<?php

declare(strict_types=1);

namespace PhpQml\Bridge\Tests;

use PhpQml\Bridge\SessionAuthenticator;
use PHPUnit\Framework\Attributes\CoversClass;
use PHPUnit\Framework\TestCase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;

#[CoversClass(SessionAuthenticator::class)]
final class SessionAuthenticatorTest extends TestCase
{
    public function testSupportsOnlyWhenAuthorizationHeaderPresent(): void
    {
        $auth = new SessionAuthenticator('s3cret');

        self::assertFalse($auth->supports(new Request()));

        $request = new Request();
        $request->headers->set('Authorization', 'Bearer s3cret');
        self::assertTrue($auth->supports($request));
    }

    public function testAuthenticateAcceptsMatchingBearerToken(): void
    {
        $auth    = new SessionAuthenticator('s3cret');
        $request = new Request();
        $request->headers->set('Authorization', 'Bearer s3cret');

        $passport = $auth->authenticate($request);

        self::assertInstanceOf(SelfValidatingPassport::class, $passport);
        self::assertSame('bridge', $passport->getBadge(\Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge::class)->getUserIdentifier());
    }

    public function testAuthenticateRejectsMissingBearerScheme(): void
    {
        $auth    = new SessionAuthenticator('s3cret');
        $request = new Request();
        $request->headers->set('Authorization', 'Basic deadbeef');

        $this->expectException(AuthenticationException::class);
        $this->expectExceptionMessage('Bearer token missing.');
        $auth->authenticate($request);
    }

    public function testAuthenticateRejectsWrongToken(): void
    {
        $auth    = new SessionAuthenticator('s3cret');
        $request = new Request();
        $request->headers->set('Authorization', 'Bearer wrong');

        $this->expectException(AuthenticationException::class);
        $this->expectExceptionMessage('Bearer token invalid.');
        $auth->authenticate($request);
    }

    public function testAuthenticateRejectsEmptyExpectedToken(): void
    {
        // Avoids passing a misconfigured (empty) deployment.
        $auth    = new SessionAuthenticator('');
        $request = new Request();
        $request->headers->set('Authorization', 'Bearer ');

        $this->expectException(AuthenticationException::class);
        $auth->authenticate($request);
    }

    public function testAuthenticationFailureProducesProblemJson(): void
    {
        $auth     = new SessionAuthenticator('s3cret');
        $response = $auth->onAuthenticationFailure(new Request(), new AuthenticationException('Bearer token invalid.'));

        self::assertSame(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
        self::assertSame('application/problem+json', $response->headers->get('Content-Type'));
        $body = json_decode((string) $response->getContent(), true);
        self::assertSame(401, $body['status']);
        self::assertSame('Unauthorized', $body['title']);
    }
}