I'll show you how to use Postman to test a protected GraphQL API and run the test collection using Newman from GitHub Actions!
Note: This article is part of an open-source full-stack app.
Postman as GraphQL IDE?
Postman is a well-known tool that helps you test your APIs.
Not yet, but I see the possibility of it becoming a powerful tool for GraphQL.
Import GraphQL SDL
This has to be done manually! (Unfortunately) Postman does not support schema introspection.
Tests can be found in several scopes.
A scope is just the place where you can find them.
- Scope level Collection
- Section level Folder
- Scope level Request
Is there an initial script?
Postman does not have an init script that runs once on startup! You can work around this and implement it using variables!
How to sign-in with OAuth?
This depends on whether you are running the tests manually or automatically.
If you run headless from CI/CD, you need to write scripts, and that can be difficult with some oidc providers that have strict rules and check all security aspects.
For testing purposes, you can define a specific oidc client_id:Postman. You can simply protect it with ResourceOwnerPassword and create a test user for it.
Image from Okta
ResourceOwnerPassword is fully secured in this scenario:
- You have a special client (oidc client) and you need a Secret to use it.
- The test user still needs to provide his
- Will only be activated under a specific flag
- Will not be used publicly
- Can be restricted to a specific origin
Request access token
To request a new token, you must make an asynchronous call to the oidc token endpoint.
1) Check if you have the token from the previous run.
2) Validate the lifetime of the token.
- Token is valid -> use the existing one
- Token has expired -> request a new one
OAuth_Token_Exchange triggers the request with the function
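The token check described above, sketched as a collection-level pre-request script; this is an added example, not the article's own code. The environment variable names (token_endpoint, client_id, client_secret, test_username, test_password, access_token, access_token_expires_at) and the 30-second safety margin are assumptions.

```javascript
// Added example for a Postman/Newman pre-request script; variable names are assumptions.
const SKEW_MS = 30 * 1000; // refresh early so a token cannot expire mid-request

// Steps 1 and 2: is there a token from a previous run, and is it still valid?
function hasValidToken(env, nowMs) {
  const token = env.get('access_token');
  const expiresAt = Number(env.get('access_token_expires_at'));
  return Boolean(token) && Number.isFinite(expiresAt) && nowMs + SKEW_MS < expiresAt;
}

// Resource Owner Password grant (RFC 6749, section 4.3) as a pm.sendRequest object.
function buildTokenRequest(env) {
  const field = (key, value) => ({ key, value });
  return {
    url: env.get('token_endpoint'),
    method: 'POST',
    body: {
      mode: 'urlencoded',
      urlencoded: [
        field('grant_type', 'password'),
        field('client_id', env.get('client_id')),
        field('client_secret', env.get('client_secret')),
        field('username', env.get('test_username')),
        field('password', env.get('test_password')),
      ],
    },
  };
}

// Reuse the cached token or request a new one; done(err, how) reports which path ran.
function ensureAccessToken(pmLike, nowMs, done) {
  const env = pmLike.environment;
  if (hasValidToken(env, nowMs)) return done(null, 'cached');
  pmLike.sendRequest(buildTokenRequest(env), (err, res) => {
    if (err) return done(err);
    const body = res.code === 200 ? res.json() : {};
    if (!body.access_token) { // keep the error terse: it ends up in CI logs
      return done(new Error('token request failed with HTTP ' + res.code));
    }
    env.set('access_token', body.access_token);
    env.set('access_token_expires_at', String(nowMs + Number(body.expires_in || 0) * 1000));
    done(null, 'requested');
  });
}

// Inside Postman/Newman the global `pm` exists; under plain Node this is skipped.
if (typeof pm !== 'undefined') {
  ensureAccessToken(pm, Date.now(), (err) => { if (err) throw err; });
}
```

Keep client_secret and test_password in an environment that is injected from CI secrets rather than committed with the exported collection.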
Validation of the GraphQL response
json and you need to create a helper script to validate it. This script validates property by property with the option to ignore some.
Export test collection
For that you need to export the collection and the variables and use exported data in headless
Newman headless runner
Newman is a CLI runner for Postman collections. You can find it on GitHub.
npm install -g newman
Run the test collection from the console (terminal):
(We use the --insecure flag, which disables TLS certificate verification, because we use untrusted developer certificates.)
This is an example of the output
Integration in Build and CI/CD
The demo application uses Nuke for build automation.
Nuke is a console application that contains all build logic defined as Targets and allows you to run cross-platform and generate
Let us place Newman in front of the
To better understand what Target_E2E_Tests is, let us take a look at the whole pipeline and the dependencies between the different targets.
Targets define named operations with specific actions.
You can find the full source code of the app, including identity, distributed logging, tracing and monitoring, in the open source
Newman sources sub-link (under postman folder):