from fastapi import FastAPI, Request
from fastapi.testclient import TestClient


def _app_with_auth(testnet, mainnet, **app_options):
    """Return a FastAPI app with the auth middleware installed.

    Routes are registered by the calling test afterwards, and the
    TestClient is created last, in the same order each test needs.
    """
    # Imported at call time rather than at module import.
    from cerbero_mcp.auth import install_auth_middleware

    app = FastAPI(**app_options)
    install_auth_middleware(app, testnet_token=testnet, mainnet_token=mainnet)
    return app


def test_health_no_auth_required():
    """/health answers 200 with no Authorization header at all."""
    app = _app_with_auth("t", "m")

    @app.get("/health")
    def h():
        return {"ok": True}

    client = TestClient(app)
    response = client.get("/health")
    assert response.status_code == 200


def test_apidocs_no_auth_required():
    """The docs UI and the OpenAPI schema are served without a token."""
    # This pins the schema (and so the route list) as readable by
    # unauthenticated callers.
    # NOTE(review): confirm that is intended for deployed instances.
    app = _app_with_auth("t", "m", docs_url="/apidocs")
    client = TestClient(app)

    docs_response = client.get("/apidocs")
    assert docs_response.status_code == 200

    schema_response = client.get("/openapi.json")
    assert schema_response.status_code == 200


def test_missing_authorization_header_401():
    """A protected path without an Authorization header is rejected."""
    app = _app_with_auth("t", "m")

    @app.get("/mcp-deribit/health")
    def h():
        return {"ok": True}

    client = TestClient(app)
    response = client.get("/mcp-deribit/health")
    assert response.status_code == 401


def test_invalid_bearer_401():
    """A bearer token matching neither configured token is rejected."""
    app = _app_with_auth("t", "m")

    @app.get("/mcp-deribit/health")
    def h():
        return {"ok": True}

    client = TestClient(app)
    # No X-Bot-Tag is sent either, so this also pins that a bad token
    # yields 401 rather than the 400 used for a missing tag.
    bad_auth = {"Authorization": "Bearer wrong"}
    response = client.get("/mcp-deribit/health", headers=bad_auth)
    assert response.status_code == 401


def test_testnet_token_sets_env_testnet():
    """The testnet token marks the request state as 'testnet'."""
    app = _app_with_auth("tk_test", "tk_live")

    @app.get("/mcp-deribit/peek")
    def peek(request: Request):
        return {"env": request.state.environment}

    client = TestClient(app)
    request_headers = {"Authorization": "Bearer tk_test", "X-Bot-Tag": "test-bot"}
    response = client.get("/mcp-deribit/peek", headers=request_headers)
    assert response.status_code == 200
    assert response.json() == {"env": "testnet"}


def test_mainnet_token_sets_env_mainnet():
    """The mainnet token marks the request state as 'mainnet'."""
    app = _app_with_auth("tk_test", "tk_live")

    @app.get("/mcp-deribit/peek")
    def peek(request: Request):
        return {"env": request.state.environment}

    client = TestClient(app)
    request_headers = {"Authorization": "Bearer tk_live", "X-Bot-Tag": "test-bot"}
    response = client.get("/mcp-deribit/peek", headers=request_headers)
    assert response.status_code == 200
    assert response.json() == {"env": "mainnet"}


def test_uses_compare_digest():
    """Check that the auth module's source mentions compare_digest."""
    import inspect

    from cerbero_mcp import auth

    # Substring check on the whole module source: it passes if the name
    # appears anywhere in auth.py, a comment included, so on its own it
    # does not prove that every token comparison is constant-time.
    module_source = inspect.getsource(auth)
    assert "compare_digest" in module_source, "auth.py deve usare secrets.compare_digest"


# ── X-Bot-Tag header ─────────────────────────────────────────────────────────


def test_missing_bot_tag_returns_400():
    """A valid token without X-Bot-Tag gets 400 and names the header."""
    app = _app_with_auth("t", "m")

    @app.get("/mcp-deribit/health")
    def h():
        return {"ok": True}

    client = TestClient(app)
    response = client.get(
        "/mcp-deribit/health", headers={"Authorization": "Bearer t"}
    )
    assert response.status_code == 400
    assert "X-Bot-Tag" in response.json()["error"]["message"]


def test_bot_tag_accepted_and_set_on_state():
    """An accepted X-Bot-Tag is exposed to handlers as request.state.bot_tag."""
    app = _app_with_auth("t", "m")

    @app.get("/mcp-deribit/peek")
    def peek(request: Request):
        return {
            "env": request.state.environment,
            "bot_tag": request.state.bot_tag,
        }

    client = TestClient(app)
    request_headers = {"Authorization": "Bearer t", "X-Bot-Tag": "scanner-alpha"}
    response = client.get("/mcp-deribit/peek", headers=request_headers)
    assert response.status_code == 200
    assert response.json() == {"env": "testnet", "bot_tag": "scanner-alpha"}


def test_bot_tag_too_long_returns_400():
    """A 65-character X-Bot-Tag is rejected with 400."""
    app = _app_with_auth("t", "m")

    @app.get("/mcp-deribit/health")
    def h():
        return {"ok": True}

    client = TestClient(app)
    oversized_tag = "x" * 65
    response = client.get(
        "/mcp-deribit/health",
        headers={"Authorization": "Bearer t", "X-Bot-Tag": oversized_tag},
    )
    assert response.status_code == 400


def test_bot_tag_not_required_on_health():
    """The health endpoint must stay reachable without auth or a bot tag."""
    app = _app_with_auth("t", "m")

    @app.get("/health")
    def h():
        return {"ok": True}

    client = TestClient(app)
    response = client.get("/health")
    assert response.status_code == 200