package server

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"testing"

	"git.wntrmute.dev/kyle/mcr/internal/auth"
)

func TestRoutesV2Authenticated(t *testing.T) {
	t.Helper()
	validator := &fakeValidator{
		claims: &auth.Claims{Subject: "alice", AccountType: "user", Roles: []string{"reader"}},
	}
	loginClient := &fakeLoginClient{token: "tok-abc", expiresIn: 3600}
	router := NewRouter(validator, loginClient, "mcr-test", nil)

	req := httptest.NewRequest(http.MethodGet, "/v2/", nil)
	req.Header.Set("Authorization", "Bearer valid-token")
	rec := httptest.NewRecorder()

	router.ServeHTTP(rec, req)

	if rec.Code != http.StatusOK {
		t.Fatalf("status: got %d, want %d", rec.Code, http.StatusOK)
	}

	ct := rec.Header().Get("Content-Type")
	if ct != "application/json" {
		t.Fatalf("Content-Type: got %q, want %q", ct, "application/json")
	}

	body := rec.Body.String()
	if body != "{}" {
		t.Fatalf("body: got %q, want %q", body, "{}")
	}
}

func TestRoutesV2Unauthenticated(t *testing.T) {
	t.Helper()
	validator := &fakeValidator{claims: nil, err: auth.ErrUnauthorized}
	loginClient := &fakeLoginClient{}
	router := NewRouter(validator, loginClient, "mcr-test", nil)

	req := httptest.NewRequest(http.MethodGet, "/v2/", nil)
	// No Authorization header.
	rec := httptest.NewRecorder()

	router.ServeHTTP(rec, req)

	if rec.Code != http.StatusUnauthorized {
		t.Fatalf("status: got %d, want %d", rec.Code, http.StatusUnauthorized)
	}

	wwwAuth := rec.Header().Get("WWW-Authenticate")
	want := `Bearer realm="/v2/token",service="mcr-test"`
	if wwwAuth != want {
		t.Fatalf("WWW-Authenticate: got %q, want %q", wwwAuth, want)
	}
}

func TestRoutesTokenEndpoint(t *testing.T) {
	t.Helper()
	// The validator should never be called for /v2/token.
	validator := &fakeValidator{claims: nil, err: auth.ErrUnauthorized}
	loginClient := &fakeLoginClient{token: "tok-from-login", expiresIn: 1800}
	router := NewRouter(validator, loginClient, "mcr-test", nil)

	req := httptest.NewRequest(http.MethodGet, "/v2/token", nil)
	req.SetBasicAuth("bob", "password")
	rec := httptest.NewRecorder()

	router.ServeHTTP(rec, req)

	if rec.Code != http.StatusOK {
		t.Fatalf("status: got %d, want %d", rec.Code, http.StatusOK)
	}

	var resp tokenResponse
	if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil {
		t.Fatalf("decode response: %v", err)
	}
	if resp.Token != "tok-from-login" {
		t.Fatalf("token: got %q, want %q", resp.Token, "tok-from-login")
	}
	if resp.ExpiresIn != 1800 {
		t.Fatalf("expires_in: got %d, want %d", resp.ExpiresIn, 1800)
	}
	if resp.IssuedAt == "" {
		t.Fatal("issued_at: expected non-empty RFC 3339 timestamp")
	}
}