E2E: partner signup (dubinc#3613)

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: devkiran

.github/workflows/playwright.yaml

@@ -49,7 +49,11 @@ jobs:
       AXIOM_TOKEN: ""
       AXIOM_DATASET: ""
 
-      RESEND_API_KEY: "xx"
+      # RESEND_API_KEY must be unset so emails route through SMTP to MailHog
+      SMTP_HOST: "localhost"
+      SMTP_PORT: "1025"
+      SMTP_USER: "smtpUser"
+      SMTP_PASSWORD: "smtpPassword"
 
       EMBEDDING_SYNC_SECRET: "xx"
       ANTHROPIC_API_KEY: "xx"
@@ -77,6 +81,12 @@ jobs:
         ports:
           - 3306:3306
 
+      mailhog:
+        image: mailhog/mailhog:latest
+        ports:
+          - 1025:1025
+          - 8025:8025
+
     steps:
       - name: Check out code
         uses: actions/checkout@v4
@@ -127,23 +137,6 @@ jobs:
         working-directory: apps/web
         run: pnpm tsx playwright/seed.ts
 
-      # - name: Cache Next.js build
-      #   uses: actions/cache@v4
-      #   with:
-      #     path: apps/web/.next/cache
-      #     key: nextjs-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}-${{ hashFiles('apps/web/**/*.ts', 'apps/web/**/*.tsx') }}
-      #     restore-keys: |
-      #       nextjs-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}-
-      #       nextjs-${{ runner.os }}-
-
-      # - name: Cache Turbo
-      #   uses: actions/cache@v4
-      #   with:
-      #     path: .turbo
-      #     key: turbo-${{ runner.os }}-${{ github.sha }}
-      #     restore-keys: |
-      #       turbo-${{ runner.os }}-
-
       - name: Build application
         run: pnpm turbo build --filter=web
 

apps/web/lib/actions/create-user-account.ts

@@ -6,6 +6,7 @@ import { waitUntil } from "@vercel/functions";
 import { flattenValidationErrors } from "next-safe-action";
 import * as z from "zod/v4";
 import { createId } from "../api/create-id";
+import { skipAuthThrottling } from "../api/environment";
 import { hashPassword } from "../auth/password";
 import { signUpSchema } from "../zod/schemas/auth";
 import { throwIfAuthenticated } from "./auth/throw-if-authenticated";
@@ -30,13 +31,17 @@ export const createUserAccountAction = actionClient
 
     const signupAttemptKey = `signup:attempts:${email}`;
 
-    const { remaining: attemptsRemaining } = await ratelimit(
-      MAX_OTP_ATTEMPTS,
-      OTP_LOCKOUT_DURATION,
-    ).getRemaining(signupAttemptKey);
+    if (!skipAuthThrottling) {
+      const { remaining: attemptsRemaining } = await ratelimit(
+        MAX_OTP_ATTEMPTS,
+        OTP_LOCKOUT_DURATION,
+      ).getRemaining(signupAttemptKey);
 
-    if (attemptsRemaining <= 0) {
-      throw new Error("Too many failed attempts. You have to try again later.");
+      if (attemptsRemaining <= 0) {
+        throw new Error(
+          "Too many failed attempts. You have to try again later.",
+        );
+      }
     }
 
     const verificationToken = await prisma.emailVerificationToken.findUnique({

apps/web/playwright/README.md

@@ -8,18 +8,30 @@
    pnpm --filter web exec playwright install chromium
    ```
 
-2. Set environment variables in `apps/web/.env`:
+2. Start MailHog (used for email verification during signup):
 
    ```sh
-   # Required for credential-based tests
-   E2E_PARTNER_EMAIL=your-test-partner@example.com
-   E2E_PARTNER_PASSWORD=your-test-password
+   docker-compose -f apps/web/docker-compose.yml up -d mailhog
+   ```
+
+3. Set environment variables in `apps/web/.env`:
+
+   ```sh
+   # Required for login tests (seeded user)
+   E2E_PARTNER_EMAIL=partner1@dub-internal-test.com
+   E2E_PARTNER_PASSWORD=password
+
+   # SMTP must point to MailHog — signup tests read OTP emails from it
+   SMTP_HOST=localhost
+   SMTP_PORT=1025
+
+   # RESEND_API_KEY must NOT be set, otherwise emails go to Resend instead of MailHog
 
    # Optional — defaults to http://partners.localhost:8888
    PLAYWRIGHT_BASE_URL=http://partners.localhost:8888
    ```
 
-   The test user must exist in your local database with a password and ideally a partner profile. Partner onboarding tests use the same credentials; the onboarding flow will create or update the partner record (no separate onboarding-only user required).
+   The seeded test user (`E2E_PARTNER_EMAIL`) must exist in your local database — run `tsx apps/web/playwright/seed.ts` to create it. Signup tests generate a fresh user each run via MailHog email verification.
 
 ## Running tests
 

apps/web/playwright/auth.setup.ts

@@ -1,17 +1,46 @@
-import { expect, test as setup } from "@playwright/test";
-import { env } from "./env";
+import { nanoid } from "@dub/utils";
+import { expect, test } from "@playwright/test";
+import { extractOtp, waitForEmail } from "./mailhog";
+
+// Must satisfy: 8+ chars, uppercase, lowercase, digit
+const SIGNUP_PASSWORD = "Password123";
 
 const authFile = "playwright/.auth/partner.json";
 
-setup("authenticate as partner", async ({ page }) => {
-  await page.goto("/login");
-  await page.locator('input[name="email"]').fill(env.E2E_PARTNER_EMAIL);
-  await page.getByRole("button", { name: "Log in with email" }).click();
-  await expect(page.locator('input[type="password"]')).toBeVisible();
-  await page.locator('input[type="password"]').fill(env.E2E_PARTNER_PASSWORD);
-  await page.getByRole("button", { name: "Log in with password" }).click();
-  await page.waitForURL((url) =>
-    /^\/(programs|onboarding)/.test(new URL(url).pathname),
-  );
+test("sign up and verify new partner", async ({ page }) => {
+  const email = `${nanoid(10)}@dub-internal-test.com`;
+
+  // Go to registration page
+  await page.goto("/register");
+
+  // Step 1: Enter email and reveal password field
+  await page.locator('input[name="email"]').fill(email);
+  await page.getByRole("button", { name: "Sign Up" }).click();
+
+  // Step 2: Enter password and submit
+  const passwordInput = page.locator('input[name="password"]');
+  await expect(passwordInput).toBeVisible();
+  await passwordInput.fill(SIGNUP_PASSWORD);
+  await page.getByRole("button", { name: "Sign Up" }).click();
+
+  // Step 3: Verify email via OTP from MailHog
+  await expect(
+    page.getByRole("heading", { name: "Verify your email address" }),
+  ).toBeVisible();
+
+  const message = await waitForEmail(email);
+  const otp = extractOtp(message);
+
+  // The OTP input auto-focuses on desktop — type the digits directly
+  await page.keyboard.type(otp);
+
+  // Step 4: Wait for redirect to onboarding after auto-submit
+  // CI is slower; use domcontentloaded so we don't wait for full page load (images, etc.)
+  await page.waitForURL(/\/onboarding/, {
+    timeout: process.env.CI ? 30_000 : 15_000,
+    waitUntil: "domcontentloaded",
+  });
+
+  // Save authenticated state
   await page.context().storageState({ path: authFile });
 });

apps/web/playwright/mailhog.ts

@@ -0,0 +1,53 @@
+const MAILHOG_API = "http://localhost:8025/api";
+
+interface MailHogMessage {
+  Content: {
+    Body: string;
+    Headers: Record<string, string[]>;
+  };
+}
+
+interface MailHogSearchResponse {
+  total: number;
+  count: number;
+  start: number;
+  items: MailHogMessage[];
+}
+
+// Poll MailHog until an email arrives for the given recipient.
+export async function waitForEmail(
+  to: string,
+  { timeout = 30_000, interval = 1_000 } = {},
+): Promise<MailHogMessage> {
+  const deadline = Date.now() + timeout;
+
+  while (Date.now() < deadline) {
+    const res = await fetch(
+      `${MAILHOG_API}/v2/search?kind=to&query=${encodeURIComponent(to)}`,
+    );
+
+    if (res.ok) {
+      const data: MailHogSearchResponse = await res.json();
+
+      if (data.total > 0) {
+        return data.items[0];
+      }
+    }
+
+    await new Promise((r) => setTimeout(r, interval));
+  }
+
+  throw new Error(`No email received for ${to} within ${timeout}ms`);
+}
+
+// Extract the 6-digit OTP code from a MailHog message body.
+export function extractOtp(message: MailHogMessage): string {
+  const body = message.Content.Body;
+  const match = body.match(/\b(\d{6})\b/);
+
+  if (!match) {
+    throw new Error("Could not extract OTP from email body");
+  }
+
+  return match[1];
+}