How to Test Token based Authentication in API by Playwright


What is Token-based Authentication?

Token-based authentication is a method used to verify the identity of a user or system trying to access a protected resource (like an API or web application). Instead of repeatedly sending a username and password, the system issues a token (a unique string, often in the form of a JWT – JSON Web Token) after a successful login.


How it generally works:

  • Login: The user sends their credentials (username & password) to the authentication server.
  • Token Issuance: If valid, the server generates a token and sends it back to the client.
  • Token Usage: The client includes this token in the Authorization header (usually as Bearer <token>) for all subsequent requests.
  • Validation: The server validates the token and grants or denies access to protected resources.
  • Expiry & Refresh: Tokens often expire after some time, so refresh tokens may be used to obtain a new one without re-login.


How to Handle Token-based Authentication in Playwright Java

When automating scenarios with Playwright, token handling is key to bypass login screens or test APIs securely. Here’s how it is conceptually managed:


(1) Obtain Token Programmatically or Manually:
  • You can call the authentication API endpoint (using Java HTTP client or Playwright’s request context) with credentials and capture the token.
  • Alternatively, use a pre-generated token provided by the developer or QA team.
(2) Store Token in Test Context:
  • Keep the token in a variable or configuration file so it can be reused across requests and sessions.
(3) Attach Token to Requests:
  • Use Playwright’s APIRequestContext in Java to send API requests with headers that include the token (Authorization: Bearer <token>).
  • For browser-based flows, inject the token into browser storage:
       LocalStorage/SessionStorage: Save the token where the application expects it.
       Cookies: If the app stores the token in cookies, set them before navigating.

(4) Re-use Authenticated State:
  • Once the browser is authenticated with the token, Playwright allows saving that state (cookies, local storage).
  • This state can then be reused in subsequent tests to skip login repeatedly.
(5) Token Expiry Handling:
  • If the token expires, the automation should either:
        Request a new token before test execution, or
        Use a refresh token flow if supported.


To test token-based authentication in an API using Playwright in Java, you typically perform the following steps:





















Workflow Explanation

  • Get the Authentication Token
    Send a POST (or appropriate) request to the authentication endpoint with credentials to get a token.
  • Use the Token in Headers
    For subsequent API calls, include the token in the Authorization header as a Bearer token.
  • Validate Response
    Use assertions to verify the status code and content of the protected endpoint's response.


Example Scenario

Let’s take an example of https://reqres.in/api/login which gives a token on successful login, and then use that token to call another API like https://reqres.in/api/users

https://reqres.in/api/login
































https://reqres.in/api/users


























Maven Dependencies

<dependency>
    <groupId>com.microsoft.playwright</groupId>
    <artifactId>playwright</artifactId>
    <version>1.44.0</version> <!-- Use latest -->
</dependency>




Java Code: Token-based API Testing Using Playwright

import com.microsoft.playwright.*;
import com.microsoft.playwright.options.*;

import java.util.*;

public class TokenBasedAuthTest {
    public static void main(String[] args) {
        try (Playwright playwright = Playwright.create()) {
            APIRequest request = playwright.request().newContext();

            // Step 1: Login to get the token
            APIResponse loginResponse = request.post("https://reqres.in/api/login", 
                RequestOptions.create()
                    .setHeader("Content-Type", "application/json")
                    .setData("{ \"email\": \"eve.holt@reqres.in\", \"password\": \"cityslicka\" }")
            );

            if (loginResponse.status() != 200) {
                System.out.println("Login failed! Status: " + loginResponse.status());
                return;
            }

            // Extract token from response JSON
            String token = loginResponse.json().get("token").toString();
            System.out.println("Token received: " + token);

            // Step 2: Use token in Authorization header to call protected resource
            APIResponse userResponse = request.get("https://reqres.in/api/users/2", 
                RequestOptions.create()
                    .setHeader("Authorization", "Bearer " + token)
            );

            System.out.println("User API Status Code: " + userResponse.status());
            System.out.println("User API Response: " + userResponse.text());

            if (userResponse.status() == 200) {
                System.out.println("Token-based API access successful.");
            } else {
                System.out.println("Access failed.");
            }
        }
    }
}



Code Steps:

(a) Login to get the token
(b) Extract token from response JSON
(c) Use token in Authorization header to call protected resource


Explanation

  • playwright.request().newContext() → Creates a new API context.
  • loginResponse.json().get("token") → Extracts token from login response.
  • "Authorization": "Bearer " + token → Adds the token to the headers for authentication.


Suggested Posts:

1. Automate GET API in Playwright
2. Automate POST API in Playwright
3. Automate PUT API in Playwright
4. Test Cookie Based Authentication in Playwright
5. Basic Authentication in Playwright

No comments:

Test Basic Authentication in API by Playwright


What is Basic authentication?

Basic Authentication is the process to verify a user by means of user's login credentials, it can be username and password. 


How Playwright Java Handles basic authentication?

Playwright provides a straightforward way to handle Basic Authentication by passing credentials when creating a BrowserContext.

  • A BrowserContext is like an isolated browser profile.
  • While creating the context, Playwright allows you to define HTTP credentials (username and password).
  • Once configured, every request made within that context automatically includes the necessary Authorization header, so you don’t need to manually handle it on each request.

Advantages of This Approach

  • No need to manually add headers for each request.
  • Works across all pages, frames, and API calls within the same context.
  • Ensures a secure and centralized way of handling credentials.






















Steps:

  • Set up Playwright.
  • Create a new browser context with HTTP credentials.
  • Navigate to a website that requires basic authentication.
  • Assert the successful authentication.

We’ll use the website:
https://httpbin.org/basic-auth/user/passwd

















It requires basic auth with:

  • Username: user

  • Password: passwd




Playwright Java Code Example:

import com.microsoft.playwright.*;

public class BasicAuthTest {
    public static void main(String[] args) {
        try (Playwright playwright = Playwright.create()) {
            // Create a browser
            Browser browser = playwright.chromium().launch(new BrowserType.LaunchOptions().setHeadless(false));

            // Set up HTTP Basic Auth credentials
            Browser.NewContextOptions contextOptions = new Browser.NewContextOptions()
                    .setHttpCredentials("user", "passwd");  // username: user, password: passwd

            // Create browser context with credentials
            BrowserContext context = browser.newContext(contextOptions);

            // Open a new page
            Page page = context.newPage();

            // Navigate to the Basic Auth test URL
            page.navigate("https://httpbin.org/basic-auth/user/passwd");

            // Verify if authentication is successful
            String bodyText = page.textContent("body");
            if (bodyText.contains("\"authenticated\": true")) {
                System.out.println("Basic authentication successful!");
            } else {
                System.out.println("Basic authentication failed.");
            }

            // Close browser
            browser.close();
        }
    }
}



Code explanation:

(a) After creating Browser object, we have to setup HTTP basic auth credentials by setHttpCredentials()
(b) Create browser context with credentials
(c) Create Page object
(d) Navigate to the URL
(e) Verify if authentication is successful



Output:

Basic authentication successful!




Maven Dependencies:

<dependency>
  <groupId>com.microsoft.playwright</groupId>
  <artifactId>playwright</artifactId>
  <version>1.44.0</version>
</dependency>

No comments:
Subscribe to: Posts (Atom)