postman-open-technologies / collections

This is where we track everything collections.
Apache License 2.0

Run Collection Chrome Extension #6

Open kinlane opened 2 years ago

kinlane commented 2 years ago

This is a request for a Google Chrome extension that will inject a text or image button into the Postman web interface. When the button is clicked it runs a specific collection. This is simply an exploratory exercise to understand different ways collection runs can be embedded into the workspace experience on Postman in the browser. Since almost anything can be run using a collection, including most of the contents in the workspace using the Postman API, or using any other 3rd party API, it opens up endless opportunities for introducing API Lifecycle capabilities into the workspace.

To better understand what is possible, let’s explore:

Let’s experiment with what is possible and report the findings here, opening up this project to the community.

Gbahdeyboh commented 2 years ago

So a few thoughts about how I think this could work, especially with the Postman API builder.

Developers can already generate collections for several things (Test, Monitor, Documentation, Mocking) on the API builder, so the first constraint is that they need to have already generated a collection on an API to run it.

These collections have relations with the APIs and hence can be queried.

My thoughts are:

The bit I am yet to completely figure out is how to communicate the end state of the collection run back to them in the extension and what state needs to be communicated back.

I have created a repository for this and would be pushing commits and leaving more thoughts here as I progress.

Gbahdeyboh commented 2 years ago

Some Updates...

I've been able to flesh out a mini mini version of this and I created a video walking through it and explaining how it works.

Here - https://share.vidyard.com/watch/wf3boQkpxgFqG31rYpqEex?

TL;DR

Extension repository - https://github.com/postman-open-technologies/collection-run-extension

Server repository - https://github.com/postman-open-technologies/collection-run-server

Gbahdeyboh commented 2 years ago

One thing I am yet to completely figure out is how to handle API keys effectively & securely. I wasn't considering building a server-side application for the extension before, but the need arose. Since a server already exists, it might as well be good to introduce a mini authentication system, then store and maintain an encrypted version of the API keys in a database.

I'm not sure of what the pros and cons of this will be but I'll do a bit of research and play around with it to see what I find.

kinlane commented 2 years ago

I am very impressed with the progress on this. Apologies for my silence while off of work. I really enjoy following your thought process in the video you shared. You are really thinking through this in a creative, but powerful way. It also helps me think about what is possible and helps me generate more ideas.

I really like how you have done the Chrome Extension dropdown and experimented with the context of what is on screen. I hadn't thought about pulling collections based upon the API. This gets closer to where I might like to see the work go. Provide "Ops" collections that aren't in this workspace, but could run against an API. Just thinking out loud.

I am thinking some more about the possibilities, but would like to hear others' thoughts about what can be next too. I will share more shortly.

Gbahdeyboh commented 2 years ago

Thanks, @kinlane.

That's an interesting idea. What would the Ops collections do? Do you think it'll be useful for things like performance checks and evaluations?

Gbahdeyboh commented 2 years ago

As regards securing the API keys, I think I've found an elegant approach to it and I'm fleshing it out already. Got stuck for a bit, but I should find a way around it soon.

I was previously making calls to the Postman API from the client-side. That made sense since a server-side didn't exist initially. Since there is a server-side API now, I felt it is more ideal to move all requests to the Postman API to the server-side and create a stateless authentication mechanism.

So basically, a short-lived JWT authentication token that can be decoded to get the API keys on the server-side and used to authenticate the client-side. All requests to the Postman API will have to go through the collections runner API to prevent the client-side from interfacing with the API keys.
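
The token scheme described in the comment above, as an added example that is not code from the extension or server repositories. It assumes the token must be an encrypted JWT (compact JWE with `alg: dir`, `enc: A256GCM`) rather than a signed-only one, because a signed JWT payload is only base64url-encoded and readable by whoever holds the token. `SERVER_KEY`, `issueToken`, `openToken` and the `pmk` claim name are hypothetical.

```javascript
// Added example: a short-lived encrypted token that carries the Postman API key.
const nodeCrypto = require("node:crypto");

// Assumption: a 32-byte server-only secret; generated here so the example runs offline.
const SERVER_KEY = nodeCrypto.randomBytes(32);
const b64u = (buf) => Buffer.from(buf).toString("base64url");
// JWE protected header: direct symmetric encryption with AES-256-GCM.
const HEADER = b64u(JSON.stringify({ alg: "dir", enc: "A256GCM", typ: "JWT" }));

// Seal the caller's API key into a token that expires after ttlSeconds.
function issueToken(apiKey, ttlSeconds, now = Date.now()) {
  const claims = { exp: Math.floor(now / 1000) + ttlSeconds, pmk: apiKey };
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", SERVER_KEY, iv);
  cipher.setAAD(Buffer.from(HEADER, "ascii")); // header is authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(JSON.stringify(claims), "utf8"), cipher.final()]);
  // Compact JWE: header . encrypted key (empty for "dir") . iv . ciphertext . tag
  return [HEADER, "", b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join(".");
}

// Server side: authenticate, decrypt and enforce expiry; returns the API key or throws.
function openToken(token, now = Date.now()) {
  const parts = token.split(".");
  if (parts.length !== 5 || parts[0] !== HEADER || parts[1] !== "") {
    throw new Error("unsupported token");
  }
  const [iv, ct, tag] = parts.slice(2).map((p) => Buffer.from(p, "base64url"));
  if (iv.length !== 12 || tag.length !== 16) throw new Error("malformed token");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", SERVER_KEY, iv);
  decipher.setAAD(Buffer.from(HEADER, "ascii"));
  decipher.setAuthTag(tag);
  // final() throws if the header, IV, ciphertext or tag was altered.
  const plain = Buffer.concat([decipher.update(ct), decipher.final()]);
  const claims = JSON.parse(plain.toString("utf8"));
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) {
    throw new Error("token expired");
  }
  return claims.pmk;
}
```

Because the token is stateless, it stays valid until `exp` wherever it is replayed, so the lifetime should be kept short and `SERVER_KEY` should never leave the server.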