import { describe, it, expect, vi, afterEach } from 'vitest';
import Fastify from 'fastify';
import type { FastifyInstance } from 'fastify';
import { createAuthMiddleware } from '../src/middleware/auth.js';

let app: FastifyInstance;

afterEach(async () => {
  if (app) await app.close();
});

function setupApp(findSession: (token: string) => Promise<{ userId: string; expiresAt: Date } | null>) {
  app = Fastify({ logger: false });
  const authMiddleware = createAuthMiddleware({ findSession });

  app.addHook('preHandler', authMiddleware);
  app.get('/protected', async (request) => {
    return { userId: request.userId };
  });

  return app.ready();
}

describe('auth middleware', () => {
  it('returns 401 when no Authorization header', async () => {
    await setupApp(async () => null);
    const res = await app.inject({ method: 'GET', url: '/protected' });
    expect(res.statusCode).toBe(401);
    expect(res.json<{ error: string }>().error).toContain('Authorization');
  });

  it('returns 401 when header is not Bearer', async () => {
    await setupApp(async () => null);
    const res = await app.inject({
      method: 'GET',
      url: '/protected',
      headers: { authorization: 'Basic abc123' },
    });
    expect(res.statusCode).toBe(401);
  });

  it('returns 401 when token is empty', async () => {
    await setupApp(async () => null);
    const res = await app.inject({
      method: 'GET',
      url: '/protected',
      headers: { authorization: 'Bearer ' },
    });
    expect(res.statusCode).toBe(401);
    expect(res.json<{ error: string }>().error).toContain('Empty');
  });

  it('returns 401 when token not found', async () => {
    await setupApp(async () => null);
    const res = await app.inject({
      method: 'GET',
      url: '/protected',
      headers: { authorization: 'Bearer invalid-token' },
    });
    expect(res.statusCode).toBe(401);
    expect(res.json<{ error: string }>().error).toContain('Invalid');
  });

  it('returns 401 when token is expired', async () => {
    const pastDate = new Date(Date.now() - 86400_000);
    await setupApp(async () => ({ userId: 'user-1', expiresAt: pastDate }));
    const res = await app.inject({
      method: 'GET',
      url: '/protected',
      headers: { authorization: 'Bearer expired-token' },
    });
    expect(res.statusCode).toBe(401);
    expect(res.json<{ error: string }>().error).toContain('expired');
  });

  it('passes valid token and sets userId', async () => {
    const futureDate = new Date(Date.now() + 86400_000);
    await setupApp(async () => ({ userId: 'user-42', expiresAt: futureDate }));
    const res = await app.inject({
      method: 'GET',
      url: '/protected',
      headers: { authorization: 'Bearer valid-token' },
    });
    expect(res.statusCode).toBe(200);
    expect(res.json<{ userId: string }>().userId).toBe('user-42');
  });

  it('calls findSession with the token', async () => {
    const findSession = vi.fn(async () => ({
      userId: 'user-1',
      expiresAt: new Date(Date.now() + 86400_000),
    }));
    await setupApp(findSession);
    await app.inject({
      method: 'GET',
      url: '/protected',
      headers: { authorization: 'Bearer my-token' },
    });
    expect(findSession).toHaveBeenCalledWith('my-token');
  });
});