package middleware

import (
	"net/http"
	"net/http/httptest"
	"testing"
)

func TestCORSHandlerAllowsConfiguredOrigin(t *testing.T) {
	mw := NewCORSMiddleware([]string{"https://allowed.example"})
	nextCalled := false
	h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nextCalled = true
		w.WriteHeader(http.StatusOK)
	}))

	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", "https://allowed.example")
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)

	if rr.Code != http.StatusOK {
		t.Fatalf("expected 200, got %d", rr.Code)
	}
	if rr.Header().Get("Access-Control-Allow-Origin") != "https://allowed.example" {
		t.Fatalf("unexpected allow-origin header: %q", rr.Header().Get("Access-Control-Allow-Origin"))
	}
	if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
		t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
	}
	if !nextCalled {
		t.Fatal("expected next handler to be called")
	}
}

func TestCORSHandlerAllowsAnyOriginWhenWildcardConfigured(t *testing.T) {
	mw := NewCORSMiddleware([]string{"*"})
	h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))

	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", "https://random.example")
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)

	if rr.Header().Get("Access-Control-Allow-Origin") != "https://random.example" {
		t.Fatalf("expected wildcard middleware to echo origin, got %q", rr.Header().Get("Access-Control-Allow-Origin"))
	}
	if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
		t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
	}
}

func TestCORSHandlerAllowsSameHostOrigin(t *testing.T) {
	mw := NewCORSMiddleware(nil)
	h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))

	req := httptest.NewRequest(http.MethodGet, "http://api.example:8080/path", nil)
	req.Host = "api.example:8080"
	req.Header.Set("Origin", "https://api.example")
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)

	if rr.Header().Get("Access-Control-Allow-Origin") != "https://api.example" {
		t.Fatalf("expected same-host origin to be allowed, got %q", rr.Header().Get("Access-Control-Allow-Origin"))
	}
	if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
		t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
	}
}

func TestCORSHandlerDoesNotSetHeadersForDisallowedOrigin(t *testing.T) {
	mw := NewCORSMiddleware([]string{"https://allowed.example"})
	h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))

	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", "https://blocked.example")
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)

	if rr.Header().Get("Access-Control-Allow-Origin") != "" {
		t.Fatalf("expected no allow-origin header, got %q", rr.Header().Get("Access-Control-Allow-Origin"))
	}
}

func TestCORSHandlerOptionsShortCircuits(t *testing.T) {
	mw := NewCORSMiddleware([]string{"https://allowed.example"})
	nextCalled := false
	h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nextCalled = true
		w.WriteHeader(http.StatusOK)
	}))

	req := httptest.NewRequest(http.MethodOptions, "/", nil)
	req.Header.Set("Origin", "https://allowed.example")
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)

	if rr.Code != http.StatusNoContent {
		t.Fatalf("expected 204, got %d", rr.Code)
	}
	if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
		t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
	}
	if nextCalled {
		t.Fatal("expected next handler not to be called for OPTIONS")
	}
}

func TestIsSameHost(t *testing.T) {
	tests := []struct {
		name        string
		origin      string
		requestHost string
		want        bool
	}{
		{name: "same host exact", origin: "https://api.example", requestHost: "api.example", want: true},
		{name: "same host with port", origin: "https://api.example", requestHost: "api.example:8080", want: true},
		{name: "case insensitive", origin: "https://API.EXAMPLE", requestHost: "api.example", want: true},
		{name: "different host", origin: "https://api.example", requestHost: "other.example", want: false},
		{name: "invalid origin", origin: "://bad", requestHost: "api.example", want: false},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			got := isSameHost(tc.origin, tc.requestHost)
			if got != tc.want {
				t.Fatalf("isSameHost(%q, %q) = %v, want %v", tc.origin, tc.requestHost, got, tc.want)
			}
		})
	}
}