Request
What is Request?
- Request is an action performed on a resource identified by a given Request-URL. Request methods are case-sensitive, and should always be noted in upper case.
Request section:
- The Request section is provided below the Request Name text field and is expanded by default.
- When the user collapses this section, the text “Request” is displayed.
- When it is expanded, it displays the following tabs:
i) Query Parameter, ii) Request Header, iii) Request Body, iv) Authorization, v) Pre Requisite, vi) Assert and vii) Capture Data from Response.
Now, let’s look at each tab in detail:
1. Query Parameter
What is a query parameter?
- The user can send additional information to the server with the help of query parameters.
- Query parameters are appended to the end of the Request URL, following ‘?’ and listed in key-value pairs, separated by ‘&’.
Ex:- URI?id=1&name=abc
Add a query parameter
- Enter key and values in the text fields provided in the Key and Value column respectively.
- Add multiple query parameters by clicking on the “+ Query Parameter” button.
Edit a query parameter
- Single click on any key value in the Key column to edit a key.
- Single click on any value in the Value column to edit a value.
Remove a query parameter
- Hovering the mouse over any row displays a Remove icon in the Remove column; clicking on it removes the query parameter.
2. Request Header
What is a request header?
- Request headers are meta-data associated with the API request.
- Headers will contain the information for the Request body and Authorization as shown in the below screen.
Add a request header
- Default headers related to request body and authorization are present in the table.
- Enter key and values in the text fields provided in the Key and Value column respectively.
- Add multiple headers by clicking on the “+ Header” button.
Edit a request header
- Single click on any key value in the Key column to edit a key.
- Single click on any value in the Value column to edit a value.
Remove a request header
- Hovering the mouse over any row displays a Remove icon in the Remove column; clicking on it removes the header.
- Default headers cannot be removed.
3. Request Body
The request body supports 5 body types:
i) Raw, ii) Form Data, iii) x-www-form-url encoded, iv) Binary and v) GraphQL
3.1 Raw
- What is Raw?
- Sending an input to the server by entering a text.
- Users can send the input in five formats. Those are:- i) JSON, ii) XML, iii) JavaScript, iv) HTML and v) Text
- Add Raw
- Users can send the input in two ways. They are mentioned below.
1. By clicking on the Choose file button, the user can select a file from either the local drive or from test data. Note: After selecting the file, its content is read into the code editor, where the user can also edit it.
2. A code editor is provided, where the user can write the code manually.
3.2 Form-Data
- What is form data?
- Form data allows the user to send the request body, either in the form of key-value pairs or file format.
- Form Data also helps the user run collections that contain requests requiring file upload.
- Add a form data
- Users can send the input in two ways. Those are mentioned below.
i. By selecting text in the key type column the user can send the key-value pairs as an input.
ii. By selecting a file in the key type column the user can send the file as an input. (It will provide a warning message if the user selects a file from a local drive)
- Add multiple form data by clicking on the “+ Form Data” button.
- Edit a form data
- Single click on any key value in the Key column to edit a key.
- Single click on any value in the Value column to edit a value.
- Users should remove the file to replace it with another file.
- Remove a form data
- Hovering the mouse over any row displays a Remove icon in the Remove column; clicking on it removes the form data.
Note: The user can upload file sizes of up to 500MB. If a file exceeds that size, FireFlink displays an error message.
3.3 x-www-form-URL encoded
- What is x-www-form-URL encoded?
- It is the encoding a web form uses to transfer data when it does not use multipart/form-data.
- It is used more generally to send text data to the server in the form of key-value pairs.
- Add a x-www-form-URL encoded
- Enter key and values in the text fields provided in the Key and Value column respectively.
- Add multiple URL-encoded keys and values by clicking on the +URL Encoded button.
- Edit a x-www-form-URL encoded
- Single click on any key value in the Key column to edit a key.
- Single click on any value in the Value column to edit a value.
- Remove a x-www-form-URL encoded
- Hovering the mouse over any row displays a Remove icon in the Remove column; clicking on it removes the URL-encoded pair.
3.4 None
- This does not contain any body.
4. Authorization
- What is Authorization?
- A user or application is granted access to an API after the API determines the extent of the permissions that it should assign.
- Usually, authorization occurs after identity is successfully validated through authentication so that the API has some idea of the access it should grant.
- Why do we need authorization?
- APIs use authorization to ensure that client requests access data securely.
- Authorization data can be included in the header, body, or as parameters to a request.
- There are nine types of authorization. They are: –
(i) No Auth (ii) Basic Auth, (iii) Bearer Token, (iv) OAuth 1.0, (v) OAuth 2.0, (vi) Digest Auth, (vii) AWS, (viii) Hawk and (ix) Microsoft NTLM as shown in the below screen.
4.1 No Auth
- What is No Auth?
- With No Auth, no authorization details are sent with the request.
- Why do we need No Auth?
- When the user does not want to send any type of authorization request.
4.2 Basic Auth
- What is Basic Auth?
- Basic Authentication is the simplest type of authorization available.
- It requires just a username and password for checking the authorization of any person. (That is why we say basic access authentication)
- Adding Basic Auth
- First, select the Basic Auth option from the Type dropdown.
- User needs to add a username in the Username text field and a password in the Password text field.
- Removing Basic Auth
- Either the user has to clear all the text fields, or the user has to select the ‘No Auth’ option in the Type dropdown.
4.3 Bearer Token
- What is Bearer Token?
- It is a single string that acts as the authentication of the API request.
- The token is a text string, included in the request header.
- Why do we need Bearer Token?
- Bearer tokens are a much simpler way of making API requests, since they do not require the cryptographic signing of each request.
- Bearer tokens allow requests to authenticate using an access key, such as a JSON Web Token (JWT).
- Adding Bearer Token
- Select the Bearer Token option from Type dropdown.
- User needs to add an access key, such as a JSON Web Token in the Token text field.
- Remove Bearer Token
- Either the user has to clear the text field, or the user has to select the “No Auth” option in the Type dropdown.
4.4 OAuth 1.0
1. What is OAuth 1.0?
- OAuth 1.0 uses the Authorization header as a way to authenticate the client to the OAuth Provider itself.
2. Why do we need OAuth 1.0?
- OAuth 1.0 provides a method for clients to access server resources on behalf of a resource owner.
3. Adding OAuth 1.0
- Select the OAuth 1.0 option from Type dropdown.
- Based on the Signature Method dropdown, all the fields will vary. The options of this dropdown are:
(i) HMAC-SHA1, (ii) HMAC-SHA256, (iii) HMAC-SHA512, (iv) RSA-SHA1, (v) RSA-SHA256, (vi) RSA-SHA512 and (vii) PLAINTEXT.
- Signature Method is the method that the Consumer uses to sign the request.
1. HMAC-SHA1
- An HMAC is a MAC that is based on a hash function. The basic idea is to concatenate the key and the message and hash them together.
- Secure Hash Algorithm (SHA), also called SHS (Secure Hash Standard), is a cryptographic hash algorithm.
- HMAC-SHA1 accepts keys of any size and produces a hash sequence that is 160 bits in length.
- To add the HMAC-SHA1, the user first needs to select the HMAC-SHA1 option from the Signature Method dropdown.
- User needs to enter the values in mandatory text fields. These text fields are consumer key, token secret, access token, and consumer secret text fields.
2. HMAC-SHA256
- Using an HMAC with a sufficiently long secret key should prevent third parties from being able to brute-force the hashed values and identify their original values.
- For HMAC-SHA256, a 256-bit key should be sufficient.
- To add the HMAC-SHA256, the user first needs to select the HMAC-SHA256 option from the Signature Method dropdown.
- User needs to enter the values in mandatory text fields. These text fields are consumer key, token secret, access token, and consumer secret text fields.
3. HMAC-SHA512
- HMAC-SHA512 is a type of keyed hash algorithm that is constructed from the SHA512 hash function and used as a Hash-based Message Authentication Code (HMAC).
- HMACs provide security against tampering because one must know the secret key to change the message and reproduce the correct hash value.
- To add the HMAC-SHA512, the user first needs to select the HMAC-SHA512 option from the Signature Method dropdown.
- User needs to enter the values in mandatory text fields. These text fields are consumer key, token secret, access token, and consumer secret text fields.
4. RSA-SHA1
- RSA signature is a type of digital signature that uses the RSA asymmetric key algorithm.
- To add the RSA-SHA1, the user first needs to select the RSA-SHA1 option from the Signature Method dropdown.
- User needs to enter the values in mandatory text fields. These text fields are the Consumer Key and Access Token.
- Users also need to enter the values in the text area or select PEM file for Private key by clicking on Choose file button, which is mandatory.
- PEM or Privacy Enhanced Mail is a Base64 encoded DER certificate.
- PEM certificates are frequently used for web servers as they can easily be translated into readable data using a simple text editor.
5. RSA-SHA256
- To add the RSA-SHA256, the user first needs to select the RSA-SHA256 option from the Signature Method dropdown.
- User needs to enter the values in mandatory text fields. These text fields are the Consumer Key and Access Token.
- Users also need to enter the values in the text area or select the file for the Private key by clicking on Choose file button, which is mandatory.
- PEM or Privacy Enhanced Mail is a Base64 encoded DER certificate.
- PEM certificates are frequently used for web servers as they can easily be translated into readable data using a simple text editor.
6. RSA-SHA512
- To add the RSA-SHA512, the user first needs to select the RSA-SHA512 option from the Signature Method dropdown.
- User needs to enter the values in mandatory text fields. Those text fields are the Consumer Key and Access Token.
- Users also need to enter the values in the text area or select the file for the Private key by clicking on Choose file button, which is mandatory.
- PEM or Privacy Enhanced Mail is a Base64 encoded DER certificate.
- PEM certificates are frequently used for web servers as they can be easily translated into readable data using a simple text editor.
7. PLAINTEXT
- To add the PLAINTEXT, the user first needs to select the PLAINTEXT option from the Signature Method dropdown.
- User needs to enter the values in mandatory text fields. Those text fields are consumer key, token secret, access token, and consumer secret text fields.
- An Advanced section is also present. It is not mandatory; if the user wants to give additional information, it can be provided in this section.
- Advanced section text fields are Call-back URL, Verifier, Timestamp, Nonce, Version, and Realm. The user can provide this additional information in the authorization as well.
4. Removing OAuth 1.0
- Either the user has to clear all the text fields or the user has to select the No Auth option in the Type dropdown.
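How the HMAC-* and PLAINTEXT signature methods above turn the consumer secret and token secret into an oauth_signature, following RFC 5849, and how a server checks it. This is an added example, not FireFlink code; the URL, keys, secrets and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Hash functions behind the HMAC-* options in the Signature Method dropdown.
HASHES = {
    "HMAC-SHA1": hashlib.sha1,      # 160-bit output
    "HMAC-SHA256": hashlib.sha256,  # 256-bit output
    "HMAC-SHA512": hashlib.sha512,  # 512-bit output
}

# Constructed sample values (assumptions, not real credentials or endpoints).
CONSUMER_SECRET = "cs-demo"
TOKEN_SECRET = "ts-demo"
URL = "https://api.example.test/items"
PARAMS = {
    "id": "1",
    "name": "abc",
    "oauth_consumer_key": "ck-demo",
    "oauth_token": "at-demo",
    "oauth_signature_method": "HMAC-SHA256",
    "oauth_timestamp": "1700000000",
    "oauth_nonce": "n0nce-demo",
    "oauth_version": "1.0",
}


def pct(value):
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return quote(value, safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter list (RFC 5849, 3.4.1)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret, signature_method):
    """Return the oauth_signature value for the chosen signature method."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    if signature_method == "PLAINTEXT":
        # No hashing: both secrets are sent as-is, so TLS is the only protection.
        return key
    base = signature_base_string(method, url, params)
    mac = hmac.new(key.encode(), base.encode(), HASHES[signature_method])
    return base64.b64encode(mac.digest()).decode()


def verify(method, url, params, consumer_secret, token_secret,
           signature_method, received_signature):
    """Server side: recompute the signature and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret,
                    signature_method)
    return hmac.compare_digest(expected.encode(), received_signature.encode())


if __name__ == "__main__":
    sig = sign("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET, "HMAC-SHA256")
    print("signature:", sig)
    print("untouched request verifies:",
          verify("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET,
                 "HMAC-SHA256", sig))
    tampered = dict(PARAMS, id="2")  # parameter changed after signing
    print("tampered request verifies:",
          verify("GET", URL, tampered, CONSUMER_SECRET, TOKEN_SECRET,
                 "HMAC-SHA256", sig))
```

The query parameters are part of the signed base string, so editing one after signing makes verification fail; with PLAINTEXT nothing is bound to the request and the secrets themselves are what is transmitted.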
4.5 OAuth 2.0
1. What & why do we need OAuth 2.0?
- The OAuth 2.0 authorization framework enables applications to obtain limited access to an HTTP service, usually on behalf of a resource owner.
- OAuth 2.0 is used for many popular application APIs such as GitHub, Facebook, Google, Dropbox, and many more.
2. Adding OAuth 2.0
- Select the OAuth 2.0 option from the Type dropdown.
- Based on the Grant Type dropdown, all the fields vary and the options of this dropdown are (i) Password Credentials, (ii) Authorization Code, (iii) Authorization Code (with PKCE), (iv) Implicit and (v) Client Credentials.
- Password Credentials
- Select the Password Credentials option from the Grant Type dropdown.
- The user needs to enter the values in mandatory text fields. These text fields are Access Token URL, Username, Password, Client ID, and Client secret text fields.
- Scope text field is a non-mandatory text field.
- The user has also been provided with an advanced section where you can provide additional information in the Audience text field.
- The user can also add multiple values for the Audience text field by clicking on the “+” icon.
- Click on the ‘Request Token’ button to generate a token, and the generated token will be filled in the ‘Access Token’ text field.
- After generating the token, click on the ‘Send’ button to send this security measure to execute the request.
- Authorization Code
- Select the Authorization Code option from the Grant Type dropdown.
- The user needs to enter the values in mandatory text fields. Those text fields are Access Token URL, Call-back URL, Auth URL, Client ID, and Client Secret text fields.
- Scope and State text fields are non-mandatory text fields.
- The user has also been provided with an advanced section where you can provide additional information in the Audience and Resource text fields.
- The user can also add the multiple values for Audience and Resource text fields by clicking on the “+ icon”.
- Click on the ‘Request Token’ button to generate a token, and the generated token will be filled in the ‘Access Token’ text field.
- After generating the token, click on the ‘Send’ button to send this security measure to execute the request.
Note: The default call-back URL is https://app.FireFlink.com/optimize/v1/public/auth/callback
- Authorization Code (with PKCE)
- Select the Authorization Code (with PKCE) option from the Grant Type dropdown.
- The user needs to enter the values in mandatory text fields. These text fields are Access Token URL, Call-back URL, Auth URL, Client ID, and Client Secret text fields.
- Scope, Code Verifier, and State text fields are non-mandatory text fields.
- The user has also been provided with an advanced section where you can provide additional information in the Audience and Resource text fields.
- The user can also add the multiple values for Audience and Resource text fields by clicking on the “+” icon.
- Click on the ‘Request Token’ button to generate a token, and the generated token will be filled in the ‘Access Token’ text field.
- After generating the token, click on the ‘Send’ button to send this security measure to execute the request.
Note: The default call-back URL is https://app.FireFlink.com/optimize/v1/public/auth/callback
- Implicit
- Select the Implicit option from the Grant Type dropdown.
- The user needs to enter the values in mandatory text fields. These text fields are Call-back URL, Auth URL, and Client ID.
- Scope and State text fields are non-mandatory text fields.
- The user has also been provided with an advanced section where you can provide additional information in the Audience text field.
- The user can also add the multiple values for the Audience text field by clicking on the “+” icon.
- Click on the ‘Request Token’ button to generate a token, and the generated token will be filled in the ‘Access Token’ text field.
- After generating the token, click on the ‘Send’ button to send this security measure to execute the request.
Note: The default call-back URL is https://app.FireFlink.com/callback
- Client Credentials
- Select the Client Credentials option from the Grant Type dropdown.
- The user needs to enter the values in mandatory text fields. These text fields are Access Token URL, Client ID, and Client Secret text fields.
- Scope and State text fields are non-mandatory text fields.
- The user has also been provided with an advanced section where you can provide additional information in the Audience and Resource text fields.
- The user can also add the multiple values for Audience and Resource text fields by clicking on the “+” icon.
- Click on the ‘Request Token’ button to generate a token, and the generated token will be filled in the ‘Access Token’ text field.
- After generating the token, click on the ‘Send’ button to send this security measure to execute the request.
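What the Code Verifier field of the Authorization Code (with PKCE) grant is for, following RFC 7636: the client keeps a random verifier, sends only its SHA-256 challenge with the authorization request, and reveals the verifier when exchanging the code. This is an added example, not FireFlink code; ToyAuthorizationServer and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636: a verifier is 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data):
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier():
    """Client: 32 random bytes give a 43-character high-entropy verifier."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier, method="S256"):
    """Derive the value sent with the authorization request."""
    if not VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier  # no protection if the authorization request is observed
    raise ValueError("unsupported code_challenge_method")


class ToyAuthorizationServer:
    """Hypothetical in-memory server, only to show what each side stores."""

    def __init__(self):
        self._pending = {}  # authorization code -> (challenge, method)

    def authorize(self, challenge, method="S256"):
        """Auth URL step: remember the challenge, hand back a code."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = (challenge, method)
        return code

    def redeem(self, code, verifier):
        """Access Token URL step: the code only works with the matching verifier."""
        entry = self._pending.pop(code, None)  # codes are single use
        if entry is None:
            return False
        challenge, method = entry
        try:
            candidate = code_challenge(verifier, method)
        except ValueError:
            return False
        return hmac.compare_digest(candidate.encode(), challenge.encode())


if __name__ == "__main__":
    server = ToyAuthorizationServer()
    verifier = new_code_verifier()
    code = server.authorize(code_challenge(verifier))
    print("right verifier:", server.redeem(code, verifier))
    print("code replayed: ", server.redeem(code, verifier))
    stolen = server.authorize(code_challenge(verifier))
    print("wrong verifier:", server.redeem(stolen, new_code_verifier()))
```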
4.6 Digest Auth
- What is Digest Auth?
- Digest authentication protects an endpoint with a username and password without actually transmitting the password over the network.
- Adding Digest Auth
- Select the Digest Auth option from the Type dropdown.
- To authenticate with a digest endpoint, the user must send two requests instead of one.
- The first request sent to the server receives a nonce value, which is then used to produce a one-time-use hash key to authenticate the request.
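The two-request exchange described above, worked through with the sample values from RFC 2617 (user Mufasa, MD5, qop=auth): the first response carries the nonce, and the second request carries a hash derived from it instead of the password. This is an added example, not FireFlink code; the function names are hypothetical.

```python
import hashlib
import re

# WWW-Authenticate header returned with the first (401) response.
# Realm and nonce are the RFC 2617 sample values.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_challenge(header):
    """Split a Digest challenge into its key/value fields."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', rest):
        fields[key.lower()] = quoted or bare
    return fields


def digest_response(username, password, method, uri, realm, nonce, nc, cnonce):
    """Compute the response value for qop=auth."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # the password never leaves here
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def authorization_header(username, password, method, uri, challenge, nc, cnonce):
    """Build the Authorization header for the second request."""
    response = digest_response(username, password, method, uri,
                               challenge["realm"], challenge["nonce"],
                               nc, cnonce)
    return (f'Digest username="{username}", realm="{challenge["realm"]}", '
            f'nonce="{challenge["nonce"]}", uri="{uri}", qop=auth, '
            f'nc={nc}, cnonce="{cnonce}", response="{response}"')


if __name__ == "__main__":
    challenge = parse_challenge(CHALLENGE)
    # A real client picks a fresh random cnonce and increments nc per request;
    # the fixed values here reproduce the RFC's published result.
    print(authorization_header("Mufasa", "Circle Of Life", "GET",
                               "/dir/index.html", challenge,
                               "00000001", "0a4f113b"))
```

The server repeats the same computation from its stored credentials and compares; because nc and the nonce are inside the hash, a captured header cannot be reused with a different count or nonce.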
4.7 AWS
- What is AWS?
- AWS is the mechanism used to authenticate with the AWS API.
- Adding AWS
- Select the AWS option from the Type dropdown.
- This dropdown consists of two sections.
- The first section is about all the mandatory fields, wherein the user needs to provide value for Access Key and Secret Key text fields.
- The second section is about all the fields that are non-mandatory, which are advanced information, and the text fields are AWS Region and Service Name.
4.8 Hawk
- What is Hawk?
- Hawk is an HTTP authentication scheme using a Message Authentication Code (MAC) algorithm to provide partial HTTP request cryptographic verification.
- Adding Hawk
- Select the Hawk option from the Type dropdown.
- This dropdown consists of two sections.
- The first section is all the mandatory fields, wherein the user needs to provide value for Hawk Auth ID and Hawk Auth Key text field.
- The second section is about all the fields that are non-mandatory, which are advanced information, and the text fields are Username, Nonce, Timestamp, Extra, Application ID, and Delegated.
4.9 Microsoft NTLM
- What is Microsoft NTLM?
- NTLM is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.
- Adding Microsoft NTLM
- Select the Microsoft NTLM option from the Type dropdown.
- The user needs to add a username in the Username text field and password in the Password text field.
5. Prerequisite
- What is a prerequisite?
- To execute code before a request runs, you use prerequisites.
- The user can carry out pre-processing such as setting variable values, parameters, headers and body data.
- Adding prerequisite script
- The user is provided with a code editor that contains a default template; the user can also remove the template and write the code manually.
- On the right side of the code editor, a snippets menu of predefined methods is available. Upon clicking on a snippet, it is added to the code editor.
- After writing the code, if the user clicks on the Compile & Save button, the code is compiled and saved only if there are no compilation errors.
- If there are any compilation issues, they are displayed in the console section and the user needs to rectify the errors accordingly.
- Users can add multiple snippets and can add the same snippet any number of times.
- Removing prerequisite script
- If the user wants to remove the prerequisite scripts, then clear the code editor and click on the Compile & Save button.
6. Assert
- What is Assert/Assertion?
- An assertion is code that executes after the response is received.
- It is used to check or analyze the response that is received from the server.
- Adding default assert
- User can add 6 types of default assert, and those are explained below.
i. Verify status code
Users need to select the checkbox to verify the status code.
Select the operator from the dropdown and enter the expected value inside the text field.
ii. Verify Response time
Users need to select the checkbox to verify the response time in milliseconds.
Select the operator from the dropdown and enter the expected value inside the text field.
iii. Verify JSON path
Users need to select the checkbox to verify the JSON path.
Select the operator from the dropdown, enter the input inside the textfield and enter the JSON path expected to value the text field.
Note: JSON path should always start with “response Body”.
iv. Verify header key
Users need to select the checkbox to verify the header key.
Select the operator from the dropdown, enter the expected header Key inside the textfield and enter the header path expected to value the text field.
v. Verify content type
Users need to select the checkbox to verify the content type.
Select the operator from the dropdown and enter the expected value inside the text field.
vi. Verify header Value
Users need to select the checkbox to verify the header value.
Select the operator from the dropdown, enter the header key inside the “Enter header key” text field and enter the expected header value inside the “Enter expected value” text field.
Adding a custom assert
- The user is provided with a code editor in which the code can be written manually.
- On the right side of the code editor, a snippets menu of predefined methods is available. Upon clicking on a snippet, it is added to the code editor.
- After writing the code, if the user clicks on the Compile & Save button, the code is compiled and saved only if there is no compilation error.
- If there are any compilation issues, they are displayed in the console section and the user needs to correct them accordingly.
- Users can add multiple snippets and can also add the same snippet any number of times.
Default snippets for Custom Assert
- Verify content type.
- Verify server
- Verify JSON Path
- Verify Status Code
- Verify Response Time
- Removing Default and custom assert script
- Unselect the checkbox if the user doesn’t want to send the Default assert.
- If the user wants to remove the Custom Assert scripts, then clear the code editor and click on the “Compile & Save” button.
7. Capture Data from Response
- What is Capture Data from Response?
- It is used to capture the response data from the response body and to store it in a variable.
- If the user wants to capture a particular response and store it in variables, then the user can make use of Capture Data from Response.
- Which responses can be captured in Capture Data from Response?
- Get Status Code: This checkbox is used to capture the status code of the request which the user sent.
- Get Response Time: This checkbox is used to capture the response time of the request which the user sent.
- Get Response Body: This checkbox is used to capture the whole response body of the request which the user sent.
- Get Headers: This checkbox is used to capture the response headers of the request which the user sent.
- Get Value of JSON Path: This checkbox is used to capture the value of the key at the JSON path that the user provides. The user is provided with 2 fields, in which to provide a JSON path and assign a variable. The user can also capture multiple data from the response body in respective variables by clicking on the + icon of the get value json path checkbox.
- Get header for a key: This checkbox is used to capture the value of the response header key from the response. The user is provided with 2 fields, in which to provide a response header key and assign a variable. The user can also capture multiple data from response header keys in respective variables by clicking on the + icon of the get value json path checkbox.
- Get Content Type: This checkbox is used to capture the Content Type of the request which the user sent.
- How to Capture a response in Capture Data from Response?
- The user needs to select the check box for which he needs to capture the response.
- After selecting the checkbox, it is expanded by default, and the user has to assign the variable to the response in the Return Value text field.
- Return Value text field is a searchable text field, where the user can search for a variable using “$” and assign the response to it.
- Users can also assign a variable by creating a variable using the Create variable button.
- Users can select multiple checkboxes and capture the data from the response.
- After assigning the variable, when the user clicks on the ‘Send’ button the variable will be updated with the selected checkbox value.