use crate::harness::{SiteBuilder, TestServer, server_with_site, test_config_with_site};

/// Every missing or malformed `Authorization` header on a POST to `/my-site`
/// must be rejected with HTTP 401 and a JSON body whose `error` field is
/// `"unauthorized"`.
///
/// The server comes from `server_with_site()`; presumably that helper
/// configures `my-site` with a non-empty token (confirm against the harness).
#[tokio::test]
async fn invalid_auth_returns_401() {
    let server = server_with_site().await;

    // (case label, Authorization header value); `None` sends no header at all.
    let cases: [(&str, Option<&str>); 5] = [
        ("no header", None),
        ("wrong token", Some("Bearer wrong-token")),
        // Valid-looking Basic credentials ("user:pass" in base64): the scheme
        // itself has to be refused, not just the value.
        ("wrong scheme", Some("Basic dXNlcjpwYXNz")),
        ("empty header", Some("")),
        // Scheme prefix with nothing after it: guards against an empty
        // presented token being accepted.
        ("bearer without token", Some("Bearer ")),
    ];

    for (label, header_value) in cases {
        let base = TestServer::client().post(server.url("/my-site"));
        let request = match header_value {
            Some(value) => base.header("Authorization", value),
            None => base,
        };

        let resp = request.send().await.unwrap();
        let status = resp.status().as_u16();
        assert_eq!(status, 401, "expected 401 for case: {label}");

        // The rejection must be machine-readable JSON, not a bare status.
        let body = resp.text().await.unwrap();
        let json: serde_json::Value = serde_json::from_str(&body).unwrap();
        assert_eq!(
            json["error"], "unauthorized",
            "expected JSON error for case: {label}"
        );
    }
}

/// A site built with an empty third `SiteBuilder::new` argument accepts POSTs
/// with no credentials and with arbitrary credentials alike (HTTP 202).
///
/// NOTE(review): the empty string is presumably the site token, so this test
/// pins a fail-open configuration where a blank token turns authentication
/// off. Confirm that the config loader treats this as a deliberate opt-out
/// (for example by logging it) rather than silently accepting a token that
/// was left blank by mistake.
#[tokio::test]
async fn disabled_auth_allows_unauthenticated_requests() {
    // `keep()` persists the temporary directory instead of deleting it on
    // drop, so it stays on disk after the test finishes.
    let tmp = tempfile::tempdir().unwrap();
    let dir = tmp.keep();

    let site = SiteBuilder::new("open-site", "https://example.com/repo.git", "").build();
    let config = test_config_with_site(dir, site);
    let server = TestServer::start(config).await;

    // POST without Authorization header → 202
    let anonymous = TestServer::client().post(server.url("/open-site"));
    let anonymous_resp = anonymous.send().await.unwrap();
    assert_eq!(anonymous_resp.status().as_u16(), 202);

    // POST with arbitrary Authorization header → 202 (token ignored)
    let with_header = TestServer::client()
        .post(server.url("/open-site"))
        .header("Authorization", "Bearer anything");
    let with_header_resp = with_header.send().await.unwrap();
    assert_eq!(with_header_resp.status().as_u16(), 202);
}