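import pytest
from httpx import AsyncClient

from tests.conftest import get_csrf_token


@pytest.mark.asyncio
async def test_password_login_rate_limited(client: AsyncClient) -> None:
    """After 5 failed attempts, the 6th should be rate-limited.

    The five warm-up attempts are also checked: none of them may be answered
    with 429. Without that check the test would pass against a limiter that
    trips too early (locking out legitimate users after fewer failures), so
    it would not actually pin the threshold stated above.

    Args:
        client: The AsyncClient fixture used to send the login requests.
    """
    token = await get_csrf_token(client)

    async def attempt_bad_login():
        # Same failing credentials and CSRF header for every attempt; the
        # dicts are rebuilt per call so nothing is shared between requests.
        return await client.post(
            "/login/password",
            data={"username": "nobody", "password": "wrong"},
            headers={"X-CSRF-Token": token},
        )

    # NOTE(review): assumes the limiter's counters are not carried over from
    # other tests — confirm the fixtures isolate or reset limiter state.
    for attempt_no in range(1, 6):
        warm_up = await attempt_bad_login()
        assert warm_up.status_code != 429, (
            f"attempt {attempt_no} was rate-limited before the limit was reached"
        )

    # The sixth attempt is the first one that must be rejected by the limiter.
    response = await attempt_bad_login()
    assert response.status_code == 429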