POST /orders quantity:0 returns 500
PilotAPI is a deliberately imperfect REST backend built for this track. Six endpoints, four seeded production defects, full request/response inspector, and reference suites in Playwright API, Rest Assured, and Postman. Find every bug, write the failing test that proves it, then ship the fix in your head.
Each bug is realistic — the kind of defect you'd actually triage in a real codebase. Use the explorer to reproduce them and the Run API test tab to write a failing assertion.
Validation never runs for quantity:0 — the server divides by zero and crashes with a 500 instead of a clean 400.
The desc flag is parsed but never applied. Catalog sorts ascending no matter what — easy to miss without a schema-level assertion.
Rate-limited responses return { error: 'too_many' } instead of the documented { code, retryAfterSeconds } contract.
Any authenticated user can fetch any order by guessing the id. Missing ownerId check in the controller.
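The missing ownerId check from the last bug, modelled as an added example (not PilotAPI's own code) with the defective handler beside a corrected one and the checks a regression suite should pin down. The `GET /orders/:id` route shape, field names, order ids, users and error bodies are assumptions constructed for illustration.

```javascript
// Added example: in-memory model of an assumed GET /orders/:id handler.
// Orders, users and error bodies below are constructed, not PilotAPI data.
const orders = new Map([
  ['ord_1001', { id: 'ord_1001', ownerId: 'alice', sku: 'SKU-1', quantity: 2 }],
  ['ord_1002', { id: 'ord_1002', ownerId: 'bob', sku: 'SKU-7', quantity: 1 }],
]);

// Defect as described: authentication is checked, ownership is not.
function getOrderVulnerable(user, orderId) {
  if (!user) return { status: 401, body: { code: 'unauthenticated' } };
  const order = orders.get(orderId);
  if (!order) return { status: 404, body: { code: 'not_found' } };
  return { status: 200, body: order };
}

// Fix: compare the order's ownerId with the authenticated caller.
// Answering 404 for someone else's order (a design choice here) keeps the
// response identical to "no such id", so valid ids cannot be confirmed.
function getOrderFixed(user, orderId) {
  if (!user) return { status: 401, body: { code: 'unauthenticated' } };
  const order = orders.get(orderId);
  if (!order || order.ownerId !== user.id) {
    return { status: 404, body: { code: 'not_found' } };
  }
  return { status: 200, body: order };
}

// Authorization checks run against any handler; returns the failed checks.
function ownershipFailures(handler) {
  const alice = { id: 'alice' };
  const failures = [];
  if (handler(alice, 'ord_1001').status !== 200) failures.push('owner cannot read own order');
  const foreign = handler(alice, 'ord_1002');
  const missing = handler(alice, 'ord_9999');
  if (foreign.status === 200) {
    failures.push("non-owner read another user's order");
  } else if (JSON.stringify(foreign) !== JSON.stringify(missing)) {
    failures.push('foreign and missing ids are distinguishable');
  }
  if (handler(null, 'ord_1001').status !== 401) failures.push('anonymous request not rejected');
  return failures;
}

console.log('vulnerable:', ownershipFailures(getOrderVulnerable));
console.log('fixed:', ownershipFailures(getOrderFixed));
```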
Pick an endpoint, send a request, validate the response against the documented contract.
/auth/login (expects 200): Exchange credentials for a bearer token. The explorer auto-attaches the returned token to subsequent requests.