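"""Tests for src/auth.py - magic-link token and JWT round trip."""

import string

import pytest
from fastapi import HTTPException

from auth import generate_magic_token, create_token, decode_token

# ASCII-only URL-safe alphabet. str.isalnum() is also true for non-ASCII
# letters and digits, so it cannot prove a token is safe to embed in a URL.
_URL_SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "-_")


def test_magic_token_is_url_safe_and_random():
    """Two generated magic-link tokens differ and use only URL-safe ASCII."""
    t1 = generate_magic_token()
    t2 = generate_magic_token()
    assert t1 != t2
    for token in (t1, t2):
        # token_urlsafe(32) -> 43 base64-url characters
        assert 40 <= len(token) <= 50
        # URL-safe characters only
        assert set(token) <= _URL_SAFE_CHARS


def test_jwt_round_trip():
    """Claims passed to create_token come back unchanged from decode_token."""
    token = create_token(admin_id=42, email="info@aegis-sight.de", username="info")
    payload = decode_token(token)
    # The subject claim comes back as a string even though admin_id is an int.
    assert payload["sub"] == "42"
    assert payload["email"] == "info@aegis-sight.de"
    assert payload["username"] == "info"
    assert payload["role"] == "portal_admin"
    assert payload["iss"] == "aegissight-portal"
    assert payload["aud"] == "aegissight-portal"


def test_jwt_username_default_from_email():
    """Without an explicit username, the local part of the email is used."""
    token = create_token(admin_id=1, email="someone@example.com")
    payload = decode_token(token)
    assert payload["username"] == "someone"


def test_decode_invalid_token_raises():
    """A string that is not a JWT is rejected with HTTP 401."""
    with pytest.raises(HTTPException) as exc:
        decode_token("not.a.valid.jwt")
    # Must stay outside the `with` block: statements after the raising call
    # inside it would never run.
    assert exc.value.status_code == 401


def test_decode_token_with_swapped_payload_raises():
    """A validly signed token whose payload was replaced must be rejected.

    The malformed-token test above only covers input that fails to parse. This
    one covers a well-formed token whose signature does not match its payload,
    which is the case signature verification exists for.
    """
    # Assumes create_token returns the compact three-segment form as str;
    # confirm against src/auth.py.
    signed = create_token(admin_id=1, email="someone@example.com")
    other = create_token(admin_id=2, email="someone@example.com")
    header, _, signature = signed.split(".")
    other_payload = other.split(".")[1]
    spliced = f"{header}.{other_payload}.{signature}"
    with pytest.raises(HTTPException) as exc:
        decode_token(spliced)
    # Expects the same 401 contract that malformed tokens get.
    assert exc.value.status_code == 401


# NOTE(review): the tests visible here do not cover rejection of expired
# tokens or of tokens with a wrong "iss"/"aud" claim.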