template-monorepo/test/e2e/journey_owner_test.go

//go:build e2e

package e2e

import (
	"encoding/json"
	"net/http"
	"testing"

	"github.com/stretchr/testify/require"
)

// TestJourney_OwnerOnboarding 模擬 Tenant Owner 入職第一天會走的完整流程：
// 已 login（seed 提供 JWT）→ 看自己 → 更新 profile → 驗證業務 email → 驗證 phone
// → 綁定 TOTP → step-up 驗碼 → 解除 TOTP → logout。
//
// 是「狀態流」測試：每步都用上一步的結果（challenge_id / display_name / OTP code），
// 任一步 fail 後續自動 skip，便於一眼定位斷點。
func TestJourney_OwnerOnboarding(t *testing.T) {
	j := NewJourney(t, "J-1", "Tenant Owner 入職第一天（已登入後完整 onboarding）")
	defer j.Summary()

	c := NewClient(t)

	var (
		emailTarget    = "owner-journey@example.com"
		phoneTarget    = "+886900111222"
		emailChallenge string
		phoneChallenge string
		otpauthURL     string
		totpDigits     int
		totpPeriod     int
		totpCode       string
	)

	j.Step("1", "GET /me — 用 seed JWT 確認自己是 tenant_owner 且 status=active", func(t *testing.T) {
		env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me", nil, true)
		var me struct {
			TenantID string `json:"tenant_id"`
			UID      string `json:"uid"`
			Status   string `json:"status"`
		}
		require.NoError(t, json.Unmarshal(env.Data, &me))
		require.Equal(t, c.Fixture.UID, me.UID)
		require.Equal(t, "active", me.Status)
	})

	j.Step("2", "PATCH /me — 更新 display_name", func(t *testing.T) {
		env := c.DoExpectOK(t, http.MethodPatch, "/api/v1/members/me", map[string]string{
			"display_name": "Journey Owner",
		}, true)
		var me struct {
			DisplayName string `json:"display_name"`
		}
		require.NoError(t, json.Unmarshal(env.Data, &me))
		require.Equal(t, "Journey Owner", me.DisplayName)
	})

	j.Step("3", "POST /me/verifications/email/start — 申請業務 email OTP", func(t *testing.T) {
		env := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/email/start", map[string]string{
			"target": emailTarget,
		}, true)
		var start struct {
			ChallengeID string `json:"challenge_id"`
		}
		require.NoError(t, json.Unmarshal(env.Data, &start))
		require.NotEmpty(t, start.ChallengeID)
		emailChallenge = start.ChallengeID
	})

	j.Step("4", "POST /me/verifications/email/confirm — 從 Redis 取碼後驗證", func(t *testing.T) {
		require.NotEmpty(t, emailChallenge, "missing email challenge from step 3")
		code := FetchE2EOTP(t, emailChallenge)
		c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/email/confirm", map[string]string{
			"challenge_id": emailChallenge,
			"code":         code,
		}, true)
	})

	j.Step("5", "GET /me — 確認 business_email_verified=true", func(t *testing.T) {
		env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me", nil, true)
		var me struct {
			BusinessEmail         string `json:"business_email"`
			BusinessEmailVerified bool   `json:"business_email_verified"`
		}
		require.NoError(t, json.Unmarshal(env.Data, &me))
		require.Equal(t, emailTarget, me.BusinessEmail)
		require.True(t, me.BusinessEmailVerified, "expected email_verified=true after confirm")
	})

	j.Step("6", "POST /me/verifications/phone/start — 申請業務 phone OTP", func(t *testing.T) {
		env := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/phone/start", map[string]string{
			"target": phoneTarget,
		}, true)
		var start struct {
			ChallengeID string `json:"challenge_id"`
		}
		require.NoError(t, json.Unmarshal(env.Data, &start))
		phoneChallenge = start.ChallengeID
	})

	j.Step("7", "POST /me/verifications/phone/confirm — 取碼後驗證", func(t *testing.T) {
		require.NotEmpty(t, phoneChallenge)
		code := FetchE2EOTP(t, phoneChallenge)
		c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/phone/confirm", map[string]string{
			"challenge_id": phoneChallenge,
			"code":         code,
		}, true)
	})

	j.Step("8", "POST /me/totp/enroll-start — 開始綁定 TOTP", func(t *testing.T) {
		env := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/enroll-start", nil, true)
		var start struct {
			OtpauthURL string `json:"otpauth_url"`
			Digits     int    `json:"digits"`
			PeriodSec  int    `json:"period_seconds"`
		}
		require.NoError(t, json.Unmarshal(env.Data, &start))
		require.NotEmpty(t, start.OtpauthURL)
		otpauthURL = start.OtpauthURL
		totpDigits = start.Digits
		totpPeriod = start.PeriodSec
	})

	j.Step("9", "POST /me/totp/enroll-confirm — 用 otpauth_url 算當下 TOTP code 確認綁定", func(t *testing.T) {
		require.NotEmpty(t, otpauthURL)
		totpCode = codeFromOtpauthURL(t, otpauthURL, totpDigits, totpPeriod)
		env := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/enroll-confirm", map[string]string{
			"code": totpCode,
		}, true)
		var confirmed struct {
			BackupCodes []string `json:"backup_codes"`
		}
		require.NoError(t, json.Unmarshal(env.Data, &confirmed))
		require.NotEmpty(t, confirmed.BackupCodes, "enroll-confirm should return backup codes exactly once")
	})

	j.Step("10", "POST /me/totp/verify — step-up 驗碼成功", func(t *testing.T) {
		require.NotEmpty(t, totpCode)
		c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/verify", map[string]string{
			"code": totpCode,
		}, true)
	})

	j.Step("11", "POST /me/totp/verify (replay) — 同 code 再打應該 403（重放保護）", func(t *testing.T) {
		require.NotEmpty(t, totpCode)
		env := c.DoExpectHTTP(t, http.MethodPost, "/api/v1/members/me/totp/verify", map[string]string{
			"code": totpCode,
		}, true, http.StatusForbidden)
		require.NotEqual(t, int64(successCode), env.Code)
	})

	j.Step("12", "DELETE /me/totp — 解除綁定", func(t *testing.T) {
		c.DoExpectOK(t, http.MethodDelete, "/api/v1/members/me/totp", nil, true)
		env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me/totp", nil, true)
		var st struct {
			Enrolled bool `json:"enrolled"`
		}
		require.NoError(t, json.Unmarshal(env.Data, &st))
		require.False(t, st.Enrolled)
	})
}
-												test(e2e): 加 banner / e2e-list / k6 風格 user journey

讓「我有哪些測試、現在在測什麼」一眼看得到，並補上跨 endpoint 的狀態流測試：

每個測試開頭印中文 banner
- 新增 e2eStep(t, id, method, path, desc) helper（test/e2e/setup_test.go）
- 17 個 contract test 開頭加 banner，go test -v 會逐個顯示
    ▶ [M-01] GET /api/v1/members/me — 讀 profile（tenant/uid/status）
- 對外 ID 與 docs/e2e-testing.md 的測試覆蓋矩陣對齊

新增 make e2e-list
- scripts/e2e-list.sh 掃 _test.go，分兩節印 contract tests + journeys；
  每個 journey 列出所有 step ID + 描述（Step 用 ▶、SkipStep 用 ⊘）

scripts 彩色 step banner + optional MailHog
- scripts/e2e-lib.sh 抽共用 helpers（e2e_step/info/ok/warn、e2e_print_services）
- e2e-run.sh / e2e-up.sh 改用 step banner + 服務面板（執行完印出 Mongo/Redis/
  Gateway/MailHog 的 URL）
- E2E_WITH_SMTP=1 會額外起 MailHog（http://localhost:8025），方便肉眼確認流程

k6 風格 user journey
- 新增 test/e2e/journey.go：NewJourney + Step + SkipStep + Summary，
  任一步 fail 自動 skip 後續，輸出 ▶ [J-x.y] 階層 banner
- J-1 Tenant Owner 入職第一天（12 steps）：/me → PATCH → email verify
  → phone verify → TOTP enroll/verify/replay/disable
- J-2 Tenant Admin 建 qa_engineer 角色 → 指派 → 二人視角驗證 → 撤銷（8 steps）
- J-3 Session 生命週期 refresh → /me → logout → 舊 token 401（4 steps，ZZZ 排最後）
- J-4 完整註冊 → 登入（5 steps stub，標 SkipStep；接 ZITADEL container 後改 Step 即可）
- make e2e-journey / make test-e2e-journey 拆獨立 target；e2e-run.sh 透過
  E2E_MODE=journey + E2E_TEST_PATTERN_ZZZ 切換

docs/e2e-testing.md
- 首節改為「我現在有哪些測試？make e2e-list」並附 banner 範例輸出
- 加 Journeys 章節：journey 列表、執行範例、失敗時的輸出、寫新 journey 範本
- 補 e2e-journey / test-e2e-journey / E2E_WITH_SMTP 環境變數

Co-authored-by: Cursor <cursoragent@cursor.com>

											
										
										
											2026-05-22 09:18:36 +00:00
+								//go:build e2e
 								package e2e
 								import (
 									"encoding/json"
 									"net/http"
 									"testing"
 									"github.com/stretchr/testify/require"
 								)
 								// TestJourney_OwnerOnboarding 模擬 Tenant Owner 入職第一天會走的完整流程：
 								// 已 login（seed 提供 JWT）→ 看自己 → 更新 profile → 驗證業務 email → 驗證 phone
 								// → 綁定 TOTP → step-up 驗碼 → 解除 TOTP → logout。
 								//
 								// 是「狀態流」測試：每步都用上一步的結果（challenge_id / display_name / OTP code），
 								// 任一步 fail 後續自動 skip，便於一眼定位斷點。
 								func TestJourney_OwnerOnboarding(t *testing.T) {
 									j := NewJourney(t, "J-1", "Tenant Owner 入職第一天（已登入後完整 onboarding）")
 									defer j.Summary()
 									c := NewClient(t)
 									var (
 										emailTarget    = "owner-journey@example.com"
 										phoneTarget    = "+886900111222"
 										emailChallenge string
 										phoneChallenge string
 										otpauthURL     string
 										totpDigits     int
 										totpPeriod     int
 										totpCode       string
 									)
 									j.Step("1", "GET /me — 用 seed JWT 確認自己是 tenant_owner 且 status=active", func(t *testing.T) {
 										env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me", nil, true)
 										var me struct {
 											TenantID string `json:"tenant_id"`
 											UID      string `json:"uid"`
 											Status   string `json:"status"`
 										}
 										require.NoError(t, json.Unmarshal(env.Data, &me))
 										require.Equal(t, c.Fixture.UID, me.UID)
 										require.Equal(t, "active", me.Status)
 									})
 									j.Step("2", "PATCH /me — 更新 display_name", func(t *testing.T) {
 										env := c.DoExpectOK(t, http.MethodPatch, "/api/v1/members/me", map[string]string{
 											"display_name": "Journey Owner",
 										}, true)
 										var me struct {
 											DisplayName string `json:"display_name"`
 										}
 										require.NoError(t, json.Unmarshal(env.Data, &me))
 										require.Equal(t, "Journey Owner", me.DisplayName)
 									})
 									j.Step("3", "POST /me/verifications/email/start — 申請業務 email OTP", func(t *testing.T) {
 										env := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/email/start", map[string]string{
 											"target": emailTarget,
 										}, true)
 										var start struct {
 											ChallengeID string `json:"challenge_id"`
 										}
 										require.NoError(t, json.Unmarshal(env.Data, &start))
 										require.NotEmpty(t, start.ChallengeID)
 										emailChallenge = start.ChallengeID
 									})
 									j.Step("4", "POST /me/verifications/email/confirm — 從 Redis 取碼後驗證", func(t *testing.T) {
 										require.NotEmpty(t, emailChallenge, "missing email challenge from step 3")
 										code := FetchE2EOTP(t, emailChallenge)
 										c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/email/confirm", map[string]string{
 											"challenge_id": emailChallenge,
 											"code":         code,
 										}, true)
 									})
 									j.Step("5", "GET /me — 確認 business_email_verified=true", func(t *testing.T) {
 										env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me", nil, true)
 										var me struct {
 											BusinessEmail         string `json:"business_email"`
 											BusinessEmailVerified bool   `json:"business_email_verified"`
 										}
 										require.NoError(t, json.Unmarshal(env.Data, &me))
 										require.Equal(t, emailTarget, me.BusinessEmail)
 										require.True(t, me.BusinessEmailVerified, "expected email_verified=true after confirm")
 									})
 									j.Step("6", "POST /me/verifications/phone/start — 申請業務 phone OTP", func(t *testing.T) {
 										env := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/phone/start", map[string]string{
 											"target": phoneTarget,
 										}, true)
 										var start struct {
 											ChallengeID string `json:"challenge_id"`
 										}
 										require.NoError(t, json.Unmarshal(env.Data, &start))
 										phoneChallenge = start.ChallengeID
 									})
 									j.Step("7", "POST /me/verifications/phone/confirm — 取碼後驗證", func(t *testing.T) {
 										require.NotEmpty(t, phoneChallenge)
 										code := FetchE2EOTP(t, phoneChallenge)
 										c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/phone/confirm", map[string]string{
 											"challenge_id": phoneChallenge,
 											"code":         code,
 										}, true)
 									})
 									j.Step("8", "POST /me/totp/enroll-start — 開始綁定 TOTP", func(t *testing.T) {
 										env := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/enroll-start", nil, true)
 										var start struct {
 											OtpauthURL string `json:"otpauth_url"`
 											Digits     int    `json:"digits"`
 											PeriodSec  int    `json:"period_seconds"`
 										}
 										require.NoError(t, json.Unmarshal(env.Data, &start))
 										require.NotEmpty(t, start.OtpauthURL)
 										otpauthURL = start.OtpauthURL
 										totpDigits = start.Digits
 										totpPeriod = start.PeriodSec
 									})
 									j.Step("9", "POST /me/totp/enroll-confirm — 用 otpauth_url 算當下 TOTP code 確認綁定", func(t *testing.T) {
 										require.NotEmpty(t, otpauthURL)
 										totpCode = codeFromOtpauthURL(t, otpauthURL, totpDigits, totpPeriod)
 										env := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/enroll-confirm", map[string]string{
 											"code": totpCode,
 										}, true)
 										var confirmed struct {
 											BackupCodes []string `json:"backup_codes"`
 										}
 										require.NoError(t, json.Unmarshal(env.Data, &confirmed))
 										require.NotEmpty(t, confirmed.BackupCodes, "enroll-confirm should return backup codes exactly once")
 									})
 									j.Step("10", "POST /me/totp/verify — step-up 驗碼成功", func(t *testing.T) {
 										require.NotEmpty(t, totpCode)
 										c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/verify", map[string]string{
 											"code": totpCode,
 										}, true)
 									})
 									j.Step("11", "POST /me/totp/verify (replay) — 同 code 再打應該 403（重放保護）", func(t *testing.T) {
 										require.NotEmpty(t, totpCode)
 										env := c.DoExpectHTTP(t, http.MethodPost, "/api/v1/members/me/totp/verify", map[string]string{
 											"code": totpCode,
 										}, true, http.StatusForbidden)
 										require.NotEqual(t, int64(successCode), env.Code)
 									})
 									j.Step("12", "DELETE /me/totp — 解除綁定", func(t *testing.T) {
 										c.DoExpectOK(t, http.MethodDelete, "/api/v1/members/me/totp", nil, true)
 										env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me/totp", nil, true)
 										var st struct {
 											Enrolled bool `json:"enrolled"`
 										}
 										require.NoError(t, json.Unmarshal(env.Data, &st))
 										require.False(t, st.Enrolled)
 									})
 								}