"""Tests for authentication modules — seed logic and JWT edge cases."""

from sqlmodel import select

from wiregui.auth.jwt import create_access_token, decode_access_token
from wiregui.auth.passwords import hash_password, verify_password
from wiregui.auth.seed import seed_admin
from wiregui.models.user import User


# --- Password hashing (format guard) ---


def test_hash_is_not_plaintext():
    hashed = hash_password("plaintext")
    assert hashed != "plaintext"
    assert hashed.startswith("$2b$")


# --- JWT edge cases ---


def test_decode_invalid_token():
    assert decode_access_token("garbage.token.value") is None


def test_decode_tampered_token():
    token = create_access_token(user_id="user-123", role="admin")
    tampered = token[:-4] + "XXXX"
    assert decode_access_token(tampered) is None


# --- Admin seed ---


async def test_seed_admin_creates_user(session, monkeypatch):
    """seed_admin should create an admin when no users exist."""
    from contextlib import asynccontextmanager

    @asynccontextmanager
    async def mock_session():
        yield session

    monkeypatch.setattr("wiregui.auth.seed.async_session", mock_session)
    monkeypatch.setattr("wiregui.auth.seed.get_settings", lambda: type("S", (), {
        "admin_email": "seed-test@example.com",
        "admin_password": "seed-pass-123",
    })())

    await seed_admin()

    result = await session.execute(select(User).where(User.email == "seed-test@example.com"))
    admin = result.scalar_one()
    assert admin.role == "admin"
    assert verify_password("seed-pass-123", admin.password_hash)


async def test_seed_admin_skips_when_users_exist(session, monkeypatch):
    """seed_admin should not create a second admin if users already exist."""
    from contextlib import asynccontextmanager

    existing = User(email="existing@example.com", role="unprivileged")
    session.add(existing)
    await session.flush()

    @asynccontextmanager
    async def mock_session():
        yield session

    monkeypatch.setattr("wiregui.auth.seed.async_session", mock_session)

    await seed_admin()

    result = await session.execute(select(User))
    users = result.scalars().all()
    assert len(users) == 1
    assert users[0].email == "existing@example.com"