galaxy-game/integration/gatewayauthsessionusermail/gateway_authsession_user_mail_test.go

package gatewayauthsessionusermail_test

import (
	"bytes"
	"context"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"io"
	"net/http"
	"net/url"
	"path/filepath"
	"runtime"
	"testing"
	"time"

	gatewayv1 "galaxy/gateway/proto/galaxy/gateway/v1"
	contractsgatewayv1 "galaxy/integration/internal/contracts/gatewayv1"
	"galaxy/integration/internal/harness"

	"github.com/redis/go-redis/v9"
	"github.com/stretchr/testify/require"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials/insecure"
)

const (
	gatewaySendEmailCodePath    = "/api/v1/public/auth/send-email-code"
	gatewayConfirmEmailCodePath = "/api/v1/public/auth/confirm-email-code"
	mailDeliveriesPath          = "/api/v1/internal/deliveries"

	testEmail    = "pilot@example.com"
	testTimeZone = "Europe/Kaliningrad"
)

func TestGatewayAuthsessionUserMailRegistrationCreatesUserProjectsSessionAndBypassesNotification(t *testing.T) {
	h := newGatewayAuthsessionUserMailHarness(t)

	clientPrivateKey := newClientPrivateKey("full-chain")
	challengeID := h.sendChallengeWithAcceptLanguage(t, testEmail, "fr-FR, en;q=0.8")

	list := h.eventuallyListDeliveries(t, url.Values{
		"source":      []string{"authsession"},
		"recipient":   []string{testEmail},
		"template_id": []string{"auth.login_code"},
	})
	require.Len(t, list.Items, 1)
	require.Equal(t, "authsession", list.Items[0].Source)
	require.Equal(t, "auth.login_code", list.Items[0].TemplateID)
	require.Equal(t, "fr-FR", list.Items[0].Locale)
	require.Equal(t, []string{testEmail}, list.Items[0].To)

	detail := h.getDelivery(t, list.Items[0].DeliveryID)
	code := templateVariableString(t, detail.TemplateVariables, "code")

	confirm := h.confirmCode(t, challengeID, code, clientPrivateKey)
	require.Equal(t, http.StatusOK, confirm.StatusCode, confirm.Body)

	var confirmBody confirmEmailCodeResponse
	require.NoError(t, decodeStrictJSONPayload([]byte(confirm.Body), &confirmBody))
	require.NotEmpty(t, confirmBody.DeviceSessionID)

	account := h.lookupUserByEmail(t, testEmail)
	require.Equal(t, testEmail, account.User.Email)
	require.Equal(t, "fr-FR", account.User.PreferredLanguage)
	require.Equal(t, testTimeZone, account.User.TimeZone)
	require.NotEmpty(t, account.User.UserID)

	record := h.waitForGatewaySession(t, confirmBody.DeviceSessionID)
	require.Equal(t, gatewaySessionRecord{
		DeviceSessionID: confirmBody.DeviceSessionID,
		UserID:          account.User.UserID,
		ClientPublicKey: encodePublicKey(clientPrivateKey.Public().(ed25519.PublicKey)),
		Status:          "active",
	}, record)

	conn := h.dialGateway(t)
	client := gatewayv1.NewEdgeGatewayClient(conn)
	stream, err := client.SubscribeEvents(context.Background(), newSubscribeEventsRequest(confirmBody.DeviceSessionID, "request-bootstrap", clientPrivateKey))
	require.NoError(t, err)
	assertBootstrapEvent(t, recvGatewayEvent(t, stream), h.responseSignerPublicKey, "request-bootstrap")

	length, err := h.redis.XLen(context.Background(), "notification:intents").Result()
	require.NoError(t, err)
	require.Zero(t, length)
}

type gatewayAuthsessionUserMailHarness struct {
	redis *redis.Client

	userServiceURL   string
	gatewayPublicURL string
	gatewayGRPCAddr  string
	mailInternalURL  string

	responseSignerPublicKey ed25519.PublicKey

	gatewayProcess     *harness.Process
	authsessionProcess *harness.Process
	userServiceProcess *harness.Process
	mailProcess        *harness.Process
}

type httpResponse struct {
	StatusCode int
	Body       string
	Header     http.Header
}

type sendEmailCodeResponse struct {
	ChallengeID string `json:"challenge_id"`
}

type confirmEmailCodeResponse struct {
	DeviceSessionID string `json:"device_session_id"`
}

type gatewaySessionRecord struct {
	DeviceSessionID string `json:"device_session_id"`
	UserID          string `json:"user_id"`
	ClientPublicKey string `json:"client_public_key"`
	Status          string `json:"status"`
	RevokedAtMS     *int64 `json:"revoked_at_ms,omitempty"`
}

type mailDeliveryListResponse struct {
	Items []mailDeliverySummary `json:"items"`
}

type mailDeliverySummary struct {
	DeliveryID string   `json:"delivery_id"`
	Source     string   `json:"source"`
	TemplateID string   `json:"template_id"`
	Locale     string   `json:"locale"`
	To         []string `json:"to"`
	Status     string   `json:"status"`
}

type mailDeliveryDetailResponse struct {
	DeliveryID        string         `json:"delivery_id"`
	Source            string         `json:"source"`
	TemplateID        string         `json:"template_id"`
	Locale            string         `json:"locale"`
	To                []string       `json:"to"`
	IdempotencyKey    string         `json:"idempotency_key"`
	Status            string         `json:"status"`
	TemplateVariables map[string]any `json:"template_variables,omitempty"`
}

type userLookupResponse struct {
	User accountView `json:"user"`
}

type accountView struct {
	UserID            string `json:"user_id"`
	Email             string `json:"email"`
	PreferredLanguage string `json:"preferred_language"`
	TimeZone          string `json:"time_zone"`
}

func newGatewayAuthsessionUserMailHarness(t *testing.T) *gatewayAuthsessionUserMailHarness {
	t.Helper()

	redisRuntime := harness.StartRedisContainer(t)
	redisClient := redis.NewClient(&redis.Options{
		Addr:            redisRuntime.Addr,
		Protocol:        2,
		DisableIdentity: true,
	})
	t.Cleanup(func() {
		require.NoError(t, redisClient.Close())
	})

	responseSignerPath, responseSignerPublicKey := harness.WriteResponseSignerPEM(t, t.Name())
	userServiceAddr := harness.FreeTCPAddress(t)
	mailInternalAddr := harness.FreeTCPAddress(t)
	authsessionPublicAddr := harness.FreeTCPAddress(t)
	authsessionInternalAddr := harness.FreeTCPAddress(t)
	gatewayPublicAddr := harness.FreeTCPAddress(t)
	gatewayGRPCAddr := harness.FreeTCPAddress(t)

	userServiceBinary := harness.BuildBinary(t, "userservice", "./user/cmd/userservice")
	mailBinary := harness.BuildBinary(t, "mail", "./mail/cmd/mail")
	authsessionBinary := harness.BuildBinary(t, "authsession", "./authsession/cmd/authsession")
	gatewayBinary := harness.BuildBinary(t, "gateway", "./gateway/cmd/gateway")

	userServiceProcess := harness.StartProcess(t, "userservice", userServiceBinary, map[string]string{
		"USERSERVICE_LOG_LEVEL":          "info",
		"USERSERVICE_INTERNAL_HTTP_ADDR": userServiceAddr,
		"USERSERVICE_REDIS_ADDR":         redisRuntime.Addr,
		"OTEL_TRACES_EXPORTER":           "none",
		"OTEL_METRICS_EXPORTER":          "none",
	})
	waitForUserServiceReady(t, userServiceProcess, "http://"+userServiceAddr)

	mailProcess := harness.StartProcess(t, "mail", mailBinary, map[string]string{
		"MAIL_LOG_LEVEL":                "info",
		"MAIL_INTERNAL_HTTP_ADDR":       mailInternalAddr,
		"MAIL_REDIS_ADDR":               redisRuntime.Addr,
		"MAIL_TEMPLATE_DIR":             moduleTemplateDir(t),
		"MAIL_SMTP_MODE":                "stub",
		"MAIL_STREAM_BLOCK_TIMEOUT":     "100ms",
		"MAIL_OPERATOR_REQUEST_TIMEOUT": time.Second.String(),
		"MAIL_SHUTDOWN_TIMEOUT":         "2s",
		"OTEL_TRACES_EXPORTER":          "none",
		"OTEL_METRICS_EXPORTER":         "none",
	})
	waitForMailReady(t, mailProcess, "http://"+mailInternalAddr)

	authsessionProcess := harness.StartProcess(t, "authsession", authsessionBinary, map[string]string{
		"AUTHSESSION_LOG_LEVEL":                              "info",
		"AUTHSESSION_PUBLIC_HTTP_ADDR":                       authsessionPublicAddr,
		"AUTHSESSION_PUBLIC_HTTP_REQUEST_TIMEOUT":            time.Second.String(),
		"AUTHSESSION_INTERNAL_HTTP_ADDR":                     authsessionInternalAddr,
		"AUTHSESSION_INTERNAL_HTTP_REQUEST_TIMEOUT":          time.Second.String(),
		"AUTHSESSION_REDIS_ADDR":                             redisRuntime.Addr,
		"AUTHSESSION_USER_SERVICE_MODE":                      "rest",
		"AUTHSESSION_USER_SERVICE_BASE_URL":                  "http://" + userServiceAddr,
		"AUTHSESSION_USER_SERVICE_REQUEST_TIMEOUT":           time.Second.String(),
		"AUTHSESSION_MAIL_SERVICE_MODE":                      "rest",
		"AUTHSESSION_MAIL_SERVICE_BASE_URL":                  "http://" + mailInternalAddr,
		"AUTHSESSION_MAIL_SERVICE_REQUEST_TIMEOUT":           time.Second.String(),
		"AUTHSESSION_REDIS_GATEWAY_SESSION_CACHE_KEY_PREFIX": "gateway:session:",
		"AUTHSESSION_REDIS_GATEWAY_SESSION_EVENTS_STREAM":    "gateway:session_events",
		"OTEL_TRACES_EXPORTER":                               "none",
		"OTEL_METRICS_EXPORTER":                              "none",
	})
	waitForAuthsessionPublicReady(t, authsessionProcess, "http://"+authsessionPublicAddr)

	gatewayProcess := harness.StartProcess(t, "gateway", gatewayBinary, map[string]string{
		"GATEWAY_LOG_LEVEL":                                                              "info",
		"GATEWAY_PUBLIC_HTTP_ADDR":                                                       gatewayPublicAddr,
		"GATEWAY_AUTHENTICATED_GRPC_ADDR":                                                gatewayGRPCAddr,
		"GATEWAY_SESSION_CACHE_REDIS_ADDR":                                               redisRuntime.Addr,
		"GATEWAY_SESSION_CACHE_REDIS_KEY_PREFIX":                                         "gateway:session:",
		"GATEWAY_SESSION_EVENTS_REDIS_STREAM":                                            "gateway:session_events",
		"GATEWAY_CLIENT_EVENTS_REDIS_STREAM":                                             "gateway:client_events",
		"GATEWAY_REPLAY_REDIS_KEY_PREFIX":                                                "gateway:replay:",
		"GATEWAY_RESPONSE_SIGNER_PRIVATE_KEY_PEM_PATH":                                   filepath.Clean(responseSignerPath),
		"GATEWAY_AUTH_SERVICE_BASE_URL":                                                  "http://" + authsessionPublicAddr,
		"GATEWAY_PUBLIC_AUTH_UPSTREAM_TIMEOUT":                                           (500 * time.Millisecond).String(),
		"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_PUBLIC_AUTH_RATE_LIMIT_REQUESTS":                 "100",
		"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_PUBLIC_AUTH_RATE_LIMIT_WINDOW":                   "1s",
		"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_PUBLIC_AUTH_RATE_LIMIT_BURST":                    "100",
		"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_SEND_EMAIL_CODE_IDENTITY_RATE_LIMIT_REQUESTS":    "100",
		"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_SEND_EMAIL_CODE_IDENTITY_RATE_LIMIT_WINDOW":      "1s",
		"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_SEND_EMAIL_CODE_IDENTITY_RATE_LIMIT_BURST":       "100",
		"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_CONFIRM_EMAIL_CODE_IDENTITY_RATE_LIMIT_REQUESTS": "100",
		"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_CONFIRM_EMAIL_CODE_IDENTITY_RATE_LIMIT_WINDOW":   "1s",
		"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_CONFIRM_EMAIL_CODE_IDENTITY_RATE_LIMIT_BURST":    "100",
		"OTEL_TRACES_EXPORTER":                                                           "none",
		"OTEL_METRICS_EXPORTER":                                                          "none",
	})
	harness.WaitForHTTPStatus(t, gatewayProcess, "http://"+gatewayPublicAddr+"/healthz", http.StatusOK)
	harness.WaitForTCP(t, gatewayProcess, gatewayGRPCAddr)

	return &gatewayAuthsessionUserMailHarness{
		redis:                   redisClient,
		userServiceURL:          "http://" + userServiceAddr,
		gatewayPublicURL:        "http://" + gatewayPublicAddr,
		gatewayGRPCAddr:         gatewayGRPCAddr,
		mailInternalURL:         "http://" + mailInternalAddr,
		responseSignerPublicKey: responseSignerPublicKey,
		gatewayProcess:          gatewayProcess,
		authsessionProcess:      authsessionProcess,
		userServiceProcess:      userServiceProcess,
		mailProcess:             mailProcess,
	}
}

func (h *gatewayAuthsessionUserMailHarness) sendChallengeWithAcceptLanguage(t *testing.T, email string, acceptLanguage string) string {
	t.Helper()

	response := postJSONValueWithHeaders(
		t,
		h.gatewayPublicURL+gatewaySendEmailCodePath,
		map[string]string{"email": email},
		map[string]string{"Accept-Language": acceptLanguage},
	)
	require.Equal(t, http.StatusOK, response.StatusCode, response.Body)

	var body sendEmailCodeResponse
	require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &body))
	require.NotEmpty(t, body.ChallengeID)
	return body.ChallengeID
}

func (h *gatewayAuthsessionUserMailHarness) confirmCode(t *testing.T, challengeID string, code string, clientPrivateKey ed25519.PrivateKey) httpResponse {
	t.Helper()

	return postJSONValue(t, h.gatewayPublicURL+gatewayConfirmEmailCodePath, map[string]string{
		"challenge_id":      challengeID,
		"code":              code,
		"client_public_key": encodePublicKey(clientPrivateKey.Public().(ed25519.PublicKey)),
		"time_zone":         testTimeZone,
	})
}

func (h *gatewayAuthsessionUserMailHarness) eventuallyListDeliveries(t *testing.T, query url.Values) mailDeliveryListResponse {
	t.Helper()

	var response mailDeliveryListResponse
	require.Eventually(t, func() bool {
		response = h.listDeliveries(t, query)
		return len(response.Items) > 0
	}, 10*time.Second, 50*time.Millisecond)

	return response
}

func (h *gatewayAuthsessionUserMailHarness) listDeliveries(t *testing.T, query url.Values) mailDeliveryListResponse {
	t.Helper()

	target := h.mailInternalURL + mailDeliveriesPath
	if encoded := query.Encode(); encoded != "" {
		target += "?" + encoded
	}

	request, err := http.NewRequest(http.MethodGet, target, nil)
	require.NoError(t, err)

	return doJSONRequest[mailDeliveryListResponse](t, request, http.StatusOK)
}

func (h *gatewayAuthsessionUserMailHarness) getDelivery(t *testing.T, deliveryID string) mailDeliveryDetailResponse {
	t.Helper()

	request, err := http.NewRequest(http.MethodGet, h.mailInternalURL+mailDeliveriesPath+"/"+url.PathEscape(deliveryID), nil)
	require.NoError(t, err)

	return doJSONRequest[mailDeliveryDetailResponse](t, request, http.StatusOK)
}

func (h *gatewayAuthsessionUserMailHarness) lookupUserByEmail(t *testing.T, email string) userLookupResponse {
	t.Helper()

	response := postJSONValue(t, h.userServiceURL+"/api/v1/internal/user-lookups/by-email", map[string]string{
		"email": email,
	})
	return decodeJSONResponse[userLookupResponse](t, response, http.StatusOK)
}

func (h *gatewayAuthsessionUserMailHarness) waitForGatewaySession(t *testing.T, deviceSessionID string) gatewaySessionRecord {
	t.Helper()

	deadline := time.Now().Add(5 * time.Second)
	for time.Now().Before(deadline) {
		payload, err := h.redis.Get(context.Background(), "gateway:session:"+deviceSessionID).Bytes()
		if err == nil {
			var record gatewaySessionRecord
			require.NoError(t, decodeStrictJSONPayload(payload, &record))
			return record
		}

		time.Sleep(25 * time.Millisecond)
	}

	t.Fatalf("gateway session projection for %s was not published in time", deviceSessionID)
	return gatewaySessionRecord{}
}

func (h *gatewayAuthsessionUserMailHarness) dialGateway(t *testing.T) *grpc.ClientConn {
	t.Helper()

	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()

	conn, err := grpc.DialContext(
		ctx,
		h.gatewayGRPCAddr,
		grpc.WithTransportCredentials(insecure.NewCredentials()),
		grpc.WithBlock(),
	)
	require.NoError(t, err)
	t.Cleanup(func() {
		require.NoError(t, conn.Close())
	})

	return conn
}

func postJSONValue(t *testing.T, targetURL string, body any) httpResponse {
	t.Helper()

	return postJSONValueWithHeaders(t, targetURL, body, nil)
}

func postJSONValueWithHeaders(t *testing.T, targetURL string, body any, headers map[string]string) httpResponse {
	t.Helper()

	payload, err := json.Marshal(body)
	require.NoError(t, err)

	request, err := http.NewRequest(http.MethodPost, targetURL, bytes.NewReader(payload))
	require.NoError(t, err)
	request.Header.Set("Content-Type", "application/json")
	for key, value := range headers {
		if value == "" {
			continue
		}
		request.Header.Set(key, value)
	}

	return doRequest(t, request)
}

func doJSONRequest[T any](t *testing.T, request *http.Request, wantStatus int) T {
	t.Helper()

	response := doRequest(t, request)
	return decodeJSONResponse[T](t, response, wantStatus)
}

func decodeJSONResponse[T any](t *testing.T, response httpResponse, wantStatus int) T {
	t.Helper()

	require.Equal(t, wantStatus, response.StatusCode, response.Body)

	var decoded T
	require.NoError(t, decodeJSONPayload([]byte(response.Body), &decoded), response.Body)
	return decoded
}

func doRequest(t *testing.T, request *http.Request) httpResponse {
	t.Helper()

	client := &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			DisableKeepAlives: true,
		},
	}
	t.Cleanup(client.CloseIdleConnections)

	response, err := client.Do(request)
	require.NoError(t, err)
	defer response.Body.Close()

	payload, err := io.ReadAll(response.Body)
	require.NoError(t, err)

	return httpResponse{
		StatusCode: response.StatusCode,
		Body:       string(payload),
		Header:     response.Header.Clone(),
	}
}

func decodeStrictJSONPayload(payload []byte, target any) error {
	decoder := json.NewDecoder(bytes.NewReader(payload))
	decoder.DisallowUnknownFields()

	if err := decoder.Decode(target); err != nil {
		return err
	}
	if err := decoder.Decode(&struct{}{}); err != io.EOF {
		if err == nil {
			return errors.New("unexpected trailing JSON input")
		}
		return err
	}

	return nil
}

func decodeJSONPayload(payload []byte, target any) error {
	decoder := json.NewDecoder(bytes.NewReader(payload))

	if err := decoder.Decode(target); err != nil {
		return err
	}
	if err := decoder.Decode(&struct{}{}); err != io.EOF {
		if err == nil {
			return errors.New("unexpected trailing JSON input")
		}
		return err
	}

	return nil
}

func templateVariableString(t *testing.T, variables map[string]any, field string) string {
	t.Helper()

	value, ok := variables[field]
	require.True(t, ok, "template variable %q is missing", field)

	text, ok := value.(string)
	require.True(t, ok, "template variable %q must be a string", field)
	require.NotEmpty(t, text)

	return text
}

func newClientPrivateKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("galaxy-integration-gateway-authsession-user-mail-client-" + label))
	return ed25519.NewKeyFromSeed(seed[:])
}

func encodePublicKey(publicKey ed25519.PublicKey) string {
	return base64.StdEncoding.EncodeToString(publicKey)
}

func newSubscribeEventsRequest(deviceSessionID string, requestID string, clientPrivateKey ed25519.PrivateKey) *gatewayv1.SubscribeEventsRequest {
	payloadHash := contractsgatewayv1.ComputePayloadHash(nil)

	request := &gatewayv1.SubscribeEventsRequest{
		ProtocolVersion: contractsgatewayv1.ProtocolVersionV1,
		DeviceSessionId: deviceSessionID,
		MessageType:     contractsgatewayv1.SubscribeMessageType,
		TimestampMs:     time.Now().UnixMilli(),
		RequestId:       requestID,
		PayloadHash:     payloadHash,
		TraceId:         "trace-" + requestID,
	}
	request.Signature = contractsgatewayv1.SignRequest(clientPrivateKey, contractsgatewayv1.RequestSigningFields{
		ProtocolVersion: request.GetProtocolVersion(),
		DeviceSessionID: request.GetDeviceSessionId(),
		MessageType:     request.GetMessageType(),
		TimestampMS:     request.GetTimestampMs(),
		RequestID:       request.GetRequestId(),
		PayloadHash:     request.GetPayloadHash(),
	})

	return request
}

func recvGatewayEvent(t *testing.T, stream grpc.ServerStreamingClient[gatewayv1.GatewayEvent]) *gatewayv1.GatewayEvent {
	t.Helper()

	eventCh := make(chan *gatewayv1.GatewayEvent, 1)
	errCh := make(chan error, 1)
	go func() {
		event, err := stream.Recv()
		if err != nil {
			errCh <- err
			return
		}
		eventCh <- event
	}()

	select {
	case event := <-eventCh:
		return event
	case err := <-errCh:
		require.NoError(t, err)
	case <-time.After(5 * time.Second):
		require.FailNow(t, "timed out waiting for gateway event")
	}

	return nil
}

func assertBootstrapEvent(t *testing.T, event *gatewayv1.GatewayEvent, responseSignerPublicKey ed25519.PublicKey, wantRequestID string) {
	t.Helper()

	require.Equal(t, contractsgatewayv1.ServerTimeEventType, event.GetEventType())
	require.Equal(t, wantRequestID, event.GetEventId())
	require.Equal(t, wantRequestID, event.GetRequestId())
	require.NoError(t, contractsgatewayv1.VerifyPayloadHash(event.GetPayloadBytes(), event.GetPayloadHash()))
	require.NoError(t, contractsgatewayv1.VerifyEventSignature(responseSignerPublicKey, event.GetSignature(), contractsgatewayv1.EventSigningFields{
		EventType:   event.GetEventType(),
		EventID:     event.GetEventId(),
		TimestampMS: event.GetTimestampMs(),
		RequestID:   event.GetRequestId(),
		TraceID:     event.GetTraceId(),
		PayloadHash: event.GetPayloadHash(),
	}))
}

func waitForUserServiceReady(t *testing.T, process *harness.Process, baseURL string) {
	t.Helper()

	client := &http.Client{Timeout: 250 * time.Millisecond}
	t.Cleanup(client.CloseIdleConnections)

	deadline := time.Now().Add(10 * time.Second)
	for time.Now().Before(deadline) {
		request, err := http.NewRequest(http.MethodGet, baseURL+"/api/v1/internal/users/user-missing/exists", nil)
		require.NoError(t, err)

		response, err := client.Do(request)
		if err == nil {
			_, _ = io.Copy(io.Discard, response.Body)
			response.Body.Close()
			if response.StatusCode == http.StatusOK {
				return
			}
		}

		time.Sleep(25 * time.Millisecond)
	}

	t.Fatalf("wait for userservice readiness: timeout\n%s", process.Logs())
}

func waitForMailReady(t *testing.T, process *harness.Process, baseURL string) {
	t.Helper()

	client := &http.Client{Timeout: 250 * time.Millisecond}
	t.Cleanup(client.CloseIdleConnections)

	deadline := time.Now().Add(10 * time.Second)
	for time.Now().Before(deadline) {
		request, err := http.NewRequest(http.MethodGet, baseURL+mailDeliveriesPath, nil)
		require.NoError(t, err)

		response, err := client.Do(request)
		if err == nil {
			_, _ = io.Copy(io.Discard, response.Body)
			response.Body.Close()
			if response.StatusCode == http.StatusOK {
				return
			}
		}

		time.Sleep(25 * time.Millisecond)
	}

	t.Fatalf("wait for mail readiness: timeout\n%s", process.Logs())
}

func waitForAuthsessionPublicReady(t *testing.T, process *harness.Process, baseURL string) {
	t.Helper()

	client := &http.Client{Timeout: 250 * time.Millisecond}
	t.Cleanup(client.CloseIdleConnections)

	deadline := time.Now().Add(10 * time.Second)
	for time.Now().Before(deadline) {
		response, err := postJSONValueMaybe(client, baseURL+gatewaySendEmailCodePath, map[string]string{
			"email": "",
		})
		if err == nil && response.StatusCode == http.StatusBadRequest {
			return
		}

		time.Sleep(25 * time.Millisecond)
	}

	t.Fatalf("wait for authsession public readiness: timeout\n%s", process.Logs())
}

func postJSONValueMaybe(client *http.Client, targetURL string, body any) (httpResponse, error) {
	payload, err := json.Marshal(body)
	if err != nil {
		return httpResponse{}, err
	}

	request, err := http.NewRequest(http.MethodPost, targetURL, bytes.NewReader(payload))
	if err != nil {
		return httpResponse{}, err
	}
	request.Header.Set("Content-Type", "application/json")

	response, err := client.Do(request)
	if err != nil {
		return httpResponse{}, err
	}
	defer response.Body.Close()

	responseBody, err := io.ReadAll(response.Body)
	if err != nil {
		return httpResponse{}, err
	}

	return httpResponse{
		StatusCode: response.StatusCode,
		Body:       string(responseBody),
		Header:     response.Header.Clone(),
	}, nil
}

func moduleTemplateDir(t *testing.T) string {
	t.Helper()

	return filepath.Join(repositoryRoot(t), "mail", "templates")
}

func repositoryRoot(t *testing.T) string {
	t.Helper()

	_, file, _, ok := runtime.Caller(0)
	if !ok {
		t.Fatal("resolve repository root: runtime caller is unavailable")
	}

	return filepath.Clean(filepath.Join(filepath.Dir(file), "..", ".."))
}