API Testing Challenges 35 and 36 - How To - POST Unauthorised 401 403

This post and video shows how to complete the Unauthorised POST secret note challenges, which return status codes of 401 and 403 and fail to amend the secret note.

What are the API Challenges?

Our API Challenges Application has a fully functional cloud hosted API, and a set of challenges to work through.

POST Amend Secret Note Challenge

Most of the challenges simply require the correct payload, and an X-Challenger header to track the session. The authentication challenges require an extra header, the value for which can only be obtained with a username and password. This value is obtained when completing challenge 30.

The X-CHALLENGER header authenticates you to access a specific set of secret notes, and the X-AUTH-TOKEN authorizes you to gain access.

Authentication is “are you who you say you are” (X-CHALLENGER)
Authorization is “do you have the right permissions” (X-AUTH-TOKEN)

Both Challenge 35 and 36 are so similar that we have covered them in one post.

Following on from challenge 35 were we successfully amended a post. Now we try to repeat the same requests but

Challenge 35 - remove the X-AUTH-TOKEN header
Challenge 36 - the X-AUTH-TOKEN header has the wrong value

Challenge 35 POST Amend no AUTH TOKEN

Issue a POST request on the /secret/note end point with a note payload {“note”:“my note”} and receive 401 when no X-AUTH-TOKEN present

POST request means use the HTTP Verb POST
- e.g. POST /secret/note sends to the secret note endpoint
with a note payload include a JSON formatted object as the payload
no X-AUTH-TOKEN present means do not inlude a custom header named X-AUTH-TOKEN
add the X-CHALLENGER header to track progress and authenticate the request
Receive a 401 response because the X-AUTH-TOKEN is missing.

> POST /secret/note HTTP/1.1
> Host: apichallenges.herokuapp.com
> User-Agent: insomnia/2021.2.2
> X-CHALLENGER: x-challenger-guid
> Content-Type: application/json
> Accept: */*
> Content-Length: 23

| {
|   "note": "my note"
| }

* upload completely sent off: 23 out of 23 bytes
* Mark bundle as not supporting multiuse

< HTTP/1.1 403 Forbidden
< Connection: close
< Date: Sun, 25 Jul 2021 12:53:51 GMT
< X-Challenger: x-challenger-guid
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur

Challenge 36 POST Amend Invalid AUTH TOKEN

Issue a POST request on the /secret/note end point with a note payload {“note”:“my note”} and receive 403 when X-AUTH-TOKEN does not match a valid token

same basic message as Challenge 36 but the X-AUTH-TOKEN header is included, but the value does not match the value returned from challenge 30 /secret/token request.

> POST /secret/note HTTP/1.1
> Host: apichallenges.herokuapp.com
> User-Agent: insomnia/2021.2.2
> X-CHALLENGER: x-challenger-guid
> X-AUTH-TOKEN: bob
> Content-Type: application/json
> Accept: */*
> Content-Length: 23

| {
|   "note": "my note"
| }

< Connection: close
< Date: Sun, 25 Jul 2021 12:57:42 GMT
< X-Challenger: x-challenger-guid
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur