package agentidp

import (
	"context"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"testing"
)

func TestTokenServiceClient_IntrospectToken_Active(t *testing.T) {
	introspectResp := map[string]interface{}{
		"active": true,
		"sub":    "uuid-1",
		"exp":    9999999999,
	}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/api/v1/token/introspect" {
			t.Errorf("unexpected: %s %s", r.Method, r.URL.Path)
		}
		if ct := r.Header.Get("Content-Type"); ct != "application/x-www-form-urlencoded" {
			t.Errorf("expected form content-type, got %q", ct)
		}
		if err := r.ParseForm(); err != nil {
			t.Fatalf("parse form: %v", err)
		}
		if r.FormValue("token") == "" {
			t.Error("missing 'token' form field")
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(introspectResp)
	}))
	defer srv.Close()

	client := newTokenServiceClient(srv.URL, staticToken, &http.Client{})
	result, err := client.IntrospectToken(context.Background(), "some-token")
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	if !result.Active {
		t.Error("expected active=true")
	}
	if result.Sub == nil || *result.Sub != "uuid-1" {
		t.Errorf("expected sub=uuid-1, got %v", result.Sub)
	}
}

func TestTokenServiceClient_IntrospectToken_Inactive(t *testing.T) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(map[string]interface{}{"active": false})
	}))
	defer srv.Close()

	client := newTokenServiceClient(srv.URL, staticToken, &http.Client{})
	result, err := client.IntrospectToken(context.Background(), "expired-token")
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	if result.Active {
		t.Error("expected active=false")
	}
}

func TestTokenServiceClient_RevokeToken(t *testing.T) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/api/v1/token/revoke" {
			t.Errorf("unexpected: %s %s", r.Method, r.URL.Path)
		}
		if ct := r.Header.Get("Content-Type"); ct != "application/x-www-form-urlencoded" {
			t.Errorf("expected form content-type, got %q", ct)
		}
		w.WriteHeader(200)
		_, _ = w.Write([]byte("{}"))
	}))
	defer srv.Close()

	client := newTokenServiceClient(srv.URL, staticToken, &http.Client{})
	err := client.RevokeToken(context.Background(), "some-token")
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
}

func TestTokenServiceClient_IntrospectToken_Error(t *testing.T) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(401)
		_ = json.NewEncoder(w).Encode(map[string]string{
			"code":    "UnauthorizedError",
			"message": "Invalid token.",
		})
	}))
	defer srv.Close()

	client := newTokenServiceClient(srv.URL, staticToken, &http.Client{})
	_, err := client.IntrospectToken(context.Background(), "bad-token")
	if err == nil {
		t.Fatal("expected error, got nil")
	}
	apiErr, ok := err.(*AgentIdPError)
	if !ok {
		t.Fatalf("expected *AgentIdPError, got %T", err)
	}
	if apiErr.HTTPStatus != 401 {
		t.Errorf("expected 401, got %d", apiErr.HTTPStatus)
	}
}