Automated API test suite for the public Restful-Booker hotel booking API, built to demonstrate professional SQA practices end-to-end: test planning, test case design, negative & security testing, contract (schema) validation, request chaining, data-driven execution, CI integration, and defect reporting.
| Skill | Where to look |
|---|---|
| Formal test planning (IEEE-829 style) | TEST-PLAN.md |
| Test case design with traceability | docs/TEST-CASES.md — 16 cases mapped 1:1 to automated requests |
| Full CRUD lifecycle testing | Collection folder 03 - Bookings CRUD (Create → Read → Update → Patch → Delete → Verify 404) |
| Request chaining | Auth token + bookingId passed between requests via collection variables |
| Contract / schema testing | pm.response.to.have.jsonSchema() on booking creation |
| Negative & boundary testing | Invalid credentials, non-existent IDs, malformed JSON |
| Basic security testing | Mutations without a token asserted to return 403 |
| Dynamic test data | Pre-request scripts randomize names & prices → runs are self-contained and repeatable |
| Data-driven testing | data/booking-data.csv iterated via Newman -d |
| Non-functional checks | Collection-level response-time SLA on every request |
| CI/CD integration | .github/workflows/api-tests.yml — runs on push, PR, and nightly cron; publishes JUnit results + HTML report artifact |
| Defect reporting | docs/BUG-REPORT-TEMPLATE.md with 2 real defects found & documented |
This suite doesn't just pass — it found and documented two contract deviations in the API:
- DEF-001:
POST /authwith bad credentials returns200 OK+"Bad credentials"instead of401 Unauthorized. - DEF-002:
DELETE /booking/{id}returns201 Createdinstead of200/204.
See the defect log in docs/TEST-CASES.md and the worked bug report in docs/BUG-REPORT-TEMPLATE.md.
.
├── TEST-PLAN.md # Formal test plan (scope, approach, criteria, risks)
├── postman/
│ ├── Restful-Booker-API-Tests.postman_collection.json
│ └── environments/
│ └── qa.postman_environment.json
├── data/
│ └── booking-data.csv # Data-driven iterations for Newman
├── docs/
│ ├── TEST-CASES.md # Test case catalog + defect log
│ └── BUG-REPORT-TEMPLATE.md # Template + worked example
├── newman-reports/ # HTML/JUnit reports (generated, git-ignored)
└── .github/workflows/api-tests.yml # CI pipeline
- Import
postman/Restful-Booker-API-Tests.postman_collection.json. - Import
postman/environments/qa.postman_environment.jsonand select it. - Open the Collection Runner and run the whole collection (folder order matters: Auth before CRUD).
npm install -g newman newman-reporter-htmlextra
newman run postman/Restful-Booker-API-Tests.postman_collection.json \
-e postman/environments/qa.postman_environment.json \
-r cli,htmlextra \
--reporter-htmlextra-export newman-reports/report.htmlnewman run postman/Restful-Booker-API-Tests.postman_collection.json \
-e postman/environments/qa.postman_environment.json \
-d data/booking-data.csv \
--folder "03 - Bookings CRUD" \
-r cli,htmlextra --reporter-htmlextra-export newman-reports/data-driven-report.htmlEvery push, pull request, and a nightly cron trigger the suite automatically via GitHub Actions. Test results appear as a check on the commit; the HTML report is downloadable from the run's Artifacts.
The suite gates execution with a smoke check, generates its own randomized test data so runs are independent and repeatable against a shared public environment, chains state (token, bookingId) across requests to validate the true lifecycle rather than isolated calls, validates the response contract with JSON Schema (not just status codes), attacks the API with negative and unauthenticated requests to confirm error handling and authorization, and asserts a response-time SLA globally. Everything is version-controlled and runs headlessly in CI with human-readable HTML reporting.
Postman (Collection v2.1, Chai assertions, pre-request scripting) · Newman + htmlextra reporter · GitHub Actions · JSON Schema · CSV data files
- Target API is the public Restful-Booker practice service; the
admin/password123credentials are the vendor's published demo credentials (no secrets in this repo). - The demo instance resets periodically and can be slow on cold start — the smoke test warms it and SLAs are set accordingly.