import { describe, it, expect, beforeEach, afterEach } from 'vitest';
import { createTestApp, type TestContext } from '../helpers/setup.ts';
import { createUser } from '../../src/db/users.ts';
import { hashPassword } from '../../src/services/auth.ts';

describe('POST /api/v1/auth/login', () => {
  let ctx: TestContext;

  beforeEach(async () => {
    ctx = createTestApp();
    const hash = await hashPassword('secret');
    createUser(ctx.db, { username: 'alice', passwordHash: hash });
  });

  afterEach(async () => {
    await ctx.app.close();
    ctx.cleanup();
  });

  it('returns 200 and sets cookie on valid credentials', async () => {
    const res = await ctx.app.inject({
      method: 'POST',
      url: '/api/v1/auth/login',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ username: 'alice', password: 'secret' }),
    });
    expect(res.statusCode).toBe(200);
    expect(res.json()).toEqual({ ok: true });
    expect(res.headers['set-cookie']).toMatch(/token=/);
  });

  it('returns 401 on wrong password', async () => {
    const res = await ctx.app.inject({
      method: 'POST',
      url: '/api/v1/auth/login',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ username: 'alice', password: 'wrong' }),
    });
    expect(res.statusCode).toBe(401);
  });

  it('returns 401 on unknown user', async () => {
    const res = await ctx.app.inject({
      method: 'POST',
      url: '/api/v1/auth/login',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ username: 'ghost', password: 'x' }),
    });
    expect(res.statusCode).toBe(401);
  });

  it('returns 400 when fields are missing', async () => {
    const res = await ctx.app.inject({
      method: 'POST',
      url: '/api/v1/auth/login',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ username: 'alice' }),
    });
    expect(res.statusCode).toBe(400);
  });
});

describe('POST /api/v1/auth/logout', () => {
  let ctx: TestContext;
  let token: string;

  beforeEach(async () => {
    ctx = createTestApp();
    const hash = await hashPassword('secret');
    createUser(ctx.db, { username: 'alice', passwordHash: hash });

    const res = await ctx.app.inject({
      method: 'POST',
      url: '/api/v1/auth/login',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ username: 'alice', password: 'secret' }),
    });
    const cookie = res.headers['set-cookie'] as string;
    token = cookie.split(';')[0].replace('token=', '');
  });

  afterEach(async () => {
    await ctx.app.close();
    ctx.cleanup();
  });

  it('clears cookie on logout', async () => {
    const res = await ctx.app.inject({
      method: 'POST',
      url: '/api/v1/auth/logout',
      cookies: { token },
    });
    expect(res.statusCode).toBe(200);
    expect(res.headers['set-cookie']).toMatch(/token=;/);
  });

  it('returns 401 without cookie', async () => {
    const res = await ctx.app.inject({ method: 'POST', url: '/api/v1/auth/logout' });
    expect(res.statusCode).toBe(401);
  });
});