I`ll show you how to use Postman to test protected GraphQL API and run test collection using Newman from GithubActions!
Note: This article is part of opensource fullstack app
Postman as GraphQL IDE?
Postman is a well-known tool that helps you test your APIs.
Postman supports:
- REST
- WebSockets
- GraphQL
Not yet, but I see the possibility of it becoming a powerfool tool for GraphQL.
Import GraphQL SDL
This has to be done manually! (Unfortunately) Postman does not support schema introspection.
Pre-requests scripts
The Pre-Request and Tests can be found in several scopes.
Scope is just place, where you can find them.
- Scope level Collection
- Section level Folder
- Scope level Request
Is there a initial script?
Postman does not have init script that runs once on startup! You can workaround this and implement it using variables!
How to sign-in with OAuth?
This depends on whether you are doing the tests manually or automated
If you run heedless from CI/CD you need to write scripts and that can be difficult with some oidc providers who have strict rules and check all security aspects.
For testing purposes, you can define a specific oidc client_id:Postman. You can simply protect it with ResourceOwnerPassword and create a test user for it.
Image from Okta
The ResourceOwnerPassword is fully secured in this scenario:
- You have a special client (oidc client) and you need
Secretto use it. - The test user still needs to provide his
nameandpassword. - Will only be activated under a specific flag
- Will not be used publicly
- Can be restricted to a specific origin
Request access token
To request a new token, you must make an asynchronous call to the oidc token endpoint.
Pre-scripts:
1) Check if you have the token from the previous run
2) Validate the lifetime of the token.
- Token is valid - > uses the existing one
- Token has expired - > requests a new one
The OAuth_Token_Exchange triggers the request with the function pm.sendRequest(...).
Validation of the GraphQL response
GraphQL returns json and you need to create a helper script to validate it. This script validates property by property with the option to ignore some.
Export test collection
For that you need to export the collection and the variables and use exported data in headless ci/cd runner.
Export collection:
Export enviroment:
Newman headless runner
Newman is CLI runner for postman collections. You can find it on Github.
Install with: npm install -g newman.
Run test collection from console (terminal):
(We use the --insecure flag because we use untrusted developer certificates).
This is an example of the output
Integration in Build and CI/CD
The demo application uses Nuke for build automation.
Nuke is a console application that contains all build logic defined as Targets and allows you to run cross-platform and generate .yaml for CI/CD pipelines.
Let us place Newman in front of the Cypress tests.
To better understand what Target_E2E_Tests is. Let us take a look at the whole pipeline and the dependencies between the different targets.
Targets define named operation with specific actions.
Github-Action run:
Repository
You can find the full source code of the app, including identity, distributed logging, tracing and monitoring, in the open source
Github repo:
https://github.com/damikun/trouble-training
Newman sources sub-link (under postman folder):
https://github.com/damikun/trouble-training/tree/main/Src/Tests
Top comments (1)
Great article Dalibor! This is Ankit from SigNoz - an open-source APM tool. We are looking for great technical writers like you for our blog. You can check out more details about it here - signoz.io/technical-writer-program/
Feel free to reach out to me if you're interested - ankit.anand@signoz.io