<?php

declare(strict_types=1);

namespace App\Tests\Integration\Auth;

use App\Domain\Auth\Role;
use App\Domain\Auth\TokenKind;
use App\Tests\Integration\Support\AppTestCase;

/**
 * Behavioural tests for the /api/v1/auth/* endpoints. These verify the
 * upsert flows and OIDC role resolution from group mappings.
 */
final class AuthEndpointsTest extends AppTestCase
{
    public function testUpsertLocalCreatesUserOnFirstCall(): void
    {
        $token = $this->createToken(TokenKind::Service);
        $adminId = $this->createUser(Role::Admin, isLocal: true);

        $response = $this->request(
            'POST',
            '/api/v1/auth/users/upsert-local',
            [
                'Authorization' => 'Bearer ' . $token,
                'X-Acting-User-Id' => (string) $adminId,
                'Content-Type' => 'application/json',
            ],
            json_encode(['username' => 'second']) ?: null
        );
        self::assertSame(200, $response->getStatusCode());

        $body = $this->decode($response);
        self::assertIsInt($body['user_id']);
        self::assertSame('admin', $body['role']);
        self::assertNull($body['email']);
        self::assertSame('second', $body['display_name']);
        self::assertTrue($body['is_local']);
    }

    public function testUpsertLocalIsIdempotent(): void
    {
        $token = $this->createToken(TokenKind::Service);
        $adminId = $this->createUser(Role::Admin, isLocal: true);

        $headers = [
            'Authorization' => 'Bearer ' . $token,
            'X-Acting-User-Id' => (string) $adminId,
            'Content-Type' => 'application/json',
        ];
        $body = json_encode(['username' => 'idempotent']) ?: null;

        $first = $this->decode($this->request('POST', '/api/v1/auth/users/upsert-local', $headers, $body));
        $second = $this->decode($this->request('POST', '/api/v1/auth/users/upsert-local', $headers, $body));

        self::assertSame($first['user_id'], $second['user_id']);
    }

    public function testUpsertOidcResolvesRoleFromGroups(): void
    {
        $token = $this->createToken(TokenKind::Service);
        $adminId = $this->createUser(Role::Admin, isLocal: true);

        // Seed a role mapping: group "ops-group" → operator
        $this->db->insert('oidc_role_mappings', [
            'group_id' => 'ops-group',
            'role' => Role::Operator->value,
        ]);
        $this->db->insert('oidc_role_mappings', [
            'group_id' => 'admin-group',
            'role' => Role::Admin->value,
        ]);

        $response = $this->request(
            'POST',
            '/api/v1/auth/users/upsert-oidc',
            [
                'Authorization' => 'Bearer ' . $token,
                'X-Acting-User-Id' => (string) $adminId,
                'Content-Type' => 'application/json',
            ],
            json_encode([
                'subject' => 'sub-1',
                'email' => 'alice@example.com',
                'display_name' => 'Alice',
                'groups' => ['ops-group', 'admin-group'],
            ]) ?: null
        );
        self::assertSame(200, $response->getStatusCode());

        $body = $this->decode($response);
        self::assertSame('admin', $body['role'], 'highest matching role wins');
        self::assertSame('alice@example.com', $body['email']);
        self::assertSame('Alice', $body['display_name']);
        self::assertFalse($body['is_local']);
    }

    public function testUpsertOidcFallsBackToDefaultRoleWithNoMatchingGroup(): void
    {
        $token = $this->createToken(TokenKind::Service);
        $adminId = $this->createUser(Role::Admin, isLocal: true);

        $response = $this->request(
            'POST',
            '/api/v1/auth/users/upsert-oidc',
            [
                'Authorization' => 'Bearer ' . $token,
                'X-Acting-User-Id' => (string) $adminId,
                'Content-Type' => 'application/json',
            ],
            json_encode([
                'subject' => 'sub-default',
                'email' => 'b@example.com',
                'display_name' => 'B',
                'groups' => ['unknown-group'],
            ]) ?: null
        );
        self::assertSame(200, $response->getStatusCode());

        // Default in tests is Role::Viewer.
        self::assertSame('viewer', $this->decode($response)['role']);
    }

    public function testUpsertOidcRecomputesRoleOnSubsequentLogins(): void
    {
        $token = $this->createToken(TokenKind::Service);
        $adminId = $this->createUser(Role::Admin, isLocal: true);

        $this->db->insert('oidc_role_mappings', [
            'group_id' => 'g1',
            'role' => Role::Operator->value,
        ]);

        $headers = [
            'Authorization' => 'Bearer ' . $token,
            'X-Acting-User-Id' => (string) $adminId,
            'Content-Type' => 'application/json',
        ];

        $first = $this->decode($this->request(
            'POST',
            '/api/v1/auth/users/upsert-oidc',
            $headers,
            json_encode([
                'subject' => 'churn',
                'email' => 'c@example.com',
                'display_name' => 'C',
                'groups' => ['g1'],
            ]) ?: null
        ));
        self::assertSame('operator', $first['role']);

        // Subsequent login with no matching group → role drops to default viewer.
        $second = $this->decode($this->request(
            'POST',
            '/api/v1/auth/users/upsert-oidc',
            $headers,
            json_encode([
                'subject' => 'churn',
                'email' => 'c@example.com',
                'display_name' => 'C',
                'groups' => [],
            ]) ?: null
        ));
        self::assertSame($first['user_id'], $second['user_id']);
        self::assertSame('viewer', $second['role']);
    }

    public function testUpsertOidcRejectsAdminToken(): void
    {
        // Even an admin token can't call /auth/* — those are service-only.
        $token = $this->createToken(TokenKind::Admin, role: Role::Admin);

        $response = $this->request(
            'POST',
            '/api/v1/auth/users/upsert-local',
            [
                'Authorization' => 'Bearer ' . $token,
                'Content-Type' => 'application/json',
            ],
            json_encode(['username' => 'admin']) ?: null
        );
        self::assertSame(403, $response->getStatusCode());
    }
}