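package auth

import (
	"testing"
	"time"
)

// TestSignAndVerify checks the round trip: a token produced by Sign for a
// user must be accepted by Verify on the same service, carry the same user
// ID, and have an expiry that is set and still in the future.
func TestSignAndVerify(t *testing.T) {
	svc := New("test-secret")

	token, err := svc.Sign("user42")
	if err != nil {
		t.Fatalf("Sign: %v", err)
	}
	if token == "" {
		t.Fatal("expected non-empty token")
	}

	claims, err := svc.Verify(token)
	if err != nil {
		t.Fatalf("Verify: %v", err)
	}
	if claims.UserID != "user42" {
		t.Errorf("expected UserID 'user42', got %q", claims.UserID)
	}
	// A missing expiry is treated as a failure too: a token without one
	// would never age out.
	if claims.ExpiresAt == nil || claims.ExpiresAt.Before(time.Now()) {
		t.Error("token should not be expired")
	}
}

// TestVerify_InvalidToken checks that Verify returns an error for a string
// that was never produced by Sign.
func TestVerify_InvalidToken(t *testing.T) {
	svc := New("test-secret")

	if _, err := svc.Verify("not.a.valid.token"); err == nil {
		t.Fatal("expected error for invalid token")
	}
}

// TestVerify_WrongSecret checks that a token signed by a service built with
// one secret is rejected by a service built with a different secret.
func TestVerify_WrongSecret(t *testing.T) {
	svc1 := New("secret-a")
	svc2 := New("secret-b")

	token, err := svc1.Sign("user1")
	if err != nil {
		t.Fatalf("Sign: %v", err)
	}

	if _, err = svc2.Verify(token); err == nil {
		t.Fatal("expected error when verifying with different secret")
	}
}

// TestVerify_TamperedToken checks that Verify rejects a token that was
// modified after signing.
func TestVerify_TamperedToken(t *testing.T) {
	svc := New("test-secret")

	// The Sign error must be checked: if Sign failed and returned an empty
	// token, the "tampered" value would be just "x", Verify would reject it
	// for being malformed, and the test would pass without ever exercising
	// signature verification.
	token, err := svc.Sign("admin")
	if err != nil {
		t.Fatalf("Sign: %v", err)
	}
	if token == "" {
		t.Fatal("expected non-empty token")
	}

	// Append garbage to corrupt the signature.
	// NOTE(review): this assumes the signature is the trailing part of the
	// token; it does not cover a modified claims portion. Confirm that
	// case is tested against the token format used by Sign.
	tampered := token + "x"

	if _, err := svc.Verify(tampered); err == nil {
		t.Fatal("expected error for tampered token")
	}
}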