after 263 milliseconds for URL: http://location.ver02.geicenter.com/uaa/oauth/token
As suggested by Peter Thomas, I found the below to be able to submit requests via OAuth 2.0. In my case, I also had to install a required certificate in order to receive a valid response. You also have to take that into consideration.
Given path 'uaa', 'oauth', 'token'
And form field key = 'value'
And form field key = 'value'
And form field key = 'value'
And form field key = 'value'
When method post
Then status 200
Yes. Please refer to the documentation for form field. There is also an OAuth 2 example in the demos, look for it.
Also see: https://stackoverflow.com/a/58643689/143475

Generate API signature in request header from parameters in the request body

I'm using OWASP ZAP to test our API. We have a couple of POST endpoints which use an API Token and a shared secret for authentication and validating the request.
Some parameters of the request body are concatenated and hashed using the shared secret. This value is inserted into the request header.
How can I programmatically generate this signature using OWASP ZAP?
Request Header
Content-Type: "application/json"
Accept: "application/json"
API-Key: {API_KEY}
Signature: {hash(field_one + field_two + field_three + SHARED_SECRET)}
Request Body
{
"field_one": "abc",
"field_two": "123",
"field_three": "xyz"
}
The SHARED_SECRET is the password that is stored locally by the client and used to hash the three fields from the request.
It is stored on the server along with the API-Key so that requests can be identified and validated.
Use an HTTP Sender Script. Create it in the ZAP UI so that you can test it as you're writing it. First make sure you are just detecting the requests you want to change, then extract the field values you need and finally generate the hash. Keep testing at each stage to make sure it's doing what you need. And if you need specific help there's always the zaproxy-scripts group.
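The three stages from the answer (match the request, extract the fields, generate the hash), as an added example that is not from the original answer or the ZAP project. It uses the `sendingRequest`/`responseReceived` hooks of a ZAP HTTP Sender script written in Python; the post does not name the hash, so SHA-256 with a hex digest, UTF-8 encoding and the placeholder `SHARED_SECRET` value are assumptions.

```python
import hashlib
import json

# Assumptions, not from the post: SHA-256, lowercase hex digest, UTF-8 input.
SHARED_SECRET = u"constructed-shared-secret"  # placeholder value
SIGNED_FIELDS = ("field_one", "field_two", "field_three")


def compute_signature(fields, secret):
    """hash(field_one + field_two + field_three + SHARED_SECRET), as in the question."""
    material = u"".join(u"%s" % fields[name] for name in SIGNED_FIELDS) + secret
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def extract_fields(msg):
    """Return the parsed JSON body if this request should be signed, else None."""
    header = msg.getRequestHeader()
    # Stage 1: only touch POST requests that already carry an API-Key header.
    if header.getMethod() != "POST" or header.getHeader("API-Key") is None:
        return None
    # Stage 2: pull the signed fields out of the JSON body.
    try:
        body = json.loads(msg.getRequestBody().toString())
    except ValueError:
        return None  # body is not JSON: leave the request alone
    if not isinstance(body, dict) or any(n not in body for n in SIGNED_FIELDS):
        return None
    return body


def sendingRequest(msg, initiator, helper):
    """Called by ZAP before each request is sent."""
    fields = extract_fields(msg)
    if fields is not None:
        # Stage 3: generate the hash and place it in the Signature header.
        signature = compute_signature(fields, SHARED_SECRET)
        msg.getRequestHeader().setHeader("Signature", signature)


def responseReceived(msg, initiator, helper):
    """Part of the HTTP Sender script interface; nothing to do for responses."""
    pass
```

Because the signature is recomputed from the body on every send, requests whose body fields are modified during scanning still carry a matching `Signature` header.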

JMeter redirection URL

I'm trying to stress test a website where people are able to create reports which are stored in SQL, etc...
Let's say the page orders are the followings:
mywebsite.com/home
mywebsite.com/reports
mywebsite.com/reports/create
mywebsite.com/reports/2
As you can see, there is a sub-page called reports. It has a create button. Then the user is being redirected to the create sub-page. When it clicks the save button, it gets redirected straight to its reports sub-page. Now my issue is I don't see the redirection URL that is being received by the browser where to be redirected. Maybe the report ID will be 3 or 4, or 123.... etc. I want this value as a variable. At the create sub-page I have a Response code: 302 but I can't figure out where is it redirecting the user to and where can I modify this URL value.
When you are being redirected the server sends Location header which indicates where exactly you are being redirected.
In order to extract this redirect URL you can add Regular Expression Extractor postprocessor as a child of the main request and configure it like:
Apply to: Main sample and sub-samples
Field to check: Response headers
Reference Name: anything meaningful, i.e. location
Regular Expression: Location: (.*)
Template: $1$
Assuming everything goes well you should be able to refer the extracted value as ${location} where required.
References:
Using RegEx (Regular Expression Extractor) with JMeter
JMeter: Regular Expressions