Published in Better Practices

Negative testing for more resilient APIs

Unhappy path test cases to ensure proper input validation and error handling

Photo by Intricate Explorer on Unsplash

Happy path vs. Unhappy path

Happy path:

  • User creates a new account
  • User signs in with their new credentials
  • User retrieves information about their account

Unhappy path:

  • User creates a new account without providing all required inputs
  • User signs in with invalid credentials
  • User pastes a SQL query that gets executed (maliciously or unintentionally)

Trying to break the Unbreakable API

“How to break an API” livestream

A Recommended Testing Flow

Try it out in Postman
  1. Fork the collection: Fork the collection Testing Flow for Lite to your workspace. You may need to enable your public profile if you haven’t already.
  2. Create a new user: Find the User create request, and update the values under the Body tab. Hit Send to create the new user, and also set a collection variable called userToken that can be used in subsequent calls.
  3. Step through the collection: Explore the positive and negative test scenarios outlined in the remaining folders. Under the Authorization tab, notice the authorization method used for each request. Under the Pre-request Script and Tests tabs, notice code that runs before and after you send each request.
  4. Run the collection automatically: This collection can also be run to automate your testing flow. This is done using the Runner in Postman, Newman from the command line, or Monitors on Postman servers. Remember to set up a new, unique user under the User create request before running the collection in its entirety.

Positive and Negative testing

Positive tests:

  • Retrieve all movies
  • Create a new movie
  • Retrieve the new movie by ID

pm.test("Status code is 200", function () { pm.response.to.have.status(200); });

Negative tests:

  • Retrieve all movies, using an authorization token when not needed
  • Create a new movie, using an invalid authorization token
  • Delete the movie, when cascade is not set on database cleanup

pm.test("Status code is 401", function () { pm.response.to.have.status(401); });
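
The positive and negative scenarios listed above, written as a table of requests and expected status codes and run against a constructed in-memory handler. This is an added example, not code from the article or its Postman collection; the routes, the token value, the `title` field and the 400 response for missing input are assumptions.

```javascript
// Constructed in-memory stand-in for a movie API; names and routes are hypothetical.
const VALID_TOKEN = "constructed-user-token";

function makeApi() {
  const movies = [{ id: 1, title: "Constructed Movie" }];
  return function handle({ method, path, headers = {}, body }) {
    const token = (headers.authorization || "").replace(/^Bearer /, "");
    if (method === "GET" && path === "/movies") {
      return { status: 200, body: movies }; // public route: any token is ignored
    }
    if (method === "POST" && path === "/movies") {
      if (token !== VALID_TOKEN) return { status: 401, body: { error: "Unauthorized" } };
      if (!body || typeof body.title !== "string" || body.title.trim() === "") {
        return { status: 400, body: { error: "title is required" } };
      }
      const movie = { id: movies.length + 1, title: body.title };
      movies.push(movie);
      return { status: 200, body: movie };
    }
    return { status: 404, body: { error: "Not found" } };
  };
}

const bearer = (t) => ({ authorization: `Bearer ${t}` });
const list = (headers) => ({ method: "GET", path: "/movies", headers });
const post = (headers, body) => ({ method: "POST", path: "/movies", headers, body });

// Each case pairs a request with the status the API must return.
const CASES = [
  { name: "retrieve all movies", req: list({}), expect: 200 },
  { name: "create a new movie", req: post(bearer(VALID_TOKEN), { title: "New" }), expect: 200 },
  { name: "retrieve all with an unneeded token", req: list(bearer("unused")), expect: 200 },
  { name: "create with an invalid token", req: post(bearer("wrong"), { title: "New" }), expect: 401 },
  { name: "create with no token", req: post({}, { title: "New" }), expect: 401 },
  { name: "create without the required title", req: post(bearer(VALID_TOKEN), {}), expect: 400 },
];

function runCases() {
  const handle = makeApi(); // fresh store per run keeps results repeatable
  return CASES.map(({ name, req, expect }) => {
    const res = handle(req);
    // Error responses must carry only a short message, nothing internal.
    const bodyOk = res.status < 400 || Object.keys(res.body).join() === "error";
    return { name, expect, actual: res.status, pass: res.status === expect && bodyOk };
  });
}

for (const r of runCases()) console.log(r.pass ? "PASS" : "FAIL", r.actual, r.name);
```

In a Postman collection, each row would be a separate request whose Tests tab holds the matching `pm.test` status check.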

The importance of negative testing


