package auth_test

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"gitea.d-ma.be/mathias/gitea-mcp/internal/auth"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestBearerMiddleware_NoAuthHeader(t *testing.T) {
	srv := httptest.NewServer(auth.BearerMiddleware("https://gitea.example.com",
		http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
			w.WriteHeader(http.StatusOK)
		}),
	))
	defer srv.Close()

	resp, err := http.Post(srv.URL+"/mcp", "application/json", nil)
	require.NoError(t, err)
	defer func() { _ = resp.Body.Close() }()
	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
}

func TestBearerMiddleware_InvalidToken(t *testing.T) {
	// Mock Gitea that rejects the token
	giteaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusUnauthorized)
	}))
	defer giteaMock.Close()

	srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL,
		http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
			w.WriteHeader(http.StatusOK)
		}),
	))
	defer srv.Close()

	req, _ := http.NewRequest(http.MethodPost, srv.URL+"/mcp", nil)
	req.Header.Set("Authorization", "Bearer bad-token")
	resp, err := http.DefaultClient.Do(req)
	require.NoError(t, err)
	defer func() { _ = resp.Body.Close() }()
	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
}

func TestBearerMiddleware_ValidToken(t *testing.T) {
	const token = "valid-pat"

	// Mock Gitea that accepts the token and returns a user
	giteaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		assert.Equal(t, "token "+token, r.Header.Get("Authorization"))
		w.WriteHeader(http.StatusOK)
	}))
	defer giteaMock.Close()

	called := false
	srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL,
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			called = true
			// Token must be available in context for downstream Gitea client
			assert.Equal(t, token, auth.TokenFromContext(r.Context()))
			w.WriteHeader(http.StatusOK)
		}),
	))
	defer srv.Close()

	req, _ := http.NewRequest(http.MethodPost, srv.URL+"/mcp", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	require.NoError(t, err)
	defer func() { _ = resp.Body.Close() }()
	assert.Equal(t, http.StatusOK, resp.StatusCode)
	assert.True(t, called)
}

func TestTokenFromContext_Empty(t *testing.T) {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	assert.Equal(t, "", auth.TokenFromContext(req.Context()))
}