package auth

import (
	"context"
	"testing"
	"time"

	"bookra/apps/auth-service/internal/db"
	"github.com/google/uuid"
)

// TestGenerateTokensProducesVerifiableAccessAndRefreshTokens issues a token
// pair for a fixed user and checks that each token verifies through its own
// verifier with the matching Type claim. It then checks token-type separation
// in both directions: the refresh token must be rejected by VerifyToken and
// the access token must be rejected by VerifyRefreshToken.
func TestGenerateTokensProducesVerifiableAccessAndRefreshTokens(t *testing.T) {
	// The signing secret and URL below are test-only literals.
	// NOTE(review): the first two NewService arguments are nil; presumably
	// they are collaborators this code path never touches. Confirm.
	svc := NewService(nil, nil, "test-secret", "http://localhost:3000")

	displayName := "Token Tester"
	account := &db.User{
		ID:    uuid.MustParse("019daeaa-bc14-7712-9224-e347a96bd5c3"),
		Email: "tester@bookra.dev",
		Name:  &displayName,
	}

	pair, err := svc.generateTokensAt(account, time.Now().UTC())
	if err != nil {
		t.Fatalf("generate tokens: %v", err)
	}

	// Each token must verify through its own verifier and carry its own type.
	access, err := svc.VerifyToken(pair.AccessToken)
	if err != nil {
		t.Fatalf("verify access token: %v", err)
	}
	if got := access.Type; got != "access" {
		t.Fatalf("expected access type, got %s", got)
	}

	refresh, err := svc.VerifyRefreshToken(pair.RefreshToken)
	if err != nil {
		t.Fatalf("verify refresh token: %v", err)
	}
	if got := refresh.Type; got != "refresh" {
		t.Fatalf("expected refresh type, got %s", got)
	}

	// Token-type confusion guard: neither verifier may accept the other kind.
	_, err = svc.VerifyToken(pair.RefreshToken)
	if err == nil {
		t.Fatal("expected refresh token to fail access verification")
	}
	_, err = svc.VerifyRefreshToken(pair.AccessToken)
	if err == nil {
		t.Fatal("expected access token to fail refresh verification")
	}
}

// TestRefreshTokensReturnsRotatedPair exchanges a freshly issued refresh token
// through RefreshTokens and checks that both returned tokens differ from the
// originals and verify through their respective verifiers.
//
// NOTE(review): the test never presents original.RefreshToken a second time,
// so it does not show whether a rotated-out refresh token is rejected on
// reuse. Whether the service tracks revocation is not visible from this file.
// NOTE(review): the inequality checks rely on two pairs issued moments apart
// for the same user being distinct. What guarantees that (for example a
// per-token identifier) is not visible here; confirm it is not dependent on
// clock resolution.
func TestRefreshTokensReturnsRotatedPair(t *testing.T) {
	svc := NewService(nil, nil, "test-secret", "http://localhost:3000")
	account := &db.User{
		ID:    uuid.MustParse("019daeaa-bc14-7712-9224-e347a96bd5c3"),
		Email: "tester@bookra.dev",
	}

	original, err := svc.generateTokens(account)
	if err != nil {
		t.Fatalf("generate tokens: %v", err)
	}

	refreshed, err := svc.RefreshTokens(context.Background(), original.RefreshToken)
	if err != nil {
		t.Fatalf("refresh tokens: %v", err)
	}

	// Rotation must hand back new token strings for both halves of the pair.
	if original.AccessToken == refreshed.AccessToken {
		t.Fatal("expected rotated access token")
	}
	if original.RefreshToken == refreshed.RefreshToken {
		t.Fatal("expected rotated refresh token")
	}

	// The rotated tokens must themselves be valid for their own verifier.
	_, err = svc.VerifyToken(refreshed.AccessToken)
	if err != nil {
		t.Fatalf("verify refreshed access token: %v", err)
	}
	_, err = svc.VerifyRefreshToken(refreshed.RefreshToken)
	if err != nil {
		t.Fatalf("verify refreshed refresh token: %v", err)
	}
}

// TestRefreshTokensRejectsInvalidToken checks that RefreshTokens returns an
// error for a string that is not a token the service issued.
//
// NOTE(review): only the malformed-input case is covered here. A token signed
// with a different secret, an expired refresh token, and an access token
// passed to RefreshTokens are not exercised in this file.
func TestRefreshTokensRejectsInvalidToken(t *testing.T) {
	svc := NewService(nil, nil, "test-secret", "http://localhost:3000")

	_, err := svc.RefreshTokens(context.Background(), "bad-token")
	if err == nil {
		t.Fatal("expected invalid refresh token error")
	}
}