date 2020-12-23

How do I guarantee response integrity on a public facing API?

PHP
#1

I am on a team of developers working on an API accessible to 3rd-party clients. An important fix may necessitate changing a variable name in the response body. A mischievous or unwitting team member may have the urge to update a model/data structure, to the detriment of unsuspecting consumers, who will end up with broken apps.

A friend suggested baking variable names into unit tests for those endpoints. The tests fail when conflicting information arrives. I wonder if it isn’t impossible for a developer to equally update the test parameters so his updates can merrily leave for the CI server.

Is this the standard practice? Is there a way to enforce avoidance of such situations?

#2

Your ‘unwitting’ developer realizes his blunder when the CI environment rejects his code because the unit tests fail, and reevaluates what he’s done.

“Mischievous” developer at that point is a malicious developer, who is intentionally bypassing sanity checks to release code changes he knows will fail.

Some, potentially. Mostly it’s just mitigation.

If your unit tests are kept by your testers, and your code is kept by the developers, you’d have to have a pair working together to bypass.

Note: Your API’s unit tests should already have ‘baked in’ variable names - otherwise how can they differentiate between pieces of data coming in?

If you tell me your API takes in 2 numbers, signal and mod, and I tell you my data is “6,3”, how do you know which one is which? How does your test know?
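The "baked in" field names that both posts talk about, as an added example that is not code from either poster: a contract check in Python (the question is tagged PHP, but the check is language-independent) that compares an endpoint's JSON body against a frozen list of field names and types, so a rename or retype fails in CI rather than at the consumer. The endpoint, the contract and the sample responses are constructed for illustration.

```python
import json
from typing import Any

# Constructed contract for a hypothetical /account endpoint (not from the post):
# the field names and JSON types that third-party clients already rely on.
# Kept with the test owners, as the answer suggests, so a developer renaming a
# field cannot silently "fix" the expectation in the same change.
ACCOUNT_CONTRACT = {
    "account_id": "string",
    "balance": "number",
    "currency": "string",
    "owner": {"name": "string", "email": "string"},
}
JSON_TYPES = {"string": str, "number": (int, float), "boolean": bool, "array": list}


def _matches(value: Any, expected: str) -> bool:
    # bool is a subclass of int in Python, so exclude it from "number".
    if expected == "number":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    return isinstance(value, JSON_TYPES[expected])


def contract_violations(body: Any, contract: dict, path: str = "") -> list:
    """Return human-readable breaks of the contract: a field missing (renamed or
    dropped), a nested object flattened, or a value of the wrong JSON type.
    Extra fields are allowed: additive changes do not break existing clients."""
    if not isinstance(body, dict):
        return [f"{path or '$'}: expected object, got {type(body).__name__}"]
    problems = []
    for field, expected in contract.items():
        here = f"{path}.{field}" if path else field
        if field not in body:
            problems.append(f"{here}: missing (renamed or dropped?)")
        elif isinstance(expected, dict):
            problems.extend(contract_violations(body[field], expected, here))
        elif not _matches(body[field], expected):
            problems.append(f"{here}: expected {expected}, got {type(body[field]).__name__}")
    return problems


def check_response(raw_json: str) -> list:
    """What the CI test calls on the endpoint's response body; [] means compatible."""
    return contract_violations(json.loads(raw_json), ACCOUNT_CONTRACT)


# Constructed sample responses: one compatible (an extra "tier" field is fine),
# one with a renamed field and a retyped one, the change the question worries about.
GOOD = '{"account_id": "a-1", "balance": 12.5, "currency": "EUR", "owner": {"name": "Ann", "email": "ann@example.com"}, "tier": "gold"}'
BROKEN = '{"accountId": "a-1", "balance": "12.5", "currency": "EUR", "owner": {"name": "Ann", "email": "ann@example.com"}}'
```

Wiring `check_response` into a CI test that fetches each public endpoint and asserts an empty list turns a field rename into a red build; moving the contract file to a separately owned directory gives the two-person bypass the answer describes.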