Testing Authenticated REST Calls with Behat and Drupal

Prerequisites: Drupal, Behat, Composer, REST

There are plenty of posts out there describing how to make REST calls from a Behat test apparatus. What if, however, you need to take things a step further and make these calls as an authenticated user instead of just an anonymous user? As it turns out, this is both more involved and easier than you might think.

The back end for this project is a composer-based Drupal 8 site, hosted on Pantheon and initially set up with Pantheon’s Build Tools plugin for their Terminus utility. The site exposes a set of endpoints intended for use by a private app and so most of the functionality is restricted to authenticated users. The site also uses cookie-based authentication and requires a JSON request format for incoming calls.

In order to write tests for this scenario, we have to overcome two main obstacles:

  1. We need to be able to specify the payload, method and endpoint for the outgoing REST call and also inspect the responses.
  2. We need to be able to make calls as a user with a particular Drupal role.

As you may already know, Behat (plus Mink) combined with the Behat Drupal Extension has some very nice conveniences, including Behat Steps like

[Given|*] I am logged in as a/an :role

This step creates a user with the given role, then deletes the user when the test is over. All steps in between are executed as the newly created user.

If you search the internet for “Behat REST plugin”, you’ll find a number of solutions, some of which directly use Guzzle to make HTTP calls and some of which extend MinkContext. Choosing one that extends MinkContext is key in this scenario because we want to leverage the benefits given to us by the “…logged in as…” step. We went with the nifty Behatch extension. As you can see from the Behatch instructions, installation of this extension is pretty simple, requiring only a composer command and some minor edits to your behat.yml file.

So far, so good. We can now make REST calls using steps like

Then I send a "GET" request to "my/cool/rest/api"

or even make a POST request, specifying the raw body with a PyString. We can also inspect the responses.

There are a couple of complications, however. First, our calls need to add a Content-Type header equal to application/json. Luckily, Behatch includes the step

[Then|*] I add :name header equal to :value

The second issue is that we need to maintain the CSRF token required by Drupal web services. Luckily, Drupal 8 has a default way to get the token, so all you have to do is write some custom steps in your Behat context to get it and add it to your outgoing calls. Your custom context might contain something like this:

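  /**
   * @Given I get the CSRF Token
   */
  public function getCSRF() {
    $this->getSession()->visit($this->locatePath('/session/token')); // Drupal 8's CSRF token route
    $this->csrf = $this->getSession()->getPage()->getContent();
  }

  /**
   * @Then I add CSRF Token to request
   */
  public function addCSRF() {
    $this->request->setHttpHeader('X-CSRF-TOKEN', $this->csrf); // $this->request is Behatch's request helper
  }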

Finally, a feature might contain something like this:

  Given I am logged in as an "authenticated"
  Given I get the CSRF Token

  Then I add CSRF Token to request
  Then I add "Content-Type" header equal to "application/json"
  When I send a "GET" request to "/my/cool/api?_format=json"
  Then I should get a "200" HTTP response

  Then I add CSRF Token to request
  Then I add "Content-Type" header equal to "application/json"
  When I send a "POST" request to "/my/cool/api?_format=json" with body:
    """
    {
      "name": [{
        "value": "mitsuha"
      }],
      "title": [{
        "value": "Your Name"
      }]
    }
    """
  Then I should get a "201" HTTP response

  Then I add CSRF Token to request
  Then I add "Content-Type" header equal to "application/json"
  When I send a "DELETE" request to "/my/cool/api?_format=json"
  Then I should get a "204" HTTP response

And so, with just some minor custom coding, we are now able to write Behat automated tests for our REST endpoints that require authentication in Drupal.
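
The same steps can also check that the endpoint refuses calls that lack the session or the token. The feature below is an added example, not part of the original post: it reuses the post's placeholder endpoint and step wording, the invalid token value is constructed, and the expected 403 responses are assumptions based on how Drupal 8 core treats cookie-authenticated REST requests to a resource restricted to authenticated users.

```gherkin
Feature: REST endpoint enforces authentication and CSRF protection
  # Added example. /my/cool/api is the post's placeholder endpoint.
  # Assumptions: the resource is restricted to authenticated users, only
  # cookie authentication is enabled, and Drupal 8 core's CSRF header check
  # applies to write requests made with a session cookie.

  Scenario: Anonymous callers are refused
    Given I am an anonymous user
    And I add "Content-Type" header equal to "application/json"
    When I send a "GET" request to "/my/cool/api?_format=json"
    Then I should get a "403" HTTP response

  Scenario: A logged-in user who omits the CSRF token cannot write
    Given I am logged in as an "authenticated"
    # Deliberately no "I get the CSRF Token" / "I add CSRF Token to request" here.
    And I add "Content-Type" header equal to "application/json"
    When I send a "POST" request to "/my/cool/api?_format=json" with body:
      """
      {
        "name": [{ "value": "mitsuha" }],
        "title": [{ "value": "Your Name" }]
      }
      """
    Then I should get a "403" HTTP response

  Scenario: A token that does not belong to the session is refused
    Given I am logged in as an "authenticated"
    # Constructed value: any string that is not this session's token.
    And I add "X-CSRF-Token" header equal to "constructed-invalid-token"
    And I add "Content-Type" header equal to "application/json"
    When I send a "POST" request to "/my/cool/api?_format=json" with body:
      """
      {
        "name": [{ "value": "mitsuha" }],
        "title": [{ "value": "Your Name" }]
      }
      """
    Then I should get a "403" HTTP response
```

If one of these scenarios returns a 2xx response instead, the endpoint accepts calls it should reject, which the happy-path feature alone would not reveal.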

Texas Camp is Ready for You!

This year's location is San Antonio, Texas at Codeup, October 18-19, 2019 (We greatly appreciate Codeup's generosity in sponsoring the location).  

We invite all professional and amateur Drupal developers, those persons who are curious about the Drupal environment, and those interested in networking with Drupal companies and their employees.  It's also aimed at those interested in fine tuning their skills and participating in sprints.

The website is live!!!

Be sure to check the website routinely to stay up-to-date with the latest information on this year's camp.
Checkout the Website

Sessions, Panels, and Lightning Talks

The call for presentations ends on Sunday, September 15 @ midnight CST.

Submit Presentation


The call for trainings ends on Sunday, September 15 @ midnight CST.

Submit Training

Tickets are now available

Before you buy your ticket, there are some things you should know.  Please review ALL the options. 

Community $35 - Designed for those who wouldn't be able to attend at the regular price.  We ask that if you can afford the regular price tickets or if your tickets are paid or reimbursed by your employer, please choose the regular tickets. The price is lower because of our generous sponsors.  Be sure to thank them!  LIMITED AVAILABILITY

Early Nerd $50 - Designed to benefit those who sign up first and early (in comparison to a regular ticket) LIMITED AVAILABILITY

Individual Sponsor $250 - For those attendees who wish to support Texas Camp and the Texas Drupal community (or those with excess professional development budgets :wink:).  Thanks for supporting Texas Camp! You'll get a ticket and, as a token of our appreciation, we'll add your name to our sponsor page. Your donation is tax deductible.

Regular $75 -  Covers the costs for one attendee.

OPTIONAL: If you and a few other employees of your company would like to pool your separate individual sponsorships into a company sponsorship with your company name shown instead of individual names, just send us an email at hello@texascamp.org and we will get your company the recognition it deserves.

Purchase a ticket

After your purchase

Please fill out the 2019 Texas Camp Questionnaire; we want to make the camp the best we can for you.

Fill out the survey


TexasCamp 2019

TexasCamp 2019 has been scheduled!

TexasCamp is a DrupalCamp camp that moves around Texas each year.  This year it will be in San Antonio, at CodeUp, on Oct 19-20.

Details TBA, but go to the site and sign up for the newsletter to receive updates.


September North Texas Drupal Meetup

Please join us in September for our next North Texas Drupal meetup.  The topic will be :

ZSM: a case study in Drupal 8 configuration management

Drupal 8's configuration management system promises not only a means of preserving module configurations in code, but also a means of dynamically changing Views, fields, and other configurations to meet the needs of multiple clients out of a single project codebase.

Michael Nolan from Cerium Software LLC will discuss the Zeomine Server Monitor (ZSM) open source project maintained by CeriumSoft, and how they use D8's configuration management system to build ZSM settings servers that are tailored to the use cases of differing clients. You will learn how to dynamically alter views and fields of "core" objects via add-on-modules, so that dashboards, entity reference settings, and so on will seamlessly update every time you want to add new content types, enable a feature for one client but not another, and so on.

After reviewing the ZSM case study, developers may optionally join in for a workshop in which they will create a simple 3-module library inventory system, in which they can add or remove "book" or "video" content types from a core checkout form.

Date: Tuesday, September 10, 2019

Location: Improving, Plano, TX

Time: 6:30 Networking, 7:00 pm Presentation

We will also be streaming this event; more details later.

Hope to see everyone there!

About our presenter:

Michael Nolan is the founder of Cerium Software LLC, a startup that focuses on automation for university and market research. CeriumSoft maintains the ERC360 broader impact reporting software, along with the Zeomine web crawler and server monitor projects.

May North Texas Drupal Meetup

Join us on May 14th for the next North Texas Drupal Meetup : Introduction to Drupal 8 Development with Drupal Console
Learn how to get started creating custom modules quickly using Drupal Console, a command line boilerplate code generator.
In this session we'll build a custom "Meetup Field" type that accepts a meetup.com group name when editing content, and when the content is viewed, lists the meetup's upcoming events!
You'll see it built and get the code!
6:30 - Pizza and Networking
7:00 - Presentation
About our presenter:
Mark Hanna is Senior Developer for Skvare, a Dallas based web development shop specializing in Drupal and CiviCRM hosting and development for non-profit organizations. For the past 9 years he's been building Drupal websites and developing custom Drupal modules and CiviCRM extensions.


April North Texas Drupal Meetup

Join us on April 9th as Allan Chappell from Four Kitchens lets us know that Drupal 7 development can still be fun and modern.
Yes, I know this is during DrupalCon! But lots of us aren't going, so we are going to plan this anyway - please RSVP soon if you plan to go or comment if you can't, and if enough people will be here and want to attend we will have it - otherwise, we will push it into a later month.
6:30 - Pizza and Networking
7:00 - Presentation
From Allan-
As a support technical lead, the majority of support offerings are still in Drupal 7. With that said, your development practices do not have to lag behind those who get Drupal 8 OOP projects.
I will give some neat tips about using XAutoload and composer for Drupal 7 to make developing Drupal 7 use the same muscles and continue to be fun.

About Allan-

Senior Support Lead @ Four Kitchens
Allan brings solid practical solutions to the table for any level of technical complexity. He has a bachelor’s degree in computer information systems specializing in web development, and is a Zend Certified PHP Engineer and an Acquia Certified Developer. He specializes in DevOps, automated testing, automated code delivery, and continuous integration.

It's Time to Upgrade to Drupal 8


As a Drupal site user you already enjoy the best open source platform for your website or web application, with millions of man hours of development time over 15 years and tens of thousands of available modules to add functionality. But if you are still on Drupal 7, you are missing out on some important features, and you won't be ready when Drupal 7 goes end-of-life and loses community support for bug fixes and security updates.

Drupal 8 was released on Nov 19, 2015 - the end result of over 3,000 core contributors, and the biggest update to Drupal ever.  This update included hundreds of improvements, some of which include:

  • Mobile-first, responsive, HTML5 output and mobile content-editing and site management support with a new mobile-friendly admin toolbar
  • Significantly improved overall website performance and load times (an important SEO factor!), including BigPipe - first developed at Facebook
  • Much better support for content editors, with built in WYSIWYG editing, in-context editing, and previews
  • Much improved support for media management, including drag&drop image uploads, and native audio and video support with the new Media module in Drupal 8.5
  • Full translatability and localization out of the box- with 100 languages available - and you can even moderate different language versions of the same page independently
  • Enhanced accessibility and WAI-ARIA compliance
  • Drupal 8 can be a central repository to manage and serve all your decoupled data- to advanced Javascript (React, Angular, ..) user interfaces, mobile applications, Alexa or Google home devices, video walls, whatever!
And for the developer-centric:

  • REST-first native web services
  • Modern PHP standards and practices, with integration of popular libraries such as Composer, Symfony2, Guzzle, and Twig
  • Comprehensive content modeling out of the box with entities, fields, and views
  • Enhanced caching and best-of-class integration with CDNs and reverse proxies
  • Full compatibility with PHP7, and the PostgreSQL and SQLite databases
  • Reliable configuration management for safe and straightforward deployment of changes between environments

Three+ years later, Drupal 8 is very stable and full featured. And it is time to upgrade.

But I bet you are thinking, "well if Drupal 8 is now three years old, then maybe I should just wait for Drupal 9?".  Drupal 9 is scheduled for release on June 3, 2020. But Drupal 9 will be a different beast altogether.

One of Drupal's strengths (and weaknesses, honestly) has always been that with each new major version, Drupal breaks with old constraining technology (and what we call technical debt) and rebuilds with new better components, internal code, and modern third party systems.  While this does make each new version of Drupal the best open source CMS available - 15 years later Drupal is still the top choice for ambitious web experiences - it does require a more complex upgrade process between major versions.

But that ends with Drupal 9.  From Drupal's founder, Dries Buytaert, in his post Making Drupal Upgrades Easy Forever:

We see a way to keep innovating while providing a smooth upgrade path and learning curve from Drupal 8 to Drupal 9 ... we will continue to introduce new features and backwards-compatible changes in Drupal 8 releases. In the process, we sometimes have to deprecate old systems. Instead of removing old systems, we will keep them in place and encourage module maintainers to update to the new systems. This means that modules and custom code will continue to work ... Over time, maintaining backwards compatibility will become increasingly complex. Eventually, we will reach a point where we simply have too much deprecated code in Drupal 8. At that point, we will choose to remove the deprecated systems and release that as Drupal 9.
This means that Drupal 9.0 should be almost identical to the last Drupal 8 release, minus the deprecated code. It means that when modules take advantage of the latest Drupal 8 APIs and avoid using deprecated code, they should work on Drupal 9. Updating from Drupal 8's latest version to Drupal 9.0.0 should be as easy as updating between minor versions of Drupal 8. It also means that Drupal 9 gives us a clean slate to start innovating more rapidly again.

Dries goes on to suggest this:

If you are planning to migrate directly from Drupal 7 to Drupal 9, you should reconsider that approach. In this new model, it might be more beneficial to upgrade to Drupal 8. Once you’ve migrated your site to Drupal 8, subsequent upgrades will be much simpler.

Drupal 7 support officially ends in 2021. Which means no more updates. But don't wait until then! Upgrade now to Drupal 8 while there is plenty of time, and so you can enjoy the benefits.

And we can help - we have already upgraded dozens of Drupal 7 sites to Drupal 8, and they all work better and run faster. And are ready for Drupal 9.

North Texas Drupal Users Group September Meetup- Drupal 8 Revisited

The summer doldrums and vacations are over, time to get back to the North Texas Drupal Users Group meetups that FireRoad Digital organizes.

We'll be taking another look at Drupal 8, as it approaches its one year anniversary, and its upcoming 8.2 release.

We have a great speaker for this meetup, from one of the biggest Drupal agencies in the world - FFW Center of Excellence Director Ray Saltini.

Full details and RSVP on our NTXDUG Meetup page.  See you there!

Mobile Performance with Drupal - Part 1, Testing

I don't think you need yet another blog post to tell you mobile is becoming a bigger and bigger thing. Your website has to look good and perform well on mobile - you know that. But is it? How do you tell? How do you improve?

We here at FireRoad Digital are very data driven. So our process for improving mobile performance for our client Drupal sites uses the same general methodology we use for most everything:

  1. Implement best-practice techniques for implementing a certain functionality or improvement, based on our experience with developing and enhancing literally figuratively millions of Drupal websites
  2. Test, measure, analyze the results
  3. Iterate based on what we've learned

Let's look at our own FireRoad website as an example of this process. We developed it in Drupal 7 to be mobile responsive from the beginning, meaning it dynamically optimizes how the content and user interface is displayed and interacted with by the viewer based on the device being used. So we've already done part of Step 1- the basics- but for the sake of example, let's do some testing and analyzing of the initial website before we would normally go through our typical optimization process.

We can also use this opportunity to try out Test My Site, a new super easy to use and understand website usability and performance test tool from Google. Based on their PageSpeed Insights, which has been embedded in their other tools such as the Google Search Console, this tool doesn't require a Google account to use and provides easily understandable results, with clear actions for improvement.

Let's be brave (and transparent) and run this tool on fireroaddigital.com

Google mobile test - first screen


Click TEST NOW and the tool will scan and process your site for a few seconds, and dispense some wisdom about mobile viewing habits and statistics while you wait.

Shortly you will see the results summary page, which for our site is ..


Google mobile test results summary


Our "mobile friendliness score is good" !  Good ... but looks like we could improve.  Click on the GET MY FREE REPORT button and Google will send you a lovely PDF with more details and action items. We can also step through the different categories right now and drill into the details.  Just scroll down ...


Google mobile test results- Friendliness
Google mobile test results- Speed
Google mobile test results- Desktop

So what to do next?  The first category - Mobile Friendliness - shows how well we developed our mobile look & feel to both look good on mobile devices, as well as be optimized for mobile interaction. Looks like we've done pretty well there- the general process of developing Drupal mobile friendliness deserves a blog post of its own, including Drupal theming, media queries, Bootstrap and grids, and lots more ... which we totally should get around to writing one of these days. But looks like there are still a few points we could eke out with some tweaking.

We did the worst on the second category - Mobile Speed. We already run on the fastest, most powerful Drupal hosting platform around - Pantheon - with plenty of processing power, RAM, SSD drives, Varnish caching, and just about anything else that can be done to increase server response. Since we are not directly managing our web server (with good reason), we do have limited options on what we can change there. On the client side, maybe some of our images are too large to download on mobile quickly. Maybe we should use a Content Delivery Network. Maybe we haven't configured caching on the client side correctly. Lots of options here.

And thirdly, this test looks at our desktop speed. There will be some similar criteria as the mobile speed, with more leeway given since desktop users typically have more bandwidth available and larger images are needed to fill up bigger desktop monitors.  We did well, but we won't ever be satisfied with a B+.

In parts 2, 3 and 4 of this series we will look at each category - why we received the grade we did and what specifically we can do to improve each number. Stay tuned - we are going for 100 / 100 / 100 !

Longer Title and Descriptions on Google Search Results

In their often unannounced, sneaky fashion, Google has apparently snuck in an update to search results pages (SERP) that increases the size of the display Titles and Descriptions.  This gives webmasters and SEOs more room to describe and market pages!

The previous generally-accepted guidance for page title lengths was around 55 characters before Google chopped it off ... now it looks like you can go to 65-70 characters.

For page descriptions, 150-160 characters was the consensus length, which generally came in around 2 lines ... now we are sometimes seeing 3 lines, and up to 15-20 more characters per line. That is a lot more space to describe your pages.

Here is a very recent example of a Google search:

So what to do with this new exciting update? Update your pages with longer page titles and meta descriptions! Give it a day or two, then check your search results and see how it looks. Iterate and tweak as needed.

And how do you do that on your Drupal website?  Our Implementing Google Ranking Factors in Drupal guide will give you the step-by-step details, or you can just make sure you are running the Drupal Metatag module and use it to set detailed, active and unique description and page titles for your home page and all other pages on your site. Be sure to check your Google Search Console results for what Google thinks of your page titles and descriptions.