package auth

import (
	"net/http"
	"testing"

	"ds2api/internal/config"
)

func TestJWTCreateVerify(t *testing.T) {
	token, err := CreateJWT(1)
	if err != nil {
		t.Fatalf("create jwt failed: %v", err)
	}
	payload, err := VerifyJWT(token)
	if err != nil {
		t.Fatalf("verify jwt failed: %v", err)
	}
	if payload["role"] != "admin" {
		t.Fatalf("unexpected payload: %#v", payload)
	}
}

func TestVerifyAdminRequest(t *testing.T) {
	token, _ := CreateJWT(1)
	req, _ := http.NewRequest(http.MethodGet, "/admin/config", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	if err := VerifyAdminRequest(req); err != nil {
		t.Fatalf("expected token accepted: %v", err)
	}
}

func TestVerifyJWTWithStoreValidAfter(t *testing.T) {
	t.Setenv("DS2API_CONFIG_JSON", `{"admin":{"password_hash":"`+HashAdminPassword("oldpass")+`"}}`)
	store := config.LoadStore()
	token, err := CreateJWTWithStore(1, store)
	if err != nil {
		t.Fatalf("create jwt failed: %v", err)
	}
	if _, err := VerifyJWTWithStore(token, store); err != nil {
		t.Fatalf("verify before invalidation failed: %v", err)
	}
	if err := store.Update(func(c *config.Config) error {
		c.Admin.JWTValidAfterUnix = 1<<62 - 1
		return nil
	}); err != nil {
		t.Fatalf("set valid-after failed: %v", err)
	}
	if _, err := VerifyJWTWithStore(token, store); err == nil {
		t.Fatal("expected token invalid after valid-after update")
	}
}

func TestVerifyJWTWithStoreSameSecondInvalidationAndRelogin(t *testing.T) {
	t.Setenv("DS2API_CONFIG_JSON", `{"admin":{"password_hash":"`+HashAdminPassword("oldpass")+`"}}`)
	store := config.LoadStore()

	oldToken, err := CreateJWTWithStore(1, store)
	if err != nil {
		t.Fatalf("create old jwt failed: %v", err)
	}
	oldPayload, err := VerifyJWTWithStore(oldToken, store)
	if err != nil {
		t.Fatalf("verify old jwt before invalidation failed: %v", err)
	}
	oldIAT, _ := oldPayload["iat"].(float64)

	if err := store.Update(func(c *config.Config) error {
		c.Admin.JWTValidAfterUnix = int64(oldIAT)
		return nil
	}); err != nil {
		t.Fatalf("set valid-after failed: %v", err)
	}

	if _, err := VerifyJWTWithStore(oldToken, store); err == nil {
		t.Fatal("expected old token invalid when iat == valid-after")
	}

	newToken, err := CreateJWTWithStore(1, store)
	if err != nil {
		t.Fatalf("create new jwt failed: %v", err)
	}
	if _, err := VerifyJWTWithStore(newToken, store); err != nil {
		t.Fatalf("expected new token valid after invalidation cutoff: %v", err)
	}
}