Api FUNdamentals #MHA2017
0 likes429 views
- The document introduces APIs and provides an overview of what they are, how they work, and strategies for testing APIs. - It discusses RESTful principles, how HTTP requests and responses work, authentication methods like OAuth and JWT, and tools for testing APIs like Postman. - Examples are given around making GET and POST requests to APIs and checking the status and response to demonstrate how APIs can be interacted with and tested.
![Body
• Data to send with the
request – usually for a
POST or PUT
• Data format – xml,
json, etc. - is specified
by the content-type
header
{
"location": {
"lat": -33.8669710,
"lng": 151.1958750
},
"accuracy": 50,
"name": "Google Shoes!",
"phone_number": "(02) 9374
4000",
"address": "48 Pirrama Road,
Pyrmont, NSW 2009, Australia",
"types": ["shoe_store"],
"website":
"http://www.google.com.au/",
"language": "en-AU"
}](https://image.slidesharecdn.com/api-fundamentals-170522185246/85/Api-FUNdamentals-MHA2017-19-320.jpg)
Api FUNdamentals #MHA2017
- 1. Welcome! • We’ll use postman for some of our examples. If you would like to follow along, download postman now. www.getpostman.com. • Feel free to pair with someone! • Our Postman demo collection will be available with our presentation materials. • Follow @apidemo_carter onTwitter!
- 2. JoEllen Carter / Lisa Crispin
- 3. Overview • What is an API? • History of API growth • Current API landscape • HowAPIs work, including some hands-on demos • Strategies and tools for testing an API • API Stories
- 5. !!!
- 6. Interfaces • Touch • Voice • Sight
- 9. 2000 2002 2004 2006 2008
- 11. Why RESTful? • REST: Representational state transfer • Uniform and predefined set of stateless operations • People can “just know things” about an API that’s RESTful
- 13. How does an Application Programming Interface Work?
- 14. RPC SOAP HTTP HTTPS CoAP …
- 16. URL https://api.twitter.com/1.1/statuses/update.json?status=testing {base url} / {version} / {endpoint} ? {query parameters}
- 17. GET • Get some data about an object or ‘resource’ POST • Create a new resource PUT • Update a resource DELETE • Delete a resource Methods
- 18. Headers • Headers are key/value combinations that specify additional information about the request • Some common request headers are: • Content-type • Authentication • Accept • Origin
- 19. Body • Data to send with the request – usually for a POST or PUT • Data format – xml, json, etc. - is specified by the content-type header { "location": { "lat": -33.8669710, "lng": 151.1958750 }, "accuracy": 50, "name": "Google Shoes!", "phone_number": "(02) 9374 4000", "address": "48 Pirrama Road, Pyrmont, NSW 2009, Australia", "types": ["shoe_store"], "website": "http://www.google.com.au/", "language": "en-AU" }
- 20. What about cookies? • Restful API requests should be self-reliant • Cookies are session-dependent, so not independent • Using cookies to store data means your API is not Restful
- 21. Authentication • Insecure - Authorization token in url • https://api.darksky.net/forecast/{{token}} /39.9026420,-105.0905190 • https://maps.googleapis.com/maps/api/p lace/nearbysearch/json?key={{googlema psKey}} • Basic • Username:password are concatenated and encoded • Sent in Authorization header
- 22. Authentication - Oauth • Oauth1/2 - https://oauth.net/ Service Provider
- 24. Authentication - JWT JSON WebToken https://jwt.io/ - an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. • Header – type of token (JWT) and hashing (signing) algorithm • Payload – contains ‘claims’, or information about the user • Signature = signature from header-specified algorithm using encoded Header + encoded payload + secret
- 25. Let’s try a GET now… • We’ll hit the dark sky api to get our current weather
- 27. OK200 Bad Request400 Forbidden403 Not Found404 Internal Server Error500 Service Unavailable503 GatewayTimeout504 Common Status Codes
- 28. Let’s try a POST now… • We’ll post a tweet from #MHA2017
- 30. Security • Basic • Authentication tokens are valid/present • Account boundaries are not violated • SSL is enforced/warned when not present • Hacker-in-training • Injection points – headers, parameters, body • Recording tools – what is exposed/available • White Hat hacker - OWASP • Rest Security Cheat Sheet • OWASP top 10 security vulnerabilities – new section on Under-protected APIs
- 31. Functional • Basic • Correct status codes are generated for invalid inputs • Request/response bodies contain the correct content type and schema • Backwards-compatibility for public APIs - previous tests continue to pass or breaking changes are clearly documented – aka regression testing • Advanced • Join API requests together to mirror application functionality
- 32. Exploratory • Identify the variable bits - things that can/will/might change • Requests – • Method • Mix/match endpoints • Parameters • Headers, especially content type • ContentType • Size, Depth - images, json/xml nesting • Timing & Frequency – what happens with caching?
- 33. Heuristics • Apply Heuristics to the variables • Zero, One, Many • Some, None,All • Beginning, Middle, End • Too Many,Too Few • Relative Position, i.e. content
- 34. Automation • Part of your CI/CD pipeline • Part of development process since tests can be run in both local and pre-production environments • Performance • Combine tests with monitoring • Tools • Postman • Command line runner that can be integrated into your CI • Developer adoption is high • Runscope • Powerful code snippets
- 35. Supporting an API Tracker API, rewritten in 2012-13 • Our own client software uses public API, same as customers • With some private endpoints • Leading practices: RESTful, JSON in & out, • Versioning • Only changes are additions • Promote new endpoints through various stages • “edge” version • Metadata-driven • Reference doc generated from metadata and unit test outputs
- 36. Long-term results • Few support requests • Thanks to comprehensive unit tests, comprehensive doc & examples • Comprehensive doc for devs to introduce new endpoints • Many new endpoints added • Mostly without pain – one backwards compatibility issue • Postman regression tests run in CI in addition to unit tests • Include performance checks
- 38. Take-aways • APIs are the engine behind the apps we use every day • APIs are an integral part of our agile processes - APIs make apps more testable, and can be tested! • APIs add value to your product - maybe your company/product/team needs an API? • You’ve learned some terms about RESTful web services – go forth and learn more!
- 39. Links • ProgrammableWeb • API Security Testing • OWASPTop 10 Project • List of HTTP Header fields • Varonis - Introduction to Oauth • Oauth.net • Understanding rest and rpc