Twitch
Lesson Description
The "Testing API Endpoints" Lesson is part of the full, Complete Go for Professional Developers course featured in this preview video. Here's what you'd learn in this lesson:
Melkey tests all the API routes with two new users. A workout is created with the first user. After creating a second user, an API call is sent by the second user attempting to modify a workout from the first user to ensure an error is thrown. The final code for the project is on the main branch.
Preview
CloseTranscript from the "Testing API Endpoints" Lesson
>> Melkey: So we just finished kind of doing some finishing touches on our workout store. And so in the following part of the course, the kind of final parts, we're gonna go through all of the different scenarios of curling, all of the endpoints that we have. So if you see, in the post notes dot txt underneath section 3.5 we have a ton of different curls that we're gonna be exploring here, okay?
So if you want to follow along, this is what we're going to be doing, and I'm gonna be on annotating everything that I do. So first, let's go ahead and quickly just tear down and tear up the go server. So go run main dot go. Any obvious issues, no, it's still on version five, which is great.
The next part, we still have Docker compose running. So our DB is running and we still have psql, okay? So again, we can check select all from workouts, everything's fairly empty. Select all from users. We have two users, John and Jack, which we will not be caring about, okay?
We're gonna be making some brand new users. We can still use them if you want, but I'm gonna prefer to just create new ones just to check if everything works as it should. I'm gonna make this new terminal, I'm gonna clear my terminal. And then the first request I'm gonna be making is creating a new user.
So if we go back into the section 3.5, there's this curl request here to create a new user. This one has this John Doe, I'm gonna just change this. Let's change this to Melkey. All right, and let's change this to melky@example.com, let's go ahead and grab this. Go back here, if we paste it, we now have our melkey user, okay?
This is good, we know we at least haven't regressed, right? There's nothing that mess this up for us.
>> Melkey: Next thing is now we know the username, melkey. I'm gonna go back to the post here, and the second curl request we have is to authenticate. I'm going to go ahead and grab this, I'm gonna go over here, I'm gonna paste it. I'm gonna make some changes, so it's no longer username john doe, it's gonna be username Melkey. All right, press enter, we have our auth token. Now what I'm gonna do, is I'm just gonna quickly, just copy this auth token and go back here. I'm gonna make another separate note that just says, text or tokens dot text. You don't need to necessarily do this, but to demonstrate and have user Melkey and token here. Okay, so this is a token associated with Melkey, it's a lot for 24 hours, it's something that we can control. We can, again, double check, select all from tokens, there you go. User ID three, that's Melkey, expires this time. The scope is authentication and it's hashed. Cool, we've also already seen this, it's nothing really new to us, okay? Now if I go back to post nose, you should see that we have this other request to create a workout, okay? So I'm gonna go ahead and just copy this, I'm gonna go over here, I'm gonna paste this. Now, if I run it with this bearer, this is a completely different token. This token is not the one I just copied over here. They're very different, right? This one begins RV-7, and this is one that I stored from many moons ago. So if I run this, token expired or invalid. Good, okay, so we have some letter protection for people trying to create workouts that they can't, their token expired or the permissions changed. So I rerun that exact same command. But this time I changed the bearer from that old random one that's in the postnotes dot txt file. And just bear with me as I go ahead and delete this. Okay, if I go back here, I'm gonna go grab the one that starts with RV-7, the one we just saw me create. If I send this now, we have this new workout, okay? So workout ID 3, user ID 3, jogging, I'm not a big fan of jogging. Select all from workouts, you can see here now my morning cardio, it belongs to me. Select all from work out underscore, entries.
>> Melkey: You can see that we have jogging. Okay, cool, so that's pretty nice, that's pretty cool. We have a way to allow people who are logged in correctly to make modifications. All right, that's pretty awesome. Now that we know this workout belongs to me, I'm going to do is I'm gonna make a new user. Let's go all the way back to our post underscore notes and let's go here. This is a request to create a user, right? So I've already created a username, Melkey. If I paste this, let's go ahead and make a new username. We're gonna call this one dustin, all right?
>> Melkey: It should be dustin@example.com, okay? If I click enter again, we know this works. We have our new user, dustin cool, and let's give dustin a token. So, let's authenticate, let's grab this. If you go over here, username, let's just put dustin here.
>> Melkey: Cool, we have the new auth token that belongs to Dustin. So now let's grab this. Let's go back here into the tokens dot txt node to remove this annoying line. So now user, this one belongs to a Dustin, and their token is like that, okay? So two very different tokens, one is RV-7, the other one's SYL. So the thing I want to validate is, can Dustin update my workout, or can Dustin delete my workout, right? Everything we just did, we have to kind of go back and fix it, it's gonna suck. However, if you can't, then we know that we have everything working accordingly, right? We've already validated that anonymous users can't do things that they're not allowed to do. We've already validated the validity of tokens. Now we need to make sure that we check that owners truly can update an owner's workout. So here and quickly clear this just so we have more room. Go back to post notes, and in here, we should have this pull request right here. So the last coral request in that file, I'm gonna go ahead and copy this, I'm gonna paste it. Few things we need to change. So here, instead of workout 6, I believe if we go here, it is what select all from workouts, it is workout 3, okay? So the ID of that workout is three, and quickly replace this. You can see the content of the body is updated cardio. So instead of jogging, I realized I was actually walking. And over here, I'm gonna bring back Dustin's token credentials. And we know Dustin did not create this workout the initial work, I did not create workout three. So if I paste this and I run this, you're not authorized to update this workout right? Which is expected, because now we actually have the logic that extracts the token. We know who the user belongs to. And if we kind of go back and remove Dustin's SYL token,
>> Melkey: And we go over here and grab Melkey's token that is definitely not expired. Go here and paste it, and if you run this, we now updated the cardio, and we can validate this from select all from workouts. And now it says updated cardio, a relaxed 45 minute walk after dinner.
>> Melkey: Next thing is now we know the username, melkey. I'm gonna go back to the post here, and the second curl request we have is to authenticate. I'm going to go ahead and grab this, I'm gonna go over here, I'm gonna paste it. I'm gonna make some changes, so it's no longer username john doe, it's gonna be username Melkey. All right, press enter, we have our auth token. Now what I'm gonna do, is I'm just gonna quickly, just copy this auth token and go back here. I'm gonna make another separate note that just says, text or tokens dot text. You don't need to necessarily do this, but to demonstrate and have user Melkey and token here. Okay, so this is a token associated with Melkey, it's a lot for 24 hours, it's something that we can control. We can, again, double check, select all from tokens, there you go. User ID three, that's Melkey, expires this time. The scope is authentication and it's hashed. Cool, we've also already seen this, it's nothing really new to us, okay? Now if I go back to post nose, you should see that we have this other request to create a workout, okay? So I'm gonna go ahead and just copy this, I'm gonna go over here, I'm gonna paste this. Now, if I run it with this bearer, this is a completely different token. This token is not the one I just copied over here. They're very different, right? This one begins RV-7, and this is one that I stored from many moons ago. So if I run this, token expired or invalid. Good, okay, so we have some letter protection for people trying to create workouts that they can't, their token expired or the permissions changed. So I rerun that exact same command. But this time I changed the bearer from that old random one that's in the postnotes dot txt file. And just bear with me as I go ahead and delete this. Okay, if I go back here, I'm gonna go grab the one that starts with RV-7, the one we just saw me create. If I send this now, we have this new workout, okay? So workout ID 3, user ID 3, jogging, I'm not a big fan of jogging. Select all from workouts, you can see here now my morning cardio, it belongs to me. Select all from work out underscore, entries.
>> Melkey: You can see that we have jogging. Okay, cool, so that's pretty nice, that's pretty cool. We have a way to allow people who are logged in correctly to make modifications. All right, that's pretty awesome. Now that we know this workout belongs to me, I'm going to do is I'm gonna make a new user. Let's go all the way back to our post underscore notes and let's go here. This is a request to create a user, right? So I've already created a username, Melkey. If I paste this, let's go ahead and make a new username. We're gonna call this one dustin, all right?
>> Melkey: It should be dustin@example.com, okay? If I click enter again, we know this works. We have our new user, dustin cool, and let's give dustin a token. So, let's authenticate, let's grab this. If you go over here, username, let's just put dustin here.
>> Melkey: Cool, we have the new auth token that belongs to Dustin. So now let's grab this. Let's go back here into the tokens dot txt node to remove this annoying line. So now user, this one belongs to a Dustin, and their token is like that, okay? So two very different tokens, one is RV-7, the other one's SYL. So the thing I want to validate is, can Dustin update my workout, or can Dustin delete my workout, right? Everything we just did, we have to kind of go back and fix it, it's gonna suck. However, if you can't, then we know that we have everything working accordingly, right? We've already validated that anonymous users can't do things that they're not allowed to do. We've already validated the validity of tokens. Now we need to make sure that we check that owners truly can update an owner's workout. So here and quickly clear this just so we have more room. Go back to post notes, and in here, we should have this pull request right here. So the last coral request in that file, I'm gonna go ahead and copy this, I'm gonna paste it. Few things we need to change. So here, instead of workout 6, I believe if we go here, it is what select all from workouts, it is workout 3, okay? So the ID of that workout is three, and quickly replace this. You can see the content of the body is updated cardio. So instead of jogging, I realized I was actually walking. And over here, I'm gonna bring back Dustin's token credentials. And we know Dustin did not create this workout the initial work, I did not create workout three. So if I paste this and I run this, you're not authorized to update this workout right? Which is expected, because now we actually have the logic that extracts the token. We know who the user belongs to. And if we kind of go back and remove Dustin's SYL token,
>> Melkey: And we go over here and grab Melkey's token that is definitely not expired. Go here and paste it, and if you run this, we now updated the cardio, and we can validate this from select all from workouts. And now it says updated cardio, a relaxed 45 minute walk after dinner.
Learn Straight from the Experts Who Shape the Modern Web
- In-depth Courses
- Industry Leading Experts
- Learning Paths
- Live Interactive Workshops