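/**
 * CSRF Controller Tests
 *
 * Tests CSRF token generation endpoint.
 */
import { afterEach, describe, it, expect, vi } from "vitest";
import { CsrfController } from "./csrf.controller";
import type { Response } from "express";

/**
 * Builds a minimal Express `Response` stub.
 *
 * Only `cookie` is provided, because that is the single method the
 * controller is exercised through in these tests; the cast is needed
 * since a real `Response` has many more members.
 */
function makeResponse(): Response {
  return { cookie: vi.fn() } as unknown as Response;
}

describe("CsrfController", () => {
  const controller = new CsrfController();

  // Some tests below override NODE_ENV. Undo that in afterEach rather than
  // at the end of the test body: an assignment after the assertions never
  // runs when an assertion throws, which would leak "production" into every
  // later test. vi.stubEnv also restores an originally-unset variable
  // correctly, whereas `process.env.X = undefined` stores the string
  // "undefined".
  afterEach(() => {
    vi.unstubAllEnvs();
  });

  describe("getCsrfToken", () => {
    it("should generate and return a CSRF token", () => {
      const mockResponse = makeResponse();

      const result = controller.getCsrfToken(mockResponse);

      expect(result).toHaveProperty("token");
      expect(typeof result.token).toBe("string");
      // 32 bytes as hex = 64 characters; also pin the alphabet so a token
      // that merely happens to be 64 characters long cannot pass.
      expect(result.token).toHaveLength(64);
      expect(result.token).toMatch(/^[0-9a-fA-F]{64}$/);
    });

    it("should set CSRF token in httpOnly cookie", () => {
      const mockResponse = makeResponse();

      const result = controller.getCsrfToken(mockResponse);

      // The cookie value must be the very token returned in the body.
      expect(mockResponse.cookie).toHaveBeenCalledWith(
        "csrf-token",
        result.token,
        expect.objectContaining({
          httpOnly: true,
          sameSite: "strict",
        })
      );
    });

    it("should set secure flag in production", () => {
      vi.stubEnv("NODE_ENV", "production");
      const mockResponse = makeResponse();

      controller.getCsrfToken(mockResponse);

      expect(mockResponse.cookie).toHaveBeenCalledWith(
        "csrf-token",
        expect.any(String),
        expect.objectContaining({ secure: true })
      );
    });

    it("should not set secure flag in development", () => {
      vi.stubEnv("NODE_ENV", "development");
      const mockResponse = makeResponse();

      controller.getCsrfToken(mockResponse);

      expect(mockResponse.cookie).toHaveBeenCalledWith(
        "csrf-token",
        expect.any(String),
        expect.objectContaining({ secure: false })
      );
    });

    it("should generate unique tokens on each call", () => {
      const mockResponse = makeResponse();

      const first = controller.getCsrfToken(mockResponse);
      const second = controller.getCsrfToken(mockResponse);

      expect(first.token).not.toBe(second.token);
    });

    it("should set cookie with 24 hour expiry", () => {
      const mockResponse = makeResponse();

      controller.getCsrfToken(mockResponse);

      expect(mockResponse.cookie).toHaveBeenCalledWith(
        "csrf-token",
        expect.any(String),
        expect.objectContaining({
          maxAge: 24 * 60 * 60 * 1000, // 24 hours, in milliseconds
        })
      );
    });
  });
});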