Is it possible to build an API-based authentication step into the testing of REST APIs?
I'm testing a REST API that includes an authentication action. The Swagger file has a specific JSON model that needs to be passed in: the usual userid/password, plus a couple of other true/false flags. Successful authentication returns a session value in a custom header that needs to be captured and used in all subsequent API calls (just replay the header).
I can do the authentication manually, then edit the application definition to include the custom header, but it would be much easier if I could invoke the authentication API path with stored credential values.
- Can I capture a response header and include it as a custom header for the remainder of the test?
- Can I define an authentication mechanism that will work with this REST authentication scheme?
- If I can't do this, does this prevent the use of a Swagger file for the test?
- If I have a custom header captured in a Burp log, will a custom header specified in the application definition override its value?
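
The flow described in the question (POST the JSON login model, capture the session value from a custom response header, replay it on later calls), as an added example that is not part of the original post and not tied to any scanner product. The header name `X-Session-Token`, the `/auth` path, the JSON field names, the credential values and the local stub server are all assumptions, constructed so the script runs offline.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed placeholders: the post does not name the header, path or token format.
SESSION_HEADER = "X-Session-Token"
AUTH_PATH = "/auth"
CONSTRUCTED_TOKEN = "constructed-session-0001"

class StubApi(BaseHTTPRequestHandler):
    """Constructed stand-in for the API under test so the example runs offline."""
    def log_message(self, *args): pass  # keep the stub quiet
    def _reply(self, status, token=None):
        self.send_response(status)
        if token:
            self.send_header(SESSION_HEADER, token)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.path == AUTH_PATH and json.loads(raw or b"{}").get("password") == "test-only"
        self._reply(200 if ok else 401, CONSTRUCTED_TOKEN if ok else None)
    def do_GET(self):
        self._reply(200 if self.headers.get(SESSION_HEADER) == CONSTRUCTED_TOKEN else 401)

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubApi)  # port 0: pick any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def authenticate(base_url, credentials):
    """POST the JSON login model and return the session value from the response header."""
    req = urllib.request.Request(base_url + AUTH_PATH, method="POST",
                                 data=json.dumps(credentials).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        token = resp.headers.get(SESSION_HEADER)
    if not token:  # a 200 without the header would otherwise fail silently later
        raise RuntimeError(f"login returned no {SESSION_HEADER} header")
    return token

def call_api(base_url, path, token=None):
    """GET a path, replaying the session header when one is given; return the HTTP status."""
    req = urllib.request.Request(base_url + path, headers={SESSION_HEADER: token} if token else {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

Comparing the status of the same request with and without the replayed header confirms the session value is actually being enforced before it is carried into the rest of the test.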