package gatewayauthsessionuser_test

import (
	"net/http"
	"strings"
	"testing"

	"github.com/stretchr/testify/require"
)

// TestGatewayAuthsessionUserFirstRegistrationCreatesUserAndAllowsAccountRead
// walks a previously unused address through send-challenge and confirm-code,
// then checks that the returned device session can read the account.
//
// The account is expected to carry the "en" preferred language and the
// harness time zone, and a lookup by e-mail must resolve to the same user ID
// that the gateway session record and the account response report.
func TestGatewayAuthsessionUserFirstRegistrationCreatesUserAndAllowsAccountRead(t *testing.T) {
	h := newGatewayAuthsessionUserHarness(t)

	const addr = "created@example.com"

	challenge := h.sendChallenge(t, addr)
	mailCode := lastMailCodeFor(t, h.mailStub, addr)

	// The same client key is handed to both the confirm call and the later
	// account call.
	// NOTE(review): presumably the session is bound to this key; confirm in the harness.
	clientKey := newClientPrivateKey("first-registration")
	confirmResp := h.confirmCode(t, challenge, mailCode, clientKey)

	confirmed := struct {
		DeviceSessionID string `json:"device_session_id"`
	}{}
	requireJSONStatus(t, confirmResp, http.StatusOK, &confirmed)

	hasSessionPrefix := strings.HasPrefix(confirmed.DeviceSessionID, "device-session-")
	require.True(t, hasSessionPrefix)

	session := h.waitForGatewaySession(t, confirmed.DeviceSessionID)

	accountResp := h.executeGetMyAccount(t, confirmed.DeviceSessionID, "request-first-registration", clientKey)
	account := accountResp.Account
	require.Equal(t, session.UserID, account.UserID)
	require.Equal(t, addr, account.Email)
	require.Equal(t, "en", account.PreferredLanguage)
	require.Equal(t, gatewayAuthsessionUserTestTimeZone, account.TimeZone)

	lookupResp, found := h.lookupUserByEmail(t, addr)
	require.Equalf(t, http.StatusOK, lookupResp.StatusCode, "status=%d body=%s", lookupResp.StatusCode, lookupResp.Body)
	require.Equal(t, account.UserID, found.User.UserID)
}

// TestGatewayAuthsessionUserExistingAccountKeepsCreateOnlySettings checks that
// authenticating into an account that already exists leaves its preferred
// language and time zone as they were set at creation ("fr-FR",
// "Europe/Paris") and resolves to the original user ID.
func TestGatewayAuthsessionUserExistingAccountKeepsCreateOnlySettings(t *testing.T) {
	h := newGatewayAuthsessionUserHarness(t)

	const addr = "existing@example.com"

	// Seed the user up front so the login below hits an existing record.
	seeded := h.ensureUser(t, addr, "fr-FR", "Europe/Paris")
	require.Equal(t, "created", seeded.Outcome)

	challenge := h.sendChallenge(t, addr)
	mailCode := lastMailCodeFor(t, h.mailStub, addr)
	clientKey := newClientPrivateKey("existing-account")
	confirmResp := h.confirmCode(t, challenge, mailCode, clientKey)

	confirmed := struct {
		DeviceSessionID string `json:"device_session_id"`
	}{}
	requireJSONStatus(t, confirmResp, http.StatusOK, &confirmed)

	accountResp := h.executeGetMyAccount(t, confirmed.DeviceSessionID, "request-existing-account", clientKey)
	account := accountResp.Account
	require.Equal(t, seeded.UserID, account.UserID)
	require.Equal(t, "fr-FR", account.PreferredLanguage)
	require.Equal(t, "Europe/Paris", account.TimeZone)
}

// TestGatewayAuthsessionUserAcceptLanguageSetsLocalizedPreferredLanguage
// sends the challenge with Accept-Language "fr-FR, en;q=0.8" and checks that
// the most recent recorded mail delivery uses the "fr-FR" locale and that the
// account read after confirmation reports "fr-FR" as preferred language,
// while the time zone is still the harness default.
func TestGatewayAuthsessionUserAcceptLanguageSetsLocalizedPreferredLanguage(t *testing.T) {
	h := newGatewayAuthsessionUserHarness(t)

	const addr = "localized@example.com"

	challenge := h.sendChallengeWithAcceptLanguage(t, addr, "fr-FR, en;q=0.8")

	recorded := h.mailStub.RecordedDeliveries()
	require.NotEmpty(t, recorded)
	// Safe to index: the NotEmpty check above aborts the test on an empty slice.
	latest := recorded[len(recorded)-1]
	require.Equal(t, "fr-FR", latest.Locale)

	mailCode := lastMailCodeFor(t, h.mailStub, addr)
	clientKey := newClientPrivateKey("localized-account")
	confirmResp := h.confirmCode(t, challenge, mailCode, clientKey)

	confirmed := struct {
		DeviceSessionID string `json:"device_session_id"`
	}{}
	requireJSONStatus(t, confirmResp, http.StatusOK, &confirmed)

	accountResp := h.executeGetMyAccount(t, confirmed.DeviceSessionID, "request-localized-account", clientKey)
	account := accountResp.Account
	require.Equal(t, "fr-FR", account.PreferredLanguage)
	require.Equal(t, gatewayAuthsessionUserTestTimeZone, account.TimeZone)
}

// TestGatewayAuthsessionUserBlockedEmailAndUserBehavior covers the block
// policy at both steps of the flow.
//
// Blocked before send: the send call still yields a non-empty challenge ID,
// but the number of recorded mail deliveries does not change.
// NOTE(review): presumably the uniform response is meant to keep block status
// from being observable at the send step; confirm against the service contract.
//
// Blocked between send and confirm: a valid code is rejected with 403 and the
// "blocked_by_policy" error body, and a lookup by e-mail finds no user.
func TestGatewayAuthsessionUserBlockedEmailAndUserBehavior(t *testing.T) {
	h := newGatewayAuthsessionUserHarness(t)

	// Case 1: the address is blocked before any challenge is requested.
	sendBlockedAddr := "blocked-send@example.com"
	h.blockByEmail(t, sendBlockedAddr)

	deliveriesBefore := len(h.mailStub.RecordedDeliveries())
	sendBlockedChallenge := h.sendChallenge(t, sendBlockedAddr)
	require.NotEmpty(t, sendBlockedChallenge)
	require.Len(t, h.mailStub.RecordedDeliveries(), deliveriesBefore)

	// Case 2: the block lands after the code was mailed, before it is confirmed.
	confirmBlockedAddr := "blocked-confirm@example.com"
	challenge := h.sendChallenge(t, confirmBlockedAddr)
	mailCode := lastMailCodeFor(t, h.mailStub, confirmBlockedAddr)
	h.blockByEmail(t, confirmBlockedAddr)

	confirmResp := h.confirmCode(t, challenge, mailCode, newClientPrivateKey("blocked-confirm"))
	require.Equal(t, http.StatusForbidden, confirmResp.StatusCode)
	require.JSONEq(t, `{"error":{"code":"blocked_by_policy","message":"authentication is blocked by policy"}}`, confirmResp.Body)

	// The rejected confirmation must not have left a user record behind.
	lookupResp, _ := h.lookupUserByEmail(t, confirmBlockedAddr)
	requireLookupNotFound(t, lookupResp)
}