How you approach testing an API depends on a lot of things.
Will the API be a public API that will be consumed by some external people/systems, or is it a part of a larger product's infrastructure?
Logically, an API can be a COM interface, a DLL, a JAR, or a REST web service.
There are different approaches that can be applied to test it.
An internal API can be tested through unit testing and through use of the product that consumes it.
If it is an externally consumable API then you need to be much more thorough because people could use it in different ways than you might expect and send data in much different formats, etc. It also usually needs to make sense, be intuitive and be well documented if it is externally consumable.
Testing an API nearly always requires you to create some sort of consumer for testing purposes. You have to create an application to interact with the API. The application is usually very simple and is driven by automated test cases with little or no manual interaction.
If the API has dependencies, you may choose to mock those dependencies out so you can more thoroughly test all of those interactions and hit all of the positive and negative code paths.
Suppose an API interacts with a database and performs CRUD operations:
Create an invalid record that violates a business rule, such as a foreign key violation, a unique key constraint violation, a NOT NULL violation, or even a precision violation. Analyse how the system behaves under these kinds of tests.
Read some records when the row count of a table is huge, measure how long the read takes, and note whether the query times out on the server; this is a typical bug seen in almost every system early in its development.
Update a set of records with valid business rules, then with invalid business rules and invalid constraints. Also test simultaneous updates involving pessimistic and optimistic locks.
Delete a set of records that involves a cascade delete, and delete non-existent records. Many of the use-case scenarios that come up in a system will serve as criteria for API testing.
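The create, update and delete checks above can be scripted against a throwaway database. The following is an added example, not code from the original post: the `customer`/`orders` schema, the `version` column used for optimistic locking, and all function names are assumptions made for illustration, and SQLite stands in for whatever database the API actually uses.

```python
import sqlite3

def open_db():
    """In-memory schema (constructed for this example) with one constraint of each kind."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces foreign keys when asked
    db.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE);
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customer(id) ON DELETE CASCADE,
            amount NUMERIC NOT NULL CHECK (amount = ROUND(amount, 2)),
            version INTEGER NOT NULL DEFAULT 1);
    """)
    db.execute("INSERT INTO customer (id, email) VALUES (1, 'a@example.test')")
    db.execute("INSERT INTO orders (id, customer_id, amount) VALUES (10, 1, 19.50)")
    db.commit()
    return db

def rejected(db, sql, params=()):
    """Return the constraint kind the database reports, or None if the write was accepted."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc).split(" constraint")[0]

def update_amount(db, order_id, amount, expected_version):
    """Optimistic lock: the write only lands if nobody bumped the version first."""
    with db:
        cur = db.execute(
            "UPDATE orders SET amount = ?, version = version + 1 "
            "WHERE id = ? AND version = ?", (amount, order_id, expected_version))
    return cur.rowcount == 1

def delete_customer(db, customer_id):
    """Return (customers deleted, orders left for that customer) to expose cascade behaviour."""
    with db:
        deleted = db.execute("DELETE FROM customer WHERE id = ?", (customer_id,)).rowcount
    left = db.execute("SELECT COUNT(*) FROM orders WHERE customer_id = ?",
                      (customer_id,)).fetchone()[0]
    return deleted, left
```

A second `update_amount` call that reuses an already consumed version number returns `False`, which is the lost-update case a simultaneous-update test should look for.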
Below are a few fundamental tests that are relevant in this space:
1. Verify the API response code for a valid request.
2. Verify the API response code for an invalid request.
3. Verify the API response time for a valid request.
4. Verify the API response time for an invalid request.
5. Verify the API response message for a valid request.
6. Verify the API response message for an invalid request.
7. Verify the API response content for a valid request.
8. Verify the API response content for an invalid request.
9. Verify the API response format for a valid request.
10. Verify the API response format for an invalid request.
11. Verify the API response size for a valid request.
12. Verify the API response size for an invalid request.
13. Verify the API response headers for a valid request.
14. Verify the API response headers for an invalid request.
15. Verify the API request method for a valid request.
16. Verify the API request method for an invalid request.
17. Verify the API request parameters for a valid request.
18. Verify the API request parameters for an invalid request.
19. Verify the API request payload for a valid request.
20. Verify the API request payload for an invalid request.
21. Verify the API authentication for a valid request.
22. Verify the API authentication for an invalid request.
23. Verify the API authorization for a valid request.
24. Verify the API authorization for an invalid request.
25. Verify the API rate limiting for a valid request.
26. Verify the API rate limiting for an invalid request.
27. Verify the API error handling for a valid request.
28. Verify the API error handling for an invalid request.
29. Verify the API security for a valid request.
30. Verify the API security for an invalid request.
31. Verify the API response time under high load.
32. Verify the API response time under low load.
33. Verify the API response for edge cases (empty, null, negative values, etc.).
34. Verify the API response when input is out of range.
35. Verify the API response when input is invalid.
36. Verify the API response when required fields are missing.
37. Verify the API response when optional fields are missing.
38. Verify the API response when the input is too long.
39. Verify the API response when input is too short.
40. Verify the API response when input contains special characters.
41. Verify the API response when input contains non-ASCII characters.
42. Verify the API response when input is case-sensitive.
43. Verify the API response when input is case-insensitive.
44. Verify the API response when input contains HTML or JavaScript tags.
45. Verify the API response when input contains SQL injection.
46. Verify the API response when input contains a cross-site scripting (XSS).
47. Verify the API response when input contains malware or viruses.
48. Verify the API response when input contains sensitive information.
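Several of the checks in this list (response code, headers, request method, authentication, missing fields, over-long input, special characters) fit naturally into one table-driven test consumer. The following is an added example, not code from the original post: the `POST /items` endpoint, the 64-character limit, the token value and the chosen status codes are all hypothetical, and the stand-in API is driven in-process through WSGI so the suite runs without a network.

```python
import io, json
from wsgiref.util import setup_testing_defaults

MAX_NAME = 64                      # hypothetical limit enforced by the stand-in API
TOKEN = "Bearer test-token"        # constructed credential, not a real secret

def app(environ, start_response):
    """Stand-in API under test (hypothetical): POST /items with a JSON body {"name": ...}."""
    def reply(status, obj):
        body = json.dumps(obj).encode()
        start_response(status, [("Content-Type", "application/json")])
        return [body]
    if environ["REQUEST_METHOD"] != "POST":
        return reply("405 Method Not Allowed", {"error": "method"})
    if environ.get("HTTP_AUTHORIZATION") != TOKEN:
        return reply("401 Unauthorized", {"error": "auth"})
    try:
        size = int(environ.get("CONTENT_LENGTH") or 0)
        name = json.loads(environ["wsgi.input"].read(size))["name"]
    except (ValueError, KeyError, TypeError):
        return reply("400 Bad Request", {"error": "body"})
    if not isinstance(name, str) or not 0 < len(name) <= MAX_NAME:
        return reply("422 Unprocessable Entity", {"error": "name"})
    return reply("201 Created", {"name": name})

def call(method="POST", token=TOKEN, raw=b"{}"):
    """Test consumer: drive the app in-process and return (status code, headers, parsed JSON)."""
    env = {"REQUEST_METHOD": method, "PATH_INFO": "/items", "HTTP_AUTHORIZATION": token or "",
           "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw)}
    setup_testing_defaults(env)    # fills in the remaining WSGI keys without overriding ours
    seen = {}
    def start_response(status, headers):
        seen.update(code=int(status.split()[0]), headers=dict(headers))
    body = b"".join(app(env, start_response))
    return seen["code"], seen["headers"], json.loads(body)

def run_suite():
    """Table of (case, request kwargs, expected status); returns the names of failing cases."""
    markup = "<b>O'Brien & co</b> \u00e9"      # special, HTML and non-ASCII characters
    cases = [
        ("valid", dict(raw=json.dumps({"name": "widget"}).encode()), 201),
        ("wrong method", dict(method="GET"), 405),
        ("no credentials", dict(token=None), 401),
        ("missing required field", dict(raw=b"{}"), 400),
        ("malformed JSON", dict(raw=b"{not json"), 400),
        ("name too long", dict(raw=json.dumps({"name": "x" * 65}).encode()), 422),
        ("markup handled as data", dict(raw=json.dumps({"name": markup}).encode()), 201),
    ]
    return [n for n, kw, want in cases if call(**kw)[0] != want]
```

An empty list from `run_suite()` means every case produced the expected status; `call()` also returns the headers and parsed body so the same table can be extended with content and format checks.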