Does It Really Work? Testing API Calls (Part II)

Published by Gil Zilberfeld on

Testing APIs is complex, but in the end, we’re making a request, look at the response, and need to consider – did it work? Did it affect the system in the way I expect it?

Last time, we created a record, with a POST call, which looked like it worked. But then we looked for the created record in two ways: we issued a specific GET for that record, and a GET all records. Neither brought it back.

A mystery waiting to be solved? Here’s the solution.

If you read through the documentation, you’ll see that JSONPlaceHolder is really a mocked site (it even says so in their subtitle). It returns mocked answers. So adding that blog post record didn’t change anything in it. It will always return the original 100 records. It ignores adding records, or deleting them, or changing their data.

Which is a nice anecdote, but what have we learned? First, read the docs. But let’s talk about the general case of testing APIs.

APIs Can Be Deceiving

First, even if one request looks like it’s working, it doesn’t mean it actually does.
We looked for clues if a request is working (looking at the status code and response). But in order to trust that it actually does, we needed to check THE FEATURE. Not just the specific API.

The “feature” here was basic CRUD information – storing new data, and looking for it. Only by failing the GET we understood that the POST lied to us.

While we stopped when we smelled a rat, we didn’t try a handful of other methods that the site says it supports: Patching, updating and deleting – which are all part of the blog post management feature. When checking real features like that, we should check those too.

Here’s an example of DELETE-ing a record:

Making a DELETErequest for deleting a non-exisintg blog post for userID using Postman for APIs Testing.

As you can see, it lies to our face – a 200 status code for deleting a non-existent record.

In real life applications, to check the feature, I would test for all these data related operations, and if they work as I expect, then I will report the feature is working. Not just the return code, but also if that data is manageable, and if I can do something with it later.

But that also, doesn’t always tell the whole truth.

The HTTP Honor System

When we did the HTTP POST request, we looked at the status code, saw that it was 201, and felt that it’s working – we thought we’ve added a record, and a 201 “Created” response is a good response.

Now, what happened if it had returned a 200? Just “OK”. Would that be a bug?

Well, it depends. After all, nothing is really working. Returning 200 instead of the 201 is really a small bug compared to what we have here.

But let’s pretend it did work. And let’s pretend the documentation doesn’t tell us what we should expect. Is a 200 code a wrong status code for creating a record?

Legally speaking, nope. There are no rules as to what requests should return. There are conventions – it would be nice to get a 201 for a CREATED record. But nobody enforces this. There is no HTTP police.

The whole thing is built like an honor system, and is completely in the hands of developers. If the API is a contract for external users, we can treat a wrong status code as a bug, but again, that is probably not a big problem as other things. If it’s an internally used API, that matters even less.

Another example is with deleting records. In financial or medical applications, anything that’s regulated, you can’t just delete data. That means that even if the DELETE request returns a 200 code, the data may not have been completely erased. We need to understand that feature in context, to evaluate if it’s working correctly.

The way we think about features, not focusing on the APIs, holds true for bugs too. If the users perceive broken functionality, it comes from the features, not from specific APIs. Oh, and usually the fix is not around a single API either.

We need to think about features and behaviors across multiple APIs, when we’re testing. Don’t believe your eyes, as single APIs don’t tell the entire story. And don’t trust status codes either, they don’t always tell the (whole) truth.

And while you contemplate right and wrong, check out my “Testing APIs with Postman” workshop, where the right amount of doubt is discussed, and how to manage it.

Categories: Uncategorized

1 Comment

Software Testing Notes · November 4, 2023 at 10:35 am

[[..Pingback..]]
This article was curated as a part of #109th Issue of Software Testing Notes Newsletter.
https://softwaretestingnotes.substack.com/p/issue-109-software-testing-notes
Web: https://softwaretestingnotes.com

Reply

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

API Complexity and input data

Why API Testing Is Complex – Input Data

I’ve given an example of how API testing can get complex. Let’s talk about more options to make things not so simple: Input data . The number of cases we can think of to test, Read more…

Simple yet Complex API

Why API Testing Is Complex – An Example

Years ago, I started working with a client, where the developers were doing all the API testing. They had great coverage, and it was easy to measure it, too. They had an Excel sheet with Read more…

Black box vs white box testing

Better API Testing – A Boxing Match

APIs are interfaces. It’s in their name. Interfaces in software allow to decouple the “what” from the “how”. The function from the implementation. API testing should reflect that, right? For example, when a user calls Read more…