import { afterAll, beforeAll, describe, expect, it } from "vitest";
import request from "supertest";
import type { FastifyInstance } from "fastify";
import { PrismaClient } from "@prisma/client";
import argon2 from "argon2";
import { buildApp } from "../src/server";

const prisma = new PrismaClient();
let app: FastifyInstance;

function readCookieValue(setCookie: string[] | undefined, cookieName: string): string | null {
  if (!setCookie) return null;
  for (const raw of setCookie) {
    const firstPart = raw.split(";")[0] ?? "";
    const [name, value] = firstPart.split("=");
    if (name?.trim() === cookieName && value) return value.trim();
  }
  return null;
}

beforeAll(async () => {
  app = await buildApp({
    AUTH_DISABLED: false,
    SEED_DEFAULT_BUDGET: false,
    AUTH_MAX_FAILED_ATTEMPTS: 3,
    AUTH_LOCKOUT_WINDOW_MS: 120_000,
  });
  await app.ready();
});

afterAll(async () => {
  if (app) await app.close();
  await prisma.$disconnect();
});

describe("A07 Identification and Authentication Failures", () => {
  it("rejects weak passwords on registration and password updates", async () => {
    const regEmail = `weak-reg-${Date.now()}@test.dev`;
    const weakRegister = await request(app.server)
      .post("/auth/register")
      .send({ email: regEmail, password: "weakpass123" });
    expect(weakRegister.status).toBe(400);

    const email = `pw-update-${Date.now()}@test.dev`;
    const password = "SupersAFE123!";
    await prisma.user.create({
      data: { email, passwordHash: await argon2.hash(password), emailVerified: true },
    });
    const login = await request(app.server).post("/auth/login").send({ email, password });
    expect(login.status).toBe(200);
    const csrf = readCookieValue(login.headers["set-cookie"], "csrf");
    const sessionCookie = (login.headers["set-cookie"] ?? []).find((c) => c.startsWith("session="));
    expect(csrf).toBeTruthy();
    expect(sessionCookie).toBeTruthy();

    const weakUpdate = await request(app.server)
      .patch("/me/password")
      .set("Cookie", [sessionCookie as string, `csrf=${csrf}`])
      .set("x-csrf-token", csrf as string)
      .send({ currentPassword: password, newPassword: "weakpass123" });
    expect(weakUpdate.status).toBe(400);

    await prisma.user.deleteMany({ where: { email } });
  });

  it("locks login according to configured threshold/window", async () => {
    const email = `lockout-threshold-${Date.now()}@test.dev`;
    const password = "SupersAFE123!";
    await prisma.user.create({
      data: { email, passwordHash: await argon2.hash(password), emailVerified: true },
    });

    for (let i = 0; i < 2; i++) {
      const fail = await request(app.server).post("/auth/login").send({
        email,
        password: "WrongPass123!",
      });
      expect(fail.status).toBe(401);
    }

    const locked = await request(app.server).post("/auth/login").send({
      email,
      password: "WrongPass123!",
    });
    expect(locked.status).toBe(429);
    expect(locked.body.code).toBe("LOGIN_LOCKED");
    expect(locked.headers["retry-after"]).toBeTruthy();

    const blockedValid = await request(app.server).post("/auth/login").send({ email, password });
    expect(blockedValid.status).toBe(429);

    await prisma.user.deleteMany({ where: { email } });
  });
});