Slots API — Regression Suite

Test Guide

32 requests · 4 categories

Auth: AUTH-01–09 · Happy Path: TC-01–04, 15–16 · Negative: TC-05–10, 17–23 · Security: TC-11–14

Files

Import both files into Postman before running the suite.

| File | Description |
|---|---|
| slots-collection.json | Requests + test scripts (TC-01 … TC-14) |

Collection Variables

All variables are included in the collection. Variables marked auto are set by pre-request/post-response scripts at runtime.

| Variable | Example | Description |
|---|---|---|
| base_url | https://pyavchik.space | API base URL (use http://localhost:3001 for local dev) |
| jwt_token | eyJhbGciOiJSUzI1NiIs… | JWT Bearer token (obtain from POST /auth/login) |
| session_id | set by TC-01 | Game session identifier — auto-populated by TC-01 |
| user_id | 12345 | User ID used for IDOR checks (TC-10) |
| game_id | slot_mega_fortune_001 | Game ID passed to /game/init |
| last_spin_id | auto | Saved by TC-02 from spin response |
| balance_before_spin | auto | Saved by TC-02 for delta validation in TC-03 |
| idempotency_key | auto | Saved by TC-08 for replay tests |

Test Cases

23 test cases across three categories. TC-01 runs first and seeds session_id for all subsequent requests.

Auth

| ID | Request | Expected |
|---|---|---|
| AUTH-01 | POST /auth/register — new user; test script auto-saves access_token to jwt_token env variable | 201 · access_token |
| AUTH-02 | POST /auth/register — duplicate email (same address as above) → email_taken | 409 · email_taken |
| AUTH-03 | POST /auth/register — missing password field → invalid_body | 400 · invalid_body |
| AUTH-04 | POST /auth/login — valid credentials; auto-saves jwt_token and sets refresh_token cookie for subsequent requests | 200 · token saved |
| AUTH-05 | POST /auth/login — correct email, wrong password → invalid_credentials | 401 · invalid_credentials |
| AUTH-06 | POST /auth/login — empty body, both fields missing → invalid_body | 400 · invalid_body |
| AUTH-07 | POST /auth/refresh — uses the refresh_token cookie set by Login; returns new access_token and rotates the cookie | 200 · new access_token |
| AUTH-08 | POST /auth/refresh — no refresh_token cookie (Cookie header deliberately empty) → missing_refresh_token | 401 · missing_refresh_token |
| AUTH-09 | POST /auth/logout — revokes all refresh tokens for the user, clears the refresh_token cookie; subsequent /refresh calls return 401 | 204 No Content |
Happy Path

| ID | Request | Expected |
|---|---|---|
| TC-01 | POST /game/init — successful game initialization, returns session_id, config (min/max bet), and starting balance | 200 · session_id · balance |
| TC-02 | POST /spin — valid bet, verifies full outcome structure; saves last_spin_id and balance_before_spin | 200 · spin_id · reel_matrix |
| TC-03 | POST /spin — balance delta validation: balance_after = balance_before − bet + win | balance delta correct |
| TC-04 | POST /spin — bonus trigger structure check: if bonus_triggered is present, type must be free_spins or bonus | bonus_triggered.type valid |
| TC-15 | GET /history — returns the authenticated user's own spin history; validates items, total, limit, offset fields | 200 · items[] · total |
| TC-16 | GET /history — pagination: limit=2 returns at most 2 items and echoes the correct limit and offset values | items.length ≤ 2 · limit echoed |
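The TC-03 and TC-04 assertions written as plain functions, added here as an example rather than taken from the collection's own test scripts. It assumes the spin response carries `win`, `balance` and an optional `bonus_triggered.type`, and that the request body is shaped `{ bet: { amount } }`; the `pm` branch only runs inside the Postman sandbox.

```javascript
// Added example (not part of the collection's own scripts): the TC-03 and
// TC-04 assertions as plain functions that run outside Postman too. Money is
// compared in integer cents so 0.1-sized bets do not fail on float drift.
// Assumed spin response fields: win, balance, bonus_triggered.type.
const toCents = (v) => Math.round(Number(v) * 100);

// TC-03: balance_after = balance_before - bet + win.
// Returns a list of failure messages; an empty list means the check passed.
function checkBalanceDelta(balanceBefore, bet, spin) {
  const expected = toCents(balanceBefore) - toCents(bet) + toCents(spin.win);
  const actual = toCents(spin.balance);
  if (!Number.isFinite(expected) || !Number.isFinite(actual)) {
    return ["balance_before, bet, win and balance must all be numeric"];
  }
  if (expected !== actual) {
    return [`balance delta mismatch: expected ${expected / 100}, got ${spin.balance}`];
  }
  return [];
}

// TC-04: bonus_triggered is optional, but when present its type is constrained.
const BONUS_TYPES = new Set(["free_spins", "bonus"]);
function checkBonusTrigger(spin) {
  if (spin.bonus_triggered == null) return [];
  const type = spin.bonus_triggered.type;
  return BONUS_TYPES.has(type) ? [] : [`bonus_triggered.type "${type}" not in {free_spins, bonus}`];
}

// Constructed sample: a 1.0 bet that won 2.5 on a 100.0 starting balance.
const sampleSpin = { spin_id: "spin_0001", win: 2.5, balance: 101.5,
                     bonus_triggered: { type: "free_spins", count: 10 } };

// Inside Postman the same functions feed pm.test; `pm` does not exist elsewhere,
// so this branch is skipped under Node. Request body shape { bet: { amount } } is assumed.
if (typeof pm !== "undefined") {
  const body = pm.response.json();
  const before = pm.collectionVariables.get("balance_before_spin");
  const bet = JSON.parse(pm.request.body.raw).bet.amount;
  pm.test("TC-03 balance delta correct", () =>
    pm.expect(checkBalanceDelta(before, bet, body)).to.be.empty);
  pm.test("TC-04 bonus_triggered.type valid", () =>
    pm.expect(checkBonusTrigger(body)).to.be.empty);
}
```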
Negative Testing

| ID | Request | Expected |
|---|---|---|
| TC-05 | POST /spin — missing Authorization header entirely | 401 Unauthorized |
| TC-06 | POST /spin — bet exceeds balance (amount: 999999); triggers insufficient_balance error code | 422 · insufficient_balance |
| TC-07 | POST /spin — negative bet amount (−100); must be rejected at validation layer | 400 Bad Request |
| TC-08 | POST /spin — duplicate Idempotency-Key sent twice; second request must not create a new spin | 409 or 200 + same spin_id |
| TC-09 | POST /spin — JWT with alg: none (unsigned token); must be rejected | 401 Unauthorized |
| TC-10 | GET /history?user_id=99999 — IDOR check; response must be 403 or return only the authenticated user's own data | 403 or own data only |
| TC-17 | GET /history — no Authorization header; history endpoint must be protected | 401 Unauthorized |
| TC-18 | POST /spin — completely invalid session_id; session lookup fails → session_expired | 403 · session_expired |
| TC-19 | POST /spin — game_id does not match the session's registered game → invalid_game_id | 400 · invalid_game_id |
| TC-20 | POST /spin — bet amount 0.001 below MIN_BET (0.1) → invalid_bet | 422 · invalid_bet |
| TC-21 | POST /spin — unsupported currency EUR; only USD is accepted → invalid_currency | 422 · invalid_currency |
| TC-22 | POST /spin — lines: 0 is outside valid range (1–20) → invalid_lines | 422 · invalid_lines |
| TC-23 | POST /spin — reuses the idempotency_key from TC-08 with a different bet amount (2.0 vs 1.0); payload mismatch must be rejected | 409 · idempotency_key_reused |
Security Testing

| ID | Request | Expected |
|---|---|---|
| TC-11 | POST /spin — SQL injection in bet.amount: "1; DROP TABLE spins;--"; must return 4xx, not 500 | 4xx · no 500 · no exec |
| TC-12 | POST /spin — XSS payload in session_id: <script>alert(1)</script>; response body must not echo unescaped markup | 4xx · no <script> in body |
| TC-13 | POST /spin — rate limit test; full check requires 50+ req/s via Collection Runner; single entry validates 200/429 and Retry-After header on 429 | 429 + Retry-After |
| TC-14 | POST /spin — replay attack; identical intercepted request sent twice; second must not cause a double debit | 200 same spin_id or 409 |
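An added example (not from the collection) of how the replay expectations in TC-08, TC-14 and TC-23 can be evaluated: the second response of an identical pair may be a 409 or a 200 carrying the original spin_id, but never a fresh spin or a second debit. It assumes responses shaped `{ status, body: { spin_id, balance, error } }` and a collection variable name `idem_first_response` for carrying the first run's response to the second.

```javascript
// Added example (not from the collection): classify the second response of an
// idempotency / replay pair (TC-08, TC-14) and check a key reuse with a changed
// payload (TC-23). The suite accepts either a 409 or a 200 carrying the original
// spin_id; what must never happen is a fresh spin (new spin_id) or a second
// debit. Response shape { status, body: { spin_id, balance, error } } is assumed.
const toCents = (v) => Math.round(Number(v) * 100);

function classifyReplay(first, second) {
  if (first.status !== 200) return "first-request-failed";
  if (second.status === 409) return "rejected-duplicate";               // acceptable
  if (second.status !== 200) return `unexpected-${second.status}`;
  if (second.body.spin_id !== first.body.spin_id) return "double-spin"; // bug
  if (toCents(second.body.balance) !== toCents(first.body.balance)) {
    return "double-debit";                                             // bug
  }
  return "replayed-original";                                          // acceptable
}

// Exactly the two outcomes TC-08 / TC-14 allow.
function replayIsIdempotent(first, second) {
  const outcome = classifyReplay(first, second);
  return outcome === "rejected-duplicate" || outcome === "replayed-original";
}

// TC-23: same Idempotency-Key, different bet amount. The server must refuse with
// the specific code rather than silently replay the old spin or run a new one.
function keyReuseRejected(second) {
  return second.status === 409 && !!second.body &&
         second.body.error === "idempotency_key_reused";
}

// Constructed sample pair (not real API output): a correct replay and a buggy one.
const firstResp  = { status: 200, body: { spin_id: "spin_4242", balance: 99.0 } };
const replayResp = { status: 200, body: { spin_id: "spin_4242", balance: 99.0 } };
const doubleResp = { status: 200, body: { spin_id: "spin_4243", balance: 98.0 } };

// In Postman: the first run of TC-08 stores its response in an assumed collection
// variable and the second run compares against it (TC-08 is run twice, see Notes).
if (typeof pm !== "undefined") {
  const current = { status: pm.response.code, body: pm.response.json() };
  const saved = pm.collectionVariables.get("idem_first_response");
  if (!saved) {
    pm.collectionVariables.set("idem_first_response", JSON.stringify(current));
  } else {
    pm.test("TC-08 replay is idempotent", () =>
      pm.expect(replayIsIdempotent(JSON.parse(saved), current)).to.be.true);
  }
}
```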

Book of Dead

4 test cases covering session initialization, spin mechanics, symbol validation, and RTP configuration for the Book of Dead slot.

Happy Path

| ID | Request | Expected |
|---|---|---|
| BOD-01 | POST /game/init — game_id: "slot_book_of_dead_001"; returns session_id, game_id matches request, config includes 10 paylines, RTP ~96.21%, high volatility | 200 · session_id · config |
| BOD-02 | POST /spin — send spin with lines: 10; response contains a 5×3 reel_matrix and a valid win breakdown | 200 · 5×3 reel_matrix · win |
| BOD-03 | Verify BoD Symbols — reel_matrix values must be drawn from game-specific symbols: RichWilde, Osiris, Anubis, Horus, Book, A, K, Q, J, 10 | symbols ∈ valid set |
| BOD-04 | Verify Config RTP — config.rtp should be approximately 96.21 | rtp ≈ 96.21 |
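The BOD-02, BOD-03 and BOD-04 checks as plain functions, added as an example and not taken from the collection. It assumes `reel_matrix` is an array of 5 reels, each an array of 3 symbols (the "5×3" in the table), and that `config.rtp` is a number; the `pm` branch only runs inside Postman.

```javascript
// Added example (not from the collection): BOD-02/03/04 checks as plain
// functions. Assumes reel_matrix is an array of 5 reels, each holding 3 symbols,
// and that config.rtp is numeric.
const BOD_SYMBOLS = new Set(["RichWilde", "Osiris", "Anubis", "Horus", "Book",
                             "A", "K", "Q", "J", "10"]);

// BOD-02: shape must be exactly 5 reels x 3 rows. Returns failure messages.
function checkReelShape(matrix, reels = 5, rows = 3) {
  if (!Array.isArray(matrix) || matrix.length !== reels) return [`expected ${reels} reels`];
  return matrix.flatMap((reel, i) =>
    Array.isArray(reel) && reel.length === rows ? [] : [`reel ${i} does not have ${rows} rows`]);
}

// BOD-03: every cell must come from the game's own symbol set. Each offending
// cell is reported with its position so a failure is actionable. String() lets
// a numeric 10 in the JSON match the "10" symbol.
function checkSymbols(matrix, allowed = BOD_SYMBOLS) {
  const bad = [];
  (Array.isArray(matrix) ? matrix : []).forEach((reel, r) =>
    (Array.isArray(reel) ? reel : []).forEach((sym, row) => {
      if (!allowed.has(String(sym))) bad.push(`reel ${r} row ${row}: "${sym}"`);
    }));
  return bad;
}

// BOD-04: RTP is a configured percentage; compare with a tolerance rather than
// exact equality because the API may round (96.2 vs 96.21).
function rtpIsApprox(rtp, expected = 96.21, tolerance = 0.05) {
  return Number.isFinite(rtp) && Math.abs(rtp - expected) <= tolerance;
}

// Constructed sample spin and config (not real API output).
const sampleMatrix = [["A", "Book", "K"], ["Osiris", "10", "Q"], ["Anubis", "J", "A"],
                      ["Horus", "K", "RichWilde"], ["Q", "Book", "10"]];
const sampleConfig = { paylines: 10, rtp: 96.21, volatility: "high" };

// In Postman: BOD-02/03 run on the /spin response, BOD-04 on the /game/init response.
if (typeof pm !== "undefined") {
  const body = pm.response.json();
  if (body.reel_matrix) {
    pm.test("BOD-02 5x3 reel_matrix", () => pm.expect(checkReelShape(body.reel_matrix)).to.be.empty);
    pm.test("BOD-03 symbols in valid set", () => pm.expect(checkSymbols(body.reel_matrix)).to.be.empty);
  }
  if (body.config) {
    pm.test("BOD-04 rtp ~ 96.21", () => pm.expect(rtpIsApprox(body.config.rtp)).to.be.true);
  }
}
```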

Wallet

3 test cases covering wallet top-up, input validation, and authentication enforcement.

| Category | ID | Request | Expected |
|---|---|---|---|
| Happy Path | WAL-01 | POST /wallet/topup — {"amount": 500}; expects credited: 500 and updated balance reflecting the deposit | 200 · credited=500 · balance |
| Negative Testing | WAL-02 | POST /wallet/topup — invalid amount {"amount": 0} or {"amount": -1}; must be rejected at validation layer | 400 Bad Request |
| Security Testing | WAL-03 | POST /wallet/topup — no Authorization header; endpoint must require authentication | 401 Unauthorized |

In Postman

Run individual requests or the full suite from the Postman desktop client.

1. Import — click Import → select slots-collection.json. All variables are included in the collection.
2. Run Auth → Register — the test script automatically saves jwt_token to collection variables. Session IDs are populated by init requests.
3. Single request — open any TC → click Send → check the Test Results tab at the bottom.
4. Full suite — right-click the collection → Run collection (see Collection Runner below).

Collection Runner

Execute all 14 test cases in sequence with a single click. Folder order: Happy Path → Negative → Security.

1. Right-click Slots API - Full Regression → Run collection.
2. Ensure the collection is selected (no separate environment needed).
3. Set options: Iterations: 1 (full single pass). Delay: 100 ms between requests (prevents accidental rate-limiting on the happy path).
4. Click Run Slots API - Full Regression — all requests execute in order and results appear in the report panel.

Newman CLI

Run the entire suite headlessly from the terminal — useful for CI pipelines and automated regression.

Install:

    npm install -g newman newman-reporter-htmlextra
    # Or use npx (no install needed)

Run collection:

    cd postman
    npx newman run slots-collection.json

With HTML report (htmlextra):

    npx newman run slots-collection.json \
      -r htmlextra --reporter-htmlextra-export report.html

Additional options:

    # 200 ms delay (reduce load / avoid rate limit)
    npx newman run slots-collection.json --delay-request 200

    # 10-second request timeout
    npx newman run slots-collection.json --timeout-request 10000

    # Override base URL from CLI
    npx newman run slots-collection.json \
      --global-var "base_url=https://api.casino-staging.com"

Notes

Edge cases and setup hints for specific test cases.

TC-06 — Insufficient Balance
For a stable 422, use a bet larger than the current balance (e.g. 999999) or a user account with zero balance. Using a realistic balance makes the test flaky if the account has been topped up.
TC-08 — Idempotency
To reliably verify idempotency, run TC-08 twice with the exact same Idempotency-Key. Either set a fixed idempotency_key value in the environment, or edit the request header to a constant string before the second run.
TC-13 — Rate Limit
A full rate-limit check requires a separate scenario with 50+ iterations in a short window (use the Collection Runner with iterations set to 60 and delay 0). The single collection entry only validates the response is 200 or 429 and checks for a Retry-After header when the limit is hit.