I have a problem with setting up a specific scenario in Gatling.
I want to call my API to get an authorization cookie, and then start the main scenario. I want to authorize only once, save the response, and then, for example, run a test for 500 users for 30 minutes using the same auth cookie.
Is it possible to set it up like this? I'm not sure if it is possible using a before hook.
I was searching for an answer to this question, but I've found nothing. It would be great if I could get some advice.
I'm not sure if anybody needs the answer to this question besides me, but I'll post what I had to do to achieve my goal :)
I simply made a POST to the authentication method before the scenario. I used the scalaj-http library.
I saved the response in a variable and, after this request was completed, I ran my scenario with the passed variable.
I'm still very new to React, so forgive me if the question is too naive. To my understanding, React usually requires an API to do XHR requests. So someone with a very basic tech background can easily figure out what the API looks like by looking at the network tab in the web browser's debug console.
For example, people might find a page that calls the API https://www.example.com/product/1, then they can just do brute-force scraping on product IDs 1 - 10000 to get the data for all products.
https://www.example.com/api/v1/product/1
https://www.example.com/api/v1/product/2
https://www.example.com/api/v1/product/3
https://www.example.com/api/v1/product/4
https://www.example.com/api/v1/product/5
https://www.example.com/api/v1/product/6
...
Even with user auth, one can just use the same cookie or token from when they log in to make the call and get the data.
So what is the best way to prevent scraping on a React app? Or maybe the API shouldn't be designed like this, hence I'm just asking the wrong question?
Here are some suggestions to address the issue you're facing:
This is a common problem. You need to solve it by using IDs that are GUIDs and not sequentially generated integers.
Restricting to the same origin won't work because someone can make a request through Postman or Insomnia or curl.
You can also introduce rate limiting.
In addition, you can invalidate your token after a certain number of requests or require it to be renewed after every 10 requests.
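The last two suggestions (rate limiting, and forcing a token to be renewed after a fixed number of requests) as an added example in plain JavaScript; this is not code from the answer above. It keeps a per-token budget with a fixed-window rate limit plus a hard cap on total uses, and runs the enumeration loop from the question against it. The window sizes, caps, status codes and the product data are illustrative assumptions, and the clock is injectable so the behaviour can be exercised without waiting.

```javascript
// Added example, not the answer's code. Per-token request budget combining a
// fixed-window rate limit with a hard "renew after N uses" cap. The clock is
// injectable so the behaviour can be exercised without waiting.
class TokenBudget {
  constructor({ perWindow = 60, windowMs = 60_000, maxUses = 10, now = Date.now } = {}) {
    Object.assign(this, { perWindow, windowMs, maxUses, now });
    this.state = new Map(); // token -> { windowStart, inWindow, totalUses }
  }

  // Account for one request. Returns { allowed: true } or { allowed: false, reason }.
  check(token) {
    const t = this.now();
    let s = this.state.get(token);
    if (!s) {
      s = { windowStart: t, inWindow: 0, totalUses: 0 };
      this.state.set(token, s);
    }
    if (t - s.windowStart >= this.windowMs) { // new window: reset the short-term counter
      s.windowStart = t;
      s.inWindow = 0;
    }
    if (s.totalUses >= this.maxUses) return { allowed: false, reason: 'token-expired' };
    if (s.inWindow >= this.perWindow) return { allowed: false, reason: 'rate-limited' };
    s.inWindow += 1;
    s.totalUses += 1;
    return { allowed: true };
  }
}

// Simulated API handler: the budget check runs before the product lookup.
// 429 for a rate-limited token, 401 for one that must be renewed (assumed codes).
function getProduct(budget, token, id) {
  const verdict = budget.check(token);
  if (!verdict.allowed) {
    return { status: verdict.reason === 'rate-limited' ? 429 : 401, reason: verdict.reason };
  }
  return { status: 200, product: { id, name: `product-${id}` } }; // constructed data
}

// The scraper from the question: walk ids 1..maxId with one token and stop at
// the first refusal. Returns how far it got and why it was stopped.
function enumerateProducts(budget, token, maxId) {
  let fetched = 0;
  for (let id = 1; id <= maxId; id++) {
    const res = getProduct(budget, token, id);
    if (res.status !== 200) return { fetched, stoppedBy: res.reason };
    fetched += 1;
  }
  return { fetched, stoppedBy: null };
}
```

With perWindow 5 and maxUses 8, the first sweep stops after five products with `rate-limited`; after the window rolls over the same token gets three more and is then refused with `token-expired` until it is renewed, while a fresh token starts with a clean budget.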
I think no matter what you do to the JavaScript code, reading your API endpoint is the easiest thing in the world (Wireshark is an easy, bad example), once it is called from the browser. Expect it to be public. With that said, protecting it is easier than you might anticipate.
Access-Control-Allow-Origin is your friend
Only allow requests to come from given URLs. This may or may not allow GET requests, but it will always allow direct access on GET routes. Keep that in mind.
PHP Example
<?php
// Reflect the request's Origin header back only when it is on the allowlist.
$origin = $_SERVER['HTTP_ORIGIN'] ?? ''; // absent on same-origin and most non-browser requests
$allowed_domains = [
    'http://mysite1.com',
    'https://www.mysite2.com',
    'http://www.mysite2.com',
];
if (in_array($origin, $allowed_domains, true)) {
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Vary: Origin'); // stop caches from serving one origin's header to another
}
Use some form of token that can be validated
This is another conventional approach, and you can find more about this here: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
Cheers!
I'm a beginner at testing axios calls and started using axios-mock-adapter, but I don't get why we use axios-mock-adapter.
mock.onPost('/api').reply(200, userData, headers);
In this code snippet, does the request really go to the server, or is this just a simulation?
Because if I give wrong credentials, it responds with a 200 status, as I specified on 'reply' to return 200.
So if I specify the response status, what is the reason to use it?
If it doesn't really go to the server, it seems like this is useless.
Maybe I'm missing something I don't know because I'm new, but someone should shed some light on this issue for me.
Answers to your questions
In this code snippet, does the request really go to the server, or is this just a simulation?
It is just a simulation. No request is made; just the "reply" is returned. This is called mocking and is hugely popular and useful for writing tests.
If you are new to different kinds of testing in general, this answer is well worth reading.
If it doesn't really go to the server, it seems like this is useless.
If you want to test the system as a whole, i.e. your website + backend logic (like auth, data retrieval etc.), then yes, this is useless. But you would not use a mock for that.
Integration tests are typically executed against a running system; they are valuable, but very hard to maintain and generally slower to execute. You have to take care of not just your tests, but also the data.
When would you use a mock
Mocks are essential for unit testing your code. Mocks help isolate your front-end code logic from the dynamic behavior. This makes it easier for you to simulate many scenarios without the overhead of maintaining data.
Example Scenario
Use Case
In your application, you have to authenticate a user against a REST end point. It is expected that:
When the user is logged in successfully, a Logout button is shown in the header.
When the user's password has expired, a "change your password" screen is shown.
When the user has entered wrong credentials, a warning is shown.
When the backend is not responding, the user is shown a screen to try again later.
Without mocks, you need to ensure that you have the exact data configured in your authentication system. From experience I can tell you it is hard, especially #2 & #4.
But with mocks, you can just configure the mock to return the response you expect for each scenario, in/before each it() block.
This is also easier to maintain as the expectation (assert/expect statements) is set near the test data (mock.reply()).
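The four scenarios above, driven from mock replies rather than a real authentication backend, as an added example that is not part of the original answer. The MockAdapter here is a small stand-in that mimics axios-mock-adapter's onPost(url).reply(status, data, headers) shape and axios's resolve/reject contract, merged into one object so the example runs without axios installed (the real library attaches to an existing axios instance instead). The /api/login endpoint, the passwordExpired flag in the response and the screen names are assumptions made for the example.

```javascript
// Added example (not the original answer's code). MockAdapter is a tiny
// stand-in for axios-mock-adapter's onPost(url).reply(status, data, headers)
// API, merged with a client so the example runs without axios installed; the
// real library attaches to an existing axios instance instead.
class MockAdapter {
  constructor() { this.routes = new Map(); }

  onPost(url) {
    const routes = this.routes;
    return {
      reply(status, data = {}, headers = {}) { routes.set(`POST ${url}`, { status, data, headers }); },
      networkError() { routes.set(`POST ${url}`, { networkError: true }); },
    };
  }

  // Same contract as axios: resolve on 2xx, reject with err.response on other
  // statuses, reject with no err.response when the "network" fails.
  post(url, body) {
    const route = this.routes.get(`POST ${url}`);
    if (!route) return Promise.reject(new Error(`no mock registered for POST ${url}`));
    if (route.networkError) return Promise.reject(new Error('Network Error'));
    const response = { status: route.status, data: route.data, headers: route.headers, config: { url, data: body } };
    if (route.status >= 200 && route.status < 300) return Promise.resolve(response);
    return Promise.reject(Object.assign(new Error(`Request failed with status code ${route.status}`), { response }));
  }
}

// The front-end logic under test: which screen to show after a login attempt.
// The response shape ({ passwordExpired }) is an assumption for the example.
async function loginScreen(client, credentials) {
  try {
    const res = await client.post('/api/login', credentials);
    return res.data.passwordExpired ? 'change-password' : 'header-with-logout'; // #2 / #1
  } catch (err) {
    if (!err.response) return 'try-again-later';                         // backend unreachable (#4)
    if (err.response.status === 401) return 'warning-bad-credentials';   // wrong credentials (#3)
    throw err;                                                           // anything else is a real bug
  }
}

// One mock configuration per scenario from the answer; each would sit in
// (or just before) its own it() block.
const scenarios = {
  loggedIn:        (mock) => mock.onPost('/api/login').reply(200, { token: 't0k', passwordExpired: false }),
  passwordExpired: (mock) => mock.onPost('/api/login').reply(200, { token: 't0k', passwordExpired: true }),
  wrongPassword:   (mock) => mock.onPost('/api/login').reply(401, { error: 'invalid credentials' }),
  backendDown:     (mock) => mock.onPost('/api/login').networkError(),
};

// Run one scenario end to end against a fresh mock; no server is contacted.
async function runScenario(name) {
  const mock = new MockAdapter();
  scenarios[name](mock);
  return loginScreen(mock, { username: 'alice', password: 'correct horse' });
}
```

Note that the mock returns whatever was configured regardless of the credentials passed in; that is the point. Each test picks the backend verdict it wants to exercise and asserts on the front-end branch that verdict must trigger, which is exactly the isolation the answer describes.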
Don't mark this question as duplicate or already asked. If you know, please answer.
I am trying to integrate the PayUmoney payment gateway in my hybrid app. I went through some tutorials and finally reached the plugin cordovaInAppBrowser and used its events loadstart and loadstop, but I am not able to send and get parameters. I have been stuck for the last one week, so I am finally posting here. Thanks in advance.
Finally I succeeded in integrating the payment gateway in Ionic. It's very easy, just follow these steps:
Add the cordovaInAppBrowser plugin and inject the dependency.
Make all the fields that you need to send to that gateway, with all validations.
Now you need 3 files: success.php, failure.php and paymentfile.html.
$cordovaInAppBrowser.open("filename?" + params, '_blank', options)
Make a note that the success and failure PHP files are on the server and access them through the server.
Get the response in the PHP file, then pass it to the controller; based on the response, traverse the path and it's done.
Most important, you need to serialize the data while sending it, as it should be global, and assign it to the window object.
Also we have to use the cordovaInAppBrowser event loadstop(); all the stuff I had done is in this event, and later I call the close() function when it's done.
It's done.
Can anyone who knows how to use the angularjs ngFacebook module help me to perform a facebook batch request? Is it possible to do it with this module?
What I need exactly is to get the user events from Facebook; for that I have to do 4 different requests:
$facebook.api('/me/events/attending').then(function(response) {//code here});
$facebook.api('/me/events/created').then(function(response) {//code here});
$facebook.api('/me/events/maybe').then(function(response) {//code here});
I think I could batch these requests, I just don't know if it's possible to do using this module.
Also the trickiest part would be that, for each event returned, I would need to get the owner, and with the owner.id get his picture; right now what I do is:
$facebook.api('/me/events/attending?fields=owner').then(function(response) {
  // And here I loop over the events to request each owner's picture
});
Of course it doesn't seem the best way to do it, but I have searched a lot for the solution and I couldn't make anything work.
I think you should be able to request all user events, including the owner info:
GET /me/events?fields=id,name,owner{id,picture},rsvp_status
You can determine the "status" of the event for the user by the rsvp_status (attending, maybe, declined, no_reply) field.
See
https://developers.facebook.com/docs/graph-api/reference/v2.3/event#read
https://developers.facebook.com/docs/graph-api/reference/user/events/
https://developers.facebook.com/docs/graph-api/using-graph-api/v2.0#fieldexpansion
I'm not sure of the batch request protocol that Facebook uses, but you could try this module.
https://github.com/jonsamwell/angular-http-batcher
If it doesn't support it, add an issue and I'll look into implementing it. Disclosure: I created this angular http batching library.
I've been working on a REST implementation with my existing Cake install, and it's looking great except that I want to use HTTP Digest Authentication for all requests (Basic Auth won't cut it). So great, I'll generate a header in the client app (which is not Cake) and send it to my Cake install. The only problem is, I can't find a method for extracting that Digest from the request...
I've looked through the Cake API for something that I can use to get the Digest header. You'd think that RequestHandler would be able to grab it, but I can't find anything resembling that.
There must be another method of getting the digest that I am overlooking?
In the meantime I'm writing my own regex to parse it out of the request... once I'm done I'll post it here so no one has to waste as much time as I did hunting for it.
Figured it out. It's already accessible via PHP as $_SERVER['PHP_AUTH_DIGEST'].
So then you pass it to parseDigestAuthData($_SERVER['PHP_AUTH_DIGEST']);
<bangs head against wall>