Prerequisites
Introduction
Creating secure API endpoints is an essential part of backend engineering. It is not enough to develop an API that works as expected; it also has to be accessible only to the intended users or testers.
One of the most common ways of securing API endpoints is by using hashes.
A hash is a fixed-length string of letters and digits (in practice a hexadecimal digest) produced from an input by a hashing algorithm such as MD5 (Message Digest 5) or SHA (Secure Hash Algorithm); the same input always produces the same hash, and a different input produces a different one.
Using hash in an API endpoint
For this demonstration, I will be using an endpoint from a simple CRUD API I created that maintains a database of existing dog breeds. I secured the endpoint using a hash generated with the SHA512 algorithm over the name of the dog breed combined with a private key that only the permitted users have, i.e. SHA512(privateKey + dog-breed).
The endpoint to add a dog breed to the database expects the name of the dog breed, a unique code to identify it, a brief description, and a hash to ensure that only an authorised user can access that endpoint.
Such a user can generate the hash by using a sha512 generator such as this.
This will be used in the request body as follows:
The user is able to access this endpoint because they were granted the correct private key and hash formula.
Now imagine this was a more complex API and a software tester had to test multiple scenarios for the CREATE and UPDATE endpoints. The tester would have to generate a hash for each test scenario, which would involve quite a lot of copying and pasting.
Postman to the rescue!
Using a pre-request script to generate a hash
With a pre-request script in Postman, you can automatically generate a hash and add it to your request. Pre-request scripts execute JavaScript before a request runs. They are useful for pre-processing operations such as setting variable values, parameters, headers and body data.
In this example, we will be setting the value of the hash in the request body. First, the private key has to be saved as a secure variable somewhere. Here, we save it as a collection variable.
The pre-request script tab can be found right next to the body tab.
```javascript
// Parse the raw JSON body so its fields can be read and modified
var requestObj = JSON.parse(pm.request.body.raw);
// Only add a hash if the body parsed to an object and no hash was supplied manually
if (requestObj && !requestObj.hash) {
    // The private key is read from a collection variable rather than hard-coded here
    var privateKey = pm.collectionVariables.get("privateKey");
    // SHA512(privateKey + dog-breed), the same formula the endpoint expects
    var hash = CryptoJS.SHA512(privateKey + requestObj.name);
    var requestHash = CryptoJS.enc.Hex.stringify(hash);
    requestObj.hash = requestHash;
    // Write the updated body back so the request is sent with the hash included
    pm.request.body.raw = JSON.stringify(requestObj);
    console.log(requestObj);
}
```
Looking at the code above, first, we parse the raw request body into a JavaScript object. pm is the Postman JavaScript object that provides access to request and response data, and to variables. Then we check that the request object is not empty and that the hash property has not already been set. If both conditions hold, we fetch the private key from the collection variables and generate the hash using CryptoJS, a JavaScript library of cryptographic algorithms that Postman makes available to scripts. Lastly, we set the hash property in the request body and write the updated body back to the request.
To view the updated request body with the hash, we can also log the request body or log only the hash using:
console.log(requestHash)
As we can see, it is the same as the hash that was generated using the hash generator.
We do not have to set the hash variable manually here because it is automatically generated and set by the pre-request script before the request is sent.
Conclusion
With just a few lines of code, we can see how much time and effort can be saved during API testing and usage. Pre-request scripts are powerful additions to Postman requests and are definitely worth utilizing.