"""Tests for authentication router (/api/auth)."""
import pytest
from httpx import AsyncClient

from tests.conftest import _create_user, auth_headers


class TestLogin:
    """POST /api/auth/login tests."""

    async def test_login_success(self, client: AsyncClient, db_session):
        """Successful login returns user data and API key."""
        user = await _create_user(
            db_session, username="loginuser", password="SecurePass1"
        )
        resp = await client.post(
            "/api/auth/login",
            json={"username": "loginuser", "password": "SecurePass1"},
        )
        assert resp.status_code == 200
        data = resp.json()
        assert data["user"]["username"] == "loginuser"
        assert "api_key" in data
        assert len(data["api_key"]) > 0

    async def test_login_wrong_password(self, client: AsyncClient, db_session):
        """Login with wrong password returns 401."""
        await _create_user(
            db_session, username="wrongpw", password="CorrectPass1"
        )
        resp = await client.post(
            "/api/auth/login",
            json={"username": "wrongpw", "password": "WrongPass1"},
        )
        assert resp.status_code == 401
        assert "Invalid" in resp.json()["detail"]

    async def test_login_unknown_user(self, client: AsyncClient):
        """Login with non-existent username returns 401."""
        resp = await client.post(
            "/api/auth/login",
            json={"username": "nonexistent", "password": "Anything1"},
        )
        assert resp.status_code == 401

    async def test_login_inactive_user(self, client: AsyncClient, db_session):
        """Login with inactive user returns 401."""
        await _create_user(
            db_session,
            username="inactive_user",
            password="InactivePass1",
            active=False,
        )
        resp = await client.post(
            "/api/auth/login",
            json={"username": "inactive_user", "password": "InactivePass1"},
        )
        assert resp.status_code == 401

    async def test_login_missing_fields(self, client: AsyncClient):
        """Login with missing fields returns 422."""
        resp = await client.post("/api/auth/login", json={"username": "only"})
        assert resp.status_code == 422

    async def test_login_returns_api_key(self, client: AsyncClient, db_session):
        """Login response contains a valid api_key string."""
        await _create_user(
            db_session, username="apikey_user", password="KeyPass123"
        )
        resp = await client.post(
            "/api/auth/login",
            json={"username": "apikey_user", "password": "KeyPass123"},
        )
        assert resp.status_code == 200
        api_key = resp.json()["api_key"]
        # API key should be a non-empty string (base64url, ~64 chars)
        assert isinstance(api_key, str)
        assert len(api_key) >= 32


class TestHealthAndAuth:
    """Health check and auth requirement tests."""

    async def test_health_check_no_auth(self, client: AsyncClient):
        """Health check endpoint works without authentication."""
        resp = await client.get("/api/health")
        assert resp.status_code == 200
        data = resp.json()
        assert data["status"] == "ok"
        assert "version" in data

    async def test_endpoint_requires_api_key(self, client: AsyncClient):
        """Protected endpoint returns 401 without API key."""
        resp = await client.get("/api/users")
        assert resp.status_code == 401
        assert "API key" in resp.json()["detail"] or "Missing" in resp.json()["detail"]