package auth

import (
	"log/slog"
	"testing"
)

// TestTokenHash checks three properties of tokenHash: the same token always
// maps to the same digest, two different tokens map to different digests, and
// the result is 64 characters long (the length of a hex-encoded SHA-256).
func TestTokenHash(t *testing.T) {
	first := tokenHash("token-abc")
	repeat := tokenHash("token-abc")
	other := tokenHash("token-def")

	// Determinism: hashing the same token twice must give one stable value.
	if first != repeat {
		t.Error("same input should produce same hash")
	}

	// Distinct tokens must not share a digest.
	// NOTE(review): presumably the digest is used to key cached claims, in
	// which case a shared digest would mix up two tokens' entries; confirm
	// against the caller.
	if first == other {
		t.Error("different inputs should produce different hashes")
	}

	// SHA-256 hex
	if n := len(first); n != 64 {
		t.Errorf("hash length: got %d, want 64", n)
	}
}

// TestHasAdminRole checks that hasAdminRole reports true only when "admin" is
// among the roles, and false for a role list without it and for nil.
func TestHasAdminRole(t *testing.T) {
	cases := []struct {
		roles []string
		want  bool
		msg   string
	}{
		{[]string{"user", "admin"}, true, "should detect admin role"},
		{[]string{"user", "operator"}, false, "should not detect admin role when absent"},
		// A missing role list must fail closed: no roles, no admin.
		{nil, false, "nil roles should not be admin"},
	}

	for _, tc := range cases {
		if hasAdminRole(tc.roles) != tc.want {
			t.Error(tc.msg)
		}
	}
}

// TestNewAuthenticator checks that the constructor returns a non-nil
// Authenticator whose cache map is already allocated.
func TestNewAuthenticator(t *testing.T) {
	// The first argument is passed as nil; what it configures is not visible
	// in this file.
	auth := NewAuthenticator(nil, slog.Default())
	if auth == nil {
		t.Fatal("NewAuthenticator returned nil")
	}

	if auth.cache == nil {
		t.Error("cache should be initialized")
	}
}

// TestClearCache seeds one cache entry and checks that ClearCache leaves the
// cache empty, so no previously cached claims remain.
func TestClearCache(t *testing.T) {
	auth := NewAuthenticator(nil, slog.Default())

	entry := &cachedClaims{info: &TokenInfo{Username: "test"}}
	auth.cache["test"] = entry

	auth.ClearCache()

	if remaining := len(auth.cache); remaining != 0 {
		t.Error("cache should be empty after clear")
	}
}