API POST Load testing using Swagger

I’m trying to do a load test on an API POST call. Here’s my code:

import http from 'k6/http';
import { check } from 'k6';

export default async function getTransactions() {
    const res = http.get('https://xxxxxxx.net?email=xxxxx&password=xxxx');
    check(res, { 'status was 200': (r) => r.status == 200 });

    const url = 'https://xxxxxx.net/api/jr/txn/session/v1'
    const payload = JSON.stringify({
        "atmId": [
            4
        ],
        "devtime0": 20231101000000,
        "devtime1": 20231111000000
  
    });
    const params = {
        headers: {
            'accept': '*/*',
            'access-control-allow-origin': '*',
            'content-type': 'application/json' ,
            'server': 'nginx/1.25.3',
        },
    };

    const transactionRes = http.post(url, payload, params)
    check(transactionRes, {'single transaction endpoint reached': (r) => r.status == 200});
}

First, I have a GET call to the log-in page which then passes through authentication via email and password in the URL “action?email=xxx&password=xxxx”

It should receive back cookies, and I then do a POST call to an API endpoint which I obtained from Swagger. The POST call gives me an error indicating that status 200 was not reached. The AWS env and CORS security complicate matters since the current security doesn’t allow foreign tokens or API keys. External methods like Swagger require login with a stored session, which I tried to simulate with the GET call first. I’m not quite sure how to proceed further, would much appreciate any guidance on this, thanks!

Edit: Response body:

{"path":"/api/jr/txn/session/v1","error":"Unauthorized","message":"login","timestamp":"2024-02-06T16:08:51.142Z","status":401}

My current guess is that I need AWS Signature Version 4 set up for HTTP authorization. I’m a little confused because I thought the GET call would give me back cookies with that authentication?

Hey @ramenoir,
you should check whether, after the first request, the VU contains the expected cookies. You can check them by following this example: Cookies Example | Grafana k6 documentation.

If not, then you have to check with your IT department what the expected authentication method is.

Let me know if it helps.

Hey @codebien! So I made progress on this and figured out that since the app uses Cookie authentication, I can send the session cookie from the GET request to the POST request. However, I did encounter an issue: I tried printing out the response session cookie, but it’s empty. What this tells me is that I’m not actually successfully logging in to the application. The login page only accepts GET requests, so placing the email and password in the payload isn’t possible here. Here’s what the URL in my GET call looks like:

const res = http.get('https://xxxx.xxxxx.net/xxxx/xxxxx/xxx/xxxx/action?email=xxxx%40xxxxxx.com&password=xxxxxx-985');

I’ve also tried doing it this way:

https://xxxxx%40xxxxxx.com:Xxxxxx-985@xxxx.xxxxx.net/xxxx/xxxxxx/xxxx/

However I’m receiving an empty object when I print out cookiesForURL:

    const vuJar = http.cookieJar();
    const cookies = vuJar.cookiesForURL(res.url);

    console.log('Cookie:' + JSON.stringify(cookies));

I replaced the ‘@’ character with %40, I don’t believe I need to do the same with digits or dashes (-). Perhaps I’m still not correctly sending in my email and password via URL? Or maybe there’s another way to do it?
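
Added example (plain JavaScript for Node, not k6 code and not written by anyone in this thread): it builds a login URL with percent-encoded credentials, then applies the RFC 6265 domain, path and Secure matching rules to constructed Set-Cookie headers to show which cookies from a login response a later API request would carry. The hosts, credentials, cookie names and function names are assumptions made for illustration.

```javascript
// Added example. Hosts, credentials, cookie names and values are constructed.
// Build the login URL with reserved characters in the credentials encoded.
function buildLoginUrl(base, email, password) {
  const u = new URL(base);
  u.search = new URLSearchParams({ email, password }).toString();
  return u.toString();
}

// Split one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// RFC 6265 default-path: the directory of the URL that set the cookie.
function defaultPath(pathname) {
  const cut = pathname.lastIndexOf('/');
  return cut <= 0 ? '/' : pathname.slice(0, cut);
}

// Would a cookie set by setByUrl be attached to a request for targetUrl?
function cookieAppliesTo(cookie, setByUrl, targetUrl) {
  const origin = new URL(setByUrl);
  const target = new URL(targetUrl);
  const { domain, path, secure } = cookie.attrs;
  const d = typeof domain === 'string' ? domain.replace(/^\./, '').toLowerCase() : null;
  const hostOk = d
    ? target.hostname === d || target.hostname.endsWith('.' + d)
    : target.hostname === origin.hostname; // no Domain attribute: host-only cookie
  const p = typeof path === 'string' && path.startsWith('/') ? path : defaultPath(origin.pathname);
  const pathOk = target.pathname === p || target.pathname.startsWith(p.endsWith('/') ? p : p + '/');
  return hostOk && pathOk && (!secure || target.protocol === 'https:');
}

// Names of the cookies from the login response that the API request would carry.
function usableCookies(setCookieHeaders, loginUrl, apiUrl) {
  return setCookieHeaders.map(parseSetCookie)
    .filter((c) => cookieAppliesTo(c, loginUrl, apiUrl)).map((c) => c.name);
}

const LOGIN = buildLoginUrl('https://app.example.net/portal/login/action', 'load.tester@example.com', 'Example-985&x');
const API = 'https://app.example.net/api/jr/txn/session/v1';
const SAMPLE = ['SESSION=abc123; Secure; HttpOnly', 'XSRF=tok; Path=/; Secure', 'pref=dark; Domain=example.net; Path=/api'];
console.log(LOGIN, usableCookies(SAMPLE, LOGIN, API));
```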