SQA #3932
[SQA] Auth & Agency Onboarding API
Status: open
Description
Test Case Design & Review
- Created comprehensive API test cases for the following endpoints:
  - /auth/v2/resend-email-verification-link
  - /auth/v2/check-email-uniqueness
  - /auth/v2/check-agency-name-uniqueness
- Reviewed API response contracts against expected business rules and validation logic.
API Automation (Postman)
- Implemented pre-request scripts:
  - Email normalisation (lowercase enforcement)
  - Required variable validation (fail-fast)
  - Dynamic test data setup (email, agency name, role)
- Implemented post-request scripts:
  - Safe JSON parsing with error handling
  - Flexible assertions for success and failure responses
  - Environment variable persistence for chained flows
  - Conditional logic for uniqueness checks and resend behaviour
Security & Compliance Review
- Performed API security review on the signup response:
  - Identified security risks related to:
    - Verification link exposure in API response
    - JWT token leakage
    - Email passed as URL query parameter
  - Mapped findings against OWASP ASVS and API security best practices
  - Provided secure response contract recommendations
Defect Identification & Documentation
- Identified potential high-severity security vulnerability:
  - Sensitive verification token exposed via API response
- Prepared defect details, including:
  - Issue description
  - Security impact
  - Recommended mitigation
  - Severity classification
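As an added example (not the ticket's own scripts or the project's code), here is a Postman-style post-request check that combines the pieces described under API Automation and the defect above: email lowercasing, safe JSON parsing, and a test that fails when the signup response body carries a verification link or token or a JWT-shaped value. The field names, regexes and the sample response are constructed assumptions.

```javascript
// Added example (not from the ticket): helpers usable inside a Postman
// post-request script; field names and the sample response are assumptions.

// Normalise an email the same way the pre-request script does (trim, lowercase).
function normaliseEmail(email) {
  return String(email).trim().toLowerCase();
}

// Safe JSON parse: returns null instead of throwing on a non-JSON body.
function safeParse(text) {
  try { return JSON.parse(text); } catch (e) { return null; }
}

// Matches a JWT-shaped string (three base64url segments separated by dots).
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Walk the parsed body and collect leak findings: keys that look like a
// verification link/token (assumed naming), or any JWT-shaped string value.
function findLeaks(obj, path = '') {
  const findings = [];
  if (obj === null || typeof obj !== 'object') return findings;
  for (const [key, val] of Object.entries(obj)) {
    const p = path ? `${path}.${key}` : key;
    if (/verif.*(link|url|token)|token|jwt/i.test(key)) {
      findings.push(`sensitive field exposed: ${p}`);
    }
    if (typeof val === 'string' && JWT_RE.test(val)) {
      findings.push(`JWT-shaped value at: ${p}`);
    }
    findings.push(...findLeaks(val, p));
  }
  return findings;
}

// Constructed sample signup response illustrating the kind of leak reported.
const SAMPLE_BODY = JSON.stringify({
  message: 'Signup successful',
  user: { email: 'QA.User@Example.com', verificationLink: 'https://example.test/verify?token=abc' },
  accessToken: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJxYSJ9.c2lnbmF0dXJl'
});

// Postman post-request usage (only runs inside Postman, where `pm` exists).
if (typeof pm !== 'undefined') {
  const body = safeParse(pm.response.text());
  pm.test('response parsed as JSON', () => pm.expect(body).to.not.equal(null));
  pm.test('no verification link/token or JWT in signup response', () => {
    pm.expect(findLeaks(body), 'leaks').to.have.lengthOf(0);
  });
  pm.environment.set('email', normaliseEmail(body && body.user ? body.user.email : ''));
}
```

Outside Postman the `pm` block is skipped, so the helpers can be unit-tested on their own against the constructed body.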
Test Data & Utilities
- Generated reusable Postman utilities:
  - Random secure password generator
  - Lowercase email generator
  - Environment-based test data management
- Improved test stability by eliminating case-sensitivity issues.
Test Execution & Validation
- Executed API test flows:
  - Email uniqueness → Signup → Resend verification → Verify email
- Validated response structure, status codes, and business logic.
- Verified error handling and message consistency.