# Chapter 3 - POST Requests: Creating and Authorizing Users

Before we start building an actual project in an IDE (next chapter), I want to spend some time working with POST Requests for a _very_ common flow - Creating and Authorizing Users.

>💡 This is a fundamental hook to have in your automation because you most likely need a User, Customer, or entity in each of your tests that is the "actor" or "actress".

Instead of having hard-coded users, we can have ephemeral users that we create for each test (with whatever settings we want) and then delete the user once the test is complete.

### 📚 DemoQA Bookstore API 📚

📗 📕 📘 📙
---
In this notebook, we will use the [DemoQA Bookstore API](https://demoqa.com/swagger/) which is a free, demo macroservice for creating users and managing their collection of books. It's great for practice!

>💡 In the next chapter, we will use the same code to create the exact hook I described above

In [1]:
""" This time, we'll build the URL:

1. BASE_URL - The address of the environment under test (Dev, QA, Prod, etc.)
2. ROUTE    - The service to use (Account or BookStore)
3. ENDPOINT - The object to act on

* Some people combine BASE_URL + ROUTE + ENDPOINT into a single variable too!
* We'll do that in the next cell
"""
# Breaking the URL into pieces makes it easier to control
# which envs and versions your framework and tests target
BASE_URL = 'https://demoqa.com'  # example: https://test.demoqa.com
ROUTE = '/Account/v1'            # example: /Account/v3

In [2]:
""" Write the logic to create a user.

> Notice how this time we will define a PAYLOAD (aka BODY)

This is the data required for this endpoint to create what we want.
In this case, we need to provide:

* userName - spelled exactly how the docs define it
* password
"""
import requests

def create_user():
    # 1. Define the endpoint (URL)
    endpoint = BASE_URL + ROUTE + '/User'

    # 2. Define the data you need to send in the request
    payload = {'userName': 'greatest_name', 'password': 'P@4$$w0rd'}

    # 3. Pick the action method, send it, and hold the response
    response = requests.post(endpoint, json=payload)
    return response


user_response = create_user()
print(user_response.json())

{'userID': 'cfbc7809-1711-4e7a-aeb2-ad8395aaf44a', 'username': 'greatest_name', 'books': []}


## Properly control your data

Our function in the above cell created a user as expected!

However, running the cell again reveals a problem... the user already exists!

>🛑 This behavior is expected from the developer's point of view, but our current implementation would prevent us from having a unique user per test because it's hard coded 😢

For now, we'll create a `delete` function later in the notebook, but we'll need to solve that in the next chapter when we dive into hooks in an IDE.

In [3]:
""" Generate a token to authorize our newly created user  """
def generate_token():
    endpoint = BASE_URL + ROUTE + '/GenerateToken'
    payload = {'userName': 'greatest_name', 'password': 'P@4$$w0rd'}

    response = requests.post(endpoint, json=payload)
    return response


token_response = generate_token()
print(token_response.json())

{'token': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyTmFtZSI6ImdyZWF0ZXN0X25hbWUiLCJwYXNzd29yZCI6IlBANCQkdzByZCIsImlhdCI6MTYxMzQxODAzNX0.sSdp3s8PQxrZBDFpS3Upk5hx5rj0Puf0fOOBJfvCgZ0', 'expires': '2021-02-22T19:40:35.173Z', 'status': 'Success', 'result': 'User authorized successfully.'}


In [4]:
""" Delete the user.

* This is a DELETE action
* It requires that we pass in a `UserId` in the endpoint
* Doesn't take a payload
"""
def delete_user(user_id):
    endpoint = BASE_URL + ROUTE + f'/User/{user_id}'
    response = requests.delete(endpoint)
    return response


deletion = delete_user(user_response.json()['userID'])
print(deletion.content)

b'{"code":"1200","message":"User not authorized!"}'


## Authorization

Many API calls you make will require that your client and/or users be authorized.

>💡 How you do this will depend on the design and "auth requirements" of the API.

In our case, we need to pass in a `headers` object with the Authorization Token. Let's write the function again in the next cell so we can see the difference.

In [5]:
""" V2: Delete the user with proper headers """
def delete_user(user_id, token):
    endpoint = BASE_URL + ROUTE + f'/User/{user_id}'
    headers = {'Authorization': f'Bearer {token}'}

    response = requests.delete(endpoint, headers=headers)
    return response


# 1. Get user_id and token
user_id = user_response.json()['userID']
token   = token_response.json()['token']

# 2. Pass in these values to our function
deletion = delete_user(user_id, token)

print(deletion.status_code) # 204: No Content
print(deletion.content)

204
b''


## Decoupling the code

In our `V2` function above, observe that we have `user_id` and `token` in the function signature instead of having them hard-coded.

Our `create_user()` and `generate_token()` functions used the same payload object which forced us to update each function when we wanted to change something like the username... This is bad! Let's update the functions below:

In [6]:
""" Define our functions using parameters and a return type """
from typing import Dict
from requests import Response


BASE_URL = 'https://demoqa.com'
ACCOUNT_URL = BASE_URL + '/Account/v1'


def create_user(username, password) -> Dict:
    payload = {'userName': username, 'password': password}
    response = requests.post(f'{ACCOUNT_URL}/User', json=payload)
    return response.json()


def generate_token(username, password) -> Dict:
    payload = {'userName': username, 'password': password}
    response = requests.post(f'{ACCOUNT_URL}/GenerateToken', json=payload)
    return response.json()


def delete_user(user_id, token) -> Response:
    headers = {'Authorization': f'Bearer {token}'}
    response = requests.delete(f'{ACCOUNT_URL}/User/{user_id}', headers=headers)
    return response

In [7]:
""" Use the functions to create an authorized user, then delete it """
CREDENTIALS = 'username 001', 'P@$$w0rd'

user_id = create_user(*CREDENTIALS)['userID']
token   = generate_token(*CREDENTIALS)['token']

delete_response = delete_user(user_id, token)
assert delete_response.status_code == 204

## Your Challenge

Create the function that calls the `/Account/v1/Authorized` endpoint which is used to check if a given user is authorized or not.

**STEPS:**

1. Create an authorized user
2. Assert they are authorized using this endpoint
3. Then delete the user.

**OPTIONAL BONUS:**

Define Models with Pydantic to use for the `create_user()` and `generate_token()` functions!