Add Performance Test Project to JavaScript Repository

.github/instructions/code-review.instructions.md

@@ -0,0 +1,136 @@
+---
+description: 'Code review instructions for GitHub Copilot'
+applyTo: '**'
+excludeAgent: ["coding-agent"]
+---
+
+## General Review Principles
+
+When performing a code review, follow these principles:
+
+1. **Be specific**: Reference exact lines, files, and provide concrete examples
+2. **Provide context**: Explain WHY something is an issue and the potential impact
+3. **Suggest solutions**: Show corrected code when applicable, not just what's wrong
+4. **Be constructive**: Focus on improving the code, not criticizing the author
+5. **Recognize good practices**: Acknowledge well-written code and smart solutions
+6. **Be pragmatic**: Not every suggestion needs immediate implementation
+7. **Group related comments**: Avoid multiple comments about the same topic
+
+## Code Quality Standards
+
+When performing a code review, check for:
+
+### Clean Code
+- Descriptive and meaningful names for variables, methods, and classes
+- Single Responsibility Principle: each function/class does one thing well
+- DRY (Don't Repeat Yourself): no code duplication
+- Avoid deeply nested code (max 3-4 levels)
+- Avoid magic numbers and strings (use constants)
+- Code should be self-documenting; comments only when necessary
+
+### Error Handling
+- Proper error handling at appropriate levels
+- Meaningful error messages
+- No silent failures or ignored exceptions
+- Fail fast: validate inputs early
+- Use appropriate error types/exceptions
+
+## Security Review
+
+When performing a code review, check for security issues:
+
+- **Sensitive Data**: No passwords, API keys, tokens, or PII in code or logs
+- **Input Validation**: All user inputs are validated and sanitized
+- **SQL Injection**: Use parameterized queries, never string concatenation
+- **Authentication**: Proper authentication checks before accessing resources
+- **Authorization**: Verify user has permission to perform action
+- **Cryptography**: Use established libraries, never roll your own crypto
+- **Dependency Security**: Check for known vulnerabilities in dependencies
+
+## Testing Standards
+
+When performing a code review, verify test quality:
+
+- **Coverage**: Critical paths and new functionality must have tests
+- **Test Names**: Descriptive names that explain what is being tested
+- **Test Structure**: Clear Arrange-Act-Assert or Given-When-Then pattern
+- **Independence**: Tests should not depend on each other or external state
+- **Assertions**: Use specific assertions, avoid generic assertTrue/assertFalse
+- **Edge Cases**: Test boundary conditions, null values, empty collections
+- **Mock Appropriately**: Mock external dependencies, not domain logic
+
+## Architecture and Design
+
+When performing a code review, verify architectural principles:
+
+- **Separation of Concerns**: Clear boundaries between layers/modules
+- **Dependency Direction**: High-level modules don't depend on low-level details
+- **Interface Segregation**: Prefer small, focused interfaces
+- **Loose Coupling**: Components should be independently testable
+- **High Cohesion**: Related functionality grouped together
+- **Consistent Patterns**: Follow established patterns in the codebase
+
+## Documentation Standards
+
+When performing a code review, check documentation:
+
+- **Complex Logic**: Non-obvious logic should have explanatory comments
+- **README Updates**: Update README when adding features or changing setup
+- **Breaking Changes**: Document any breaking changes clearly
+- **Examples**: Provide usage examples for complex features
+
+## Comment Format Template
+
+When performing a code review, use this format for comments:
+
+```markdown
+**[PRIORITY] Category: Brief title**
+
+Detailed description of the issue or suggestion.
+
+**Why this matters:**
+Explanation of the impact or reason for the suggestion.
+
+**Suggested fix:**
+[code example if applicable]
+
+**Reference:** [link to relevant documentation or standard]
+```
+
+## Review Checklist
+
+When performing a code review, systematically verify:
+
+### Code Quality
+- [ ] Code follows consistent style and conventions
+- [ ] Names are descriptive and follow naming conventions
+- [ ] Functions/methods are small and focused
+- [ ] No code duplication
+- [ ] Complex logic is broken into simpler parts
+- [ ] Error handling is appropriate
+- [ ] No commented-out code or TODO without tickets
+
+### Security
+- [ ] No sensitive data in code or logs
+- [ ] Input validation on all user inputs
+- [ ] No SQL injection vulnerabilities
+- [ ] Authentication and authorization properly implemented
+- [ ] Dependencies are up-to-date and secure
+
+### Testing
+- [ ] New code has appropriate test coverage
+- [ ] Tests are well-named and focused
+- [ ] Tests cover edge cases and error scenarios
+- [ ] Tests are independent and deterministic
+- [ ] No tests that always pass or are commented out
+
+### Architecture
+- [ ] Follows established patterns and conventions
+- [ ] Proper separation of concerns
+- [ ] No architectural violations
+- [ ] Dependencies flow in correct direction
+
+### Documentation
+- [ ] Complex logic has explanatory comments
+- [ ] README is updated if needed
+- [ ] Breaking changes are documented

.github/workflows/run-performance-tests.yaml

@@ -0,0 +1,52 @@
+name: Run Performance Tests
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  actions: read
+  checks: write
+
+jobs:
+  performance-test:
+    name: Run k6 Performance Tests
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup k6
+      uses: grafana/setup-k6-action@v1
+
+    - name: Run ping performance tests
+      uses: grafana/run-k6-action@v1
+      env:
+        BASE_URL: ${{ secrets.BASE_URL }}
+        API_USERNAME: ${{ secrets.API_USERNAME }}
+        API_PASSWORD: ${{ secrets.API_PASSWORD }}
+      with:
+        path: ./performance/tests/ping-performance-tests.js
+
+    - name: Run auth performance tests
+      uses: grafana/run-k6-action@v1
+      env:
+        BASE_URL: ${{ secrets.BASE_URL }}
+        API_USERNAME: ${{ secrets.API_USERNAME }}
+        API_PASSWORD: ${{ secrets.API_PASSWORD }}
+      with:
+        path: ./performance/tests/auth-performance-tests.js
+
+    - name: Run booking performance tests
+      uses: grafana/run-k6-action@v1
+      env:
+        BASE_URL: ${{ secrets.BASE_URL }}
+        API_USERNAME: ${{ secrets.API_USERNAME }}
+        API_PASSWORD: ${{ secrets.API_PASSWORD }}
+      with:
+        path: ./performance/tests/booking-performance-tests.js

README.md

@@ -1 +1,15 @@
-# demo-rest-api-tests-javascript
+# demo-rest-api-tests-javascript
+
+JavaScript-based test suites for the [Restful Booker API](https://restful-booker.herokuapp.com). This repository is organized by test layer, with each layer living in its own top-level folder alongside its own dependencies, configuration, and documentation.
+
+## Test Layers
+
+| Folder | Type | Tool |
+|---|---|---|
+| `performance/` | Performance & load testing | [k6](https://k6.io) |
+
+Each folder contains its own `README.md` with setup instructions, how to run the tests, and any relevant configuration details.
+
+## API Under Test
+
+All test layers target the [Restful Booker API](https://restful-booker.herokuapp.com), a publicly hosted demo API that exposes endpoints for health checks, authentication, and hotel booking management.

performance/README.md

@@ -0,0 +1,61 @@
+Performance tests for the [Restful Booker API](https://restful-booker.herokuapp.com) written in JavaScript using [k6](https://k6.io).
+
+## Overview
+
+This project contains load and performance tests that validate the Restful Booker API under concurrent traffic. Tests are organized by endpoint and use a shared load profile with ramp-up and ramp-down stages.
+
+**Endpoints covered:**
+
+| Test Suite | Endpoint                                                                                                    | Operations       |
+| ---------- | ----------------------------------------------------------------------------------------------------------- | ---------------- |
+| Ping       | `GET /ping`                                                                                               | Health check     |
+| Auth       | `POST /auth`                                                                                              | Token generation |
+| Booking    | `GET /booking`, `POST /booking`, `GET /booking/{id}`, `PUT /booking/{id}`, `DELETE /booking/{id}` | Full CRUD        |
+
+## Prerequisites
+
+- [k6](https://k6.io/docs/get-started/installation/) installed and available on your `PATH`
+
+## Running the Tests
+
+From the `performance/` directory:
+
+```bash
+# Run individual test suites
+npm run test:ping
+npm run test:auth
+npm run test:booking
+
+# Run a quick smoke test (1 VU, 1 iteration)
+npm run test:smoke
+
+# Run all suites sequentially
+npm run test:all
+```
+
+## Configuration
+
+The following environment variables can be set to override defaults:
+
+| Variable         | Default                                  | Description   |
+| ---------------- | ---------------------------------------- | ------------- |
+| `BASE_URL`     | `https://restful-booker.herokuapp.com` | API base URL  |
+
+Example:
+
+```bash
+k6 run -e BASE_URL=https://my-api.example.com tests/booking-performance-tests.js
+```
+
+## Performance Thresholds
+
+All test suites enforce the following global thresholds:
+
+| Metric                        | Threshold |
+| ----------------------------- | --------- |
+| Error rate                    | < 1%      |
+| 95th percentile response time | < 3000 ms |
+| 99th percentile response time | < 5000 ms |
+| Check pass rate               | > 95%     |
+
+Individual suites apply tighter per-endpoint thresholds on top of these defaults.

performance/config/environments.js

@@ -0,0 +1,3 @@
+export const BASE_URL = __ENV.BASE_URL || 'https://restful-booker.herokuapp.com';
+export const API_USERNAME = __ENV.API_USERNAME;
+export const API_PASSWORD = __ENV.API_PASSWORD;

performance/config/thresholds.js

@@ -0,0 +1,6 @@
+// Threshold definitions shared across all performance test scripts.
+export const defaultThresholds = {
+  http_req_failed: ['rate<0.01'],
+  http_req_duration: ['p(95)<3000', 'p(99)<5000'],
+  checks: ['rate>0.95'],
+};

performance/helpers/auth-helper.js

@@ -0,0 +1,16 @@
+import http from 'k6/http';
+import { BASE_URL, API_USERNAME, API_PASSWORD } from '../config/environments.js';
+
+export function getAuthToken() {
+  const payload = JSON.stringify({
+    username: API_USERNAME,
+    password: API_PASSWORD,
+  });
+
+  const params = {
+    headers: { 'Content-Type': 'application/json' },
+  };
+
+  const res = http.post(`${BASE_URL}/auth`, payload, params);
+  return res.json('token');
+}

performance/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "restful-booker-api-performance-tests",
+  "version": "1.0.0",
+  "description": "K6 performance tests for the Restful Booker API",
+  "scripts": {
+    "test:ping": "k6 run tests/ping-performance-tests.js",
+    "test:auth": "k6 run tests/auth-performance-tests.js",
+    "test:booking": "k6 run tests/booking-performance-tests.js",
+    "test:smoke": "k6 run --vus 1 --iterations 1 tests/booking-performance-tests.js",
+    "test:all": "npm run test:ping && npm run test:auth && npm run test:booking"
+  }
+}

performance/tests/auth-performance-tests.js

@@ -0,0 +1,38 @@
+import http from 'k6/http';
+import { check, sleep } from 'k6';
+import { BASE_URL, API_USERNAME, API_PASSWORD } from '../config/environments.js';
+import { defaultThresholds } from '../config/thresholds.js';
+
+export const options = {
+  stages: [
+    { duration: '10s', target: 5 },
+    { duration: '20s', target: 5 },
+    { duration: '10s', target: 0 },
+  ],
+  thresholds: {
+    ...defaultThresholds,
+    'http_req_duration{endpoint:auth}': ['p(95)<2000'],
+  },
+};
+
+export default function () {
+  const payload = JSON.stringify({
+    username: API_USERNAME,
+    password: API_PASSWORD,
+  });
+
+  const params = {
+    headers: { 'Content-Type': 'application/json' },
+    tags: { endpoint: 'auth' },
+  };
+
+  const res = http.post(`${BASE_URL}/auth`, payload, params);
+
+  check(res, {
+    'POST /auth returns 200': (r) => r.status === 200,
+    'POST /auth response contains token': (r) =>
+      r.json('token') !== undefined && r.json('token') !== null,
+  });
+
+  sleep(1);
+}