Lecture 2 . Auth flows + JSON Schema

Auth flows + JSON Schema

Real APIs require credentials. Real responses must match a contract. This lecture covers Basic Auth, OAuth2 client_credentials against Spotify, dynamic token refresh on 401, and AJV-based schema validation with a custom expect matcher.

01The auth landscapeBasic, Bearer, OAuth2

An API call without credentials gets you anonymous access at best, a 401 at worst. Real services use one of three patterns: HTTP Basic Auth, opaque Bearer tokens, or OAuth2 access tokens. Playwright's request fixture supports all three equally well.

Scheme	Header	Where credentials live	Renewable?
Basic	`Authorization: Basic base64(user:pass)`	your `.env` or a secret manager	no, you keep using the same creds
Bearer (opaque)	`Authorization: Bearer xyz`	issued by an auth endpoint	via a refresh endpoint or a second login
OAuth2 client_credentials	`Authorization: Bearer xyz`	client_id + client_secret -> token endpoint	yes, with TTL in the response
OAuth2 authorization_code	`Authorization: Bearer xyz`	user browser flow + redirect	refresh_token

sequenceDiagram
  participant T as test
  participant API as protected API

  Note over T,API: Basic Auth
  T->>API: GET /me + Authorization: Basic base64(user:pass)
  API-->>T: 200 OR 401

  Note over T,API: OAuth2 client_credentials
  T->>API: POST /token + client_id + client_secret
  API-->>T: 200 { access_token, expires_in }
  T->>API: GET /me + Authorization: Bearer access_token
  API-->>T: 200

Basic Auth is one request, OAuth2 is two

02Basic Auth in PlaywrighthttpCredentials

Basic Auth is the simplest scheme - the username and password go on every request, base64-encoded. Playwright handles the encoding for you when you set httpCredentials on the context.

tests/basic-auth.api.spec.ts

import { test, expect, request } from '@playwright/test';

test('basic auth via httpCredentials', async () => {
  const ctx = await request.newContext({
    baseURL: 'https://httpbin.org',
    httpCredentials: { username: 'demo', password: 'pass' },
  });

  const res = await ctx.get('/basic-auth/demo/pass');
  expect(res.status()).toBe(200);
  expect((await res.json()).authenticated).toBe(true);

  const wrong = await ctx.get('/basic-auth/demo/different');
  expect(wrong.status()).toBe(401);

  await ctx.dispose();
});

Basic Auth over HTTPS only. The header is base64, NOT encrypted. Anyone watching plain HTTP can decode demo:pass in milliseconds. Use TLS or pick OAuth2.

The header is one line - everything sits in the value

03OAuth2 client_credentials against Spotifytwo-step

Spotify's public Web API ships with a free client credentials grant. You register a small app on the developer dashboard, get a client_id and a client_secret, exchange them for an access token, then use the token to read public data such as new releases.

Step 1 - get a token

lib/spotify.ts

import { request } from '@playwright/test';

export async function getSpotifyToken(id: string, secret: string) {
  const ctx = await request.newContext();
  const body = new URLSearchParams({ grant_type: 'client_credentials' });
  const creds = Buffer.from(`${id}:${secret}`).toString('base64');

  const res = await ctx.post('https://accounts.spotify.com/api/token', {
    headers: {
      'Authorization': `Basic ${creds}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    data: body.toString(),
  });
  if (!res.ok()) throw new Error(`token request failed: ${res.status()}`);
  const json = await res.json();
  await ctx.dispose();
  return json as { access_token: string; expires_in: number; token_type: 'Bearer' };
}

Step 2 - use the token

tests/spotify.api.spec.ts

import { test, expect, request } from '@playwright/test';
import { getSpotifyToken } from '../lib/spotify';

test('new releases endpoint returns 20 albums', async () => {
  const { access_token } = await getSpotifyToken(
    process.env.SPOTIFY_CLIENT_ID!,
    process.env.SPOTIFY_CLIENT_SECRET!,
  );

  const ctx = await request.newContext({
    baseURL: 'https://api.spotify.com',
    extraHTTPHeaders: { 'Authorization': `Bearer ${access_token}` },
  });

  const res = await ctx.get('/v1/browse/new-releases?limit=20');
  expect(res.status()).toBe(200);
  const body = await res.json();
  expect(body.albums.items).toHaveLength(20);
  await ctx.dispose();
});

sequenceDiagram
  participant T as test
  participant A as accounts.spotify.com
  participant API as api.spotify.com

  T->>A: POST /api/token (grant_type=client_credentials)
  Note over T,A: Authorization: Basic base64(id:secret)
  A-->>T: 200 { access_token, expires_in: 3600 }

  T->>API: GET /v1/browse/new-releases?limit=20
  Note over T,API: Authorization: Bearer access_token
  API-->>T: 200 { albums: { items: [...] } }

OAuth2 client_credentials - one POST for a token, then Bearer on every call

04Dynamic token refresh on 401resilience

Tokens expire. A long-running suite that grabbed a token at globalSetup may see it expire halfway through. The classic recovery is: on 401, fetch a fresh token and retry the request once.

lib/auto-refresh.ts

import { APIRequestContext, request } from '@playwright/test';
import { getSpotifyToken } from './spotify';

let currentToken: string | null = null;

async function freshContext(): Promise<APIRequestContext> {
  const { access_token } = await getSpotifyToken(
    process.env.SPOTIFY_CLIENT_ID!,
    process.env.SPOTIFY_CLIENT_SECRET!,
  );
  currentToken = access_token;
  return request.newContext({
    baseURL: 'https://api.spotify.com',
    extraHTTPHeaders: { 'Authorization': `Bearer ${access_token}` },
  });
}

export async function getWithRefresh(path: string) {
  let ctx = await freshContext();
  let res = await ctx.get(path);
  if (res.status() === 401) {
    await ctx.dispose();
    ctx = await freshContext();
    res = await ctx.get(path);
  }
  const body = await res.json();
  await ctx.dispose();
  return { status: res.status(), body };
}

flowchart TB
  S[start] --> C[get token if missing]
  C --> R[GET /v1/browse/new-releases]
  R -->|200| OK[return body]
  R -->|401| REF[fetch fresh token]
  REF --> R2[retry GET]
  R2 -->|200| OK
  R2 -->|401| FAIL[fail loudly]

Refresh once. If still 401, the credentials themselves are wrong

Why retry only once? If the credentials are wrong, retrying forever just hammers the auth server and locks the client. A single retry covers the "expired between request and now" race; everything else is a config bug.

05AJV - install and instantiateajv + ajv-formats

AJV is the fastest JSON Schema validator in the Node.js ecosystem. It compiles a schema once into a JavaScript function, then validates instances against it in microseconds.

install

npm install ajv ajv-formats --save-dev

lib/ajv.ts

import Ajv, { ErrorObject } from 'ajv';
import addFormats from 'ajv-formats';

const ajv = new Ajv({ allErrors: true, strict: false });
addFormats(ajv);  // date, date-time, email, uri, uuid, etc.

export { ajv };
export type { ErrorObject };

AJV compiles each schema once into a tight JS function

06Custom matcher - expect.extendtoMatchSchema

Calling ajv.validate(schema, body) directly works but yields ugly error messages. A custom expect matcher integrates with Playwright's reporter and gives you a clean failure with the full validation path.

lib/matcher.ts

import { expect } from '@playwright/test';
import { ajv } from './ajv';

expect.extend({
  toMatchSchema(received: unknown, schema: object) {
    const validate = ajv.compile(schema);
    const ok = validate(received);
    if (ok) return { pass: true, message: () => 'matched' };

    const details = (validate.errors ?? []).map(e =>
      `${e.instancePath || '(root)'} ${e.message}`
    ).join('\n');

    return {
      pass: false,
      message: () => `Schema mismatch:\n${details}`,
    };
  },
});

declare module '@playwright/test' {
  interface Matchers<R> {
    toMatchSchema(schema: object): R;
  }
}

Pull the matcher file into your global tests/setup.ts:

tests/setup.ts

import '../lib/matcher';

playwright.config.ts (excerpt)

export default defineConfig({
  globalSetup: './tests/setup.ts',
  // ...rest of config
});

07Authoring a JSON Schema (draft-07)$schema, type, required, properties

JSON Schema draft-07 is the practical default. Newer drafts (2019-09, 2020-12) add features but draft-07 has the widest ecosystem support.

Minimum viable schema

schemas/email.schema.json

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "email": { "type": "string", "format": "email" }
  },
  "required": ["email"],
  "additionalProperties": false
}

Constraint families

Strings - minLength, maxLength, pattern (regex), format (date, date-time, email, uri, uuid via ajv-formats)
Numbers - minimum, maximum, exclusiveMaximum, multipleOf
Arrays - items, minItems, maxItems, uniqueItems
Objects - properties, required, additionalProperties, patternProperties
Combinators - allOf, anyOf, oneOf, not

flowchart LR
  REQ[response.json] --> AJV[ajv.compile schema]
  AJV --> VAL{validate}
  VAL -->|ok| PASS[expect passes]
  VAL -->|errors| FAIL[expect fails with path + message]
  SCH[schemas/*.schema.json] --> AJV

The AJV pipeline - same shape whether you have 1 schema or 50

08The booking schemarestful-booker

The schema for a single booking returned by GET /booking/{id}:

schemas/booking.schema.json

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "booking",
  "type": "object",
  "properties": {
    "firstname": { "type": "string", "minLength": 1 },
    "lastname":  { "type": "string", "minLength": 1 },
    "totalprice": { "type": "number", "minimum": 0 },
    "depositpaid": { "type": "boolean" },
    "bookingdates": {
      "type": "object",
      "properties": {
        "checkin":  { "type": "string", "format": "date" },
        "checkout": { "type": "string", "format": "date" }
      },
      "required": ["checkin", "checkout"]
    },
    "additionalneeds": { "type": "string" }
  },
  "required": ["firstname", "lastname", "totalprice", "depositpaid", "bookingdates"],
  "additionalProperties": false
}

Use it in a spec

tests/booking-schema.api.spec.ts

import { test, expect } from '@playwright/test';
import bookingSchema from '../schemas/booking.schema.json';

test('GET /booking/1 matches schema', async ({ request }) => {
  const res = await request.get('https://restful-booker.herokuapp.com/booking/1');
  expect(res.status()).toBe(200);
  const body = await res.json();
  expect(body).toMatchSchema(bookingSchema);
});

tsconfig.json must allow importing JSON: set "resolveJsonModule": true under compilerOptions.

09Drift detectioncontract vs prod

Schema drift means a field changed in production without the schema being updated. Catch it by running the schema test against production daily and surfacing failures.

tests/drift.api.spec.ts

import { test, expect } from '@playwright/test';
import bookingSchema from '../schemas/booking.schema.json';

test.describe('contract drift', () => {
  test('/booking/{first} matches checked-in schema', async ({ request }) => {
    const list = await request.get('/booking');
    const ids = (await list.json()) as { bookingid: number }[];

    const res = await request.get(`/booking/${ids[0].bookingid}`);
    const body = await res.json();
    expect(body).toMatchSchema(bookingSchema);
  });
});

One extra field in prod, no matching schema entry - AJV blocks the merge

Tighten or loosen. additionalProperties: false is strict - useful for contract drift. additionalProperties: true is loose - good for forward compatibility on consumer-side tests. Pick one per direction.

DDrills - eight auth + schema exercises

1Basic Auth happy path

Write a test that uses httpCredentials to call httpbin.org/basic-auth/demo/pass and asserts authenticated: true.

Hint

Set httpCredentials: { username, password } on request.newContext().

2Basic Auth bad password

Send the wrong password to the same endpoint. Assert status 401 and that the body is empty.

Hint

Use the same path but a different password literal.

3Spotify token

Register a free app on the Spotify developer dashboard, put the id and secret in .env, and write a test that fetches a token and asserts expires_in: 3600.

Hint

Use process.env through dotenv-cli or Playwright's --env flag.

4Twenty new releases

Get a Spotify token and GET /v1/browse/new-releases?limit=20. Assert exactly twenty items and that each item has a non-empty name.

Hint

Map and assert with expect.arrayContaining or a small loop.

5Refresh on 401

Build the getWithRefresh() helper from section 4. Force a 401 by passing a junk token first, then confirm the retry succeeds with a fresh one.

Hint

Override currentToken to 'expired-fake' for the first call.

6Author the email schema

Write email.schema.json with a single email field of format: email. Validate { email: '[email protected]' } passes and { email: 'not-an-email' } fails.

Hint

Don't forget $schema and required.

7Schema for booking

Wire the booking schema into the booking spec. Run it against three different booking ids and assert all three match.

Hint

Loop over [1, 2, 3] with test.describe.parallel or generated tests.

8Drift report

Set additionalProperties: false. Manually add extra: 'x' to the response in a stub. Confirm AJV flags it. Then revert and confirm the real response still passes.

Hint

Use route.fulfill from lecture 3 - or stub via a wrapper.

SSolutions - Spotify token + schema validation

spotify-and-schema.api.spec.ts

import { test, expect, request } from '@playwright/test';
import Ajv from 'ajv';
import addFormats from 'ajv-formats';

const ajv = new Ajv({ allErrors: true, strict: false });
addFormats(ajv);

const newReleasesSchema = {
  type: 'object',
  properties: {
    albums: {
      type: 'object',
      properties: {
        items: { type: 'array', minItems: 1 },
      },
      required: ['items'],
    },
  },
  required: ['albums'],
};

test('spotify new releases match schema', async () => {
  const id = process.env.SPOTIFY_CLIENT_ID!;
  const secret = process.env.SPOTIFY_CLIENT_SECRET!;

  const creds = Buffer.from(`${id}:${secret}`).toString('base64');
  const auth = await request.newContext();
  const tokRes = await auth.post('https://accounts.spotify.com/api/token', {
    headers: { 'Authorization': `Basic ${creds}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    data: 'grant_type=client_credentials',
  });
  const { access_token } = await tokRes.json();
  await auth.dispose();

  const api = await request.newContext({
    baseURL: 'https://api.spotify.com',
    extraHTTPHeaders: { 'Authorization': `Bearer ${access_token}` },
  });
  const res = await api.get('/v1/browse/new-releases?limit=20');
  expect(res.status()).toBe(200);
  const body = await res.json();

  const validate = ajv.compile(newReleasesSchema);
  const ok = validate(body);
  expect(ok, JSON.stringify(validate.errors, null, 2)).toBe(true);
  expect(body.albums.items).toHaveLength(20);
  await api.dispose();
});

SpotifySchemaTest.java

import com.microsoft.playwright.*;
import com.microsoft.playwright.options.RequestOptions;
import com.fasterxml.jackson.databind.*;
import com.networknt.schema.*;
import java.util.*;
import static org.junit.jupiter.api.Assertions.*;

public class SpotifySchemaTest {
  public static void main(String[] args) throws Exception {
    String id = System.getenv("SPOTIFY_CLIENT_ID");
    String secret = System.getenv("SPOTIFY_CLIENT_SECRET");
    String basic = Base64.getEncoder().encodeToString((id + ":" + secret).getBytes());

    try (Playwright pw = Playwright.create()) {
      APIRequestContext req = pw.request().newContext();
      var tokRes = req.post("https://accounts.spotify.com/api/token",
        RequestOptions.create()
          .setHeader("Authorization", "Basic " + basic)
          .setHeader("Content-Type", "application/x-www-form-urlencoded")
          .setData("grant_type=client_credentials"));
      String token = new ObjectMapper().readTree(tokRes.body()).get("access_token").asText();

      APIRequestContext api = pw.request().newContext(
        new APIRequest.NewContextOptions()
          .setBaseURL("https://api.spotify.com")
          .setExtraHTTPHeaders(Map.of("Authorization", "Bearer " + token)));
      var res = api.get("/v1/browse/new-releases?limit=20");
      assertEquals(200, res.status());

      JsonNode body = new ObjectMapper().readTree(res.body());
      JsonSchema schema = JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V7)
        .getSchema("{ \"type\": \"object\", \"required\": [\"albums\"] }");
      Set<ValidationMessage> errs = schema.validate(body);
      assertTrue(errs.isEmpty(), errs.toString());
    }
  }
}

test_spotify.py

import base64, os
from playwright.sync_api import sync_playwright
from jsonschema import validate, Draft7Validator

NEW_RELEASES = {
  "type": "object",
  "required": ["albums"],
  "properties": {
    "albums": {
      "type": "object",
      "required": ["items"],
      "properties": { "items": { "type": "array", "minItems": 1 } },
    }
  }
}

def test_new_releases():
  client_id = os.environ["SPOTIFY_CLIENT_ID"]
  secret = os.environ["SPOTIFY_CLIENT_SECRET"]
  basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()

  with sync_playwright() as pw:
    req = pw.request.new_context()
    tok = req.post("https://accounts.spotify.com/api/token",
      headers={"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"},
      data="grant_type=client_credentials")
    token = tok.json()["access_token"]

    api = pw.request.new_context(
      base_url="https://api.spotify.com",
      extra_http_headers={"Authorization": f"Bearer {token}"})
    res = api.get("/v1/browse/new-releases?limit=20")
    assert res.status == 200
    body = res.json()
    Draft7Validator(NEW_RELEASES).validate(body)
    assert len(body["albums"]["items"]) == 20