package auth

import (
	"net/http"
	"testing"
)

func TestExtractToken(t *testing.T) {
	tests := []struct {
		name      string
		header    string
		wantToken string
	}{
		{"valid bearer", "Bearer eyJhbGciOiJFZERTQSJ9.test.sig", "eyJhbGciOiJFZERTQSJ9.test.sig"},
		{"missing bearer prefix", "eyJhbGciOiJFZERTQSJ9.test.sig", ""},
		{"empty header", "", ""},
		{"lowercase bearer", "bearer token123", ""},
		{"only bearer", "Bearer ", ""},
		{"bearer with space", "Bearer  token123", " token123"},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r, _ := http.NewRequest("GET", "/", nil)
			if tt.header != "" {
				r.Header.Set("Authorization", tt.header)
			}

			got := ExtractToken(r)
			if got != tt.wantToken {
				t.Errorf("ExtractToken() = %q, want %q", got, tt.wantToken)
			}
		})
	}
}

func TestNewValidator(t *testing.T) {
	v := NewValidator("http://localhost:3001/api/auth/jwks")
	if v == nil {
		t.Fatal("NewValidator returned nil")
	}
}

func TestValidateTokenNoKeys(t *testing.T) {
	v := NewValidator("http://localhost:99999/jwks")

	_, err := v.ValidateToken("some.invalid.token")
	if err == nil {
		t.Error("expected error for token with no keys, got nil")
	}
}

func TestUserIDFromRequestNoAuth(t *testing.T) {
	v := NewValidator("http://localhost:99999/jwks")

	r, _ := http.NewRequest("GET", "/", nil)
	_, err := v.UserIDFromRequest(r)
	if err == nil {
		t.Error("expected error for request without auth header")
	}
}

func TestUserIDFromRequestEmptyBearer(t *testing.T) {
	v := NewValidator("http://localhost:99999/jwks")

	r, _ := http.NewRequest("GET", "/", nil)
	r.Header.Set("Authorization", "Bearer ")
	_, err := v.UserIDFromRequest(r)
	if err == nil {
		t.Error("expected error for empty bearer token")
	}
}