import { describe, it, expect, vi, afterEach } from "vitest";
import { NextRequest } from "next/server";

// Simulate an authenticated session so the middleware does not redirect
// and CSP headers are set on every response.
vi.mock("./server/auth-edge.js", () => ({
  auth: (handler: (req: NextRequest & { auth: object | null }) => unknown) => (req: NextRequest) =>
    handler(Object.assign(req, { auth: { user: { id: "test-user", email: "test@test.com" } } })),
}));

async function importMiddleware(nodeEnv: string) {
  vi.stubEnv("NODE_ENV", nodeEnv);
  vi.resetModules();
  const mod = await import("./middleware.js");
  // middleware is the default export (wrapped by auth())
  return mod.default as (req: NextRequest) => Promise<Response>;
}

describe("middleware — Content-Security-Policy", () => {
  afterEach(() => {
    vi.unstubAllEnvs();
    vi.resetModules();
  });

  it("sets a Content-Security-Policy header on every response", async () => {
    const middleware = await importMiddleware("production");
    const req = new NextRequest("http://localhost:3100/");
    const res = await middleware(req);
    expect(res.headers.get("Content-Security-Policy")).toBeTruthy();
  });

  it("production: script-src contains a nonce and does NOT contain unsafe-inline or unsafe-eval", async () => {
    const middleware = await importMiddleware("production");
    const req = new NextRequest("http://localhost:3100/dashboard");
    const res = await middleware(req);
    const csp = res.headers.get("Content-Security-Policy") ?? "";
    const scriptSrc = csp.split(";").find((d: string) => d.trim().startsWith("script-src")) ?? "";
    expect(scriptSrc).toMatch(/'nonce-[A-Za-z0-9+/=]+'/);
    expect(scriptSrc).not.toContain("'unsafe-inline'");
    expect(scriptSrc).not.toContain("'unsafe-eval'");
  });

  it("production: each request gets a unique nonce", async () => {
    const middleware = await importMiddleware("production");
    const res1 = await middleware(new NextRequest("http://localhost:3100/a"));
    const res2 = await middleware(new NextRequest("http://localhost:3100/b"));
    const nonce1 = res1.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
    const nonce2 = res2.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
    expect(nonce1).toBeTruthy();
    expect(nonce2).toBeTruthy();
    expect(nonce1).not.toBe(nonce2);
  });

  it("production: x-nonce request header matches the nonce in the CSP response header", async () => {
    const middleware = await importMiddleware("production");
    const req = new NextRequest("http://localhost:3100/settings");
    const res = await middleware(req);
    const cspNonce = res.headers.get("Content-Security-Policy")?.match(/'nonce-([^']+)'/)?.[1];
    // The nonce is forwarded on the request (for server components) — not readable from
    // the response directly, but verifiable via the CSP header consistency.
    expect(cspNonce).toBeTruthy();
    expect(cspNonce?.length).toBeGreaterThan(10);
  });

  it("development: script-src includes unsafe-eval and unsafe-inline for HMR", async () => {
    const middleware = await importMiddleware("development");
    const req = new NextRequest("http://localhost:3100/");
    const res = await middleware(req);
    const csp = res.headers.get("Content-Security-Policy") ?? "";
    const scriptSrc = csp.split(";").find((d: string) => d.trim().startsWith("script-src")) ?? "";
    expect(scriptSrc).toContain("'unsafe-eval'");
    expect(scriptSrc).toContain("'unsafe-inline'");
  });

  it("frame-ancestors is always 'none' regardless of environment", async () => {
    for (const env of ["production", "development"] as const) {
      const middleware = await importMiddleware(env);
      const res = await middleware(new NextRequest("http://localhost:3100/"));
      const csp = res.headers.get("Content-Security-Policy") ?? "";
      expect(csp).toContain("frame-ancestors 'none'");
    }
  });

  it("connect-src has no wildcards — browser cannot call external hosts directly", async () => {
    const middleware = await importMiddleware("production");
    const res = await middleware(new NextRequest("http://localhost:3100/"));
    const csp = res.headers.get("Content-Security-Policy") ?? "";
    const connectSrc = csp.split(";").find((d: string) => d.trim().startsWith("connect-src")) ?? "";
    expect(connectSrc).toMatch(/connect-src\s+'self'\s*$/);
    expect(connectSrc).not.toContain("*");
    expect(connectSrc).not.toContain("openai.com");
    expect(connectSrc).not.toContain("azure.com");
    expect(connectSrc).not.toContain("googleapis.com");
  });

  it("object-src, frame-src are 'none' to block legacy plugin and iframe vectors", async () => {
    const middleware = await importMiddleware("production");
    const res = await middleware(new NextRequest("http://localhost:3100/"));
    const csp = res.headers.get("Content-Security-Policy") ?? "";
    expect(csp).toContain("object-src 'none'");
    expect(csp).toContain("frame-src 'none'");
  });

  it("worker-src restricts web workers to same-origin and blob: (for Next.js)", async () => {
    const middleware = await importMiddleware("production");
    const res = await middleware(new NextRequest("http://localhost:3100/"));
    const csp = res.headers.get("Content-Security-Policy") ?? "";
    expect(csp).toContain("worker-src 'self' blob:");
  });
});

describe("middleware — API allowlist (default-deny)", () => {
  afterEach(() => {
    vi.unstubAllEnvs();
    vi.resetModules();
  });

  it("allows allowlisted API routes through", async () => {
    const middleware = await importMiddleware("production");
    for (const url of [
      "http://localhost:3100/api/trpc/project.list",
      "http://localhost:3100/api/auth/signin",
      "http://localhost:3100/api/sse/timeline",
      "http://localhost:3100/api/cron/health-check",
      "http://localhost:3100/api/reports/allocations",
      "http://localhost:3100/api/health",
      "http://localhost:3100/api/ready",
      "http://localhost:3100/api/perf",
    ]) {
      const res = await middleware(new NextRequest(url));
      expect(res.status).not.toBe(404);
    }
  });

  it("returns 404 for non-allowlisted /api/* routes", async () => {
    const middleware = await importMiddleware("production");
    for (const url of [
      "http://localhost:3100/api/debug",
      "http://localhost:3100/api/internal/secret",
      "http://localhost:3100/api/admin/users",
    ]) {
      const res = await middleware(new NextRequest(url));
      expect(res.status).toBe(404);
    }
  });
});

describe("isApiAllowlisted helper", () => {
  it("exported via module for testing", async () => {
    const { isApiAllowlisted } = await import("./middleware.js");
    expect(isApiAllowlisted("/api/trpc/foo")).toBe(true);
    expect(isApiAllowlisted("/api/debug")).toBe(false);
    expect(isApiAllowlisted("/api/healthz")).toBe(false);
    expect(isApiAllowlisted("/api/health")).toBe(true);
  });
});