I perform API testing using Postman and have requests with a Bearer Token as Authorisation. Whenever I push the collection to GitHub, GitHub removes the token. If the bearer tokens are removed, the API tests fail when running via the Jenkins CI tool.
What is the best practice?
When I did testing with Postman, I first created a call to the login service to fetch a bearer token. I never placed bearer tokens in a test because it is not secure.
You also can ask your developers how to fetch a bearer token.
In my previous project there was a call to a login service. On our dev and test environments, the test users' credentials were stored in Jenkins. The test was then launched with those credentials.
The test logged in first to get the bearer token. Then we could call all the other services.
3 Likes
What Bart said
Long-expiry bearer tokens are not a secure thing and don't help you as the tester. Use the same mechanism for integration as for the live environment: the devs need to expose a login service for an account that can only access test resources. Have a good, hard, long chat with your security tester/developer; they would love to help. If you want to, you can use Jenkins to store the secrets, just lock down the Jenkins access, since most people don't secure their instances.
1 Like
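The flow both answers above describe (log in first with test-account credentials that the CI job supplies, then reuse the returned token for the other calls, with nothing secret committed to the collection) can be done in a Postman pre-request script. The script below is an added example written for this thread, not code from the original posts. It assumes a login endpoint at `{{baseUrl}}/auth/login` that takes JSON `{username, password}` and returns `{access_token, expires_in}` (seconds); the variable names `TEST_BASE_URL`, `TEST_USER` and `TEST_PASSWORD` are also assumptions. The token is cached in a collection variable together with its expiry, so the script logs in once per run and only again when the token is about to expire, which keeps the short-lived token the second answer recommends from turning into a long-lived one by accident.

```javascript
// Added example (not from the original thread): Postman pre-request script that fetches a
// bearer token from a login service and caches it in a collection variable.
// Credentials arrive as Postman environment variables that the CI job injects, e.g.
//   newman run collection.json --env-var TEST_USER=$TEST_USER --env-var TEST_PASSWORD=$TEST_PASSWORD ...
// so the committed collection never contains a token or a password.
//
// Assumptions (adjust to your API): POST {{baseUrl}}/auth/login with JSON {username, password}
// returns HTTP 200 and JSON {access_token, expires_in} where expires_in is in seconds.

const LOGIN_PATH = '/auth/login';   // assumed login endpoint
const REFRESH_MARGIN_SEC = 30;      // log in again this many seconds before the token expires

// Build the login request in the shape pm.sendRequest expects.
function buildLoginRequest(baseUrl, username, password) {
  return {
    url: baseUrl + LOGIN_PATH,
    method: 'POST',
    header: { 'Content-Type': 'application/json' },
    body: { mode: 'raw', raw: JSON.stringify({ username, password }) },
  };
}

// True when a cached token exists and is not within REFRESH_MARGIN_SEC of expiry.
function tokenIsFresh(vars, nowSec) {
  const token = vars.get('access_token');
  const expiresAt = Number(vars.get('access_token_expires_at'));
  return Boolean(token) && Number.isFinite(expiresAt) && expiresAt - REFRESH_MARGIN_SEC > nowSec;
}

// Validate the login response; anything without a usable token and TTL is an error,
// so a broken login fails loudly instead of sending requests with an empty header.
function parseLoginResponse(status, bodyText, nowSec) {
  if (status !== 200) throw new Error('login failed with HTTP ' + status);
  const data = JSON.parse(bodyText);
  if (!data || typeof data.access_token !== 'string' || data.access_token.length === 0) {
    throw new Error('login response has no access_token');
  }
  const ttl = Number(data.expires_in);
  if (!Number.isFinite(ttl) || ttl <= 0) throw new Error('login response has no valid expires_in');
  return { token: data.access_token, expiresAt: nowSec + ttl };
}

// Core flow. ctx.sendRequest(req, cb) mirrors pm.sendRequest's (err, res) callback and
// ctx.vars mirrors pm.collectionVariables (get/set); ctx.now is injectable for testing.
// done(err, {reused, token}) is called exactly once.
function ensureBearerToken(ctx, done) {
  const nowSec = Math.floor((ctx.now || (() => Date.now() / 1000))());
  if (tokenIsFresh(ctx.vars, nowSec)) {
    return done(null, { reused: true, token: ctx.vars.get('access_token') });
  }
  const { baseUrl, username, password } = ctx.env;
  if (!baseUrl || !username || !password) {
    return done(new Error('TEST_BASE_URL, TEST_USER and TEST_PASSWORD must be supplied by the CI job'));
  }
  ctx.sendRequest(buildLoginRequest(baseUrl, username, password), (err, res) => {
    if (err) return done(err);
    let parsed;
    try {
      parsed = parseLoginResponse(res.code, res.text(), nowSec);
    } catch (e) {
      return done(e);
    }
    ctx.vars.set('access_token', parsed.token);
    ctx.vars.set('access_token_expires_at', String(parsed.expiresAt));
    done(null, { reused: false, token: parsed.token });
  });
}

// Inside Postman/Newman the pm object exists: run the flow before the request is sent.
// The collection's Authorization is then set to Bearer {{access_token}}.
if (typeof pm !== 'undefined') {
  ensureBearerToken({
    sendRequest: (req, cb) => pm.sendRequest(req, cb),
    vars: pm.collectionVariables,
    env: {
      baseUrl: pm.environment.get('TEST_BASE_URL'),
      username: pm.environment.get('TEST_USER'),
      password: pm.environment.get('TEST_PASSWORD'),
    },
  }, (err) => { if (err) throw err; });
}

// Export for running the logic under Node outside Postman.
if (typeof module !== 'undefined') {
  module.exports = { buildLoginRequest, tokenIsFresh, parseLoginResponse, ensureBearerToken };
}
```

Put the script in the collection's pre-request tab (so it runs before every request), set the collection's Authorization type to Bearer Token with `{{access_token}}` as the value, and keep the Postman environment file out of the repository. In Jenkins the username/password pair lives in the credentials store and is exposed to the Newman step only as environment variables for the duration of the build; the account behind it should, as the second answer says, have access to test resources only.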
I'm doing this for my learning at home. Are there any tutorials on how to achieve this?
1 Like