from datetime import UTC, datetime

from argon2 import PasswordHasher
from httpx import AsyncClient

from porchlight.authn.password import PasswordService
from porchlight.models import PasswordCredential, User
from tests.conftest import get_csrf_token


async def test_password_login_unknown_user_returns_error_fragment(client: AsyncClient) -> None:
    token = await get_csrf_token(client)
    res = await client.post(
        "/login/password",
        data={"username": "nobody", "password": "wrong"},
        headers={"HX-Request": "true", "X-CSRF-Token": token},
    )
    assert res.status_code == 200
    assert "Invalid username or password" in res.text
    assert 'role="alert"' in res.text


async def test_password_login_wrong_password_returns_error_fragment(client: AsyncClient) -> None:
    app = client._transport.app  # type: ignore[union-attr]
    user_repo = app.state.user_repo
    cred_repo = app.state.credential_repo

    user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
    await user_repo.create(user)

    svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
    await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("correct")))

    token = await get_csrf_token(client)
    res = await client.post(
        "/login/password",
        data={"username": "alice", "password": "wrong"},
        headers={"HX-Request": "true", "X-CSRF-Token": token},
    )
    assert res.status_code == 200
    assert "Invalid username or password" in res.text


async def test_password_login_success_sets_session_and_hx_redirect(client: AsyncClient) -> None:
    app = client._transport.app  # type: ignore[union-attr]
    user_repo = app.state.user_repo
    cred_repo = app.state.credential_repo

    user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
    await user_repo.create(user)

    svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
    await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("correct")))

    token = await get_csrf_token(client)
    res = await client.post(
        "/login/password",
        data={"username": "alice", "password": "correct"},
        headers={"HX-Request": "true", "X-CSRF-Token": token},
    )
    assert res.status_code == 200
    assert res.headers.get("HX-Redirect") == "/manage/credentials"


async def test_logout_clears_session_and_redirects(client: AsyncClient) -> None:
    token = await get_csrf_token(client)
    res = await client.post("/logout", headers={"HX-Request": "true", "X-CSRF-Token": token})
    assert res.status_code == 200
    assert res.headers.get("HX-Redirect") == "/login"