apideck-libraries / portman

Port OpenAPI Specs to Postman Collections, inject test suite and run via Newman 👨🏽‍🚀
http://getportman.com/
Apache License 2.0
632 stars 60 forks

how to validate API Parameters in a generic way for all APIs of a collection? #543

Open techwizardg opened 8 months ago

techwizardg commented 8 months ago

We have a huge collection of APIs and all APIs need to be validated for input parameters like string or valid values. Can this be achieved in a generic way by definition of rules or regular expressions as opposed to adding request parameter validation in every API of the Postman collection?

Can Portman help here?

thim81 commented 8 months ago

Hi @techwizardg

We have a Fuzzing feature: https://github.com/apideck-libraries/portman?tab=readme-ov-file#portman---fuzzing-properties---beta-

Fuzzing changes the requests (body, query params, ... ) to unexpected values in an effort to cause unexpected behavior and errors in the API response. For Portman, we want to provide a simple form of Fuzzing, with the goal to trigger validation/error responses, which can be contract tested. The automatic fuzzing is based on the OpenAPI request properties, where for each fuzzing variation a new Postman request will be generated, with optional contract tests.

Can you share a couple of examples of what you are expecting?

techwizardg commented 8 months ago

Hi @thim81,

I wanted to find a generic way to validate API parameters for their allowed values and validate that the right error codes are thrown.

Ravindra1510 commented 8 months ago

@thim81 Please check the sample payload and the allowed values in the description below. We want test cases including valid, invalid and blank values.

```json
"sender": {
  "idType": "mobileNumber",
  "idValue": "7776473864",
  "productId": 12,
  "accountGroupId": "AG.234",
  "mpin": "1357"
},
```

idType: required, string, Enum: "mobileNumber" "userCode" "userProfileId" "emailId". Identifier type to identify the user.

idValue: required, string, <= 100 characters. Identifier value of the user associated with the identifier type selected.

mpin: string, [ 4 .. 6 ] characters, ^(\d{4}|\d{6})$. User's mobile PIN to authenticate the transaction request. It's an optional parameter and is required when the request is initiated without a User token. If both user token and mobile PIN are passed, then mobile PIN takes precedence.

accountGroupId: string, <= 30 characters, ^[a-zA-Z0-9.]{30}$. Unique id to identify the account group associated with the user.

productId: integer, Enum: 12 11 13. Type of account to which the amount must be transferred. This is an optional param; the default account will be used if not passed.

thim81 commented 8 months ago

Hi @Ravindra1510

The Fuzzing option in Portman does generate specific tests for required, minLength, ..., just make sure that they are defined in the OpenAPI specification. It does not do type checking since that would explode the number of tests in Postman. Not sure about the ENUM values, that could be a new feature to add to the Fuzzing generation.

For the ENUM, you could leverage a contentTest with an overwrite.

There is an example for Fuzzing: https://github.com/apideck-libraries/portman/tree/main/examples/testsuite-fuzzing-tests that you can use for inspiration.
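
The per-constraint negative cases discussed in this thread (missing required field, length bounds, enum, blank), as a stand-alone added example; it is not Portman's code or configuration and not written by any participant. The schema object is constructed from the field descriptions posted above, and `violations` and `negativeCases` are hypothetical helper names.

```javascript
// Constructed schema, transcribed from the field descriptions in the thread.
// accountGroupId's posted pattern is left out: it demands exactly 30
// characters, which the sample value "AG.234" does not satisfy.
const senderSchema = {
  required: ["idType", "idValue"],
  properties: {
    idType: { enum: ["mobileNumber", "userCode", "userProfileId", "emailId"] },
    idValue: { maxLength: 100 },
    mpin: { minLength: 4, maxLength: 6, pattern: "^(\\d{4}|\\d{6})$" },
    accountGroupId: { maxLength: 30 },
    productId: { enum: [12, 11, 13] },
  },
};
// Sample payload from the thread: the valid baseline every case mutates.
const validSender = { idType: "mobileNumber", idValue: "7776473864",
  productId: 12, accountGroupId: "AG.234", mpin: "1357" };

// Returns the constraints a payload violates (empty array = valid).
function violations(schema, payload) {
  const out = schema.required.filter((k) => !(k in payload)).map((k) => `${k}:required`);
  for (const [k, rule] of Object.entries(schema.properties)) {
    if (!(k in payload)) continue;
    const v = payload[k];
    if (rule.enum && !rule.enum.includes(v)) out.push(`${k}:enum`);
    if (rule.minLength !== undefined && v.length < rule.minLength) out.push(`${k}:minLength`);
    if (rule.maxLength !== undefined && v.length > rule.maxLength) out.push(`${k}:maxLength`);
    if (rule.pattern && !new RegExp(rule.pattern).test(v)) out.push(`${k}:pattern`);
  }
  return out;
}

// One negative case per constraint: the baseline with a single field broken.
function negativeCases(schema, base) {
  const cases = [];
  const add = (name, patch) => cases.push({ name, payload: { ...base, ...patch } });
  for (const k of schema.required) {
    const { [k]: _dropped, ...rest } = base;
    cases.push({ name: `${k} missing`, payload: rest });
  }
  for (const [k, rule] of Object.entries(schema.properties)) {
    if (rule.enum) add(`${k} not in enum`, { [k]: "__not_allowed__" });
    if (rule.enum || rule.minLength) add(`${k} blank`, { [k]: "" });
    if (rule.minLength) add(`${k} too short`, { [k]: "1".repeat(rule.minLength - 1) });
    if (rule.maxLength) add(`${k} too long`, { [k]: "1".repeat(rule.maxLength + 1) });
    const mid = "1".repeat((rule.minLength ?? 0) + 1); // inside the length bounds
    if (rule.pattern && !new RegExp(rule.pattern).test(mid)) add(`${k} pattern mismatch`, { [k]: mid });
  }
  return cases;
}
```

The `mpin pattern mismatch` case (five digits) sits inside the 4..6 length bounds, so cases built from minLength and maxLength alone never exercise it.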