#!/bin/bash # Phase 5: Cross-Task Integration Journey (Scenarios 42-51) # 10-step end-to-end workflow testing via API source /tmp/qa-test-env.sh echo "==========================================" echo "Phase 5: Integration Journey (S42-S51)" echo "==========================================" echo "" # Step 1-2: Login as admin, select Tennis Club (already authenticated via tokens) echo "=== STEP 1-2: Admin Authentication + Tennis Club Context ===" echo "Token: ${TOKEN_ADMIN:0:20}..." echo "Tenant: $TENANT_TENNIS (Tennis Club)" echo "✅ Using pre-acquired admin token with Tennis Club context" echo "" # Step 3: Create task "Replace court net" echo "=== STEP 3: Create Task 'Replace court net' ===" CREATE_RESULT=$(curl -s -X POST "$API_BASE/api/tasks" \ -H "Authorization: Bearer $TOKEN_ADMIN" \ -H "X-Tenant-Id: $TENANT_TENNIS" \ -H "Content-Type: application/json" \ -d '{ "title": "Replace court net", "description": "Replace worn center court net with new professional-grade net", "dueDate": "2026-03-20T23:59:59Z" }') JOURNEY_TASK_ID=$(echo $CREATE_RESULT | jq -r '.id') echo "Created task ID: $JOURNEY_TASK_ID" echo $CREATE_RESULT | jq '.' echo "" # Step 4: Assign to member1 echo "=== STEP 4: Assign Task to member1 ===" # Get member1's user ID from token MEMBER1_SUB=$(curl -s -X POST "$AUTH_URL" \ -d "client_id=workclub-app" \ -d "grant_type=password" \ -d "username=$USER_MEMBER1" \ -d "password=$PASSWORD" | jq -r '.access_token' | cut -d'.' -f2 | base64 -d 2>/dev/null | jq -r '.sub') echo "Member1 sub: $MEMBER1_SUB" ASSIGN_RESULT=$(curl -s -X PATCH "$API_BASE/api/tasks/$JOURNEY_TASK_ID" \ -H "Authorization: Bearer $TOKEN_ADMIN" \ -H "X-Tenant-Id: $TENANT_TENNIS" \ -H "Content-Type: application/json" \ -d "{\"status\":\"Assigned\",\"assigneeId\":\"$MEMBER1_SUB\"}") echo "Task assigned:" echo $ASSIGN_RESULT | jq '.' echo "" # Step 5: Login as member1, transition Open → InProgress echo "=== STEP 5: Member1 Transitions Assigned → InProgress ===" PROGRESS_RESULT=$(curl -s -X PATCH "$API_BASE/api/tasks/$JOURNEY_TASK_ID" \ -H "Authorization: Bearer $TOKEN_MEMBER1" \ -H "X-Tenant-Id: $TENANT_TENNIS" \ -H "Content-Type: application/json" \ -d '{"status":"InProgress"}') echo "Transitioned to InProgress:" echo $PROGRESS_RESULT | jq '.' echo "" # Step 6: Transition InProgress → Review echo "=== STEP 6: Member1 Transitions InProgress → Review ===" REVIEW_RESULT=$(curl -s -X PATCH "$API_BASE/api/tasks/$JOURNEY_TASK_ID" \ -H "Authorization: Bearer $TOKEN_MEMBER1" \ -H "X-Tenant-Id: $TENANT_TENNIS" \ -H "Content-Type: application/json" \ -d '{"status":"Review"}') echo "Transitioned to Review:" echo $REVIEW_RESULT | jq '.' echo "" # Step 7: Login as admin, transition Review → Done echo "=== STEP 7: Admin Approves - Review → Done ===" DONE_RESULT=$(curl -s -X PATCH "$API_BASE/api/tasks/$JOURNEY_TASK_ID" \ -H "Authorization: Bearer $TOKEN_ADMIN" \ -H "X-Tenant-Id: $TENANT_TENNIS" \ -H "Content-Type: application/json" \ -d '{"status":"Done"}') echo "Task completed:" echo $DONE_RESULT | jq '.' echo "" # Step 8: Switch to Cycling Club echo "=== STEP 8: Switch Context to Cycling Club ===" echo "New Tenant: $TENANT_CYCLING (Cycling Club)" echo "" # Step 9: Verify Tennis tasks NOT visible in Cycling Club echo "=== STEP 9: Verify Tenant Isolation - Tennis Task Invisible ===" ISOLATION_CHECK=$(curl -s "$API_BASE/api/tasks/$JOURNEY_TASK_ID" \ -H "Authorization: Bearer $TOKEN_ADMIN" \ -H "X-Tenant-Id: $TENANT_CYCLING") ISOLATION_STATUS=$(curl -s -w "%{http_code}" -o /dev/null "$API_BASE/api/tasks/$JOURNEY_TASK_ID" \ -H "Authorization: Bearer $TOKEN_ADMIN" \ -H "X-Tenant-Id: $TENANT_CYCLING") echo "Attempting to access Tennis task from Cycling Club context..." echo "HTTP Status: $ISOLATION_STATUS" if [ "$ISOLATION_STATUS" = "404" ]; then echo "✅ PASS: Task correctly isolated (404 Not Found)" else echo "❌ FAIL: Task visible across tenants (security issue!)" echo "Response: $ISOLATION_CHECK" fi echo "" # Step 10: Create shift in Cycling Club, sign up, verify capacity echo "=== STEP 10: Cycling Club - Create Shift + Signup ===" SHIFT_RESULT=$(curl -s -X POST "$API_BASE/api/shifts" \ -H "Authorization: Bearer $TOKEN_ADMIN" \ -H "X-Tenant-Id: $TENANT_CYCLING" \ -H "Content-Type: application/json" \ -d '{ "title": "Bike Maintenance Workshop", "description": "Monthly bike maintenance and repair workshop", "startTime": "2026-03-22T10:00:00Z", "endTime": "2026-03-22T14:00:00Z", "capacity": 2, "requiredRole": "Member" }') JOURNEY_SHIFT_ID=$(echo $SHIFT_RESULT | jq -r '.id') echo "Created shift ID: $JOURNEY_SHIFT_ID" echo $SHIFT_RESULT | jq '.' echo "" echo "Signing up member1 for shift..." SIGNUP_RESULT=$(curl -s -w "\nHTTP:%{http_code}" -X POST "$API_BASE/api/shifts/$JOURNEY_SHIFT_ID/signup" \ -H "Authorization: Bearer $TOKEN_MEMBER1" \ -H "X-Tenant-Id: $TENANT_CYCLING") echo "$SIGNUP_RESULT" echo "" echo "Verifying shift capacity (1/2 filled)..." SHIFT_CHECK=$(curl -s "$API_BASE/api/shifts/$JOURNEY_SHIFT_ID" \ -H "Authorization: Bearer $TOKEN_ADMIN" \ -H "X-Tenant-Id: $TENANT_CYCLING") SIGNUP_COUNT=$(echo $SHIFT_CHECK | jq '.signups | length') echo "Current signups: $SIGNUP_COUNT / 2" if [ "$SIGNUP_COUNT" = "1" ]; then echo "✅ PASS: Signup recorded correctly" else echo "❌ FAIL: Signup count mismatch" fi echo "" echo "==========================================" echo "Integration Journey Complete!" echo "==========================================" echo "Summary:" echo " - Created task in Tennis Club: $JOURNEY_TASK_ID" echo " - Assigned to member1, progressed through all states" echo " - Verified tenant isolation (Tennis task invisible from Cycling)" echo " - Created shift in Cycling Club: $JOURNEY_SHIFT_ID" echo " - Verified shift signup and capacity tracking" echo ""