import { describe, expect, test } from "bun:test";
import {
  getAuthMode,
  mapOidcProfile,
  isAuthRoute,
  isProtectedPath,
  type AuthEnv,
} from "./auth-config";

describe("optional OIDC auth config", () => {
  test("disables auth when no OIDC settings are present", () => {
    const env: AuthEnv = {};

    expect(getAuthMode(env)).toEqual({ enabled: false, error: null });
  });

  test("does not enable auth when only non-OIDC auth settings are present", () => {
    const env: AuthEnv = {
      AUTH_SECRET: "session-secret",
      OIDC_PROVIDER_NAME: "Casdoor",
    };

    expect(getAuthMode(env)).toEqual({ enabled: false, error: null });
  });

  test("enables auth when all required OIDC settings are present", () => {
    const env: AuthEnv = {
      OIDC_ISSUER: "https://door.example.com",
      OIDC_CLIENT_ID: "analytics",
      OIDC_CLIENT_SECRET: "secret",
      AUTH_SECRET: "session-secret",
    };

    expect(getAuthMode(env)).toEqual({ enabled: true, error: null });
  });

  test("reports missing settings when OIDC config is partial", () => {
    const env: AuthEnv = {
      OIDC_ISSUER: "https://door.example.com",
      OIDC_CLIENT_ID: "analytics",
    };

    expect(getAuthMode(env)).toEqual({
      enabled: false,
      error: "Missing required auth environment variables: OIDC_CLIENT_SECRET, AUTH_SECRET",
    });
  });
});

describe("auth route matching", () => {
  test("protects analytics pages and API data routes", () => {
    expect(isProtectedPath("/")).toBe(true);
    expect(isProtectedPath("/logs")).toBe(true);
    expect(isProtectedPath("/detail/user/alice")).toBe(true);
    expect(isProtectedPath("/api/overview")).toBe(true);
    expect(isProtectedPath("/api/detail/user/alice")).toBe(true);
  });

  test("does not protect auth or static asset routes", () => {
    expect(isProtectedPath("/api/auth/signin")).toBe(false);
    expect(isProtectedPath("/_next/static/chunk.js")).toBe(false);
    expect(isProtectedPath("/favicon.ico")).toBe(false);
    expect(isProtectedPath("/icon.svg")).toBe(false);
  });

  test("detects auth routes", () => {
    expect(isAuthRoute("/api/auth/signin")).toBe(true);
    expect(isAuthRoute("/api/overview")).toBe(false);
  });
});

describe("OIDC profile mapping", () => {
  test("uses standard OIDC profile claims for the NextAuth user", () => {
    expect(
      mapOidcProfile({
        sub: "user-123",
        preferred_username: "alice",
        email: "alice@example.com",
        picture: "https://example.com/alice.png",
      })
    ).toEqual({
      id: "user-123",
      name: "alice",
      email: "alice@example.com",
      image: "https://example.com/alice.png",
    });
  });
});