How do I make an "ad-hoc" API call to a Rails server in the context of the default Rails testing framework (minitest using Selenium for the end-to-end tests)?
I am working on a Rails app with views that contain client-side JavaScript that make API calls back to the server. The app is designed so that the only API calls should be coming from the web browser. (Is "API calls" the right term for what the JavaScript is doing? Are there separate terms for (a) background data requests from JavaScript running in a web browser and (b) data requests made by external applications such as a mobile app or command line interface? For what I'm working on right now, I'm specifically concerned about (a). I know that at a high level these are the same thing; but, the details of securing the two types of requests differ slightly.)
I would like to write some end-to-end tests that verify that a user can't access/modify another user's data by issuing requests to the server that aren't generated by my application's JavaScript code.
The main challenge is that issuing such "malicious"/"fake" server requests would require me to have access to both (a) the session cookie and (b) the CSRF token. How do I do that?
- Is there a way for the Ruby test code to use Selenium to obtain them from the browser? Or,
- Should I use Selenium to instruct the browser to execute the "custom" Javascript I want to make sure my server responds correctly to? Or,
- Should I skip the browser for these tests and simply issue a series of HTTP requests directly from the Ruby code? (This seems to be the more straightforward of the two, except for having to manage the session cookie and CSRF tokens "by hand".)
Or is there a simpler option "4" that I'm overlooking?