use std::collections::HashSet;

use hyperion_vault_core::auth::{
    fingerprint, fingerprints_match, generate_token, verify, FINGERPRINT_LEN,
};

#[test]
fn generated_tokens_are_unique() {
    let mut seen: HashSet<String> = HashSet::new();
    for _ in 0..50_000 {
        assert!(seen.insert(generate_token()), "token collision generated");
    }
}

#[test]
fn generated_tokens_are_url_safe_and_long() {
    let token = generate_token();
    assert!(
        token.len() >= 43,
        "32 random bytes base64url is at least 43 chars"
    );
    assert!(
        token
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_'),
        "token must be url-safe base64 without padding"
    );
}

#[test]
fn fingerprint_is_deterministic_and_fixed_length() {
    let token = generate_token();
    let a = fingerprint(&token);
    let b = fingerprint(&token);
    assert_eq!(a, b);
    assert_eq!(a.len(), FINGERPRINT_LEN);
}

#[test]
fn different_tokens_have_different_fingerprints() {
    let a = fingerprint(&generate_token());
    let b = fingerprint(&generate_token());
    assert_ne!(a, b);
}

#[test]
fn verify_accepts_matching_token() {
    let token = generate_token();
    let fp = fingerprint(&token);
    assert!(verify(&token, &fp));
}

#[test]
fn verify_rejects_wrong_token() {
    let fp = fingerprint(&generate_token());
    assert!(!verify(&generate_token(), &fp));
}

#[test]
fn verify_rejects_wrong_length_fingerprint() {
    let token = generate_token();
    assert!(!verify(&token, &[0u8; FINGERPRINT_LEN - 1]));
    assert!(!verify(&token, &[]));
    assert!(!verify(&token, &[0u8; FINGERPRINT_LEN + 5]));
}

#[test]
fn fingerprints_match_is_length_safe() {
    assert!(fingerprints_match(&[1, 2, 3], &[1, 2, 3]));
    assert!(!fingerprints_match(&[1, 2, 3], &[1, 2, 4]));
    assert!(!fingerprints_match(&[1, 2, 3], &[1, 2]));
    assert!(!fingerprints_match(&[1, 2, 3], &[]));
}