
How to Test Cookie based Authentication in API by Playwright




What are Cookies?

  • Cookies are small pieces of data stored by a web browser on the client side.
  • They are usually sent by the server in the HTTP response headers and stored by the browser.
  • On subsequent requests, the browser automatically attaches these cookies back to the server.
  • Cookies are used for:
        - Session management (login sessions, user preferences, shopping carts).
        - Personalization (themes, recommendations).
        - Tracking (analytics, advertising).


What is Cookie-Based Authentication?

  • Cookie-based authentication is a mechanism where the server authenticates a user and creates a session.
  • After successful login, the server generates a session ID and stores it in the server-side session storage.
  • This session ID is sent back to the client as a cookie.
  • For every subsequent request, the browser automatically sends this cookie back, allowing the server to recognize the authenticated user.

Steps in Cookie-Based Authentication:
  • User provides login credentials (username/password).
  • Server verifies credentials and creates a session on the backend.
  • Server sends a Set-Cookie header with a unique session ID to the client.
  • Browser stores the cookie.
  • For each new request, the browser includes the cookie in the Cookie header.
  • Server checks the cookie, validates the session, and grants access.


Handling Cookie-Based Authentication in Playwright (Java)

In Playwright automation, cookie-based authentication can be handled in two ways:

1. Manual Login Once & Reuse Cookies
  • Automate login once by filling in username/password and submitting.
  • After login, extract cookies from the browser context.
  • Save these cookies into a file (e.g., JSON format).
  • In subsequent tests, load these cookies into the browser context so you don’t need to log in again.
  • This makes tests faster and avoids hitting the login page repeatedly.
2. Programmatic Cookie Injection
  • If you already have valid cookies (from API calls or manual login), you can directly inject them into the browser context in Playwright.
  • This bypasses the UI login flow.
  • Once cookies are added, Playwright will automatically attach them to all requests, and the session will be authenticated.

Why This is Useful in Automation?
  • Efficiency: Skips repetitive login steps in test cases.
  • Stability: Reduces flakiness by avoiding multiple login UI interactions.
  • Scalability: Multiple test cases can reuse the same authenticated session.

To test cookie-based authentication in an API using Playwright in Java, you simulate the login, capture the authentication cookies, reuse them for subsequent requests, and validate access to protected resources.









Concept: Cookie-Based Authentication

  • The user sends credentials via a login API (usually POST).
  • Server responds with a Set-Cookie header (usually a session or JWT cookie).
  • The browser stores this cookie and sends it with every subsequent request.
  • You can use Playwright to extract, reuse, and assert using these cookies.


Steps in Playwright Java

  • Launch browser.
  • Navigate to login API or page and perform login.
  • Extract cookies using context.cookies().
  • Store or reuse those cookies for a new context/page to access protected resources.

Example: Cookie-Based Login Simulation

Let’s use https://www.saucedemo.com/ for login.

You can use any backend which sets cookies, or mock a cookie manually for demonstration.







Java Code: Simulate Cookie Auth in Playwright

import com.microsoft.playwright.*;
import com.microsoft.playwright.options.Cookie;

import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.*;

public class CookieAuthTest {
    public static void main(String[] args) {
        // Example file name for the saved session. The file holds a live session,
        // so keep it out of version control and shared build artifacts.
        Path storageStatePath = Paths.get("auth-state.json");

        try (Playwright playwright = Playwright.create()) {
            Browser browser = playwright.chromium().launch(new BrowserType.LaunchOptions().setHeadless(false));
            BrowserContext context = browser.newContext();
            Page page = context.newPage();

            // Step 1: Navigate to website and simulate login
            page.navigate("https://www.saucedemo.com/");

            // Simulate login (replace with actual selectors)
            page.locator("[name='user-name']").fill("standard_user");
            page.locator("[name='password']").fill("secret_sauce");
            page.locator("[name='login-button']").click();

            // Wait for navigation or successful login indication
            page.waitForURL("**/inventory.html");

            // Save cookies + localStorage after login, so the file holds the authenticated state
            context.storageState(new BrowserContext.StorageStateOptions().setPath(storageStatePath));

            // Step 2: Extract cookies after login
            List<Cookie> cookies = context.cookies();
            System.out.println("Extracted Cookies:");
            for (Cookie cookie : cookies) {
                System.out.println(cookie.name + " = " + cookie.value);
            }

            // Step 3: Create new context with saved cookies (simulate another session)
            BrowserContext authContext = browser.newContext(new Browser.NewContextOptions().setStorageStatePath(storageStatePath));
            // The saved state already contains these cookies; addCookies shows direct injection
            authContext.addCookies(cookies);

            Page authPage = authContext.newPage();
            authPage.navigate("https://www.saucedemo.com/inventory.html"); // Protected resource

            // Step 4: Verify protected content is accessible
            if (authPage.locator(".header_label>div").isVisible()) {
                System.out.println("Authentication successful using cookie!");
            } else {
                System.out.println("Authentication failed.");
            }

            browser.close();
        }
    }
}


Code Steps:

(a) Create Playwright, Browser, BrowserContext and Page object
(b) Navigate to website and simulate login
(c) Simulate login (replace with actual selectors)
(d) Wait for navigation or successful login indication
(e) Save cookies + localStorage
(f) Extract cookies after login
(g) Create new context with saved cookies (simulate another session)
(h) Verify protected content is accessible



Explanation:

  • page.locator().fill() – Simulates user entering credentials.
  • context.cookies() – Gets all cookies after login.
  • authContext.addCookies(cookies) – Applies saved cookies to new context.
  • authPage.navigate() – Navigates to protected resource using cookie-based session.
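
The cookies returned by context.cookies() also carry the attributes the server set, so the same test can check how the session cookie is protected. The following is an added example, not code from the original post; the cookie name SESSIONID, the domain and the cookie values are constructed assumptions.

```java
import com.microsoft.playwright.options.Cookie;
import com.microsoft.playwright.options.SameSiteAttribute;

import java.util.ArrayList;
import java.util.List;

public class SessionCookieAudit {

    /** Returns one finding per weak attribute on the named session cookie. */
    static List<String> audit(List<Cookie> cookies, String sessionCookieName) {
        List<String> findings = new ArrayList<>();
        Cookie session = cookies.stream()
                .filter(c -> sessionCookieName.equals(c.name))
                .findFirst().orElse(null);
        if (session == null) {
            findings.add("session cookie '" + sessionCookieName + "' was not set");
            return findings;
        }
        // Attribute fields are boxed and may be null when nothing was reported for them.
        if (!Boolean.TRUE.equals(session.httpOnly)) {
            findings.add("HttpOnly missing: page scripts can read the session ID");
        }
        if (!Boolean.TRUE.equals(session.secure)) {
            findings.add("Secure missing: cookie may be sent over plain HTTP");
        }
        if (session.sameSite == null || session.sameSite == SameSiteAttribute.NONE) {
            findings.add("SameSite is None or not reported: cross-site requests may carry the cookie");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample data; in a real test pass context.cookies() instead.
        Cookie weak = new Cookie("SESSIONID", "constructed-value")
                .setDomain("app.example.test").setPath("/");
        Cookie hardened = new Cookie("SESSIONID", "constructed-value")
                .setDomain("app.example.test").setPath("/")
                .setHttpOnly(true).setSecure(true)
                .setSameSite(SameSiteAttribute.LAX);

        System.out.println("weak:     " + audit(List.of(weak), "SESSIONID"));
        System.out.println("hardened: " + audit(List.of(hardened), "SESSIONID"));
    }
}
```

In a test suite, fail the run when audit(context.cookies(), name) returns a non-empty list for the application's session cookie.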



How to Test Token based Authentication in API by Playwright




What is Token-based Authentication?

Token-based authentication is a method used to verify the identity of a user or system trying to access a protected resource (like an API or web application). Instead of repeatedly sending a username and password, the system issues a token (a unique string, often in the form of a JWT – JSON Web Token) after a successful login.


How it generally works:

  • Login: The user sends their credentials (username & password) to the authentication server.
  • Token Issuance: If valid, the server generates a token and sends it back to the client.
  • Token Usage: The client includes this token in the Authorization header (usually as Bearer <token>) for all subsequent requests.
  • Validation: The server validates the token and grants or denies access to protected resources.
  • Expiry & Refresh: Tokens often expire after some time, so refresh tokens may be used to obtain a new one without re-login.


How to Handle Token-based Authentication in Playwright Java

When automating scenarios with Playwright, token handling is key to bypassing login screens and testing APIs securely. Here’s how it is conceptually managed:


(1) Obtain Token Programmatically or Manually:
  • You can call the authentication API endpoint (using Java HTTP client or Playwright’s request context) with credentials and capture the token.
  • Alternatively, use a pre-generated token provided by the developer or QA team.
(2) Store Token in Test Context:
  • Keep the token in a variable or configuration file so it can be reused across requests and sessions.
(3) Attach Token to Requests:
  • Use Playwright’s APIRequestContext in Java to send API requests with headers that include the token (Authorization: Bearer <token>).
  • For browser-based flows, inject the token into browser storage:
        - LocalStorage/SessionStorage: Save the token where the application expects it.
        - Cookies: If the app stores the token in cookies, set them before navigating.

(4) Re-use Authenticated State:
  • Once the browser is authenticated with the token, Playwright allows saving that state (cookies, local storage).
  • This state can then be reused in subsequent tests to skip login repeatedly.
(5) Token Expiry Handling:
  • If the token expires, the automation should either:
        - Request a new token before test execution, or
        - Use a refresh token flow if supported.
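
One way to decide, before a run, whether a stored token has to be replaced (step 5). This is an added example, not code from the original post. It assumes the token is a JWT with an exp claim, parses JSON with Gson, and uses constructed sample tokens; needsRefresh and sampleToken are hypothetical helper names.

```java
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;

import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;

public class TokenExpiryCheck {

    /**
     * True when the token should be replaced before the run: it is not a
     * three-part JWT, has no readable exp claim, or expires within skewSeconds.
     * The payload is only read to schedule a refresh; the signature is NOT verified.
     */
    static boolean needsRefresh(String jwt, Instant now, long skewSeconds) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            return true; // opaque (non-JWT) tokens carry no readable expiry
        }
        try {
            String payload = new String(
                    Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
            JsonObject claims = JsonParser.parseString(payload).getAsJsonObject();
            if (!claims.has("exp")) {
                return true;
            }
            return now.getEpochSecond() + skewSeconds >= claims.get("exp").getAsLong();
        } catch (RuntimeException e) {
            return true; // malformed base64url or JSON: treat the token as unusable
        }
    }

    /** Builds a constructed sample token carrying only an exp claim. */
    static String sampleToken(long expEpochSeconds) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString(
                "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString(
                ("{\"exp\":" + expEpochSeconds + "}").getBytes(StandardCharsets.UTF_8));
        return header + "." + body + ".constructed-signature";
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        String fresh = sampleToken(now.getEpochSecond() + 3600);
        String stale = sampleToken(now.getEpochSecond() + 20);
        System.out.println("fresh needs refresh:  " + needsRefresh(fresh, now, 60));
        System.out.println("stale needs refresh:  " + needsRefresh(stale, now, 60));
        System.out.println("opaque needs refresh: " + needsRefresh("opaque-constructed-token", now, 60));
    }
}
```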


To test token-based authentication in an API using Playwright in Java, you typically perform the following steps:











Workflow Explanation

  • Get the Authentication Token
    Send a POST (or appropriate) request to the authentication endpoint with credentials to get a token.
  • Use the Token in Headers
    For subsequent API calls, include the token in the Authorization header as a Bearer token.
  • Validate Response
    Use assertions to verify the status code and content of the protected endpoint's response.



Example Scenario

Let’s take https://reqres.in/api/login as an example: it returns a token on successful login, and we then use that token to call another API such as https://reqres.in/api/users.

Maven Dependencies

<dependency>
    <groupId>com.microsoft.playwright</groupId>
    <artifactId>playwright</artifactId>
    <version>1.44.0</version> <!-- Use latest -->
</dependency>




Java Code: Token-based API Testing Using Playwright

import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.microsoft.playwright.*;
import com.microsoft.playwright.options.*;

public class TokenBasedAuthTest {
    public static void main(String[] args) {
        try (Playwright playwright = Playwright.create()) {
            // newContext() returns an APIRequestContext used to send the API calls
            APIRequestContext request = playwright.request().newContext();

            // Step 1: Login to get the token
            APIResponse loginResponse = request.post("https://reqres.in/api/login",
                RequestOptions.create()
                    .setHeader("Content-Type", "application/json")
                    .setData("{ \"email\": \"eve.holt@reqres.in\", \"password\": \"cityslicka\" }")
            );

            if (loginResponse.status() != 200) {
                System.out.println("Login failed! Status: " + loginResponse.status());
                return;
            }

            // Extract token from response JSON: parse the response text with Gson;
            // getAsString() returns the value without the surrounding JSON quotes
            JsonObject loginJson = JsonParser.parseString(loginResponse.text()).getAsJsonObject();
            String token = loginJson.get("token").getAsString();
            // Demo only: avoid printing real tokens into shared or CI logs
            System.out.println("Token received: " + token);

            // Step 2: Use token in Authorization header to call protected resource
            APIResponse userResponse = request.get("https://reqres.in/api/users/2",
                RequestOptions.create()
                    .setHeader("Authorization", "Bearer " + token)
            );

            System.out.println("User API Status Code: " + userResponse.status());
            System.out.println("User API Response: " + userResponse.text());

            if (userResponse.status() == 200) {
                System.out.println("Token-based API access successful.");
            } else {
                System.out.println("Access failed.");
            }
        }
    }
}



Code Steps:

(a) Login to get the token
(b) Extract token from response JSON
(c) Use token in Authorization header to call protected resource


Explanation

  • playwright.request().newContext() → Creates a new API context.
  • JsonParser.parseString(loginResponse.text()).getAsJsonObject().get("token").getAsString() → Extracts token from login response.
  • "Authorization": "Bearer " + token → Adds the token to the headers for authentication.
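
A test that checks only the valid-token call still passes when the endpoint ignores the Authorization header, so the missing-token and wrong-token cases need their own assertions. The following is an added example, not code from the original post; it runs against a local stub built with the JDK's HttpServer, and the /protected path and token value are constructed assumptions.

```java
import com.microsoft.playwright.*;
import com.microsoft.playwright.options.RequestOptions;
import com.sun.net.httpserver.HttpServer;

import java.io.IOException;
import java.net.InetSocketAddress;

public class TokenNegativePathTest {
    static final String VALID = "constructed-demo-token"; // constructed value

    /** Hypothetical stub API: /protected returns 200 only for the valid bearer token. */
    static HttpServer startStub() throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/protected", ex -> {
            String auth = ex.getRequestHeaders().getFirst("Authorization");
            int status = ("Bearer " + VALID).equals(auth) ? 200 : 401;
            ex.sendResponseHeaders(status, -1); // -1 means no response body
            ex.close();
        });
        server.start();
        return server;
    }

    /** Fails the run when the status differs from what the access rule requires. */
    static void expect(int expected, APIResponse response, String label) {
        if (response.status() != expected) {
            throw new AssertionError(label + ": expected " + expected + ", got " + response.status());
        }
        System.out.println(label + " -> " + response.status());
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = startStub();
        String url = "http://127.0.0.1:" + server.getAddress().getPort() + "/protected";
        try (Playwright playwright = Playwright.create()) {
            APIRequestContext request = playwright.request().newContext();
            expect(401, request.get(url), "no token");
            expect(401, request.get(url, RequestOptions.create()
                    .setHeader("Authorization", "Bearer " + VALID + "x")), "tampered token");
            expect(200, request.get(url, RequestOptions.create()
                    .setHeader("Authorization", "Bearer " + VALID)), "valid token");
            request.dispose();
        } finally {
            server.stop(0);
        }
    }
}
```

Point url at the protected endpoint of the API under test to run the same three checks against it.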

