Testing of Integration APIs

Raviteja Anumalasetty
Published in RTL Tech, Jan 3, 2023

APIs are becoming an integral part of the modern enterprise, fuelling digital transformation by providing quick and reliable intra- and inter-company communication. While they provide flexibility, proper testing of APIs is necessary to ensure they meet expectations.

API is an acronym for Application Programming Interface. In software application (app) development, API is the middle layer between the presentation (UI) and the database layer. APIs enable communication and data exchange from one software system to another.

API testing is a software testing practice that tests the APIs directly — from their functionality, reliability, performance, to security. Part of integration testing, API testing effectively validates the logic of the build architecture within a short amount of time.

Phases of Testing an API

i. Validation Testing:

API validation testing is a type of software testing that ensures that an application programming interface (API) performs as expected and meets the requirements of its specification before it is built.

This type of testing is usually done after the design phase and before development begins. Once the API is designed, it can be mocked to simulate the expected requests and responses. This reproduces the behavior without the actual implementation and avoids the need to change the API after it is built. Integration tools such as MuleSoft provide features to design, mock and validate APIs without the need to write code.

ii. Unit Testing:

A unit test verifies a small portion of your code independently from other modules of your application. It is a form of white box testing in which individual components of an API are tested to check that each works as expected, including logic, transformations, error handling etc.

A few examples of unit testing include:

  • Verifying that a method returns an expected value
  • Verifying that an exception is thrown for a specified condition
  • Verifying that the expected error handling scenario is invoked for the corresponding error type
  • Verifying the state of the system at a certain step in the process

In unit testing, especially for APIs, we often need to mock the output from a particular step of the process, for example the output of a database or the response from another system. In these cases, stubs/mocks are generally used to mimic that behaviour.

With unit testing, it is essential to measure code coverage to ensure that all the units that constitute the API are covered by unit tests. The higher the code coverage, the better the quality of the API. In general, a code coverage of more than 70% is considered good coverage. MuleSoft provides MUnit, a unit testing framework to perform unit testing of applications, calculate code coverage and integrate the tests into CI/CD pipelines.

Together with unit testing, it's also essential that the code works as expected even after integrating with other components. There could be a chance of conflict after integration, so it's important to write integration tests as well.

iii. Integration Testing

An API often involves interaction with another system/service. The more interconnected the parts, the higher the likelihood of conflicts or something going wrong. It is essential to see if the API works together with these services in synergy. An integration test combines individual units of work and tests them as a group.

In an ERP API, you may want to return the details of a particular order by connecting to the backend database service.

In this scenario, you want to test:

a. The behaviour of the API to connect and fetch the data from the database

b. How the API handles the connectivity errors when the database goes down

c. How it handles the errors when bad data is passed to the database
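The three scenarios above as an added example (not code from the original article): a hypothetical `get_order` handler is exercised against an in-memory SQLite database standing in for the ERP backend. The table, column names and sample order are constructed for illustration.

```python
import re
import sqlite3

def get_order(conn, order_id):
    """Hypothetical order-lookup handler returning (http_status, body)."""
    # Case c: reject bad data before it reaches the database.
    if not isinstance(order_id, str) or not re.fullmatch(r"[0-9]{1,10}", order_id):
        return 400, {"error": "order_id must be numeric"}
    try:
        # Parameterized query: the input is bound as data, never spliced into SQL.
        row = conn.execute(
            "SELECT id, customer, total FROM orders WHERE id = ?", (int(order_id),)
        ).fetchone()
    except sqlite3.Error:
        # Case b: database unavailable; answer generically, leak no driver details.
        return 503, {"error": "order service unavailable"}
    if row is None:
        return 404, {"error": "order not found"}
    return 200, {"id": row[0], "customer": row[1], "total": row[2]}

def make_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.execute("INSERT INTO orders VALUES (1001, 'ACME Ltd', 249.5)")
    conn.commit()
    return conn

def run_integration_tests():
    """Run scenarios a, b and c and return each (status, body) by name."""
    results = {}
    conn = make_db()
    results["a_fetch"] = get_order(conn, "1001")            # a. connect and fetch
    results["a_missing"] = get_order(conn, "9999")          # a. unknown order
    results["c_bad_data"] = get_order(conn, "1001 OR 1=1")  # c. malformed input
    conn.close()                                            # simulate the database going down
    results["b_db_down"] = get_order(conn, "1001")          # b. connectivity error
    return results

if __name__ == "__main__":
    for name, (status, body) in run_integration_tests().items():
        print(name, status, body)
```
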

Tools such as Postman and SOAP UI help in doing the integration testing. You can embed these integration tests in your CI/CD pipelines to ensure they run on a consistent basis and to facilitate automated testing.

iv. Functional Testing

API functional testing is a type of software testing that verifies that an API functions as intended. This type of testing is essential because APIs form the backbone of modern applications and are critical for their proper functioning. If an API is not functioning correctly, it can cause a range of issues, including poor user experience, data loss, and security vulnerabilities.

This test analyzes specific functions within the codebase to guarantee that the API functions within its expected parameters and can handle errors when the results are outside the designated parameters.

v. Load Testing

Load testing is a great way to minimize performance risks, because it ensures an API can handle an expected load. By simulating traffic to an API in development, businesses can identify bottlenecks before they reach production environments. These bottlenecks can be notoriously difficult to find in development environments in the absence of a production load.

Load testing is usually done in a user acceptance environment, as it closely resembles a live environment.

Load testing requires setting up a huge amount of data and triggering requests concurrently to resemble a real-world scenario. These days, tools are making it easier to simulate this. For example, with Apache JMeter you can easily simulate large amounts of data to assess how an API behaves under that load. Also, SOAP UI helps in simulating the required request concurrency and monitoring the key server parameters.

API response time, thread count, CPU and memory usage are key parameters to be checked during load testing. It is essential to ensure that these remain under threshold under the expected load scenarios.

vi. Security Testing:

API security testing focuses on ensuring the security of the API. APIs enable communication and data exchange between different systems, and it is essential to secure them to protect against unauthorized access or attacks. Here are some common types of API security testing:

a. Authentication Testing: This type of testing verifies that the API properly authenticates the identity of users before allowing access to its resources. This can include testing for the use of proper credentials and password policies.

b. Authorization Testing: This type of testing verifies that the API properly enforces access controls to its resources, ensuring that only authorized users can access them.

c. Input Validation Testing: This type of testing verifies that the API properly validates input to prevent injection attacks such as SQL injection or cross-site scripting (XSS).

d. Output Encoding Testing: This type of testing verifies that the API properly encodes output to prevent XSS attacks.

e. Sensitive Data Exposure Testing: This type of testing verifies that the API properly protects sensitive data such as passwords and financial information.

f. Denial of Service (DoS) Testing: This type of testing verifies that the API can withstand DoS attacks, which aim to make a system unavailable by overwhelming it with traffic.

API security testing is critical to ensure the security and protection of APIs and the systems they connect to. It is important to test APIs thoroughly to identify and address any vulnerabilities before they can be made available for general use.
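Checks a, b, d and e from the list above, written as an added example (not code from the original article) against a hypothetical in-process handler. The tokens, users and order record are constructed sample data, and returning 404 for another user's order is one design choice among several.

```python
import hmac
import html

# Constructed sample data: tokens, users and the order are hypothetical.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {"1001": {"owner": "alice", "note": "<b>rush</b>",
                   "card_number": "4111111111111111"}}

def authenticate(token):
    """Return the user for a token, comparing in constant time."""
    if not isinstance(token, str):
        return None
    for known, user in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return user
    return None

def get_order(token, order_id):
    """Hypothetical API handler returning (http_status, body)."""
    user = authenticate(token)
    if user is None:
        return 401, {"error": "authentication required"}
    order = ORDERS.get(order_id)
    # Same answer for "missing" and "not yours" avoids revealing which IDs exist.
    if order is None or order["owner"] != user:
        return 404, {"error": "order not found"}
    return 200, {
        "id": order_id,
        "note": html.escape(order["note"]),       # d. output encoding
        "card_last4": order["card_number"][-4:],  # e. never the full number
    }

def security_checks():
    """Each entry is True when the API behaves securely."""
    ok_status, ok_body = get_order("tok-alice", "1001")
    return {
        "a_authn_no_token": get_order(None, "1001")[0] == 401,
        "a_authn_unknown_token": get_order("tok-mallory", "1001")[0] == 401,
        "b_authz_other_user": get_order("tok-bob", "1001")[0] == 404,
        "b_owner_allowed": ok_status == 200,
        "d_output_encoded": "<" not in ok_body["note"],
        "e_no_full_card": "4111111111111111" not in str(ok_body),
    }

if __name__ == "__main__":
    for name, passed in security_checks().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```
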

vii. Smoke Testing:

Smoke testing is a preliminary test of whether an API is usable after its release to a new environment.

It focuses on basic tests such as:

  • Is the API reachable?
  • Can the API communicate with its connected systems, such as databases?

Smoke testing aims to determine whether a release is so badly broken that further use of it is not worthwhile. It usually runs quickly, providing faster feedback.

Smoke tests are usually a subset of integration tests and can be automated and integrated with the CI/CD pipelines.

Conclusions

In summary, API testing is a crucial aspect of the software development process as it helps to ensure the functionality, reliability, and security of APIs. There are several types of API testing, each with its own set of goals and methods, and it is important to consider all of them in order to thoroughly test the APIs. By performing API testing at various stages of development, organizations can identify and fix any issues early on, resulting in a higher quality final product. It is essential to prioritize API testing in order to deliver a robust and reliable application to end users.
