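import { suite, test } from 'node:test'
import assert from 'node:assert'
import fs from 'node:fs/promises'
import path from 'node:path'
import { fileURLToPath } from 'node:url'
import { TokenManager } from '../server/server.js'
// securityEnhancer is the unit under test; TokenManager only mints token fixtures.
import { securityEnhancer } from '../index.js'

const __filename = fileURLToPath(import.meta.url)
const __dirname = path.dirname(__filename)

// Fresh identity objects per call: one of them is handed to the enhancer as
// argv.admin, so tests must not share (and possibly mutate) a single instance.
const makeAdminUser = () => ({
  displayName: 'Admin User',
  email: 'admin@example.com',
  provider: 'github',
  id: 'admin123',
})

const makeRegularUser = () => ({
  displayName: 'Regular User',
  email: 'user@example.com',
  provider: 'github',
  id: 'user456',
})

// Pins the admin decision of securityEnhancer().isAdmin(req, baseIsAdmin) for
// token-authenticated requests: only a token whose owner matches the configured
// argv.admin identity is admin; a valid token alone never elevates.
//
// Not covered here: a malformed or revoked bearer value. The middleware's
// behaviour on that path (reject vs. pass through without token context) is not
// pinned by this suite and deserves its own test once that contract is settled.
suite('isAdmin functionality with tokens', () => {
  let tempDir
  let tokenManager
  let enhancer
  let adminUser
  let regularUser
  let adminToken
  let regularToken

  const setup = async () => {
    // mkdtemp yields a unique directory even if two runs start within the
    // same millisecond; a Date.now() suffix can collide and then the two
    // runs would share (and delete) each other's token store.
    tempDir = await fs.mkdtemp(path.join(__dirname, 'temp-admin-'))
    tokenManager = new TokenManager(tempDir)

    adminUser = makeAdminUser()
    regularUser = makeRegularUser()

    // Create tokens for both users
    const adminResult = await tokenManager.createToken(adminUser, 'admin-token')
    adminToken = adminResult.token
    const regularResult = await tokenManager.createToken(regularUser, 'regular-token')
    regularToken = regularResult.token

    // Create the enhancer with admin configuration
    const mockLog = console.log
    const mockLoga = console.log
    const mockArgv = {
      status: tempDir,
      admin: adminUser, // Configure admin user
    }
    // The base handler denies everything, so any admin decision observed in
    // the tests below must come from the token / argv.admin path under test.
    const mockBaseHandler = {
      getUser: (req) => req.user || null,
      isAuthorized: () => false,
      isAdmin: () => false, // Base handler doesn't grant admin access
    }
    enhancer = securityEnhancer(mockLog, mockLoga, mockArgv, mockBaseHandler)
  }

  const cleanup = async () => {
    if (tempDir) {
      await fs.rm(tempDir, { recursive: true, force: true })
      tempDir = undefined
    }
  }

  // Runs `body` between setup() and cleanup(). setup() sits inside the try so
  // a directory left by a partially failed setup is still removed.
  const withFixture = (body) => async () => {
    try {
      await setup()
      await body()
    } finally {
      await cleanup()
    }
  }

  // Builds a request carrying `token` as a bearer credential and runs the
  // enhancer middleware over it (normally done by the server), so the request
  // holds the token-auth context that isAdmin reads. The response is a stub.
  const requestWithToken = async (token) => {
    const req = { headers: { authorization: `Bearer ${token}` } }
    await enhancer.middleware(req, {}, () => {})
    return req
  }

  test('isAdmin returns true for tokens belonging to admin users', withFixture(async () => {
    const req = await requestWithToken(adminToken)
    const baseIsAdmin = () => false
    assert.equal(enhancer.isAdmin(req, baseIsAdmin), true)
  }))

  test('isAdmin returns false for tokens belonging to regular users', withFixture(async () => {
    // A valid token must not elevate its holder: the owner's identity, not
    // token validity, decides admin status.
    const req = await requestWithToken(regularToken)
    const baseIsAdmin = () => false
    assert.equal(enhancer.isAdmin(req, baseIsAdmin), false)
  }))

  test('isAdmin respects base admin when base returns true', withFixture(async () => {
    // Session-based admin (the base handler) is still honored when a
    // non-admin token is also present; this pins that the token path does
    // not veto a base-handler admin decision.
    const req = await requestWithToken(regularToken)
    const baseIsAdmin = () => true
    assert.equal(enhancer.isAdmin(req, baseIsAdmin), true)
  }))

  test('isAdmin returns false when no token auth present', withFixture(async () => {
    // No middleware run: the request carries no token-auth context at all.
    const req = { headers: {} }
    const baseIsAdmin = () => false
    assert.equal(enhancer.isAdmin(req, baseIsAdmin), false)
  }))

  test('isAdmin returns false when no admin is configured', async () => {
    // Self-contained: builds its own enhancer and its own admin identity
    // instead of reading `adminUser` left behind by an earlier test's setup().
    // Previously, run in isolation (e.g. --test-name-pattern), `adminUser` was
    // undefined and the assertion passed vacuously.
    const tempDir2 = await fs.mkdtemp(path.join(__dirname, 'temp-no-admin-'))
    try {
      const mockArgv = { status: tempDir2 } // No admin configured
      const mockBaseHandler = {
        getUser: () => null,
        isAuthorized: () => false,
        isAdmin: () => false,
      }
      const enhancerNoAdmin = securityEnhancer(console.log, console.log, mockArgv, mockBaseHandler)

      // Even the would-be admin identity must not be treated as admin when
      // argv.admin is absent.
      const req = {
        tokenAuth: {
          user: makeAdminUser(),
          scopes: ['site:read', 'site:write'],
          tokenName: 'test-token',
        },
      }
      const baseIsAdmin = () => false
      assert.equal(enhancerNoAdmin.isAdmin(req, baseIsAdmin), false)
    } finally {
      await fs.rm(tempDir2, { recursive: true, force: true })
    }
  })
})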