// api-tester.jsx — Postman-like saved-request module. Per-user private, // isolated from FlowBoard's project/task data. Three panes: // // ┌──────────────┬────────────────────────────────────────────────┐ // │ COLLECTIONS │ Method ▾ URL ───────────────────────── Send │ // │ │ Params · Headers · Body · Auth │ // │ + New │ ───────────────────────────────── │ // │ ▸ Stripe │ Response │ // │ GET ... │ 200 OK · 142ms · 4.3KB │ // │ POST .. │ Headers · Body │ // │ ▸ Internal │ │ // └──────────────┴────────────────────────────────────────────────┘ // // All persistence flows through api.apiTester.* — see public/src/api.js. const API_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]; const API_AUTH_TYPES = [ { id: "none", label: "No auth" }, { id: "bearer", label: "Bearer token" }, { id: "basic", label: "Basic auth" }, { id: "apikey", label: "API key (header)" }, { id: "oauth2", label: "OAuth 2.0" }, ]; const API_BODY_TYPES = [ { id: "none", label: "None" }, { id: "json", label: "JSON" }, { id: "raw", label: "Raw text" }, { id: "urlencoded", label: "x-www-form-urlencoded" }, ]; function _newHeaderRow() { return { key: "", value: "", enabled: true }; } function _newCaptureRow() { return { var: "", source: "body", path: "", enabled: true }; } // Tiny JSON path walker — supports `$.foo.bar`, `foo.bar`, // `data.items[0].id`, `[0].name`. Plenty for "pull a token out of a // login response". Not a full JSONPath; we deliberately avoid the // jsonpath-plus baggage. Returns undefined when the path doesn't // resolve so the capture rule reports "not found". function _jsonPath(obj, path) { if (obj == null || !path) return undefined; // Strip leading `$.` or `$` const cleaned = String(path).replace(/^\$\.?/, "").trim(); if (!cleaned) return obj; // Tokenize by `.` and `[N]`. Empty tokens (from leading [) get // filtered. Numeric tokens index arrays; everything else is a key. const tokens = cleaned .replace(/\[(\d+)\]/g, ".$1") .split(".") .filter(Boolean); let cur = obj; for (const t of tokens) { if (cur == null) return undefined; cur = cur[t]; } return cur; } // Coerce captured values to strings for storage in the env (vars are // substituted into URL/header/body strings via `{{name}}` so anything // non-string would JSON-stringify into a confusing literal). function stringifyValues(map) { const out = {}; for (const k of Object.keys(map)) { const v = map[k]; if (v == null) continue; out[k] = (typeof v === "string") ? v : (typeof v === "object" ? JSON.stringify(v) : String(v)); } return out; } function _emptyRequest(name = "New request") { return { id: null, name, method: "GET", url: "", headers: [_newHeaderRow()], body: "", body_type: "none", auth_type: "none", auth_data: {}, // Post-response capture rules. Each row pulls a value out of the // response and writes it to the active environment so the next // request can use it via {{name}}. capture: [], }; } function ApiTesterView() { const [collections, setCollections] = React.useState([]); const [activeCid, setActiveCid] = React.useState(null); const [activeCollection, setActiveCollection] = React.useState(null); // full obj with requests + envs const [activeRid, setActiveRid] = React.useState(null); const [draft, setDraft] = React.useState(_emptyRequest()); const [response, setResponse] = React.useState(null); // { status, headers, body, duration_ms, bytes, truncated } const [running, setRunning] = React.useState(false); const [loading, setLoading] = React.useState(true); const [error, setError] = React.useState(""); const [envEditorOpen, setEnvEditorOpen] = React.useState(false); // Load collections list once on mount. React.useEffect(() => { let cancelled = false; (async () => { try { const list = await api.apiTester.listCollections(); if (cancelled) return; setCollections(Array.isArray(list) ? list : []); if (list && list.length) setActiveCid(list[0].id); } catch (e) { if (!cancelled) setError((e && e.message) || "Couldn't load collections."); } finally { if (!cancelled) setLoading(false); } })(); return () => { cancelled = true; }; }, []); // Whenever the active collection changes, fetch its full payload. React.useEffect(() => { if (!activeCid) { setActiveCollection(null); setActiveRid(null); return; } let cancelled = false; (async () => { try { const c = await api.apiTester.getCollection(activeCid); if (cancelled) return; setActiveCollection(c); // If the previously-active request is in this collection, keep it. const stillThere = c.requests && c.requests.find(r => r.id === activeRid); if (stillThere) { setDraft(_requestToDraft(stillThere)); } else if (c.requests && c.requests.length) { setActiveRid(c.requests[0].id); setDraft(_requestToDraft(c.requests[0])); } else { setActiveRid(null); setDraft(_emptyRequest()); } } catch (e) { if (!cancelled) setError((e && e.message) || "Couldn't load collection."); } })(); return () => { cancelled = true; }; }, [activeCid]); // Hydrate the editor when the active request changes within the // already-loaded collection. React.useEffect(() => { if (!activeCollection || !activeRid) return; const r = activeCollection.requests.find(x => x.id === activeRid); if (r) setDraft(_requestToDraft(r)); }, [activeRid]); function _requestToDraft(r) { return { id: r.id, name: r.name || "", method: r.method || "GET", url: r.url || "", headers: Array.isArray(r.headers) && r.headers.length ? r.headers : [_newHeaderRow()], body: r.body || "", body_type: r.body_type || "none", auth_type: r.auth_type || "none", auth_data: r.auth_data || {}, capture: Array.isArray(r.capture) ? r.capture : [], }; } async function newCollection() { const name = window.prompt("Name for the new collection:", "New collection"); if (!name) return; try { const c = await api.apiTester.createCollection({ name }); setCollections(cs => [...cs, c]); setActiveCid(c.id); } catch (e) { alert("Couldn't create: " + ((e && e.message) || "network error")); } } // Seed a starter collection so users can try the module without // typing out URLs from scratch. Targets httpbin.org because it's // a public, CORS-safe sandbox that echoes back exactly what you // send — perfect for verifying the proxy + auth + variable // substitution all line up. Five requests covering GET / POST + // JSON / headers echo / Bearer auth / API key auth, plus a // single "httpbin (production)" environment with the matching // baseUrl + token variables. const [seeding, setSeeding] = React.useState(false); async function loadSampleCollection() { if (seeding) return; setSeeding(true); try { const col = await api.apiTester.createCollection({ name: "Sample · httpbin", description: "Starter collection that hits httpbin.org — a public echo service. Click any request and Send to verify the proxy + auth + environment variables all work end-to-end.", }); // Environment with the variables the saved requests reference. const env = await api.apiTester.createEnvironment(col.id, { name: "httpbin (production)", variables: { baseUrl: "https://httpbin.org", // A plausible-looking token. httpbin's /bearer endpoint // accepts ANY non-empty bearer, so you'll get a 200 back // and see the token reflected in the response body. token: "demo-bearer-token-1234", apiKey: "demo-api-key-abcdef", }, }); // Wire that env as the collection's active env. await api.apiTester.patchCollection(col.id, { active_env_id: env.id }); // Five demo requests — each one demonstrates one piece of the // module so the user can flip through and see what works. const seeds = [ { name: "1. GET — basic request", method: "GET", url: "{{baseUrl}}/get?ping=hello", headers: [ { key: "Accept", value: "application/json", enabled: true }, ], body_type: "none", auth_type: "none", auth_data: {}, }, { name: "2. POST — JSON body", method: "POST", url: "{{baseUrl}}/post", headers: [{ key: "Accept", value: "application/json", enabled: true }], body_type: "json", body: JSON.stringify({ message: "Hello from FlowBoard's API Tester", ts: new Date().toISOString(), nested: { works: true, count: 3 }, }, null, 2), auth_type: "none", auth_data: {}, }, { name: "3. GET — see your headers", method: "GET", url: "{{baseUrl}}/headers", headers: [ { key: "X-Custom-Header", value: "this-is-a-test", enabled: true }, { key: "X-Disabled-Header", value: "you-shouldnt-see-this", enabled: false }, ], body_type: "none", auth_type: "none", auth_data: {}, }, { name: "4. GET — Bearer auth", method: "GET", url: "{{baseUrl}}/bearer", headers: [], body_type: "none", auth_type: "bearer", // {{token}} resolves from the env. Try editing the env to // an empty string and re-running — you'll get 401. auth_data: { token: "{{token}}" }, }, { name: "5. GET — API key (custom header)", method: "GET", url: "{{baseUrl}}/headers", headers: [], body_type: "none", auth_type: "apikey", auth_data: { header: "X-Api-Key", value: "{{apiKey}}" }, }, ]; for (const r of seeds) { await api.apiTester.createRequest(col.id, r); } // Refresh the list + open the new collection. const list = await api.apiTester.listCollections(); setCollections(list || []); setActiveCid(col.id); } catch (e) { alert("Couldn't load the sample: " + ((e && e.message) || "network error")); } finally { setSeeding(false); } } async function renameCollection() { if (!activeCollection) return; const name = window.prompt("Rename collection:", activeCollection.name); if (!name || name === activeCollection.name) return; try { const c = await api.apiTester.patchCollection(activeCollection.id, { name }); setCollections(cs => cs.map(x => x.id === c.id ? c : x)); setActiveCollection(ac => ({ ...ac, name: c.name })); } catch (e) { alert("Couldn't rename: " + ((e && e.message) || "network error")); } } async function deleteCollection() { if (!activeCollection) return; if (!confirm(`Delete "${activeCollection.name}"? This removes every saved request and environment in this collection.`)) return; try { await api.apiTester.deleteCollection(activeCollection.id); setCollections(cs => cs.filter(x => x.id !== activeCollection.id)); const next = collections.find(c => c.id !== activeCollection.id); setActiveCid(next ? next.id : null); } catch (e) { alert("Couldn't delete: " + ((e && e.message) || "network error")); } } async function newRequest() { if (!activeCollection) return; try { const r = await api.apiTester.createRequest(activeCollection.id, { name: "Untitled request", method: "GET", url: "", }); setActiveCollection(ac => ({ ...ac, requests: [...(ac.requests || []), r] })); setActiveRid(r.id); setDraft(_requestToDraft(r)); } catch (e) { alert("Couldn't create: " + ((e && e.message) || "network error")); } } async function saveRequest() { if (!activeCollection) return; if (!draft.id) { // Save as a new row in the active collection. try { const created = await api.apiTester.createRequest(activeCollection.id, { name: draft.name || "Untitled request", method: draft.method, url: draft.url, headers: draft.headers, body: draft.body, body_type: draft.body_type, auth_type: draft.auth_type, auth_data: draft.auth_data, capture: draft.capture || [], }); setActiveCollection(ac => ({ ...ac, requests: [...(ac.requests || []), created] })); setActiveRid(created.id); setDraft(_requestToDraft(created)); } catch (e) { alert("Couldn't save: " + ((e && e.message) || "network error")); } return; } try { const updated = await api.apiTester.patchRequest(draft.id, { name: draft.name, method: draft.method, url: draft.url, headers: draft.headers, body: draft.body, body_type: draft.body_type, auth_type: draft.auth_type, auth_data: draft.auth_data, capture: draft.capture || [], }); setActiveCollection(ac => ({ ...ac, requests: (ac.requests || []).map(r => r.id === updated.id ? updated : r), })); } catch (e) { alert("Couldn't save: " + ((e && e.message) || "network error")); } } async function deleteRequest(rid) { if (!confirm("Delete this saved request?")) return; try { await api.apiTester.deleteRequest(rid); setActiveCollection(ac => ({ ...ac, requests: (ac.requests || []).filter(r => r.id !== rid), })); if (activeRid === rid) { setActiveRid(null); setDraft(_emptyRequest()); } } catch (e) { alert("Couldn't delete: " + ((e && e.message) || "network error")); } } // Environment lookup — resolve {{name}} placeholders. Active env // is the one whose id matches collection.active_env_id. function activeVars() { if (!activeCollection || !activeCollection.active_env_id) return {}; const e = (activeCollection.environments || []).find(x => x.id === activeCollection.active_env_id); return (e && e.variables) || {}; } async function send() { if (running) return; setRunning(true); setResponse(null); try { const r = await api.apiTester.proxy({ method: draft.method, url: draft.url, headers: draft.headers, body: draft.body, body_type: draft.body_type, auth_type: draft.auth_type, auth_data: draft.auth_data, variables: activeVars(), }); // Evaluate post-response capture rules and stash the resolved // values into the active environment. This is what lets a // login request expose a {{token}} that subsequent requests // pick up automatically — the headline of the script feature. const captured = await applyCaptureRules(r); // Annotate the response so the panel below can show "Captured 2 // variables: token, user_id" after the run. setResponse({ ...r, _captured: captured }); } catch (e) { setResponse({ error: true, message: (e && e.body && (e.body.message || e.body.error)) || (e && e.message) || "Request failed", duration_ms: 0, }); } finally { setRunning(false); } } // Run each enabled capture rule against the response. Returns an // array of { var, value, source, path, ok } so the UI can summarise // what actually got pulled out (and which rules failed). Side // effect: writes resolved variables to the active environment. async function applyCaptureRules(resp) { const rules = Array.isArray(draft.capture) ? draft.capture : []; if (!rules.length || !resp) return []; if (resp.error) return []; // Parse the body once. JSON path rules need it parsed; non-JSON // bodies fall back to the raw string for header/status rules. let parsedBody = null; if (typeof resp.body === "string") { try { parsedBody = JSON.parse(resp.body); } catch { parsedBody = null; } } else if (resp.body && typeof resp.body === "object") { parsedBody = resp.body; } // Headers come back as { name: value } from the proxy; lowercase // the keys for case-insensitive lookup. const lowerHeaders = {}; if (resp.headers && typeof resp.headers === "object") { for (const k of Object.keys(resp.headers)) { lowerHeaders[k.toLowerCase()] = resp.headers[k]; } } const results = []; const setMap = {}; for (const rule of rules) { if (!rule || rule.enabled === false) continue; const varName = String(rule.var || "").trim(); if (!varName) continue; const source = String(rule.source || "body").toLowerCase(); const path = String(rule.path || "").trim(); let value; try { if (source === "header") { value = lowerHeaders[path.toLowerCase()]; } else if (source === "status") { value = resp.status; } else { // body — JSON path value = _jsonPath(parsedBody, path); } } catch { value = undefined; } const ok = value !== undefined && value !== null; results.push({ var: varName, value, source, path, ok }); if (ok) setMap[varName] = value; } // If we got at least one value AND the collection has an active // environment, persist the new variables to it. No active env → // we still surface the captured values in the result panel; the // user gets a hint to pick / create an environment to save them. if (Object.keys(setMap).length && activeCollection && activeCollection.active_env_id) { const envId = activeCollection.active_env_id; const env = (activeCollection.environments || []).find(e => e.id === envId); if (env) { const merged = { ...(env.variables || {}), ...stringifyValues(setMap) }; try { const updated = await api.apiTester.patchEnvironment(envId, { variables: merged }); // Reflect the new vars in local state so later requests in // the same session see them without a reload. setActiveCollection(ac => ({ ...ac, environments: (ac.environments || []).map(e => e.id === envId ? updated : e), })); } catch (e) { console.warn("[capture] couldn't save to environment:", e && e.message); } } } return results; } // Mark capture rules as "no env to save into" so the UI can prompt // the user without us guessing the wrong intent. const _hasActiveEnv = !!(activeCollection && activeCollection.active_env_id); // Auto-save the draft 800ms after the last edit, but only when // there's an active request id (don't accidentally create an // empty record from an idle pane). React.useEffect(() => { if (!draft.id) return; const t = setTimeout(() => { saveRequest(); }, 800); return () => clearTimeout(t); }, [draft.name, draft.method, draft.url, draft.body, draft.body_type, draft.auth_type, JSON.stringify(draft.headers), JSON.stringify(draft.auth_data), JSON.stringify(draft.capture)]); if (loading) { return (
Loading…
); } return (
{/* ── Left rail: collections + requests ─────────────────── */} {/* ── Main pane: editor + response ──────────────────────── */}
{!activeCollection ? (
🛰️

API Tester

Create a collection to start saving requests. Each user's collections are private — your tokens never leave your account.

The sample hits httpbin.org — a public echo service.
Five requests cover GET, POST + JSON, header echo, Bearer auth, and API-key auth, with a matching environment for {`{{baseUrl}}`} and {`{{token}}`}.

) : ( <> {/* ── Top bar — collection breadcrumb + environment picker + collection-level actions. Environment lives here (Postman-style) so it's always one click away from every request without leaving the rail visible. */}
{activeCollection.name} {/* Workspace-shared indicator. Shown when the user isn't the creator — makes it obvious why Rename / Delete are disabled and who to ask if they want a change. */} {activeCollection.is_mine === false && ( Shared{activeCollection.owner_name ? ` · ${activeCollection.owner_name}` : ""} )}
Environment
{/* ── Request title — single-line, click-to-edit */}
setDraft(d => ({ ...d, name: e.target.value }))}/>
{/* ── URL bar — method + URL + send */}
setDraft(d => ({ ...d, url: e.target.value }))} onKeyDown={(e) => { if (e.key === "Enter") send(); }}/>
{/* Tabs — headers / body / auth */} {/* Response panel */} )}
{envEditorOpen && activeCollection && ( setEnvEditorOpen(false)} onChange={(updated) => setActiveCollection(updated)}/> )}
); } // ── Request tabs (Headers / Body / Auth / Capture) ───────────────── function RequestTabs({ draft, setDraft }) { const [tab, setTab] = React.useState("headers"); const captureCount = (draft.capture || []).filter(r => r && r.enabled !== false && (r.var || "").trim()).length; return (
{tab === "headers" && setDraft(d => ({ ...d, headers: h }))}/>} {tab === "body" && } {tab === "auth" && } {tab === "capture" && setDraft(d => ({ ...d, capture: c }))}/>}
); } // ── Capture rules editor ─────────────────────────────────────────── // Rows of "var name | source (body / header / status) | json path | // enabled". After Send, each enabled rule is run against the // response and the resolved value is written to the active env. // // Examples: // var: token source: body path: $.access_token // var: user_id source: body path: $.user.id // var: csrf source: header path: x-csrf-token // var: code source: status path: (ignored) function CaptureEditor({ rules, onChange }) { const list = Array.isArray(rules) ? rules : []; function patch(i, p) { onChange(list.map((r, idx) => idx === i ? { ...r, ...p } : r)); } function remove(i) { onChange(list.filter((_, idx) => idx !== i)); } function add() { onChange([...list, _newCaptureRow()]); } return (
After the request runs, pull values out of the response and save them to the active environment. Reference them in any later request via {"{{var_name}}"}. Tip: a Login request can capture $.access_token as token, then a follow-up request uses Authorization: Bearer {"{{token}}"}.
Variable name Source Path
{list.length === 0 && (
No capture rules yet — add one below.
)} {list.map((r, i) => (
patch(i, { enabled: e.target.checked })} title="Enable / disable this capture rule"/> patch(i, { var: e.target.value })} placeholder="token" className="apit-input"/> patch(i, { path: e.target.value })} placeholder={ (r.source === "header") ? "x-csrf-token" : (r.source === "status") ? "(no path needed)" : "$.access_token" } disabled={r.source === "status"} className="apit-input apit-input-mono"/>
))}
); } function HeadersEditor({ headers, onChange }) { const list = Array.isArray(headers) ? headers : []; function patch(i, p) { onChange(list.map((h, idx) => idx === i ? { ...h, ...p } : h)); } function remove(i) { onChange(list.filter((_, idx) => idx !== i)); } function add() { onChange([...list, { key: "", value: "", enabled: true }]); } return (
{list.map((h, i) => (
patch(i, { enabled: e.target.checked })}/> patch(i, { key: e.target.value })}/> patch(i, { value: e.target.value })}/>
))}
); } function BodyEditor({ draft, setDraft }) { return (
{API_BODY_TYPES.map(bt => ( ))}
{draft.body_type !== "none" && (