Security tests: No auth

[savage-alex]

User Story
As an API tester
I want to have a test that calls each API operation with no security
So that any miss configured APIs without security are found automatically

Acceptance Criteria

• New configuration exists to enable feature
• New folder for path + (No Authentication) exists when imported to Postman
• Calls are made with authorization set to No Auth
• Response codes and schema validation match the 401 or 403 schemas

[nicklloyd]

Hey Alex - have you looked into variation testing?
ie: https://github.com/apideck-libraries/portman/blob/main/examples/testsuite-variation-tests/portman-config.crm.json#L33-L57

[savage-alex]

I had read the docs but failed to notice the examples here! I will setup some scenarios thanks!

[nicklloyd]

Indeed having a dedicated (sexy) docs site is on the list, just haven't found the bandwidth to get it done just yet...

Maybe to note, a bad token is not the same as no auth headers.... can use overwriteRequestHeaders to actually remove the authorization entirely...

https://github.com/apideck-libraries/portman#portman---overwrites-properties

{
  "overwrites": [
    {
      "openApiOperationId": "leadsAdd",
      "overwriteRequestHeaders": [
        {
          "key": "x-apideck-consumer-id",
          "value": "portman-id-{{$randomInt}}",
          "remove": true
        }
      ]
    }
  ]
}

[savage-alex]

Testing Postman if the security is set to bearer and you leave the token blank it results in No Authorization header being sent! result

[savage-alex]

NB: If you enter anything into the token the header is then included