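//! Integration tests for CSRF protection on the post-creation form.
//!
//! Each test builds a fresh [`TestHarness`], logs a user in, creates the
//! `test` community with a `general` category, grants membership, and then
//! submits `/p/test/general/new` under a different CSRF token condition:
//! no token, the server-issued token, a wrong token, and token stability
//! across requests within one session.

use crate::harness::TestHarness;

/// A POST that carries no CSRF token must be rejected with 403.
///
/// Unlike the other tests there is no preceding GET here; the request is
/// sent through `post_form_no_csrf`, which (per its name) omits the token.
#[tokio::test]
async fn post_without_token_returns_403() {
    let mut h = TestHarness::new().await;
    let user_id = h.login_as("alice").await;
    let comm_id = h.create_community("Test", "test").await;
    let _cat_id = h.create_category(comm_id, "General", "general").await;
    h.add_membership(user_id, comm_id, "member").await;

    let resp = h
        .client
        .post_form_no_csrf("/p/test/general/new", "title=Hello&body=World")
        .await;

    assert_eq!(resp.status.as_u16(), 403);
}

/// A POST carrying the server-issued token must not be rejected as CSRF.
///
/// The exact success code is deliberately not pinned: either a redirect
/// (e.g. 303 See Other) or any 2xx counts. The test only guards against a
/// false CSRF rejection, not the form handler's exact response shape.
#[tokio::test]
async fn post_with_valid_token_succeeds() {
    let mut h = TestHarness::new().await;
    let user_id = h.login_as("bob").await;
    let comm_id = h.create_community("Test", "test").await;
    let _cat_id = h.create_category(comm_id, "General", "general").await;
    h.add_membership(user_id, comm_id, "member").await;

    // Fetch the form first so the client observes the server-issued token.
    h.client.get("/p/test/general/new").await;

    // `post_form` injects the token the client captured automatically.
    let resp = h
        .client
        .post_form("/p/test/general/new", "title=Hello&body=World")
        .await;

    assert!(
        resp.status.is_redirection() || resp.status.is_success(),
        "Expected success/redirect, got {}",
        resp.status
    );
}

/// A POST with an established session but a wrong token must be rejected
/// with 403 — a valid session alone is not enough.
#[tokio::test]
async fn post_with_wrong_token_returns_403() {
    let mut h = TestHarness::new().await;
    let user_id = h.login_as("carol").await;
    let comm_id = h.create_community("Test", "test").await;
    let _cat_id = h.create_category(comm_id, "General", "general").await;
    h.add_membership(user_id, comm_id, "member").await;

    // Establish the session (and a real token) before sending the bad one.
    h.client.get("/p/test/general/new").await;

    let resp = h
        .client
        .post_form_with_token(
            "/p/test/general/new",
            "title=Hello&body=World",
            "totally-wrong-token",
        )
        .await;

    assert_eq!(resp.status.as_u16(), 403);
}

/// The CSRF token observed by the client is expected to stay the same across
/// requests within one session.
///
/// Besides equality, the token must be non-empty: a helper yielding
/// `Some("")` on both requests would otherwise satisfy the equality check
/// vacuously and hide a missing token.
#[tokio::test]
async fn csrf_token_stable_across_requests() {
    let mut h = TestHarness::new().await;
    h.login_as("dave").await;

    h.client.get("/").await;
    let token1 = h
        .client
        .csrf_token()
        .expect("first GET should leave a CSRF token on the client")
        .to_string();

    h.client.get("/").await;
    let token2 = h
        .client
        .csrf_token()
        .expect("second GET should leave a CSRF token on the client")
        .to_string();

    assert!(!token1.is_empty(), "CSRF token must not be empty");
    assert_eq!(token1, token2, "CSRF token changed between requests");
}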