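import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
import express, { Request, Response } from "express";
import request from "supertest";
import cookieParser from "cookie-parser";
import { requireAuth } from "../src/middleware/auth.middleware";

/**
 * Builds a minimal Express app with a single route guarded by `requireAuth`.
 *
 * JSON and cookie parsing are installed before the guard so the middleware
 * sees the same request shape it would see in the real application. The
 * handler only answers `{ success: true }`, so any other body means the
 * request was stopped before reaching it.
 *
 * @returns A fresh Express application; each test gets its own instance.
 */
function buildApp() {
  const app = express();
  app.use(express.json());
  app.use(cookieParser());
  app.get("/protected", requireAuth, (_req: Request, res: Response) => {
    res.json({ success: true });
  });
  return app;
}

// NOTE(review): only two rejection paths are covered here. The cases where the
// token-validation call rejects or answers with a non-OK status, and the
// cookie-based credential path, are not exercised by this file; a guard like
// this is expected to deny access in those cases too. Confirm against the
// middleware and add tests.
describe("requireAuth middleware", () => {
  beforeEach(() => {
    // stubEnv records the previous value so a SUPER_OAUTH_URL that was already
    // set by the environment (CI, a local .env) is restored after each test
    // instead of being deleted.
    vi.stubEnv("SUPER_OAUTH_URL", "http://fake-oauth");
  });

  afterEach(() => {
    vi.unstubAllGlobals();
    vi.unstubAllEnvs();
  });

  it("retourne 401 quand le token est invalide (SuperOAuth répond valid: false)", async () => {
    // The validation endpoint answers successfully at the HTTP level but
    // reports the token as invalid; the guard must still reject the request.
    vi.stubGlobal(
      "fetch",
      vi.fn().mockResolvedValue({
        ok: true,
        json: async () => ({ success: true, data: { valid: false } }),
      })
    );

    const res = await request(buildApp())
      .get("/protected")
      .set("Authorization", "Bearer invalid-token");

    expect(res.status).toBe(401);
    expect(res.body.error).toBeDefined();
  });

  it("retourne 401 quand aucun cookie ni header Authorization", async () => {
    const fetchMock = vi.fn();
    vi.stubGlobal("fetch", fetchMock);

    const res = await request(buildApp()).get("/protected");

    expect(res.status).toBe(401);
    expect(res.body.message).toBe("Access token required");
    // With no credential at all, the request must be rejected locally without
    // contacting the validation service.
    expect(fetchMock).not.toHaveBeenCalled();
  });
});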