template-monorepo/test/e2e/member_test.go

//go:build e2e

package e2e

import (
	"encoding/json"
	"net/http"
	"net/url"
	"strconv"
	"testing"
	"time"

	membertotp "gateway/internal/model/member/totp"

	"github.com/stretchr/testify/require"
)

func TestMember_GetMe(t *testing.T) {
	e2eStep(t, "M-01", "GET", "/api/v1/members/me", "讀 profile（tenant/uid/status）")
	c := NewClient(t)
	env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me", nil, true)
	var me struct {
		TenantID string `json:"tenant_id"`
		UID      string `json:"uid"`
		Status   string `json:"status"`
	}
	require.NoError(t, json.Unmarshal(env.Data, &me))
	require.Equal(t, c.Fixture.TenantID, me.TenantID)
	require.Equal(t, c.Fixture.UID, me.UID)
	require.Equal(t, "active", me.Status)
}

func TestMember_UpdateMe(t *testing.T) {
	e2eStep(t, "M-02", "PATCH", "/api/v1/members/me", "更新 display_name")
	c := NewClient(t)
	name := "E2E Updated Name"
	env := c.DoExpectOK(t, http.MethodPatch, "/api/v1/members/me", map[string]string{
		"display_name": name,
	}, true)
	var me struct {
		DisplayName string `json:"display_name"`
	}
	require.NoError(t, json.Unmarshal(env.Data, &me))
	require.Equal(t, name, me.DisplayName)
}

func TestMember_EmailVerification_FullFlow(t *testing.T) {
	e2eStep(t, "M-03/M-04", "POST", "/me/verifications/email/{start,confirm}", "業務 email OTP 申請 → 從 Redis 取碼 → 驗證 → email_verified=true")
	c := NewClient(t)
	target := "verified-e2e@example.com"

	startEnv := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/email/start", map[string]string{
		"target": target,
	}, true)
	var start struct {
		ChallengeID string `json:"challenge_id"`
		ExpiresIn   int    `json:"expires_in"`
	}
	require.NoError(t, json.Unmarshal(startEnv.Data, &start))
	require.NotEmpty(t, start.ChallengeID)
	require.Positive(t, start.ExpiresIn)

	code := FetchE2EOTP(t, start.ChallengeID)
	c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/email/confirm", map[string]string{
		"challenge_id": start.ChallengeID,
		"code":         code,
	}, true)

	env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me", nil, true)
	var me struct {
		BusinessEmail         string `json:"business_email"`
		BusinessEmailVerified bool   `json:"business_email_verified"`
	}
	require.NoError(t, json.Unmarshal(env.Data, &me))
	require.Equal(t, target, me.BusinessEmail)
	require.True(t, me.BusinessEmailVerified)
}

func TestMember_PhoneVerification_FullFlow(t *testing.T) {
	e2eStep(t, "M-05/M-06", "POST", "/me/verifications/phone/{start,confirm}", "業務 phone OTP 申請 → 從 Redis 取碼 → 驗證 → phone_verified=true")
	c := NewClient(t)
	target := "+886912345678"

	startEnv := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/phone/start", map[string]string{
		"target": target,
	}, true)
	var start struct {
		ChallengeID string `json:"challenge_id"`
		ExpiresIn   int    `json:"expires_in"`
	}
	require.NoError(t, json.Unmarshal(startEnv.Data, &start))
	require.NotEmpty(t, start.ChallengeID)
	require.Positive(t, start.ExpiresIn)

	code := FetchE2EOTP(t, start.ChallengeID)
	c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/phone/confirm", map[string]string{
		"challenge_id": start.ChallengeID,
		"code":         code,
	}, true)

	env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me", nil, true)
	var me struct {
		BusinessPhone         string `json:"business_phone"`
		BusinessPhoneVerified bool   `json:"business_phone_verified"`
	}
	require.NoError(t, json.Unmarshal(env.Data, &me))
	require.Equal(t, target, me.BusinessPhone)
	require.True(t, me.BusinessPhoneVerified)
}

func TestMember_TOTP_Status(t *testing.T) {
	e2eStep(t, "M-07", "GET", "/api/v1/members/me/totp", "查 TOTP 狀態（初始 enrolled=false）")
	c := NewClient(t)
	env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me/totp", nil, true)
	var st struct {
		Enrolled bool `json:"enrolled"`
	}
	require.NoError(t, json.Unmarshal(env.Data, &st))
	require.False(t, st.Enrolled)
}

func TestMember_TOTP_FullFlow(t *testing.T) {
	e2eStep(t, "M-08~M-12", "POST", "/me/totp/*", "TOTP 全鏈路：enroll-start → confirm → verify → replay 403 → backup-codes → DELETE")
	c := NewClient(t)

	startEnv := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/enroll-start", nil, true)
	var start struct {
		OtpauthURL string `json:"otpauth_url"`
		Digits     int    `json:"digits"`
		PeriodSec  int    `json:"period_seconds"`
	}
	require.NoError(t, json.Unmarshal(startEnv.Data, &start))
	require.NotEmpty(t, start.OtpauthURL)
	require.Positive(t, start.Digits)
	require.Positive(t, start.PeriodSec)

	code := codeFromOtpauthURL(t, start.OtpauthURL, start.Digits, start.PeriodSec)
	confirmEnv := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/enroll-confirm", map[string]string{
		"code": code,
	}, true)
	var confirmed struct {
		BackupCodes []string `json:"backup_codes"`
	}
	require.NoError(t, json.Unmarshal(confirmEnv.Data, &confirmed))
	require.NotEmpty(t, confirmed.BackupCodes)

	statusEnv := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me/totp", nil, true)
	var status struct {
		Enrolled             bool `json:"enrolled"`
		BackupCodesRemaining int  `json:"backup_codes_remaining"`
	}
	require.NoError(t, json.Unmarshal(statusEnv.Data, &status))
	require.True(t, status.Enrolled)
	require.Equal(t, len(confirmed.BackupCodes), status.BackupCodesRemaining)

	c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/verify", map[string]string{
		"code": code,
	}, true)

	replayEnv := c.DoExpectHTTP(t, http.MethodPost, "/api/v1/members/me/totp/verify", map[string]string{
		"code": code,
	}, true, http.StatusForbidden)
	require.NotEqual(t, int64(successCode), replayEnv.Code)

	backupEnv := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/backup-codes", nil, true)
	var backup struct {
		BackupCodes []string `json:"backup_codes"`
	}
	require.NoError(t, json.Unmarshal(backupEnv.Data, &backup))
	require.NotEmpty(t, backup.BackupCodes)

	c.DoExpectOK(t, http.MethodDelete, "/api/v1/members/me/totp", nil, true)
	finalEnv := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me/totp", nil, true)
	var finalStatus struct {
		Enrolled bool `json:"enrolled"`
	}
	require.NoError(t, json.Unmarshal(finalEnv.Data, &finalStatus))
	require.False(t, finalStatus.Enrolled)
}

func codeFromOtpauthURL(t *testing.T, rawURL string, digits, periodSec int) string {
	t.Helper()
	u, err := url.Parse(rawURL)
	require.NoError(t, err)
	require.Equal(t, "otpauth", u.Scheme)
	require.Equal(t, "totp", u.Host)

	q := u.Query()
	secret, err := membertotp.DecodeSecret(q.Get("secret"))
	require.NoError(t, err)
	if digits <= 0 {
		digits, _ = strconv.Atoi(q.Get("digits"))
	}
	if periodSec <= 0 {
		periodSec, _ = strconv.Atoi(q.Get("period"))
	}
	code, err := membertotp.Generate(secret, time.Now(), time.Duration(periodSec)*time.Second, digits)
	require.NoError(t, err)
	return code
}
-												add member totp

											
										
										
											2026-05-21 23:52:39 +00:00
+								//go:build e2e
 								package e2e
 								import (
 									"encoding/json"
 									"net/http"
 									"net/url"
 									"strconv"
 									"testing"
 									"time"
 									membertotp "gateway/internal/model/member/totp"
 									"github.com/stretchr/testify/require"
 								)
 								func TestMember_GetMe(t *testing.T) {
-												test(e2e): 加 banner / e2e-list / k6 風格 user journey

讓「我有哪些測試、現在在測什麼」一眼看得到，並補上跨 endpoint 的狀態流測試：

每個測試開頭印中文 banner
- 新增 e2eStep(t, id, method, path, desc) helper（test/e2e/setup_test.go）
- 17 個 contract test 開頭加 banner，go test -v 會逐個顯示
    ▶ [M-01] GET /api/v1/members/me — 讀 profile（tenant/uid/status）
- 對外 ID 與 docs/e2e-testing.md 的測試覆蓋矩陣對齊

新增 make e2e-list
- scripts/e2e-list.sh 掃 _test.go，分兩節印 contract tests + journeys；
  每個 journey 列出所有 step ID + 描述（Step 用 ▶、SkipStep 用 ⊘）

scripts 彩色 step banner + optional MailHog
- scripts/e2e-lib.sh 抽共用 helpers（e2e_step/info/ok/warn、e2e_print_services）
- e2e-run.sh / e2e-up.sh 改用 step banner + 服務面板（執行完印出 Mongo/Redis/
  Gateway/MailHog 的 URL）
- E2E_WITH_SMTP=1 會額外起 MailHog（http://localhost:8025），方便肉眼確認流程

k6 風格 user journey
- 新增 test/e2e/journey.go：NewJourney + Step + SkipStep + Summary，
  任一步 fail 自動 skip 後續，輸出 ▶ [J-x.y] 階層 banner
- J-1 Tenant Owner 入職第一天（12 steps）：/me → PATCH → email verify
  → phone verify → TOTP enroll/verify/replay/disable
- J-2 Tenant Admin 建 qa_engineer 角色 → 指派 → 二人視角驗證 → 撤銷（8 steps）
- J-3 Session 生命週期 refresh → /me → logout → 舊 token 401（4 steps，ZZZ 排最後）
- J-4 完整註冊 → 登入（5 steps stub，標 SkipStep；接 ZITADEL container 後改 Step 即可）
- make e2e-journey / make test-e2e-journey 拆獨立 target；e2e-run.sh 透過
  E2E_MODE=journey + E2E_TEST_PATTERN_ZZZ 切換

docs/e2e-testing.md
- 首節改為「我現在有哪些測試？make e2e-list」並附 banner 範例輸出
- 加 Journeys 章節：journey 列表、執行範例、失敗時的輸出、寫新 journey 範本
- 補 e2e-journey / test-e2e-journey / E2E_WITH_SMTP 環境變數

Co-authored-by: Cursor <cursoragent@cursor.com>

											
										
										
											2026-05-22 09:18:36 +00:00
+									e2eStep(t, "M-01", "GET", "/api/v1/members/me", "讀 profile（tenant/uid/status）")
-												add member totp

											
										
										
											2026-05-21 23:52:39 +00:00
+									c := NewClient(t)
 									env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me", nil, true)
 									var me struct {
 										TenantID string `json:"tenant_id"`
 										UID      string `json:"uid"`
 										Status   string `json:"status"`
 									}
 									require.NoError(t, json.Unmarshal(env.Data, &me))
 									require.Equal(t, c.Fixture.TenantID, me.TenantID)
 									require.Equal(t, c.Fixture.UID, me.UID)
 									require.Equal(t, "active", me.Status)
 								}
 								func TestMember_UpdateMe(t *testing.T) {
-												test(e2e): 加 banner / e2e-list / k6 風格 user journey

讓「我有哪些測試、現在在測什麼」一眼看得到，並補上跨 endpoint 的狀態流測試：

每個測試開頭印中文 banner
- 新增 e2eStep(t, id, method, path, desc) helper（test/e2e/setup_test.go）
- 17 個 contract test 開頭加 banner，go test -v 會逐個顯示
    ▶ [M-01] GET /api/v1/members/me — 讀 profile（tenant/uid/status）
- 對外 ID 與 docs/e2e-testing.md 的測試覆蓋矩陣對齊

新增 make e2e-list
- scripts/e2e-list.sh 掃 _test.go，分兩節印 contract tests + journeys；
  每個 journey 列出所有 step ID + 描述（Step 用 ▶、SkipStep 用 ⊘）

scripts 彩色 step banner + optional MailHog
- scripts/e2e-lib.sh 抽共用 helpers（e2e_step/info/ok/warn、e2e_print_services）
- e2e-run.sh / e2e-up.sh 改用 step banner + 服務面板（執行完印出 Mongo/Redis/
  Gateway/MailHog 的 URL）
- E2E_WITH_SMTP=1 會額外起 MailHog（http://localhost:8025），方便肉眼確認流程

k6 風格 user journey
- 新增 test/e2e/journey.go：NewJourney + Step + SkipStep + Summary，
  任一步 fail 自動 skip 後續，輸出 ▶ [J-x.y] 階層 banner
- J-1 Tenant Owner 入職第一天（12 steps）：/me → PATCH → email verify
  → phone verify → TOTP enroll/verify/replay/disable
- J-2 Tenant Admin 建 qa_engineer 角色 → 指派 → 二人視角驗證 → 撤銷（8 steps）
- J-3 Session 生命週期 refresh → /me → logout → 舊 token 401（4 steps，ZZZ 排最後）
- J-4 完整註冊 → 登入（5 steps stub，標 SkipStep；接 ZITADEL container 後改 Step 即可）
- make e2e-journey / make test-e2e-journey 拆獨立 target；e2e-run.sh 透過
  E2E_MODE=journey + E2E_TEST_PATTERN_ZZZ 切換

docs/e2e-testing.md
- 首節改為「我現在有哪些測試？make e2e-list」並附 banner 範例輸出
- 加 Journeys 章節：journey 列表、執行範例、失敗時的輸出、寫新 journey 範本
- 補 e2e-journey / test-e2e-journey / E2E_WITH_SMTP 環境變數

Co-authored-by: Cursor <cursoragent@cursor.com>

											
										
										
											2026-05-22 09:18:36 +00:00
+									e2eStep(t, "M-02", "PATCH", "/api/v1/members/me", "更新 display_name")
-												add member totp

											
										
										
											2026-05-21 23:52:39 +00:00
+									c := NewClient(t)
 									name := "E2E Updated Name"
 									env := c.DoExpectOK(t, http.MethodPatch, "/api/v1/members/me", map[string]string{
 										"display_name": name,
 									}, true)
 									var me struct {
 										DisplayName string `json:"display_name"`
 									}
 									require.NoError(t, json.Unmarshal(env.Data, &me))
 									require.Equal(t, name, me.DisplayName)
 								}
 								func TestMember_EmailVerification_FullFlow(t *testing.T) {
-												test(e2e): 加 banner / e2e-list / k6 風格 user journey

讓「我有哪些測試、現在在測什麼」一眼看得到，並補上跨 endpoint 的狀態流測試：

每個測試開頭印中文 banner
- 新增 e2eStep(t, id, method, path, desc) helper（test/e2e/setup_test.go）
- 17 個 contract test 開頭加 banner，go test -v 會逐個顯示
    ▶ [M-01] GET /api/v1/members/me — 讀 profile（tenant/uid/status）
- 對外 ID 與 docs/e2e-testing.md 的測試覆蓋矩陣對齊

新增 make e2e-list
- scripts/e2e-list.sh 掃 _test.go，分兩節印 contract tests + journeys；
  每個 journey 列出所有 step ID + 描述（Step 用 ▶、SkipStep 用 ⊘）

scripts 彩色 step banner + optional MailHog
- scripts/e2e-lib.sh 抽共用 helpers（e2e_step/info/ok/warn、e2e_print_services）
- e2e-run.sh / e2e-up.sh 改用 step banner + 服務面板（執行完印出 Mongo/Redis/
  Gateway/MailHog 的 URL）
- E2E_WITH_SMTP=1 會額外起 MailHog（http://localhost:8025），方便肉眼確認流程

k6 風格 user journey
- 新增 test/e2e/journey.go：NewJourney + Step + SkipStep + Summary，
  任一步 fail 自動 skip 後續，輸出 ▶ [J-x.y] 階層 banner
- J-1 Tenant Owner 入職第一天（12 steps）：/me → PATCH → email verify
  → phone verify → TOTP enroll/verify/replay/disable
- J-2 Tenant Admin 建 qa_engineer 角色 → 指派 → 二人視角驗證 → 撤銷（8 steps）
- J-3 Session 生命週期 refresh → /me → logout → 舊 token 401（4 steps，ZZZ 排最後）
- J-4 完整註冊 → 登入（5 steps stub，標 SkipStep；接 ZITADEL container 後改 Step 即可）
- make e2e-journey / make test-e2e-journey 拆獨立 target；e2e-run.sh 透過
  E2E_MODE=journey + E2E_TEST_PATTERN_ZZZ 切換

docs/e2e-testing.md
- 首節改為「我現在有哪些測試？make e2e-list」並附 banner 範例輸出
- 加 Journeys 章節：journey 列表、執行範例、失敗時的輸出、寫新 journey 範本
- 補 e2e-journey / test-e2e-journey / E2E_WITH_SMTP 環境變數

Co-authored-by: Cursor <cursoragent@cursor.com>

											
										
										
											2026-05-22 09:18:36 +00:00
+									e2eStep(t, "M-03/M-04", "POST", "/me/verifications/email/{start,confirm}", "業務 email OTP 申請 → 從 Redis 取碼 → 驗證 → email_verified=true")
-												add member totp

											
										
										
											2026-05-21 23:52:39 +00:00
+									c := NewClient(t)
 									target := "verified-e2e@example.com"
 									startEnv := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/email/start", map[string]string{
 										"target": target,
 									}, true)
 									var start struct {
 										ChallengeID string `json:"challenge_id"`
 										ExpiresIn   int    `json:"expires_in"`
 									}
 									require.NoError(t, json.Unmarshal(startEnv.Data, &start))
 									require.NotEmpty(t, start.ChallengeID)
 									require.Positive(t, start.ExpiresIn)
 									code := FetchE2EOTP(t, start.ChallengeID)
 									c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/email/confirm", map[string]string{
 										"challenge_id": start.ChallengeID,
 										"code":         code,
 									}, true)
 									env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me", nil, true)
 									var me struct {
 										BusinessEmail         string `json:"business_email"`
 										BusinessEmailVerified bool   `json:"business_email_verified"`
 									}
 									require.NoError(t, json.Unmarshal(env.Data, &me))
 									require.Equal(t, target, me.BusinessEmail)
 									require.True(t, me.BusinessEmailVerified)
 								}
 								func TestMember_PhoneVerification_FullFlow(t *testing.T) {
-												test(e2e): 加 banner / e2e-list / k6 風格 user journey

讓「我有哪些測試、現在在測什麼」一眼看得到，並補上跨 endpoint 的狀態流測試：

每個測試開頭印中文 banner
- 新增 e2eStep(t, id, method, path, desc) helper（test/e2e/setup_test.go）
- 17 個 contract test 開頭加 banner，go test -v 會逐個顯示
    ▶ [M-01] GET /api/v1/members/me — 讀 profile（tenant/uid/status）
- 對外 ID 與 docs/e2e-testing.md 的測試覆蓋矩陣對齊

新增 make e2e-list
- scripts/e2e-list.sh 掃 _test.go，分兩節印 contract tests + journeys；
  每個 journey 列出所有 step ID + 描述（Step 用 ▶、SkipStep 用 ⊘）

scripts 彩色 step banner + optional MailHog
- scripts/e2e-lib.sh 抽共用 helpers（e2e_step/info/ok/warn、e2e_print_services）
- e2e-run.sh / e2e-up.sh 改用 step banner + 服務面板（執行完印出 Mongo/Redis/
  Gateway/MailHog 的 URL）
- E2E_WITH_SMTP=1 會額外起 MailHog（http://localhost:8025），方便肉眼確認流程

k6 風格 user journey
- 新增 test/e2e/journey.go：NewJourney + Step + SkipStep + Summary，
  任一步 fail 自動 skip 後續，輸出 ▶ [J-x.y] 階層 banner
- J-1 Tenant Owner 入職第一天（12 steps）：/me → PATCH → email verify
  → phone verify → TOTP enroll/verify/replay/disable
- J-2 Tenant Admin 建 qa_engineer 角色 → 指派 → 二人視角驗證 → 撤銷（8 steps）
- J-3 Session 生命週期 refresh → /me → logout → 舊 token 401（4 steps，ZZZ 排最後）
- J-4 完整註冊 → 登入（5 steps stub，標 SkipStep；接 ZITADEL container 後改 Step 即可）
- make e2e-journey / make test-e2e-journey 拆獨立 target；e2e-run.sh 透過
  E2E_MODE=journey + E2E_TEST_PATTERN_ZZZ 切換

docs/e2e-testing.md
- 首節改為「我現在有哪些測試？make e2e-list」並附 banner 範例輸出
- 加 Journeys 章節：journey 列表、執行範例、失敗時的輸出、寫新 journey 範本
- 補 e2e-journey / test-e2e-journey / E2E_WITH_SMTP 環境變數

Co-authored-by: Cursor <cursoragent@cursor.com>

											
										
										
											2026-05-22 09:18:36 +00:00
+									e2eStep(t, "M-05/M-06", "POST", "/me/verifications/phone/{start,confirm}", "業務 phone OTP 申請 → 從 Redis 取碼 → 驗證 → phone_verified=true")
-												add member totp

											
										
										
											2026-05-21 23:52:39 +00:00
+									c := NewClient(t)
 									target := "+886912345678"
 									startEnv := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/phone/start", map[string]string{
 										"target": target,
 									}, true)
 									var start struct {
 										ChallengeID string `json:"challenge_id"`
 										ExpiresIn   int    `json:"expires_in"`
 									}
 									require.NoError(t, json.Unmarshal(startEnv.Data, &start))
 									require.NotEmpty(t, start.ChallengeID)
 									require.Positive(t, start.ExpiresIn)
 									code := FetchE2EOTP(t, start.ChallengeID)
 									c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/verifications/phone/confirm", map[string]string{
 										"challenge_id": start.ChallengeID,
 										"code":         code,
 									}, true)
 									env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me", nil, true)
 									var me struct {
 										BusinessPhone         string `json:"business_phone"`
 										BusinessPhoneVerified bool   `json:"business_phone_verified"`
 									}
 									require.NoError(t, json.Unmarshal(env.Data, &me))
 									require.Equal(t, target, me.BusinessPhone)
 									require.True(t, me.BusinessPhoneVerified)
 								}
 								func TestMember_TOTP_Status(t *testing.T) {
-												test(e2e): 加 banner / e2e-list / k6 風格 user journey

讓「我有哪些測試、現在在測什麼」一眼看得到，並補上跨 endpoint 的狀態流測試：

每個測試開頭印中文 banner
- 新增 e2eStep(t, id, method, path, desc) helper（test/e2e/setup_test.go）
- 17 個 contract test 開頭加 banner，go test -v 會逐個顯示
    ▶ [M-01] GET /api/v1/members/me — 讀 profile（tenant/uid/status）
- 對外 ID 與 docs/e2e-testing.md 的測試覆蓋矩陣對齊

新增 make e2e-list
- scripts/e2e-list.sh 掃 _test.go，分兩節印 contract tests + journeys；
  每個 journey 列出所有 step ID + 描述（Step 用 ▶、SkipStep 用 ⊘）

scripts 彩色 step banner + optional MailHog
- scripts/e2e-lib.sh 抽共用 helpers（e2e_step/info/ok/warn、e2e_print_services）
- e2e-run.sh / e2e-up.sh 改用 step banner + 服務面板（執行完印出 Mongo/Redis/
  Gateway/MailHog 的 URL）
- E2E_WITH_SMTP=1 會額外起 MailHog（http://localhost:8025），方便肉眼確認流程

k6 風格 user journey
- 新增 test/e2e/journey.go：NewJourney + Step + SkipStep + Summary，
  任一步 fail 自動 skip 後續，輸出 ▶ [J-x.y] 階層 banner
- J-1 Tenant Owner 入職第一天（12 steps）：/me → PATCH → email verify
  → phone verify → TOTP enroll/verify/replay/disable
- J-2 Tenant Admin 建 qa_engineer 角色 → 指派 → 二人視角驗證 → 撤銷（8 steps）
- J-3 Session 生命週期 refresh → /me → logout → 舊 token 401（4 steps，ZZZ 排最後）
- J-4 完整註冊 → 登入（5 steps stub，標 SkipStep；接 ZITADEL container 後改 Step 即可）
- make e2e-journey / make test-e2e-journey 拆獨立 target；e2e-run.sh 透過
  E2E_MODE=journey + E2E_TEST_PATTERN_ZZZ 切換

docs/e2e-testing.md
- 首節改為「我現在有哪些測試？make e2e-list」並附 banner 範例輸出
- 加 Journeys 章節：journey 列表、執行範例、失敗時的輸出、寫新 journey 範本
- 補 e2e-journey / test-e2e-journey / E2E_WITH_SMTP 環境變數

Co-authored-by: Cursor <cursoragent@cursor.com>

											
										
										
											2026-05-22 09:18:36 +00:00
+									e2eStep(t, "M-07", "GET", "/api/v1/members/me/totp", "查 TOTP 狀態（初始 enrolled=false）")
-												add member totp

											
										
										
											2026-05-21 23:52:39 +00:00
+									c := NewClient(t)
 									env := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me/totp", nil, true)
 									var st struct {
 										Enrolled bool `json:"enrolled"`
 									}
 									require.NoError(t, json.Unmarshal(env.Data, &st))
 									require.False(t, st.Enrolled)
 								}
 								func TestMember_TOTP_FullFlow(t *testing.T) {
-												test(e2e): 加 banner / e2e-list / k6 風格 user journey

讓「我有哪些測試、現在在測什麼」一眼看得到，並補上跨 endpoint 的狀態流測試：

每個測試開頭印中文 banner
- 新增 e2eStep(t, id, method, path, desc) helper（test/e2e/setup_test.go）
- 17 個 contract test 開頭加 banner，go test -v 會逐個顯示
    ▶ [M-01] GET /api/v1/members/me — 讀 profile（tenant/uid/status）
- 對外 ID 與 docs/e2e-testing.md 的測試覆蓋矩陣對齊

新增 make e2e-list
- scripts/e2e-list.sh 掃 _test.go，分兩節印 contract tests + journeys；
  每個 journey 列出所有 step ID + 描述（Step 用 ▶、SkipStep 用 ⊘）

scripts 彩色 step banner + optional MailHog
- scripts/e2e-lib.sh 抽共用 helpers（e2e_step/info/ok/warn、e2e_print_services）
- e2e-run.sh / e2e-up.sh 改用 step banner + 服務面板（執行完印出 Mongo/Redis/
  Gateway/MailHog 的 URL）
- E2E_WITH_SMTP=1 會額外起 MailHog（http://localhost:8025），方便肉眼確認流程

k6 風格 user journey
- 新增 test/e2e/journey.go：NewJourney + Step + SkipStep + Summary，
  任一步 fail 自動 skip 後續，輸出 ▶ [J-x.y] 階層 banner
- J-1 Tenant Owner 入職第一天（12 steps）：/me → PATCH → email verify
  → phone verify → TOTP enroll/verify/replay/disable
- J-2 Tenant Admin 建 qa_engineer 角色 → 指派 → 二人視角驗證 → 撤銷（8 steps）
- J-3 Session 生命週期 refresh → /me → logout → 舊 token 401（4 steps，ZZZ 排最後）
- J-4 完整註冊 → 登入（5 steps stub，標 SkipStep；接 ZITADEL container 後改 Step 即可）
- make e2e-journey / make test-e2e-journey 拆獨立 target；e2e-run.sh 透過
  E2E_MODE=journey + E2E_TEST_PATTERN_ZZZ 切換

docs/e2e-testing.md
- 首節改為「我現在有哪些測試？make e2e-list」並附 banner 範例輸出
- 加 Journeys 章節：journey 列表、執行範例、失敗時的輸出、寫新 journey 範本
- 補 e2e-journey / test-e2e-journey / E2E_WITH_SMTP 環境變數

Co-authored-by: Cursor <cursoragent@cursor.com>

											
										
										
											2026-05-22 09:18:36 +00:00
+									e2eStep(t, "M-08~M-12", "POST", "/me/totp/*", "TOTP 全鏈路：enroll-start → confirm → verify → replay 403 → backup-codes → DELETE")
-												add member totp

											
										
										
											2026-05-21 23:52:39 +00:00
+									c := NewClient(t)
 									startEnv := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/enroll-start", nil, true)
 									var start struct {
 										OtpauthURL string `json:"otpauth_url"`
 										Digits     int    `json:"digits"`
 										PeriodSec  int    `json:"period_seconds"`
 									}
 									require.NoError(t, json.Unmarshal(startEnv.Data, &start))
 									require.NotEmpty(t, start.OtpauthURL)
 									require.Positive(t, start.Digits)
 									require.Positive(t, start.PeriodSec)
 									code := codeFromOtpauthURL(t, start.OtpauthURL, start.Digits, start.PeriodSec)
 									confirmEnv := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/enroll-confirm", map[string]string{
 										"code": code,
 									}, true)
 									var confirmed struct {
 										BackupCodes []string `json:"backup_codes"`
 									}
 									require.NoError(t, json.Unmarshal(confirmEnv.Data, &confirmed))
 									require.NotEmpty(t, confirmed.BackupCodes)
 									statusEnv := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me/totp", nil, true)
 									var status struct {
 										Enrolled             bool `json:"enrolled"`
 										BackupCodesRemaining int  `json:"backup_codes_remaining"`
 									}
 									require.NoError(t, json.Unmarshal(statusEnv.Data, &status))
 									require.True(t, status.Enrolled)
 									require.Equal(t, len(confirmed.BackupCodes), status.BackupCodesRemaining)
 									c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/verify", map[string]string{
 										"code": code,
 									}, true)
 									replayEnv := c.DoExpectHTTP(t, http.MethodPost, "/api/v1/members/me/totp/verify", map[string]string{
 										"code": code,
 									}, true, http.StatusForbidden)
 									require.NotEqual(t, int64(successCode), replayEnv.Code)
 									backupEnv := c.DoExpectOK(t, http.MethodPost, "/api/v1/members/me/totp/backup-codes", nil, true)
 									var backup struct {
 										BackupCodes []string `json:"backup_codes"`
 									}
 									require.NoError(t, json.Unmarshal(backupEnv.Data, &backup))
 									require.NotEmpty(t, backup.BackupCodes)
 									c.DoExpectOK(t, http.MethodDelete, "/api/v1/members/me/totp", nil, true)
 									finalEnv := c.DoExpectOK(t, http.MethodGet, "/api/v1/members/me/totp", nil, true)
 									var finalStatus struct {
 										Enrolled bool `json:"enrolled"`
 									}
 									require.NoError(t, json.Unmarshal(finalEnv.Data, &finalStatus))
 									require.False(t, finalStatus.Enrolled)
 								}
 								func codeFromOtpauthURL(t *testing.T, rawURL string, digits, periodSec int) string {
 									t.Helper()
 									u, err := url.Parse(rawURL)
 									require.NoError(t, err)
 									require.Equal(t, "otpauth", u.Scheme)
 									require.Equal(t, "totp", u.Host)
 									q := u.Query()
 									secret, err := membertotp.DecodeSecret(q.Get("secret"))
 									require.NoError(t, err)
 									if digits <= 0 {
 										digits, _ = strconv.Atoi(q.Get("digits"))
 									}
 									if periodSec <= 0 {
 										periodSec, _ = strconv.Atoi(q.Get("period"))
 									}
 									code, err := membertotp.Generate(secret, time.Now(), time.Duration(periodSec)*time.Second, digits)
 									require.NoError(t, err)
 									return code
 								}