import { afterEach, describe, expect, it, vi } from 'vitest';
import { SsoController } from './sso.controller.js';

describe('SsoController', () => {
  afterEach(() => {
    vi.unstubAllEnvs();
  });

  it('lists configured OIDC providers', () => {
    vi.stubEnv('WORKOS_CLIENT_ID', 'workos-client');
    vi.stubEnv('WORKOS_CLIENT_SECRET', 'workos-secret');
    vi.stubEnv('WORKOS_ISSUER', 'https://auth.workos.com/sso/client_123');

    const controller = new SsoController();
    const providers = controller.list();

    expect(providers.find((provider) => provider.id === 'workos')).toMatchObject({
      configured: true,
      loginMode: 'oidc',
      callbackPath: '/api/auth/oauth2/callback/workos',
      teamSync: { enabled: true, claim: 'organization_id' },
    });
  });

  it('prefers SAML fallback for Keycloak when only the SAML login URL is configured', () => {
    vi.stubEnv('KEYCLOAK_SAML_LOGIN_URL', 'https://sso.example.com/realms/mosaic/protocol/saml');

    const controller = new SsoController();
    const providers = controller.list();

    expect(providers.find((provider) => provider.id === 'keycloak')).toMatchObject({
      configured: true,
      loginMode: 'saml',
      samlFallback: {
        configured: true,
        loginUrl: 'https://sso.example.com/realms/mosaic/protocol/saml',
      },
    });
  });
});