# **Chapter 23: Advanced API Testing**

---

## **Introduction**

While Chapter 22 equipped you with the tools to execute API tests, this chapter transforms you into an **API Quality Engineer** capable of handling enterprise-grade challenges. Modern architectures—microservices, serverless, and cloud-native applications—demand sophisticated testing beyond functional validation.

According to the 2024 OWASP API Security Top 10, **94% of applications** contain some form of API vulnerability, and **70% of security breaches** originate at the API layer. Meanwhile, performance issues in distributed systems often cascade through API dependencies, causing system-wide failures.

This chapter covers:
- **Authentication Strategies**: Securing API tests with OAuth 2.0, JWT, and HMAC
- **Security Testing**: Identifying injection flaws, broken authentication, and authorization bypasses
- **Performance Engineering**: Load testing APIs and identifying latency bottlenecks
- **Service Virtualization**: Testing in isolation using mocks and stubs
- **Contract Testing**: Ensuring microservices compatibility through consumer-driven contracts
- **CI/CD Integration**: Dockerized execution and parallel test orchestration

---

## **23.1 API Authentication Strategies**

Authentication verifies **who** is making the request, while authorization determines **what** they can do. Understanding these mechanisms is crucial for testing protected endpoints and simulating different user privileges.

### **23.1.1 Basic Authentication**

**Concept**: Basic Auth transmits credentials as a Base64-encoded string in the `Authorization` header. While simple, it should always be used over HTTPS to prevent credential exposure.

**How It Works**:
1. Client concatenates username and password with a colon: `username:password`
2. String is Base64 encoded: `dXNlcm5hbWU6cGFzc3dvcmQ=`
3. Sent in header: `Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=`

**Implementation in REST Assured:**
```java
import io.restassured.RestAssured;
import static io.restassured.RestAssured.*;
import org.junit.jupiter.api.Test;

public class BasicAuthTest {
    
    @Test
    public void testBasicAuthentication() {
        // Method 1: Using explicit basic auth method
        given()
            // REST Assured automatically handles Base64 encoding
            .auth().basic("testuser", "testpassword")
        .when()
            .get("https://api.example.com/secure/resource")
        .then()
            .statusCode(200)
            .body("authenticated", equalTo(true));
        
        // Method 2: Manual header construction (educational purpose)
        String credentials = "testuser:testpassword";
        String base64Credentials = java.util.Base64.getEncoder()
            .encodeToString(credentials.getBytes());
        
        given()
            .header("Authorization", "Basic " + base64Credentials)
        .when()
            .get("https://api.example.com/secure/resource")
        .then()
            .statusCode(200);
    }
    
    @Test
    public void testBasicAuthWithPreemptiveMode() {
        // Preemptive mode sends credentials immediately without waiting for 401 challenge
        // This reduces network round-trips but slightly less secure if server doesn't require auth
        given()
            .auth().preemptive().basic("admin", "secret123")
        .when()
            .get("/api/admin/dashboard")
        .then()
            .statusCode(200);
    }
}
```

**Explanation**: The first example uses REST Assured's built-in `.auth().basic()` method which automatically encodes credentials. The second example shows manual Base64 encoding to demonstrate what's happening under the hood. Preemptive mode (third example) sends credentials immediately without waiting for a 401 Unauthorized response, improving performance but use only when you know authentication is required.

**Security Note**: Never commit credentials to version control. Use environment variables or secret management systems.

### **23.1.2 Bearer Token Authentication**

**Concept**: Bearer tokens (typically JWT - JSON Web Tokens) are opaque strings that the client presents to prove authentication. The server validates the token's signature and extracts claims (user ID, roles, expiration).

**Token Structure** (JWT):
- **Header**: Algorithm and token type
- **Payload**: Claims (user data, expiration)
- **Signature**: Verification that token hasn't been tampered with

**Implementation:**
```java
public class BearerTokenTest {
    
    // Store token securely (in real scenarios, fetch from auth endpoint or environment)
    private String accessToken;
    
    @BeforeEach
    public void setup() {
        // Typically obtained from login endpoint or OAuth flow
        accessToken = System.getenv("API_ACCESS_TOKEN");
    }
    
    @Test
    public void testWithBearerToken() {
        given()
            // Standard way to send bearer tokens
            .header("Authorization", "Bearer " + accessToken)
            // Alternative using auth() method
            .auth().oauth2(accessToken)
        .when()
            .get("/api/user/profile")
        .then()
            .statusCode(200)
            .body("user.id", notNullValue());
    }
    
    @Test
    public void testTokenRefreshFlow() {
        // Step 1: Use expired token, expect 401
        String expiredToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";
        
        given()
            .auth().oauth2(expiredToken)
        .when()
            .get("/api/data")
        .then()
            .statusCode(401)
            .body("error", equalTo("token_expired"));
        
        // Step 2: Refresh token (in real scenario, extract refresh logic to utility)
        String newToken = 
            given()
                .header("Authorization", "Bearer " + expiredToken)
                .body("{\"refresh_token\": \"abc123\"}")
            .when()
                .post("/auth/refresh")
            .then()
                .statusCode(200)
                .extract()
                .path("access_token");
        
        // Step 3: Verify new token works
        given()
            .auth().oauth2(newToken)
        .when()
            .get("/api/data")
        .then()
            .statusCode(200);
    }
    
    @Test
    public void testInvalidTokenHandling() {
        given()
            .header("Authorization", "Bearer invalid_token_123")
        .when()
            .get("/api/protected")
        .then()
            .statusCode(401)
            .body("error", equalTo("invalid_token"))
            .body("error_description", containsString("token validation failed"));
    }
}
```

**Explanation**: Bearer tokens are sent in the `Authorization` header with the prefix "Bearer ". The first test shows both header-based and method-based approaches. The second test demonstrates a token refresh flow—critical for long-running test suites where tokens might expire. The third test validates that the API properly rejects invalid tokens with appropriate error messages.

### **23.1.3 API Keys**

**Concept**: API keys are long-lived identifiers (unlike short-lived JWTs) used for identifying the calling application or project. They're typically sent in headers (`X-API-Key`) or query parameters (less secure).

**Implementation:**
```java
public class ApiKeyTest {
    
    @Test
    public void testHeaderBasedApiKey() {
        given()
            // Standard header location
            .header("X-API-Key", "ak_live_1234567890abcdef")
            // Alternative custom header names
            .header("api-key", "ak_live_1234567890abcdef")
        .when()
            .get("/api/public/data")
        .then()
            .statusCode(200);
    }
    
    @Test
    public void testQueryParamApiKey() {
        // Less secure - keys may appear in server logs and browser history
        // Use only for public read-only endpoints
        given()
            .queryParam("api_key", "ak_live_1234567890abcdef")
        .when()
            .get("/api/public/data")
        .then()
            .statusCode(200);
    }
    
    @Test
    public void testInvalidApiKey() {
        given()
            .header("X-API-Key", "invalid_key")
        .when()
            .get("/api/protected")
        .then()
            .statusCode(403) // Forbidden (key invalid) vs 401 (unauthenticated)
            .body("message", containsString("Invalid API Key"));
    }
    
    @Test
    public void testRateLimitingWithApiKey() {
        // Test that API keys are rate limited appropriately
        String apiKey = "ak_test_rate_limit";
        
        // Make 100 rapid requests
        for (int i = 0; i < 100; i++) {
            given()
                .header("X-API-Key", apiKey)
            .when()
                .get("/api/data")
            .then()
                .statusCode(anyOf(equalTo(200), equalTo(429))); // 429 = Too Many Requests
        }
        
        // Verify rate limit headers
        given()
            .header("X-API-Key", apiKey)
        .when()
            .get("/api/data")
        .then()
            .statusCode(anyOf(equalTo(200), equalTo(429)))
            .header("X-RateLimit-Limit", notNullValue())
            .header("X-RateLimit-Remaining", notNullValue());
    }
}
```

**Explanation**: API keys identify the client application rather than the user. The first example shows header-based authentication (preferred for security). The second shows query parameter usage (convenient but insecure as URLs appear in logs). The third test checks that invalid keys return 403 Forbidden rather than 401 Unauthorized (distinction: 401 = authentication required, 403 = authenticated but not authorized). The fourth test verifies rate limiting—essential for public APIs to prevent abuse.

### **23.1.4 OAuth 2.0**

**Concept**: OAuth 2.0 is an authorization framework enabling third-party applications to obtain limited access to user resources without exposing credentials. It defines several "flows" (grant types) for different scenarios.

**Common Flows**:
- **Authorization Code**: Web apps with server-side component (most secure)
- **Client Credentials**: Machine-to-machine communication (service accounts)
- **Password Grant**: Legacy/trusted applications (deprecated in OAuth 2.1)
- **Device Code**: Input-constrained devices (smart TVs, IoT)

**Client Credentials Flow Implementation:**
```java
public class OAuth2Test {
    
    private String accessToken;
    private String refreshToken;
    
    @BeforeEach
    public void obtainAccessToken() {
        // Client Credentials Flow - for service-to-service communication
        // No user context, only client authentication
        
        Response response = 
            given()
                .contentType(ContentType.URLENC)
                .formParam("grant_type", "client_credentials")
                .formParam("client_id", System.getenv("CLIENT_ID"))
                .formParam("client_secret", System.getenv("CLIENT_SECRET"))
                .formParam("scope", "read write") // Requested permissions
            .when()
                .post("https://auth.example.com/oauth/token")
            .then()
                .statusCode(200)
                .body("token_type", equalTo("Bearer"))
                .body("access_token", notNullValue())
                .extract()
                .response();
        
        accessToken = response.path("access_token");
        
        // Store expiration for refresh logic
        int expiresIn = response.path("expires_in"); // seconds
        System.out.println("Token expires in " + expiresIn + " seconds");
    }
    
    @Test
    public void testAuthorizationCodeFlow() {
        // Authorization Code Flow - simulating web app authentication
        // Step 1: Get authorization code (normally done via browser redirect)
        String authCode = "code_from_browser_redirect"; // Obtained manually or via Selenium
        
        // Step 2: Exchange code for tokens
        given()
            .contentType(ContentType.URLENC)
            .formParam("grant_type", "authorization_code")
            .formParam("code", authCode)
            .formParam("redirect_uri", "https://app.example.com/callback")
            .formParam("client_id", "my_app_id")
            .formParam("client_secret", "my_app_secret")
            .formParam("code_verifier", "pkce_verifier") // PKCE for mobile/SPA security
        .when()
            .post("/oauth/token")
        .then()
            .statusCode(200)
            .body("access_token", notNullValue())
            .body("refresh_token", notNullValue()) // Only in auth code flow
            .body("id_token", notNullValue()); // OpenID Connect
    }
    
    @Test
    public void testTokenIntrospection() {
        // Verify if token is active and get metadata
        given()
            .auth().basic("resource_server", "secret") // Client auth for introspection endpoint
            .formParam("token", accessToken)
        .when()
            .post("/oauth/introspect")
        .then()
            .statusCode(200)
            .body("active", equalTo(true))
            .body("scope", containsString("read"))
            .body("client_id", equalTo("my_client"));
    }
    
    @Test
    public void testTokenRevocation() {
        // Test logout/token revocation (security requirement)
        given()
            .formParam("token", accessToken)
            .formParam("token_type_hint", "access_token")
        .when()
            .post("/oauth/revoke")
        .then()
            .statusCode(200);
        
        // Verify token no longer works
        given()
            .auth().oauth2(accessToken)
        .when()
            .get("/api/protected")
        .then()
            .statusCode(401);
    }
}
```

**Explanation**: OAuth 2.0 is complex but essential for modern APIs. The Client Credentials flow (first example) is for machine-to-machine communication—no user context. The Authorization Code flow (second example) is for web applications—note the PKCE (Proof Key for Code Exchange) parameter which prevents authorization code interception attacks. Token introspection (third example) allows resource servers to validate tokens with the authorization server. Token revocation (fourth example) tests logout functionality—critical for security compliance.

### **23.1.5 HMAC (Hash-based Message Authentication)**

**Concept**: HMAC (Hash-based Message Authentication Code) signs requests using a shared secret. Unlike Bearer tokens, the secret never travels over the wire—only a hash of the request content plus timestamp.

**How It Works**:
1. Client creates canonical string: `METHOD + PATH + TIMESTAMP + BODY_HASH`
2. Generates HMAC-SHA256 signature using secret key
3. Sends signature in `Authorization` header
4. Server recreates signature and compares

**Implementation:**
```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;

public class HmacAuthTest {
    
    private String generateHmacSignature(String method, String path, 
                                       String body, String secret) throws Exception {
        // Create timestamp (prevents replay attacks)
        String timestamp = String.valueOf(Instant.now().getEpochSecond());
        
        // Create body hash (if body exists)
        String bodyHash = "";
        if (body != null && !body.isEmpty()) {
            bodyHash = sha256Hash(body);
        }
        
        // Build canonical string
        String canonicalString = String.format("%s|%s|%s|%s", 
            method.toUpperCase(), path, timestamp, bodyHash);
        
        // Generate HMAC
        Mac mac = Mac.getInstance("HmacSHA256");
        SecretKeySpec secretKey = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        mac.init(secretKey);
        
        byte[] hashBytes = mac.doFinal(canonicalString.getBytes(StandardCharsets.UTF_8));
        String signature = Base64.getEncoder().encodeToString(hashBytes);
        
        return timestamp + ":" + signature; // Return timestamp with signature for server validation
    }
    
    private String sha256Hash(String input) throws Exception {
        java.security.MessageDigest digest = java.security.MessageDigest.getInstance("SHA-256");
        byte[] hash = digest.digest(input.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(hash);
    }
    
    @Test
    public void testHmacAuthentication() throws Exception {
        String secretKey = System.getenv("API_SECRET_KEY");
        String method = "POST";
        String path = "/api/orders";
        String body = "{\"product_id\": 123, \"quantity\": 2}";
        
        String authHeader = generateHmacSignature(method, path, body, secretKey);
        
        given()
            .header("Authorization", "HMAC " + authHeader)
            .header("Content-Type", "application/json")
            .body(body)
        .when()
            .post(path)
        .then()
            .statusCode(201);
    }
    
    @Test
    public void testHmacReplayAttackPrevention() {
        // Attempt replay attack with old timestamp
        String oldTimestamp = String.valueOf(Instant.now().getEpochSecond() - 1000); // 16 minutes ago
        
        given()
            .header("Authorization", "HMAC " + oldTimestamp + ":fake_signature")
        .when()
            .get("/api/data")
        .then()
            .statusCode(401)
            .body("error", equalTo("timestamp_expired"));
    }
    
    @Test
    public void testHmacTamperedPayload() throws Exception {
        // Sign original payload
        String originalBody = "{\"amount\": 100}";
        String signature = generateHmacSignature("POST", "/api/payment", originalBody, "secret");
        
        // Send tampered payload with original signature
        String tamperedBody = "{\"amount\": 10000}"; // Modified amount
        
        given()
            .header("Authorization", "HMAC " + signature)
            .body(tamperedBody) // Different from what was signed
        .when()
            .post("/api/payment")
        .then()
            .statusCode(401)
            .body("error", equalTo("invalid_signature"));
    }
}
```

**Explanation**: HMAC provides request integrity and authentication without sending secrets over the network. The first method builds a canonical string combining HTTP method, path, timestamp (prevents replay attacks), and body hash. The server regenerates this signature using the shared secret—if they match, the request is authentic and untampered. The second test verifies that old timestamps are rejected (preventing replay attacks), and the third test ensures that tampering with the payload after signing invalidates the request.

---

## **23.2 API Security Testing**

APIs expose business logic directly to the network, making them prime targets for attackers. Security testing validates that APIs resist common attack vectors.

### **23.2.1 OWASP API Security Top 10**

The OWASP API Security Top 10 identifies critical risks:
1. **Broken Object Level Authorization (BOLA)**: Users access others' data by manipulating IDs
2. **Broken Authentication**: Weak token handling, credential stuffing
3. **Excessive Data Exposure**: APIs return more data than necessary
4. **Lack of Resources & Rate Limiting**: DoS via resource exhaustion
5. **Broken Function Level Authorization**: Regular users access admin endpoints
6. **Mass Assignment**: Clients modify restricted fields (e.g., `isAdmin`)
7. **Security Misconfiguration**: Default configs, verbose errors
8. **Injection**: SQL, NoSQL, Command injection via API parameters
9. **Improper Assets Management**: Old API versions exposed
10. **Insufficient Logging & Monitoring**: Inability to detect breaches

**Testing for BOLA (IDOR - Insecure Direct Object Reference):**
```java
@Test
public void testBrokenObjectLevelAuthorization() {
    // Scenario: User A should not access User B's data
    
    // Login as User A
    String userAToken = login("userA@example.com", "password");
    int userAId = 123;
    int userBId = 456; // Different user
    
    // Attempt 1: Access own data (should succeed)
    given()
        .auth().oauth2(userAToken)
    .when()
        .get("/api/users/" + userAId + "/orders")
    .then()
        .statusCode(200);
    
    // Attempt 2: Access other user's data (should fail with 403)
    given()
        .auth().oauth2(userAToken)
    .when()
        .get("/api/users/" + userBId + "/orders")
    .then()
        .statusCode(403)
        .body("error", equalTo("unauthorized_resource"));
    
    // Attempt 3: ID manipulation in nested resources
    given()
        .auth().oauth2(userAToken)
    .when()
        .get("/api/orders?user_id=" + userBId) // Try via query param
    .then()
        .statusCode(403);
    
    // Attempt 4: UUID prediction (if using sequential IDs)
    given()
        .auth().oauth2(userAToken)
    .when()
        .get("/api/users/" + (userAId + 1) + "/profile") // Try adjacent ID
    .then()
        .statusCode(403);
}
```

**Explanation**: BOLA (Broken Object Level Authorization) occurs when APIs rely on client-provided IDs without verifying ownership. The test first establishes a baseline (user can access their own data), then attempts horizontal privilege escalation (accessing other users' data) via URL parameters, query strings, and ID enumeration. All unauthorized attempts should return 403 Forbidden, not 404 (which would leak existence of resources).

### **23.2.2 Injection Attacks**

**SQL Injection via API:**
```java
@Test
public void testSqlInjectionInApiParameters() {
    String[] sqlPayloads = {
        "' OR '1'='1",
        "'; DROP TABLE users; --",
        "1' UNION SELECT * FROM users--",
        "1 AND 1=1",
        "1 AND 1=2"
    };
    
    for (String payload : sqlPayloads) {
        given()
            .queryParam("id", payload)
        .when()
            .get("/api/products")
        .then()
            .statusCode(anyOf(equalTo(400), equalTo(422))) // Should reject malformed input
            .body(not(containsString("SQL"))) // Should not expose SQL errors
            .body(not(containsString("syntax error"))); // Should not leak DB info
    }
}
```

**NoSQL Injection (MongoDB):**
```java
@Test
public void testNoSqlInjection() {
    // MongoDB injection via JSON body
    String maliciousPayload = """
        {
            "username": {"$ne": null},
            "password": {"$ne": null}
        }
        """;
    
    given()
        .contentType(ContentType.JSON)
        .body(maliciousPayload)
    .when()
        .post("/api/login")
    .then()
        .statusCode(anyOf(equalTo(400), equalTo(401))) // Should not authenticate
        .body("authenticated", not(equalTo(true)));
}
```

**Explanation**: APIs are vulnerable to injection when user input is concatenated into queries. The SQL injection test sends classic payloads that would manipulate SQL queries—if vulnerable, the API might return all records or execute destructive commands. The NoSQL injection test targets MongoDB by sending operator objects (`$ne` = not equal) to bypass authentication. Secure APIs should validate input types (reject objects when strings expected) and use parameterized queries.

### **23.2.3 Mass Assignment**

**Concept**: Mass assignment occurs when APIs automatically bind client-provided data to internal objects, allowing attackers to modify restricted fields like `isAdmin` or `accountBalance`.

```java
@Test
public void testMassAssignmentVulnerability() {
    // Normal user registration
    String normalPayload = """
        {
            "username": "normaluser",
            "email": "user@example.com",
            "password": "SecurePass123"
        }
        """;
    
    given()
        .body(normalPayload)
    .when()
        .post("/api/register")
    .then()
        .statusCode(201)
        .body("role", equalTo("user")); // Default role
    
    // Attempt mass assignment of admin role
    String maliciousPayload = """
        {
            "username": "hacker",
            "email": "hacker@example.com",
            "password": "SecurePass123",
            "role": "admin",
            "isVerified": true,
            "creditBalance": 10000
        }
        """;
    
    given()
        .body(maliciousPayload)
    .when()
        .post("/api/register")
    .then()
        .statusCode(anyOf(equalTo(201), equalTo(400)))
        // If 201, verify fields were NOT updated
        .body("role", not(equalTo("admin")))
        .body("isVerified", not(equalTo(true)))
        .body("creditBalance", not(equalTo(10000)));
}
```

**Explanation**: The test attempts to elevate privileges by including restricted fields (`role`, `isVerified`, `creditBalance`) in a registration request. Secure APIs should use Data Transfer Objects (DTOs) that whitelist allowed fields or explicitly ignore sensitive fields during binding. The test verifies that even if the request succeeds (201), the malicious fields were not persisted.

---

## **23.3 API Performance Testing**

APIs must handle load gracefully, maintaining response times under 200ms for cached data and 500ms for database queries (industry standards).

### **23.3.1 Load Testing with k6**

**k6** is a modern load testing tool using JavaScript, optimized for APIs and microservices.

**Installation:**
```bash
# macOS
brew install k6

# Docker
docker pull grafana/k6
```

**Basic Load Test:**
```javascript
// api-load-test.js
import http from 'k6/http';
import { check, sleep } from 'k6';
import { Rate } from 'k6/metrics';

// Custom metrics
const errorRate = new Rate('errors');

// Test configuration
export const options = {
  stages: [
    { duration: '2m', target: 100 }, // Ramp up to 100 users
    { duration: '5m', target: 100 }, // Stay at 100 users
    { duration: '2m', target: 200 }, // Ramp up to 200 users
    { duration: '5m', target: 200 }, // Stay at 200 users
    { duration: '2m', target: 0 },   // Ramp down
  ],
  thresholds: {
    http_req_duration: ['p(95)<500'], // 95% of requests under 500ms
    http_req_failed: ['rate<0.01'],   // Less than 1% errors
    errors: ['rate<0.05'],              // Custom error rate
  },
};

export default function () {
  const url = 'https://api.example.com/products';
  
  const params = {
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${__ENV.API_TOKEN}`, // From env var
    },
  };
  
  const response = http.get(url, params);
  
  // Assertions
  const success = check(response, {
    'status is 200': (r) => r.status === 200,
    'response time < 500ms': (r) => r.timings.duration < 500,
    'content type is JSON': (r) => r.headers['Content-Type'].includes('application/json'),
  });
  
  errorRate.add(!success);
  
  // Think time between requests
  sleep(1);
}
```

**Execution:**
```bash
# Run with 10 virtual users for 30 seconds
k6 run --vus 10 --duration 30s api-load-test.js

# Run with environment variables
k6 run --env API_TOKEN=secret123 api-load-test.js

# Cloud execution (distributed)
k6 cloud api-load-test.js
```

**Explanation**: The k6 script defines a ramp-up pattern (gradual increase to 200 concurrent users) to simulate realistic traffic. Thresholds define SLA requirements—if 95th percentile response time exceeds 500ms, the test fails. The `check()` function validates functional correctness under load (a slow error is still a failure). Virtual users execute the default function in a loop, with sleep() simulating think time between requests.

### **23.3.2 Spike and Stress Testing**

```javascript
// spike-test.js
export const options = {
  stages: [
    { duration: '10s', target: 100 },  // Normal load
    { duration: '1m', target: 1000 },  // Spike to 1000 users
    { duration: '2m', target: 1000 },  // Sustained spike
    { duration: '10s', target: 100 },    // Recovery
    { duration: '3m', target: 100 },     // Verify recovery
  ],
};

export default function () {
  const res = http.get('https://api.example.com/health');
  
  check(res, {
    'status is 200 or 503': (r) => r.status === 200 || r.status === 503,
    'response time < 2s': (r) => r.timings.duration < 2000,
  });
}
```

**Explanation**: Spike testing verifies how the API handles sudden traffic surges (e.g., flash sales, viral content). The test rapidly increases from 100 to 1000 users, maintains the spike, then verifies graceful degradation and recovery. Acceptable responses might include 200 (success) or 503 (service unavailable with proper queueing), but never 500 (unhandled errors) or timeouts.

---

## **23.4 Mocking and Virtualization**

Testing APIs often requires dependencies (payment gateways, third-party services) that are unavailable in test environments. Mocking simulates these services.

### **23.4.1 WireMock**

**Concept**: WireMock is an HTTP mock server that stubs API responses based on request matching.

**Setup (Java):**
```xml
<dependency>
    <groupId>com.github.tomakehurst</groupgroupId>
    <artifactId>wiremock-jre8</artifactId>
    <version>2.35.0</version>
    <scope>test</scope>
</dependency>
```

**Implementation:**
```java
import com.github.tomakehurst.wiremock.WireMockServer;
import com.github.tomakehurst.wiremock.client.WireMock;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

import static com.github.tomakehurst.wiremock.client.WireMock.*;
import static io.restassured.RestAssured.*;

public class WireMockExample {
    
    private WireMockServer wireMockServer;
    
    @BeforeEach
    public void setup() {
        // Start mock server on dynamic port
        wireMockServer = new WireMockServer(0);
        wireMockServer.start();
        
        // Configure REST Assured to use mock
        baseURI = "http://localhost";
        port = wireMockServer.port();
        
        // Setup stubs
        setupStubs();
    }
    
    private void setupStubs() {
        // Stub: Payment Gateway Success
        stubFor(post(urlEqualTo("/payments/charge"))
            .withHeader("Content-Type", containing("json"))
            .withRequestBody(containing("amount"))
            .willReturn(aResponse()
                .withStatus(200)
                .withHeader("Content-Type", "application/json")
                .withBody("""
                    {
                        "transaction_id": "txn_12345",
                        "status": "approved",
                        "amount": 99.99,
                        "currency": "USD"
                    }
                    """)));
        
        // Stub: Payment Gateway Decline
        stubFor(post(urlEqualTo("/payments/charge"))
            .withRequestBody(containing("decline_test"))
            .willReturn(aResponse()
                .withStatus(402) // Payment Required
                .withBody("""
                    {
                        "error": "card_declined",
                        "message": "Your card was declined."
                    }
                    """)));
        
        // Stub: External Weather API
        stubFor(get(urlPathMatching("/weather/v1/current"))
            .withQueryParam("city", matching(".*"))
            .willReturn(aResponse()
                .withStatus(200)
                .withBody("""
                    {
                        "temperature": 22,
                        "unit": "celsius",
                        "conditions": "sunny"
                    }
                    """)));
    }
    
    @Test
    public void testOrderWithPayment() {
        // Test our API which internally calls payment gateway
        given()
            .body("{\"product_id\": 1, \"payment_method\": \"card\"}")
        .when()
            .post("/api/orders")
        .then()
            .statusCode(201)
            .body("payment_status", equalTo("approved"));
        
        // Verify that mock was called
        verify(postRequestedFor(urlEqualTo("/payments/charge"))
            .withRequestBody(containing("amount")));
    }
    
    @AfterEach
    public void tearDown() {
        wireMockServer.stop();
    }
}
```

**Explanation**: WireMock creates a local HTTP server that mimics external services. The `stubFor()` method defines rules: when a POST request comes to `/payments/charge` with JSON content, return a success response. This allows testing the order creation flow without hitting real payment processors. The `verify()` method ensures that our application actually called the dependency (contract verification). After each test, the server stops to ensure isolation.

### **23.4.2 Hoverfly for Service Virtualization**

**Concept**: Hoverfly simulates HTTP/S services by capturing and replaying traffic (simulation) or using templates.

```java
import io.specto.hoverfly.junit.core.Hoverfly;
import io.specto.hoverfly.junit.core.HoverflyMode;
import io.specto.hoverfly.junit5.HoverflyExtension;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;

import static io.restassured.RestAssured.*;
import static io.specto.hoverfly.junit.dsl.HoverflyDsl.*;
import static io.specto.hoverfly.junit.dsl.ResponseCreators.*;
import static io.specto.hoverfly.junit.dsl.matchers.HoverflyMatchers.*;

@ExtendWith(HoverflyExtension.class)
public class HoverflyExample {
    
    @Test
    public void testWithHoverflySimulation(Hoverfly hoverfly) {
        // Define simulation
        hoverfly.simulate(
            dsl(
                service("api.external-service.com")
                    .post("/validate")
                    .body(equalsToJson("{\"token\":\"abc123\"}"))
                    .willReturn(success("{\"valid\": true}"))
                    
                    .post("/validate")
                    .body(equalsToJson("{\"token\":\"invalid\"}"))
                    .willReturn(success("{\"valid\": false}"))
            )
        );
        
        // Test against virtualized service
        given()
            .baseUri("http://api.external-service.com")
            .body("{\"token\":\"abc123\"}")
        .when()
            .post("/validate")
        .then()
            .body("valid", equalTo(true));
    }
}
```

**Explanation**: Hoverfly works as a proxy that intercepts HTTP calls. In simulation mode, it returns predefined responses based on request matching (URL, headers, body). This is useful for testing against third-party APIs that have rate limits or costs associated with calls. Unlike WireMock (which requires code changes to point to localhost), Hoverfly can intercept traffic transparently using proxy settings.

---

## **23.5 Contract Testing**

In microservices architectures, teams need assurance that service changes don't break consumers. Contract testing verifies that provider and consumer agree on the API contract.

### **23.5.1 Consumer-Driven Contracts with Pact**

**Concept**: The consumer defines expectations (contract), and the provider verifies it can fulfill them.

**Consumer Test (Client Side):**
```java
import au.com.dius.pact.consumer.MockServer;
import au.com.dius.pact.consumer.dsl.PactDslWithProvider;
import au.com.dius.pact.consumer.junit5.PactConsumerTestExt;
import au.com.dius.pact.consumer.junit5.PactTestFor;
import au.com.dius.pact.core.model.V4Pact;
import au.com.dius.pact.core.model.annotations.Pact;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;

import static io.restassured.RestAssured.*;
import static org.hamcrest.Matchers.*;

@ExtendWith(PactConsumerTestExt.class)
@PactTestFor(providerName = "user-service")
public class UserServiceConsumerPact {
    
    @Pact(consumer = "order-service")
    public V4Pact createPact(PactDslWithProvider builder) {
        return builder
            .given("user exists")
            .uponReceiving("get user by id")
            .path("/users/123")
            .method("GET")
            .willRespondWith()
            .status(200)
            .body("""
                {
                    "id": 123,
                    "name": "John Doe",
                    "email": "john@example.com",
                    "status": "active"
                }
                """)
            .toPact(V4Pact.class);
    }
    
    @Test
    @PactTestFor(pactMethod = "createPact")
    void testGetUser(MockServer mockServer) {
        // This test runs against the mock provider
        given()
            .baseUri(mockServer.getUrl())
        .when()
            .get("/users/123")
        .then()
            .statusCode(200)
            .body("id", equalTo(123))
            .body("name", equalTo("John Doe"));
        
        // Pact file generated: order-service-user-service.json
    }
}
```

**Provider Verification (Service Side):**
```java
import au.com.dius.pact.provider.junit5.PactVerificationContext;
import au.com.dius.pact.provider.junitsupport.Provider;
import au.com.dius.pact.provider.junitsupport.State;
import au.com.dius.pact.provider.junitsupport.loader.PactFolder;
import au.com.dius.pact.provider.spring.junit5.PactVerificationSpringProvider;
import org.junit.jupiter.api.TestTemplate;
import org.junit.jupiter.api.extension.ExtendWith;

@Provider("user-service")
@PactFolder("pacts") // Looks for pact files generated by consumers
public class UserServiceProviderPactTest {
    
    @TestTemplate
    @ExtendWith(PactVerificationSpringProvider.class)
    void pactVerificationTestTemplate(PactVerificationContext context) {
        context.verifyInteraction();
    }
    
    @State("user exists") // Matches the "given" in consumer test
    public void userExistsState() {
        // Setup test data in database
        userRepository.save(new User(123L, "John Doe", "john@example.com", "active"));
    }
}
```

**Explanation**: Contract testing decouples microservices testing. The consumer (order-service) writes a pact specifying what it needs from the provider (user-service): a GET request to `/users/123` returns specific JSON fields. Pact generates a contract file. The provider test loads this file and verifies the real service returns compatible data. If the provider changes the response structure (e.g., renames `name` to `full_name`), the provider test fails, alerting the team to breaking changes before deployment.

---

## **23.6 API Test Automation in CI/CD**

Automated API tests must run fast, reliably, and provide actionable feedback in CI/CD pipelines.

### **23.6.1 Dockerized Test Execution**

**Dockerfile for REST Assured Tests:**
```dockerfile
# Dockerfile.test
FROM maven:3.9-eclipse-temurin-17-alpine

WORKDIR /app

# Copy pom.xml first for layer caching
COPY pom.xml .
RUN mvn dependency:go-offline

# Copy source code
COPY src ./src

# Default command runs tests
CMD ["mvn", "test", "-Dsuite=api-tests"]
```

**Docker Compose for Integration Testing:**
```yaml
# docker-compose.test.yml
version: '3.8'

services:
  api-tests:
    build:
      context: .
      dockerfile: Dockerfile.test
    environment:
      - BASE_URL=http://app:8080
      - DB_HOST=postgres
    depends_on:
      - app
      - postgres
    networks:
      - test-network

  app:
    image: myapp:latest
    environment:
      - DATABASE_URL=postgres://postgres:secret@postgres:5432/testdb
    depends_on:
      - postgres
    networks:
      - test-network

  postgres:
    image: postgres:15-alpine
    environment:
      POSTGRES_PASSWORD: secret
      POSTGRES_DB: testdb
    networks:
      - test-network

networks:
  test-network:
    driver: bridge
```

**Execution:**
```bash
# Run full integration test suite
docker-compose -f docker-compose.test.yml up --abort-on-container-exit

# Cleanup
docker-compose -f docker-compose.test.yml down -v
```

**Explanation**: Containerization ensures tests run in consistent environments across developer machines and CI servers. The Docker Compose setup creates an isolated network with the application, database, and test runner. Tests execute against the containerized app, providing true integration testing. The `--abort-on-container-exit` flag ensures CI fails if tests fail.

### **23.6.2 Parallel Execution**

**Maven Configuration for Parallel Tests:**
```xml
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-surefire-plugin</artifactId>
    <version>3.2.3</version>
    <configuration>
        <parallel>methods</parallel>
        <threadCount>10</threadCount>
        <perCoreThreadCount>false</perCoreThreadCount>
    </configuration>
</plugin>
```

**Thread-Safe Test Design:**
```java
public class ParallelApiTest {
    
    // ThreadLocal to ensure each thread has isolated state
    private static final ThreadLocal<String> authToken = new ThreadLocal<>();
    
    @BeforeEach
    public void setup() {
        // Each thread gets its own token
        authToken.set(generateUniqueToken());
    }
    
    @Test
    public void testConcurrentOrders() {
        // Safe to run in parallel - no shared state
        given()
            .auth().oauth2(authToken.get())
        .when()
            .post("/api/orders")
        .then()
            .statusCode(201);
    }
    
    private String generateUniqueToken() {
        return "token_" + Thread.currentThread().getId() + "_" + System.currentTimeMillis();
    }
}
```

**Explanation**: Parallel execution reduces test suite duration but requires thread safety. The `ThreadLocal` class ensures each parallel thread maintains its own authentication token, preventing race conditions where tests interfere with each other's sessions. Maven Surefire's configuration splits test methods across 10 threads, utilizing multi-core CPUs efficiently.

---

## **Chapter Summary**

In this chapter, you advanced from basic API testing to **enterprise-grade API quality engineering**:

**Authentication Strategies**: You implemented multiple security protocols:
- **Basic Auth**: Simple Base64 encoding for legacy systems
- **Bearer Tokens**: JWT handling with expiration and refresh logic
- **OAuth 2.0**: Complete flows including Client Credentials and Authorization Code with PKCE
- **HMAC**: Request signing preventing replay attacks and payload tampering

**Security Testing**: You learned to identify critical vulnerabilities:
- **BOLA/IDOR**: Testing horizontal privilege escalation via ID manipulation
- **Injection**: SQL and NoSQL injection prevention through input validation
- **Mass Assignment**: Protecting against privilege escalation via field injection

**Performance Engineering**: You implemented load testing with **k6**, defining SLAs (95th percentile < 500ms) and spike testing to verify graceful degradation under traffic surges.

**Service Virtualization**: You isolated tests using **WireMock** (code-level mocking) and **Hoverfly** (proxy-based virtualization), enabling testing without external dependencies.

**Contract Testing**: You established **Consumer-Driven Contracts** with Pact, ensuring microservices compatibility and preventing breaking changes in distributed systems.

**CI/CD Integration**: You containerized test execution with Docker Compose for consistent integration testing and implemented parallel execution strategies for faster feedback loops.

**Key Takeaways:**
1. **Security First**: Never hardcode credentials; use environment variables and secret managers
2. **Defense in Depth**: Validate at multiple layers (input validation, parameterized queries, output encoding)
3. **Performance Budgets**: Define and enforce SLAs (latency < 500ms, error rate < 1%)
4. **Test Isolation**: Use virtualization to eliminate flaky tests caused by external dependencies
5. **Contract First**: Prevent integration failures by testing contracts before deployment

**Industry Standards Applied:**
- **OWASP API Security Top 10**: Comprehensive coverage of injection, authentication, and authorization flaws
- **RFC 6749**: OAuth 2.0 Authorization Framework implementation
- **RFC 7519**: JSON Web Token (JWT) handling
- **12-Factor App**: Configuration via environment variables, stateless processes

---

## **📖 Next Chapter: Chapter 24 - Mobile Application Testing**

Having mastered API testing from functional validation to security hardening, **Chapter 24: Mobile Application Testing** will extend your expertise to the mobile ecosystem.

In **Chapter 24**, you'll explore:

- **24.1 Mobile Application Fundamentals**: Native vs. Hybrid vs. PWA architectures, iOS and Android platform differences, and mobile-specific quality challenges (battery, connectivity, sensors)
- **24.2 Appium**: The industry-standard cross-platform automation framework—architecture, desired capabilities, element locators (Accessibility ID, XPath), and gesture automation (swipe, pinch, long-press)
- **24.3 Mobile Testing Tools and Platforms**: Cloud device labs (BrowserStack, Sauce Labs), emulators vs. simulators vs. real devices, and native frameworks (XCUITest, Espresso)
- **24.4 Mobile Testing Types**: Functional testing, interruption testing (calls, notifications), network testing (airplane mode, 3G/4G/5G transitions), and geolocation testing
- **24.5 Mobile-Specific Scenarios**: Biometric authentication (Face ID, Touch ID), deep linking, push notifications, camera integration, and offline mode synchronization

You'll transition from **backend API testing** to **client-side mobile quality**, learning to automate complex gestures, handle device fragmentation, and test in real-world conditions (varying networks, battery states, and interruptions).

**Continue to Chapter 24 to become a Mobile Testing Expert!**

<div style='width:100%; display:flex; justify-content:space-between; align-items:center; margin: 1em 0;'>
  <a href='22. api_testing_tools.ipynb' style='font-weight:bold; font-size:1.05em;'>&larr; Previous</a>
  <a href='../TOC.md' style='font-weight:bold; font-size:1.05em; text-align:center;'>Table of Contents</a>
  <a href='../6. mobile_application_testing/24. mobile_application_fundamentals.ipynb' style='font-weight:bold; font-size:1.05em;'>Next &rarr;</a>
</div>
