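use crate::common::{setup_app, spawn_server};

/// Password used for every throwaway account these tests register.
/// The value is shared so both tests exercise the same registration path.
const TEST_PASSWORD: &str = "SuperSecureP@ssw0rd2024!";

/// A protected route must reject anonymous requests with 401 and accept a
/// freshly issued access token with 200.
#[tokio::test]
async fn test_protected_route_requires_auth() {
    // `_db` is kept bound so the backing store outlives the spawned server.
    let (app, _db) = setup_app().await;
    let (base_url, client) = spawn_server(app).await;
    let ping_url = format!("{}/api/v1/protected/ping", base_url);

    // Anonymous request: no Authorization header at all.
    let anon = client.get(ping_url.as_str()).send().await.unwrap();
    assert_eq!(anon.status(), 401, "Protected route should require auth");

    // Register a throwaway account; the response body carries the access token.
    let email = format!("protected_{}@test.com", uuid::Uuid::new_v4());
    let reg = client
        .post(format!("{}/api/v1/auth/register", base_url))
        .json(&serde_json::json!({"email": email, "password": TEST_PASSWORD}))
        .send()
        .await
        .unwrap();
    // Fail here, with the HTTP status in the message, instead of on an opaque
    // `unwrap()` of a missing "access_token" field further down.
    assert!(
        reg.status().is_success(),
        "register should succeed, got {}",
        reg.status()
    );
    let token: serde_json::Value = reg.json().await.unwrap();
    let access_token = token["access_token"]
        .as_str()
        .expect("register response should contain a string access_token");

    // Same route, now with a valid bearer token.
    let authed = client
        .get(ping_url.as_str())
        .bearer_auth(access_token)
        .send()
        .await
        .unwrap();
    assert_eq!(
        authed.status(),
        200,
        "Protected route should succeed with valid token"
    );
}

/// A session can be refreshed until `logout-all` revokes it; afterwards the
/// refresh endpoint must answer 401 rather than reissue a token.
#[tokio::test]
async fn test_refresh_and_logout_all() {
    let (app, _db) = setup_app().await;
    let (base_url, client) = spawn_server(app).await;
    let refresh_url = format!("{}/api/v1/auth/refresh", base_url);

    // Register to establish a session. The refresh calls below send no body
    // and no header, so they presumably rely on a cookie set by this response
    // and retained by `client` — confirm against spawn_server if this breaks.
    let email = format!("refresh_{}@test.com", uuid::Uuid::new_v4());
    let reg = client
        .post(format!("{}/api/v1/auth/register", base_url))
        .json(&serde_json::json!({"email": email, "password": TEST_PASSWORD}))
        .send()
        .await
        .unwrap();
    // Check registration explicitly so a failure is attributed to it and not
    // to the refresh step that depends on it.
    assert!(
        reg.status().is_success(),
        "register should succeed, got {}",
        reg.status()
    );
    let initial: serde_json::Value = reg.json().await.unwrap();
    assert!(
        initial["access_token"].is_string(),
        "register should issue an access_token"
    );

    // A live session can be refreshed.
    let refreshed = client.post(refresh_url.as_str()).send().await.unwrap();
    assert!(
        refreshed.status().is_success(),
        "Refresh should succeed with cookie"
    );
    let new_token: serde_json::Value = refreshed.json().await.unwrap();
    let access_token = new_token["access_token"]
        .as_str()
        .expect("refresh response should contain a string access_token");

    // Revoke every session belonging to this account.
    let logout = client
        .post(format!("{}/api/v1/protected/auth/logout-all", base_url))
        .bearer_auth(access_token)
        .send()
        .await
        .unwrap();
    assert!(logout.status().is_success(), "logout-all should succeed");

    // The refresh credential must now be rejected, not silently reissued.
    let fail = client.post(refresh_url.as_str()).send().await.unwrap();
    assert_eq!(fail.status(), 401, "Refresh should fail after logout-all");
}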