API tests

In the realm of web and app development, where data interaction via APIs is ubiquitous, robust API testing is crucial for a project's success. Effective tests not only ensure the application's stability and security but also instill confidence in its functionality. This topic delves into API testing, focusing on various aspects—including testing core API views and simulating user sessions.

You'll learn how to use Django and Python tools to write tests, handle user input securely, and view Django as a black box to simplify testing. This exploration traverses two crucial dimensions: API tests for external services and Django API tests for our service. This dual focus lays the groundwork for a comprehensive journey, equipping you with insights into testing strategies for both external interfaces and the intricacies of Django applications. Let's begin this exploration, untangle the complexities, and arm you with the skills needed to navigate the diverse challenges of API testing.

Testing your API views

The first critical step in testing is verifying API views. You need to ensure that your API touchpoints work correctly. Python and Django often utilize the requests library for this task.

Firstly, install this library:

pip install requests

About the installed version, run:

pip show requests

This command showcases information about the requests library, including its version if installed. If the library is not installed, this command will not output anything. The recent version of the requests library is 2.31.0, released on May 22, 2023.

The requests library is a much-used tool in the Python programming language for dispatching HTTP requests and handling HTTP responses. With a convenient, simple interface for interacting with web servers, it serves as the perfect choice for API testing, web scraping, and other scenarios.

For instance, suppose we have a GET endpoint at https://api.example.com/data that provides a text response, and a POST endpoint at https://api.example.com/post-endpoint that expects to receive specific data. You can use the requests library to interact with these endpoints and examine the responses. You can also test GET and POST requests using the requests library:

import requests

# testing GET requests 
response = requests.get('https://api.example.com/data') 
print(response.text)

# testing POST requests
data = {'key': 'value'} 
response = requests.post('https://api.example.com/post-endpoint', data=data) 
print(response.text)

You can thoroughly analyze your responses:

import requests

response = requests.get('https://api.example.com/data')
print(response.status_code)  # HTTP-status code
print(response.headers)      # response headers
print(response.text)         # response text
print(response.json())       # Convert JSON response to dictionary

Also, you can handle errors, for example, related to a request to a non-existent endpoint like https://api.example.com/nonexistent-endpoint:

import requests

try:
    response = requests.get('https://api.example.com/nonexistent-endpoint')
    response.raise_for_status()
except requests.exceptions.HTTPError as err:
    print(f"HTTP Error: {err}")
except requests.exceptions.RequestException as err:
    print(f"An error occurred: {err}")

Within the context of API testing, the requests library offers convenient tools for sending requests and parsing responses, making tests easier and more efficient.

So, while testing APIs using requests proves handy, some aspects of the API might be challenging or even impossible to test with this approach:

• Large number of parameter combinations: testing all possible combinations of API parameters can be challenging. Each additional parameter increases the number of potential combinations exponentially, rendering manual testing impractical.

• Validating API parameters: verifying parameters passed through API requests can be challenging. Without careful scrutiny, incorrect parameters might trigger crashes or unexpected program behavior.

• Maintaining data formatting: in API testing, data formatting describes a schema that defines how data is formatted. You should consistently update this diagram to include new parameters.

• API request limits and quotas: some APIs may limit the number of requests within a specific time frame. This could make testing large couples of queries or scenarios demanding high throughput challenging.

• Middleware interaction testing: requests does not support middleware interaction testing, which may be essential for some applications.

While testing external services occasionally necessitates facing these challenges, you have a more favorable tool at your disposal for your own Django projects. Let's examine this approach.

Testing your own API Views with Django Client

Django Client is a tool provided by Django for testing web applications, including API views. Django Client offers a convenient interface for sending HTTP requests to your application, enabling you to mimic API interactions in a test environment.

To begin using the Django Client, import it from the django.test module. Establish an instance of the Client() class that will represent your HTTP requests. You can use this instance to send different kinds of requests such as GET, POST, PUT, DELETE, and more to mimic interactions with your API.

from django.test import Client

client = Client()

Suppose we have a GET endpoint at /api/data/ that provides a response, and a POST endpoint at /api/create/ that expects to receive specific data. You can use Client to submit a GET request to the API endpoint:

response = client.get('/api/data/')

if response.status_code == 200:
    print('Success! Response data:', response.json())
else:
    print('Error! Status code:', response.status_code)

You can also submit POST requests with data using the post() method:

data = {'key': 'value'}
response = client.post('/api/create/', data)

if response.status_code == 201:
    print('Object created successfully!')
else:
    print('Error! Status code:', response.status_code)

Django Client also enables you to add headers to requests, emulate authentication, manage cookies, and much more.

Django Client supports authentication, an advantage when testing views that require an authenticated user. This becomes especially useful when testing APIs exhibiting different behaviors based on whether the user is authenticated or not:

from django.test import Client, TestCase
from django.contrib.auth.models import User
from django.urls import reverse

class TestMyView(TestCase):
    def setUp(self):
        # create a Client instance
        self.client = Client()

        # create a user
        self.user = User.objects.create_user(username='testuser', password='12345')

    def test_authenticated(self):
        # authenticate the user
        self.client.login(username='testuser', password='12345')

        # making a request to the view
        response = self.client.get(reverse('my_view'))

        # checking that the response was successful
        self.assertEqual(response.status_code, 200)

        # checking that the user is authenticated
        self.assertEqual(str(response.context['user']), 'testuser')

    def test_unauthenticated(self):
        # making a request to the view
        response = self.client.get(reverse('my_view'))

        # checking the redirect
        self.assertEqual(response.status_code, 302)

        # checking that the user is not authenticated
        self.assertEqual(str(response.context['user']), 'AnonymousUser')

In this example, we create a test user and use it for authentication using self.client.login(). We then submit a request to the view and verify that the response was successful and the user is authenticated.

In the second test, we make a request to the same view, but without user authentication. We verify that a redirect has occurred (normal behavior for views requiring authentication) and the user is not authenticated. This approach ensures that our view correctly handles both authenticated and unauthenticated users.

Django Client supports middleware, enabling you to test how your application engages with the middleware. This becomes useful when testing aspects such as error handling managed by middleware.

So, the Django Client equips developers with a feature-loaded, convenient method of testing APIs within Django applications. Utilize it to create automated tests, ensure requests are processed accurately, and confirm your API runs smoothly.

Now that we've explored testing API endpoints, let's discuss which aspects you should concentrate on when testing.

Never trust user input

A paramount rule in test design is to approach user input or any data received through your project's API with caution. This key principle significantly boosts the security and reliability of your web application. Although there are other principles, like those highlighted in OWASP-10, remembering this one can immensely improve your application's overall stability.

When scripting tests for APIs, pay special attention to validating input data and checking for unauthorized values. If you're using API frameworks (like DRF), it's a good idea to explore the framework's built-in mechanisms that help validate user input. In DRF, we have handy query validation vehicles, such as serializerss and built-in validators, which ensure data from the user meets the expected format and requirements.

Suppose we have an app named myapp with MyModel model and a 'create-object' endpoint in there. An example test that checks data validation when creating an object via the API could look like:

from django.test import Client
from django.urls import reverse
from rest_framework import status
from myapp.models import MyModel

client = Client()

def test_create_object_valid_data():
    # valid data for object creation
    valid_data = {'name': 'Valid Name', 'value': 42}

    # sending a POST request to an API endpoint
    response = client.post(reverse('create-object'), data=valid_data)

    # checking response status
    assert response.status_code == 201

    # verifying that the object was successfully created in the database
    assert MyModel.objects.filter(name=valid_data['name']).exists()

This test submits a POST request to the API endpoint to create an object with valid data, verifies that the response status is 201, and ensures the object was added to the database successfully.

In general, when scripting tests for APIs with DRF, it's paramount to focus on the validation and security of user-provided data to ensure the API's stability and security.

Using Django as a Black Box

When you use Django as a black box, you concentrate on testing the external behavior of your web application, not the minutiae of its internal workings. This is beneficial when it's not necessary to scrutinize every detail of your functionality, but you want to ensure that your API endpoints are operating correctly. With Django testing via pytest-django, the black box approach is simplified, providing handy methods for crafting tests.

First, you need to install pytest-django using pip:

pip install pytest-django

Then, you can craft tests using standard pytest syntax:

import pytest
from django.test import RequestFactory
from django.urls import reverse
from app.views import TestingView # view that does something simple with the request

@pytest.mark.django_db
def test_your_view(client):
    # create a request object
    request = RequestFactory().get(reverse('view_url'))

    # call the view by passing a request
    response = TestingView.as_view()(request)

    assert response.status_code == 200

In this sample, @pytest.mark.django_db demands the use of a Django database for tests. The client parameter, provided by pytest-django, symbolizes a Django test client for sending HTTP requests.

We use RequestFactory to build request instances, which can then become the primary argument to any view. This permits you to scrutinize a view function just like any other function – as a black box, with precise inputs, gauging for specific outputs.

You can execute your tests using the command below:

pytest

This command instructs pytest to identify and run all tests in the current directory and its subfolders.

You should receive output similar to the following after running the command:

============================= test session starts ==============================
platform linux -- Python 3.8.5, pytest-6.2.1, py-1.10.0, pluggy-0.13.1
Django settings: mysite.settings (from ini file)
rootdir: /path_to_your_project, configfile: pytest.ini
plugins: django-4.1.1
collected 1 item                                                               

path_to_your_test_file.py .                                              [100%]

============================== 1 passed in 0.12s ===============================

In the place of your_test_file.py, substitute the real name of your Python file that contains the test.

The output showcases the count of tests that were collected and whether they succeeded or not. In our sample, the lone test in your file is depicted by a dot, indicating its success.

If any failures occur, pytest will offer comprehensive information about the flawed tests, making it simpler to spot and tackle issues.

Black box testing of Django offers several perks:

Isolation: Conducting black box testing on views allows you to separate the view's functionality from the rest of the system. This means you're only testing what the view does, without involvement from the rest of the system. This potentially reveals errors in the view that might otherwise stay hidden by more complex tests.

Reality Matching: Black box view testing replicates a real user's interaction with your application via a web interface, which helps ensure your application behaves as expected in real-world scenarios.

Simplicity: Black box testing is generally simpler and quicker than white box testing (a method where the tester gets full access to the internal structure and code of the API, enabling detailed analysis of its composition to identify potential issues and verify proper functioning). Here, there's no need for exhaustive understanding of the system's internal workings; instead, you just check that given a certain input, the system does what you anticipate.

Reuse: Since black box tests are independent of the system's internal architecture, they can be effortlessly reapplied across different areas of your application, which enhances the efficiency of your testing process.

It should be noted, however, that black box testing may not always be the best choices in all cases. For instance, when you are trying to troubleshoot a complex problem, white box testing—which affords full access to all internal structuring and operations of the system—may prove a more suitable tactic.

Simulating user sessions

Simulating user sessions in API testing is an important aspect to verify the functionality of the features associated with interacting with the application within user sessions. In this context, the use of the Faker library in Python becomes a valuable tool for creating realistic and random data that emulates the behavior of real users.

To install Faker, use

pip install faker

Simulating user sessions using the Faker library provides the ability to create realistic test scenarios with fictitious data. Faker allows you to generate random but reliable data, which can be useful for creating a variety of user sessions in tests. To simulate user sessions using Faker, you can create fictitious users, generate unique names, email addresses, passwords and other data. This is especially useful when testing systems where authentication or authorization is required, such as web applications or APIs.

Consider a scenario where we aim to verify that a user can successfully log in using the /api/token/ endpoint by providing a username and password. Subsequently, the user should be able to submit data to the /your/protected/endpoint/ with a specified payload. Here's how you can simulate users and sessions with Faker:

from rest_framework.test import APITestCase
from django.contrib.auth.models import User
from rest_framework.authtoken.models import Token
from faker import Faker

fake = Faker()

class UserSessionTest(APITestCase):
    def create_fake_user(self):
        return User.objects.create_user(
            username=fake.user_name(),
            password=fake.password(),
            email=fake.email()
        )

    def test_user_session_simulation(self):
        # create fake user
        fake_user = self.create_fake_user()

        # authentication
        response = self.client.post('/api/token/', data={
            'username': fake_user.username,
            'password': fake_user.password,
        })
        self.assertEqual(response.status_code, 200)

        # extract the token from the response
        token = response.data['access']

        # set the token in the header for authorization
        self.client.credentials(HTTP_AUTHORIZATION=f'Bearer {token}')

        # create fake data that can be associated with a user session
        fake_data = {
            'field1': fake.word(),
            'field2': fake.random_number()
        }

        # send a request to a secure endpoint with an authorization token
        response = self.client.post('/your/protected/endpoint/', data=fake_data)
        self.assertEqual(response.status_code, 200)

Using Faker, you have flexible control over test data generation, which helps you create a variety of user sessions to test different use cases in your tests. With this library you can effectively simulate a variety of situations, verify system functionality, and ensure that the application correctly processes a variety of data across user sessions. There are many scenarios for using faker to simulate user sessions and more, you can read more in the documentation.

Conclusion

We've covered important aspects of API testing, from testing key touchpoints to simulating user sessions.

The requests library can be sed to send HTTP requests and validate responses, and the Django Client is useful for testing web applications, including APIs. Additionally, we have emphasized the principle of “Never trust user input”, which plays an important role in ensuring the security and reliability of web applications.

Using Django as a black box helps to focus on testing the external behavior of the application, which makes the tests more flexible and resistant to changes in internal logic. pytest-django makes it easier to write black-box style tests. You can read more about this library in the documentation.

Faker provides tools to generate realistic data, which helps you create a variety of test scenarios and simulate user sessions. The examples of using the library in Django and DRF tests highlighted how easy it is to simulate different data usage scenarios, thereby ensuring the stability and security of the application.

Overall, these methods and tools not only provide effective testing, but also build confidence in the functionality, stability and security of your project, which is key in the world of web and app development.