How do I test that an endpoint *shouldn't* work?

[tamoreton]

Say I have an API secured with basic auth and some credentials, set as environment variables. I want to test that an endpoint works when credentials are provided, and that it doesn't work when credentials are not provided.

How do I do this? I've tried a few approaches and none have had the results that I expected (actually, I was struggling to reason about some of them – I didn't find the JavaScript API Reference very clear).

I've tried:

test("should be ok", () => {
  expect(res.getStatus()).to.equal(200);
});

req.setHeader("authorization", "");

test("should prevent unauthorised access", () => {
  expect(res.getStatus()).to.equal(401);
});

and

test("should be ok", () => {
  expect(res.getStatus()).to.equal(200);
});

test("should prevent unauthorised access", () => {
  bru.setEnvVar("password", "wrongpass);
  expect(res.getStatus()).to.equal(401);
  bru.setEnvVar("password", "password");
});

[Sl-Alex]

In this case I would just create two requests: one with valid auth data (and check status 200), and one without (and check for 401)
There is a possibility to call some additional endpoint in a pre- or post-request script (see here), but IMHO it is much easier (and better) to create an additional request.

For example, this is how I test the very same endpoint: