Kata 6: Are You Authorized?
SmartFashion is a clothes store. Its API is used by its own website and by the websites of partner stores; serving those partners is why the API exists.
The API is essentially a CRUD (Create, Read, Update, Delete) API.
Basic Clients can:
- Search for items
- Buy items
Admin Clients can also:
- Add items
- Remove items
- Update items
Test that the API correctly handles user authentication and authorization. Clients access the system at one of two levels: Basic Client or Admin Client. Assume that the API provides a login operation that identifies the user and establishes their access level. Read up on API security in our articles State of API Security and Best Practices: Security Vulnerability Testing.
Clues:
- For example: ensure that Basic Clients cannot update items directly.
- Be realistic and check the security of the system as well; for example, check the login operation for SQL injection.
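The following is an added example, not part of the kata and not SmartFashion's actual API. It models the access matrix above (Basic Clients search and buy; Admin Clients also add, remove and update) as an in-memory API with a login operation, and then runs the kind of checks the kata asks for: each operation is tried anonymously, as a Basic Client and as an Admin Client, a forged session token is tried, and the login is checked against a classic SQL-injection input. The account names, passwords, item data and the `call`/`login` interface are all constructed for this example.

```python
import hashlib
import secrets
import sqlite3

ROLE_BASIC = "basic"
ROLE_ADMIN = "admin"

# Access matrix from the kata: which roles may call each operation.
PERMISSIONS = {
    "search": {ROLE_BASIC, ROLE_ADMIN},
    "buy": {ROLE_BASIC, ROLE_ADMIN},
    "add": {ROLE_ADMIN},
    "remove": {ROLE_ADMIN},
    "update": {ROLE_ADMIN},
}


def _hash(password):
    # sha256 keeps the demo dependency-free; a real store uses a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


class SmartFashionAPI:
    """In-memory stand-in for the store API; every call returns (status, body)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
        self.db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
        # Constructed sample accounts and stock (not real data).
        self.db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
            ("alice", _hash("alice-pw"), ROLE_BASIC),
            ("root", _hash("root-pw"), ROLE_ADMIN),
        ])
        self.db.executemany("INSERT INTO items (name, price) VALUES (?, ?)",
                            [("Jacket", 120.0), ("Scarf", 25.0)])
        self.sessions = {}  # session token -> role

    def login(self, username, password):
        # Parameterised query: user input is bound as data, never spliced into SQL text.
        row = self.db.execute(
            "SELECT role FROM users WHERE username = ? AND pw_hash = ?",
            (username, _hash(password)),
        ).fetchone()
        if row is None:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = row[0]
        return token

    def call(self, operation, token=None, **params):
        # Single chokepoint: authenticate, then authorize, before any handler runs.
        role = self.sessions.get(token)
        if role is None:
            return 401, "authentication required"
        if role not in PERMISSIONS.get(operation, set()):
            return 403, "forbidden for role " + role
        return 200, getattr(self, "_" + operation)(**params)

    # Handlers do plain data access; call() has already enforced the role.
    def _search(self, name):
        return self.db.execute("SELECT name, price FROM items WHERE name LIKE ?",
                               ("%" + name + "%",)).fetchall()

    def _buy(self, item_id):
        row = self.db.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()
        return {"bought": row[0]} if row else {"error": "no such item"}

    def _add(self, name, price):
        cur = self.db.execute("INSERT INTO items (name, price) VALUES (?, ?)", (name, price))
        return {"id": cur.lastrowid}

    def _remove(self, item_id):
        self.db.execute("DELETE FROM items WHERE id = ?", (item_id,))
        return {"removed": item_id}

    def _update(self, item_id, price):
        self.db.execute("UPDATE items SET price = ? WHERE id = ?", (price, item_id))
        return {"updated": item_id}


def run_access_checks(api):
    """Exercise the access matrix and the login; returns {check name: passed}."""
    basic = api.login("alice", "alice-pw")
    admin = api.login("root", "root-pw")
    r = {}
    r["anonymous cannot search"] = api.call("search", name="Jacket")[0] == 401
    r["basic can search"] = api.call("search", basic, name="Jacket") == (200, [("Jacket", 120.0)])
    r["basic can buy"] = api.call("buy", basic, item_id=1) == (200, {"bought": "Jacket"})
    r["basic cannot update"] = api.call("update", basic, item_id=1, price=1.0)[0] == 403
    r["basic cannot add"] = api.call("add", basic, name="Hat", price=9.0)[0] == 403
    r["basic cannot remove"] = api.call("remove", basic, item_id=1)[0] == 403
    # Fail closed: the denied update must not have touched the data.
    r["denied update had no effect"] = api.call("search", basic, name="Jacket")[1][0][1] == 120.0
    r["admin can update"] = api.call("update", admin, item_id=1, price=99.0)[0] == 200
    r["forged token rejected"] = api.call("update", "not-a-token", item_id=1, price=1.0)[0] == 401
    r["wrong password rejected"] = api.login("alice", "wrong") is None
    # The classic tautology input must not log anyone in.
    r["login not injectable"] = api.login("' OR '1'='1", "' OR '1'='1") is None
    return r


if __name__ == "__main__":
    for name, ok in run_access_checks(SmartFashionAPI()).items():
        print(("PASS " if ok else "FAIL ") + name)
```

The design point worth copying into a real test plan is the shape of `run_access_checks`: every operation in the matrix is exercised from every access level, including no session at all and a forged token, and a denied write is followed by a read to confirm it really had no effect. Checking only the "happy path" for each role misses exactly the bugs this kata is about.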