import { describe, it, expect, beforeAll } from "vitest";
import { NextRequest } from "next/server";

const SECRET = "test-secret";
beforeAll(() => {
  process.env.AUTH_SECRET = SECRET;
  process.env.OPERATOR_TOKEN_VERSION = "1";
});

import { signSession } from "./lib/auth-cookie";
import { middleware } from "./middleware";

async function makeReq(path: string, cookie?: string): Promise<NextRequest> {
  const url = new URL(`https://wabot.04080616.xyz${path}`);
  const headers = new Headers();
  if (cookie) headers.set("cookie", `session=${cookie}`);
  return new NextRequest(url, { headers });
}

async function validCookie(): Promise<string> {
  const now = Math.floor(Date.now() / 1000);
  return signSession(
    {
      userId: "00000000-0000-0000-0000-000000000000",
      role: "admin",
      iat: now,
      exp: now + 3600,
      v: 1,
    },
    SECRET,
  );
}

describe("middleware", () => {
  it("page request without a cookie redirects to /login?next=…", async () => {
    const r = await middleware(await makeReq("/dashboard"));
    expect(r.status).toBe(307);
    expect(r.headers.get("location")).toContain("/login");
    expect(r.headers.get("location")).toContain("next=%2Fdashboard");
  });

  it("/api/* request without a cookie returns 401 with no body", async () => {
    const r = await middleware(await makeReq("/api/events"));
    expect(r.status).toBe(401);
  });

  it("page request with a valid cookie passes through", async () => {
    const r = await middleware(await makeReq("/dashboard", await validCookie()));
    // NextResponse.next() returns a 200 with the x-middleware-next header.
    expect(r.status).toBe(200);
  });

  it("page request with a tampered cookie redirects to /login", async () => {
    const cookie = (await validCookie()).slice(0, -4) + "AAAA";
    const r = await middleware(await makeReq("/dashboard", cookie));
    expect(r.status).toBe(307);
    expect(r.headers.get("location")).toContain("/login");
  });

  it("allowlisted paths bypass auth (login, logout, health, manifest, icons)", async () => {
    for (const path of [
      "/login",
      "/logout",
      "/api/health",
      "/manifest.webmanifest",
      "/icon-192.png",
      "/favicon.ico",
    ]) {
      const r = await middleware(await makeReq(path));
      expect(r.status).toBe(200);
    }
  });

  it("/api/events and /api/qr/<id> are NOT in the allowlist (regression)", async () => {
    expect((await middleware(await makeReq("/api/events"))).status).toBe(401);
    expect(
      (
        await middleware(
          await makeReq("/api/qr/11111111-1111-1111-1111-111111111111"),
        )
      ).status,
    ).toBe(401);
  });
});