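package jwt

import (
	"strings"
	"testing"
	"time"

	"github.com/golang-jwt/jwt/v5"
)

// TestJWTManagerGenerateAndParseAuthToken checks the happy path: an auth
// token issued by a manager round-trips through ParseAuthToken with the
// identity claims and token type intact.
func TestJWTManagerGenerateAndParseAuthToken(t *testing.T) {
	mgr := NewJWTManager("secret", 2*time.Minute, 10*time.Minute)

	token, err := mgr.GenerateAuthToken("user-1", "alice")
	if err != nil {
		t.Fatalf("generate auth token: %v", err)
	}

	claims, err := mgr.ParseAuthToken(token)
	if err != nil {
		t.Fatalf("parse auth token: %v", err)
	}
	if claims.UserID != "user-1" {
		t.Fatalf("expected user id user-1, got %q", claims.UserID)
	}
	if claims.Username != "alice" {
		t.Fatalf("expected username alice, got %q", claims.Username)
	}
	if claims.TokenType != TokenTypeAuth {
		t.Fatalf("expected token type %q, got %q", TokenTypeAuth, claims.TokenType)
	}
}

// TestJWTManagerRejectsWrongTokenType checks that a token of one type is not
// accepted by the parser for the other type, even though both are signed with
// the same secret. Without this check a long-lived refresh token could be
// presented wherever an auth token is expected.
func TestJWTManagerRejectsWrongTokenType(t *testing.T) {
	mgr := NewJWTManager("secret", time.Minute, time.Minute)

	refreshToken, err := mgr.GenerateRefreshToken("user-1", "alice")
	if err != nil {
		t.Fatalf("generate refresh token: %v", err)
	}
	if _, err := mgr.ParseAuthToken(refreshToken); err == nil {
		t.Fatal("expected error when parsing refresh token as auth token")
	}

	authToken, err := mgr.GenerateAuthToken("user-1", "alice")
	if err != nil {
		t.Fatalf("generate auth token: %v", err)
	}
	if _, err := mgr.ParseRefreshToken(authToken); err == nil {
		t.Fatal("expected error when parsing auth token as refresh token")
	}
}

// TestJWTManagerRejectsInvalidOrTamperedToken checks the three failure modes
// a verifier must catch: a string that is not a JWT at all, a well-formed token
// signed with a different secret, and a token whose payload was altered after
// signing so the signature no longer covers the presented claims.
func TestJWTManagerRejectsInvalidOrTamperedToken(t *testing.T) {
	mgr := NewJWTManager("secret", time.Minute, time.Minute)

	// Malformed input.
	if _, err := mgr.ParseAuthToken("not-a-token"); err == nil {
		t.Fatal("expected parse error for malformed token")
	}

	token, err := mgr.GenerateAuthToken("user-1", "alice")
	if err != nil {
		t.Fatalf("generate auth token: %v", err)
	}

	// Wrong key: a manager with a different secret must not accept the token.
	otherMgr := NewJWTManager("different-secret", time.Minute, time.Minute)
	if _, err := otherMgr.ParseAuthToken(token); err == nil {
		t.Fatal("expected signature validation error with different secret")
	}

	// Tampered payload: splice the payload segment of a token issued to a
	// different user between the header and signature of the first token.
	// The secret is correct, but the signature was computed over the original
	// payload, so verification must fail.
	otherToken, err := mgr.GenerateAuthToken("user-2", "bob")
	if err != nil {
		t.Fatalf("generate second auth token: %v", err)
	}
	parts := strings.Split(token, ".")
	otherParts := strings.Split(otherToken, ".")
	if len(parts) != 3 || len(otherParts) != 3 {
		t.Fatalf("expected three-segment JWTs, got %d and %d segments", len(parts), len(otherParts))
	}
	tampered := strings.Join([]string{parts[0], otherParts[1], parts[2]}, ".")
	if _, err := mgr.ParseAuthToken(tampered); err == nil {
		t.Fatal("expected signature validation error for tampered payload")
	}
}

// TestJWTManagerRejectsExpiredToken issues a token whose TTL is already in
// the past and checks that the parser rejects it.
//
// NOTE(review): this relies on the manager applying no clock leeway; if a
// WithLeeway-style option is ever added, the negative TTL must exceed it.
func TestJWTManagerRejectsExpiredToken(t *testing.T) {
	mgr := NewJWTManager("secret", -1*time.Second, time.Minute)

	token, err := mgr.GenerateAuthToken("user-1", "alice")
	if err != nil {
		t.Fatalf("generate expired auth token: %v", err)
	}
	if _, err := mgr.ParseAuthToken(token); err == nil {
		t.Fatal("expected expired token error")
	}
}

// TestJWTManagerRejectsNonHMACAlgorithm checks that the parser does not trust
// the "alg" header: an unsigned token using the "none" method carries the
// expected claims but must still be rejected, because the signing method is
// an attribute the verifier pins, not one the token chooses.
func TestJWTManagerRejectsNonHMACAlgorithm(t *testing.T) {
	mgr := NewJWTManager("secret", time.Minute, time.Minute)

	noneToken := jwt.NewWithClaims(jwt.SigningMethodNone, Claims{
		UserID:    "u",
		Username:  "n",
		TokenType: TokenTypeAuth,
	})
	// The library refuses to produce "none" tokens unless the caller opts in
	// with this sentinel; it is used here only to build the negative fixture.
	tokenStr, err := noneToken.SignedString(jwt.UnsafeAllowNoneSignatureType)
	if err != nil {
		t.Fatalf("sign none token: %v", err)
	}
	if _, err := mgr.ParseAuthToken(tokenStr); err == nil {
		t.Fatal("expected error for non-HMAC algorithm")
	}
}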