Effective Techniques for Testing REST APIs with HMAC Authentication

16 July 2024, by Stephan Petzl, filed under QA

As a developer, you need to ensure the quality and security of your REST APIs. One common challenge is testing APIs that require HMAC (Hash-based Message Authentication Code) authentication. This article provides a step-by-step guide to setting up and testing HMAC authentication using Postman, a popular tool for API testing.

Understanding HMAC Authentication

HMAC authentication involves signing each API request with a unique signature generated using a secret key. This ensures the integrity and authenticity of the request. The process typically involves:

  • Generating a unique nonce (a random number used once).
  • Creating a timestamp.
  • Combining these values with the API key, the request method, the URL and a digest of the request body to form a raw signature string.
  • Computing the HMAC of that string with the secret key to produce the signature sent with the request.

Setting Up HMAC Authentication in Postman

Postman is a versatile tool that can be used to automate the HMAC signing process using pre-request scripts. Follow these steps to set up HMAC authentication:

Step 1: Load Required Libraries

To generate HMAC signatures, you need to load the necessary libraries. Postman provides access to popular libraries like CryptoJS. Use the following pre-request script:


<pre>
var key = 'my_api_key';
var base64Secret = 'my_b64_secret';

function newGuid() {
return 'xxxxxxxxxxxx4xxxyxxxxxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
var r = Math.random() * 16 | 0, v = c == 'x' ? r : r & 0x3 | 0x8;
return v.toString(16);
});
}

function epochTime() {
var d = new Date();
var t = d.getTime();
var o = t + "";
return o.substring(0, 10);
}

// Load required 3rd party JS libs via jQuery
$.when(
$.getScript( "https://cdnjs.cloudflare.com/ajax/libs/jsSHA/2.0.1/sha256.js" ),
$.getScript( "https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js" ),
$.getScript( "https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64-min.js" ),
$.Deferred(function( deferred ){
$( deferred.resolve );
})
).done(function(){
var time = epochTime();
var nonce = newGuid();
var method = request.method;
var encodedUri = encodeURIComponent(request.url).toLowerCase();

var requestBody = "";
var firstpass = true;
for(var param in request.data) {
if(!firstpass){
requestBody += "&";
}
requestBody += param + "=" + request.data[param];
firstpass = false;
}

var b64BodyContent = "";
if(requestBody){
b64BodyContent = CryptoJS.MD5(requestBody).toString(CryptoJS.enc.Base64);
}

var rawSignature = key + method + encodedUri + time + nonce + b64BodyContent;

var shaObj = new jsSHA("SHA-256", "TEXT");
shaObj.setHMACKey(base64Secret, "B64");
shaObj.update(rawSignature);
var signature = shaObj.getHMAC("B64");

postman.setEnvironmentVariable('key', key);
postman.setEnvironmentVariable('time', time);
postman.setEnvironmentVariable('nonce', nonce);
postman.setEnvironmentVariable('signature', signature);
});
</pre>

Step 2: Set Header Variables

Once the pre-request script is in place, add the following request headers in Postman, referencing the environment variables the script sets:

  • key: {{key}}
  • time: {{time}}
  • nonce: {{nonce}}
  • signature: {{signature}}

Alternative Tools for HMAC Authentication

While Postman is a popular choice, other tools like SoapUI can also be used for testing REST APIs with HMAC authentication. SoapUI provides a comprehensive platform for testing APIs and might be a good alternative if you face limitations with Postman.

Streamlining API Testing with Repeato

For teams looking to further streamline their testing processes, especially for mobile applications, Repeato offers a no-code test automation solution. Repeato is particularly effective for iOS and Android apps, leveraging computer vision and AI to create, run, and maintain automated tests efficiently. This can be especially beneficial for ensuring the quality and security of your mobile APIs.

For more information on setting up and using Repeato, visit our documentation page.
