
I am using RESTAssured for my API testing. When I test the API login endpoint using Postman, I get cookies for anti-forgery, which Postman (and the browser) uses with every call when using the application.

To replicate this behavior for API testing, I can make the call to authenticate, but RESTAssured does not retrieve the cookies sent by the server the same way Postman does.

How do I go about retrieving the cookies for subsequent API calls?

I have so far tried Postman and RESTAssured but can be flexible on the API testing library.

httpReq = RestAssured.given().log().all();
httpReq.contentType(ContentType.URLENC.withCharset("UTF-8"));
httpReq.formParam("Email", email);
httpReq.formParam("Password", password);
httpReq.formParam("__RequestVerificationToken", substr);

Map<String, String> authCookies = response.getCookies();

When I debug and watch authCookies, it is missing the relevant anti-forgery tokens. Adding the authCookies to subsequent requests results in 401 Bad Request.

daddycool
  • Pardon me if my understanding is incorrect, do you mean to say that you cannot find the anti-forgery tokens returned as a part of your response? – Wilfred Clement May 08 '19 at 16:56
  • Yes, as part of Chrome browser request at the time of authentication, cookies are there. Same in Postman. However, when I make the same request using Rest Assured, and also tested with Rest Easy, the tokens are not in the headers or cookies as part of the response object. – daddycool May 08 '19 at 17:25
  • Can you give it a try with Response.getDetailedCookies()? – Wilfred Clement May 08 '19 at 17:49
  • Okay, so I tried and realized I fundamentally misunderstood how the xsrf tokens work. I was getting them as part of GET call initially to find the token embedded in the HTML. I got as far as being able to authenticate (got a 302 Found) but there is something else I am missing to use with subsequent requests. – daddycool May 08 '19 at 18:13

1 Answer

Thanks to Wilfred's comment about getDetailedCookies() method.

The xsrf tokens are generated with the first response, given the __RequestVerificationToken, and can be used in all calls including the API call that authenticates users.

Once authenticated, use the cookies that include xsrf and session cookies everywhere.

daddycool
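
The flow the answer describes, as an added example that is not part of the original post: fetch the login page, read the hidden `__RequestVerificationToken`, post the credentials, then reuse the resulting cookies. It uses REST Assured's `CookieFilter` as a cookie jar instead of copying `getDetailedCookies()` by hand; the base URI, both paths and the environment variable names are assumptions.

```java
import io.restassured.RestAssured;
import io.restassured.filter.cookie.CookieFilter;
import io.restassured.http.ContentType;
import io.restassured.http.Cookie;
import io.restassured.response.Response;

public class AntiForgeryLoginExample {
    // Assumed values, not from the original post: point these at the app under test.
    static final String BASE_URI = "https://app.example.test";
    static final String LOGIN_PATH = "/Account/Login";
    static final String API_PATH = "/api/items";

    public static void main(String[] args) {
        RestAssured.baseURI = BASE_URI;
        // One filter shared by every request: it stores each Set-Cookie it sees
        // and replays the stored cookies on later requests, like a browser jar.
        CookieFilter jar = new CookieFilter();

        // 1. GET the login page. The server sets the anti-forgery cookie and
        //    embeds the matching form token as a hidden input in the HTML.
        Response page = RestAssured.given().filter(jar).get(LOGIN_PATH);
        String formToken = page.htmlPath().getString(
                "**.find { it.@name == '__RequestVerificationToken' }.@value");
        if (formToken == null || formToken.isEmpty()) {
            throw new IllegalStateException("No __RequestVerificationToken in login page");
        }

        // 2. POST the credentials with the form token; the jar adds the cookie.
        //    Redirects are left unfollowed so the 302 and its cookies stay visible.
        Response login = RestAssured.given().filter(jar)
                .redirects().follow(false)
                .contentType(ContentType.URLENC.withCharset("UTF-8"))
                .formParam("Email", System.getenv("TEST_EMAIL"))        // assumed env var
                .formParam("Password", System.getenv("TEST_PASSWORD"))  // assumed env var
                .formParam("__RequestVerificationToken", formToken)
                .post(LOGIN_PATH);
        if (login.statusCode() != 302) {
            throw new IllegalStateException("Login failed: HTTP " + login.statusCode());
        }
        // Print cookie names only; the values are credentials and stay out of logs.
        for (Cookie c : login.getDetailedCookies()) {
            System.out.println("login set cookie: " + c.getName());
        }

        // 3. Later calls reuse the same jar, so session and xsrf cookies go along.
        Response api = RestAssured.given().filter(jar).get(API_PATH);
        System.out.println(API_PATH + " -> HTTP " + api.statusCode());
    }
}
```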