Postman Tests
SlotsOne API — Full Regression Suite (Slots, European Roulette, American Roulette, Book of Dead, Wallet)
Download the collection and environment, then run the full regression suite in Postman or Newman. Includes pre-request scripts with Postman faker variables and post-response test assertions.
Test Coverage
| ID | Category | Description | Expects |
|---|---|---|---|
| AUTH-01 | Auth | POST /auth/register — new user, returns access_token | 201, access_token, token_type |
| AUTH-02 | Auth | POST /auth/register — duplicate email | 409, code: email_taken |
| AUTH-03 | Auth | POST /auth/register — invalid body (missing password) | 400, code: invalid_body |
| AUTH-04 | Auth | POST /auth/login — valid credentials, saves jwt_token | 200, access_token saved to env |
| AUTH-05 | Auth | POST /auth/login — wrong password | 401, code: invalid_credentials |
| AUTH-06 | Auth | POST /auth/login — missing body | 400, code: invalid_body |
| AUTH-07 | Auth | POST /auth/refresh — valid cookie, rotates token | 200, new access_token |
| AUTH-08 | Auth | POST /auth/refresh — no cookie | 401, code: missing_refresh_token |
| AUTH-09 | Auth | POST /auth/logout — revokes all refresh tokens | 204 No Content |
| TC-01 | Happy Path | POST /game/init — successful initialization | 200, session_id, config (min/max bet), balance |
| TC-02 | Happy Path | POST /spin — valid bet, full outcome | 200, spin_id, reel_matrix, win, balance |
| TC-03 | Happy Path | POST /spin — balance delta validation | balance_after = balance_before − bet + win |
| TC-04 | Happy Path | POST /spin — Free Spins bonus trigger | 200, bonus_triggered.type = free_spins |
| TC-05 | Negative | POST /spin — missing Authorization header | 401 Unauthorized |
| TC-06 | Negative | POST /spin — bet exceeds balance (999 999) | 422, code: insufficient_balance |
| TC-07 | Negative | POST /spin — negative bet amount (−100) | 400 Bad Request |
| TC-08 | Negative | POST /spin — duplicate Idempotency-Key | 409 or 200 with same spin_id |
| TC-09 | Negative | POST /spin — JWT with alg: none | 401 Unauthorized |
| TC-10 | Negative | GET /history — IDOR via foreign user_id param | 403 or 200 with own data only |
| TC-11 | Security | POST /spin — SQL injection in bet.amount | 4xx, no 500, SQL not executed |
| TC-12 | Security | POST /spin — XSS payload in session_id | 4xx, no <script> in response body |
| TC-13 | Security | POST /spin — rate limit (50 req/s via Runner) | 429 with Retry-After after threshold |
| TC-14 | Security | POST /spin — replay attack (intercepted request) | 200 same spin_id or 409, no double debit |
| TC-15 | Happy Path | GET /history — own spin history | 200, items[], total, limit, offset |
| TC-16 | Happy Path | GET /history — pagination (limit=2) | items.length ≤ 2, limit echoed |
| TC-17 | Negative | GET /history — no Authorization header | 401 Unauthorized |
| TC-18 | Negative | POST /spin — invalid session_id | 403, code: session_expired |
| TC-19 | Negative | POST /spin — game_id mismatch | 400, code: invalid_game_id |
| TC-20 | Negative | POST /spin — bet below min (0.001) | 422, code: invalid_bet |
| TC-21 | Negative | POST /spin — unsupported currency (EUR) | 422, code: invalid_currency |
| TC-22 | Negative | POST /spin — lines out of range (0) | 422, code: invalid_lines |
| TC-23 | Negative | POST /spin — idempotency key reused with different payload | 409, code: idempotency_key_reused |
| EUR-01 | EU Roulette | POST /roulette/init — session with 37-number config | 200, variant: european, numbers: 37 |
| EUR-02 | EU Roulette | POST /roulette/spin — straight + red bet | 200, winning_number 0-36, breakdown[] |
| EUR-03 | EU Roulette | POST /roulette/spin — split + column bet | 200, balance delta matches payout |
| EUR-04 | EU Roulette | POST /roulette/spin — La Partage on even-money bet (zero) | 200, half bet returned on 0 |
| EUR-05 | Negative | POST /roulette/spin — invalid bet type | 400, validation error |
| EUR-06 | Negative | POST /roulette/spin — bet exceeds balance | 422, insufficient_balance |
| AMR-01 | US Roulette | POST /american-roulette/init — 38-number config with 00 | 200, variant: american, numbers: 38 |
| AMR-02 | US Roulette | POST /american-roulette/spin — straight + red bet | 200, winning_number -1..36, breakdown[] |
| AMR-03 | US Roulette | POST /american-roulette/spin — Top Line bet (0, 00, 1, 2, 3) | 200, 6:1 payout on win |
| AMR-04 | Negative | POST /american-roulette/spin — no auth header | 401 Unauthorized |
| AMR-05 | Negative | POST /american-roulette/spin — zero bet amount | 400, validation error |
| BOD-01 | Book of Dead | POST /game/init — Init Book of Dead session | 200, session_id, game_id=slot_book_of_dead_001, paylines=10 |
| BOD-02 | Book of Dead | POST /spin — Spin with valid bet (10 lines) | 200, spin_id, 5×3 reel_matrix, win ≥ 0 |
| BOD-03 | Book of Dead | POST /spin — Verify BoD-specific symbols in matrix | Matrix contains BoD symbols (RichWilde, Osiris, Anubis, Horus, Book, A-10) |
| BOD-04 | Book of Dead | POST /spin — Verify config RTP ~96.21% | config.rtp close to 96.21 |
| WAL-01 | Wallet | POST /wallet/topup — Top up balance $500 | 200, credited=500, balance updated |
| WAL-02 | Wallet | POST /wallet/topup — Top up with zero amount | 400, validation error |
| WAL-03 | Wallet | POST /wallet/topup — Top up without auth | 401, unauthorized |
| WAL-04 | Wallet | POST /admin/api/players/{id}/topup — Admin top-up $100 | 200, credited=100, balance updated, txn recorded with type=topup |
| WAL-05 | Wallet | POST /admin/api/players/{id}/topup — Audit log created | AuditLog entry: BALANCE_ADJUSTMENT, admin ID, amount, txn ID |
| WAL-06 | Wallet | POST /admin/api/players/{id}/topup — Invalid amount (0, negative, >100k) | 400, validation error, balance unchanged |
| WAL-07 | Wallet | POST /admin/api/players/{id}/topup — Non-existent player | 404, "Player not found" |
| PF-01 | Provably Fair | GET /provably-fair/current — active seed pair | 200, server_seed_hash, client_seed, nonce |
| PF-02 | Provably Fair | POST /provably-fair/rotate — reveals old server seed | 200, previous seed revealed, new hash |
| PF-03 | Provably Fair | PUT /provably-fair/client-seed — update client seed | 200, client_seed updated |
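
The idempotency and replay expectations in TC-03, TC-08, TC-14 and TC-23 can be evaluated together from two captured exchanges. The checker below is an added example and is not part of the SlotsOne collection; the exchange shape, the reading of `balance` in a spin response as the post-spin balance, and the function names are assumptions, and the sample data is constructed.

```javascript
// Added example (not from the SlotsOne collection). Assumed exchange shape:
//   { payload: { bet: { amount }, ... }, status, body: { spin_id, win, balance, code } }
// body.balance is assumed to be the balance after the spin.

// Compare money in integer cents to avoid floating-point drift.
const cents = (x) => Math.round(Number(x) * 100);

// TC-03: balance_after = balance_before - bet + win
function balanceDeltaOk(balanceBefore, bet, body) {
  return cents(body.balance) === cents(balanceBefore) - cents(bet) + cents(body.win);
}

// Returns the failed expectations for a request re-sent with the same
// Idempotency-Key. balanceAfterReplay is the balance observed after the replay.
function checkReplay(balanceBefore, first, replay, balanceAfterReplay) {
  const failures = [];
  if (first.status !== 200) return ['first spin was not accepted'];
  if (!balanceDeltaOk(balanceBefore, first.payload.bet.amount, first.body)) {
    failures.push('TC-03: balance delta mismatch');
  }
  // Key order matters for this comparison; the samples keep it stable.
  const samePayload = JSON.stringify(first.payload) === JSON.stringify(replay.payload);
  if (samePayload) {
    const sameSpin = replay.status === 200 && replay.body.spin_id === first.body.spin_id;
    if (!sameSpin && replay.status !== 409) {
      failures.push('TC-08/TC-14: replay created a new spin');
    }
  } else if (replay.status !== 409 || replay.body.code !== 'idempotency_key_reused') {
    failures.push('TC-23: key reuse with a different payload was not rejected');
  }
  if (cents(balanceAfterReplay) !== cents(first.body.balance)) {
    failures.push('TC-14: balance changed after replay (double debit)');
  }
  return failures;
}

// Constructed sample data.
const first = { payload: { bet: { amount: 1.0 }, lines: 10 }, status: 200,
  body: { spin_id: 'spin-1', win: 0.5, balance: 99.5 } };
const okReplay = { payload: first.payload, status: 200, body: first.body };
const doubleDebit = { payload: first.payload, status: 200,
  body: { spin_id: 'spin-2', win: 0, balance: 98.5 } };
const changedPayload = { payload: { bet: { amount: 5.0 }, lines: 10 }, status: 200,
  body: { spin_id: 'spin-3', win: 0, balance: 94.5 } };

console.log(checkReplay(100, first, okReplay, 99.5));
console.log(checkReplay(100, first, doubleDebit, 98.5));
console.log(checkReplay(100, first, changedPayload, 94.5));
```
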
Quick Start
- Open Postman and import `slots-collection.json` — all variables are included in the collection.
- Base URL is pre-configured to `https://pyavchik.space`. Run Auth → Register first — `jwt_token` is saved automatically.
- Run a single request: open it → Send → check the Test Results tab.
- Run the full suite: right-click the collection → Run collection.
Newman CLI
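```
npx newman run slots-collection.json
```
With HTML report (the `htmlextra` reporter requires the `newman-reporter-htmlextra` package to be installed alongside Newman):
```
npx newman run slots-collection.json -r htmlextra --reporter-htmlextra-export report.html
```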