/**
 * Authorization checks. These overlap with Phase 2 adversarial work but
 * belong here because they're foundational expectations on every endpoint:
 * guest can't hit host/admin; host can't hit admin.
 */
import { test, expect } from '../../fixtures/test';

const BASE = process.env.E2E_FRONTEND_URL ?? 'http://localhost:3101';

test.describe('Authorization escalation guards', () => {
  test('guest → POST /host/event/close returns 403', async ({ guest }) => {
    const g = await guest('Esc1');
    const res = await fetch(`${BASE}/api/v1/host/event/close`, {
      method: 'POST',
      headers: { Authorization: `Bearer ${g.jwt}` },
    });
    expect(res.status).toBe(403);
  });

  test('guest → GET /admin/config returns 403', async ({ guest }) => {
    const g = await guest('Esc2');
    const res = await fetch(`${BASE}/api/v1/admin/config`, {
      headers: { Authorization: `Bearer ${g.jwt}` },
    });
    expect(res.status).toBe(403);
  });

  test('host → GET /admin/config returns 403 (host ≠ admin)', async ({ host }) => {
    const res = await fetch(`${BASE}/api/v1/admin/config`, {
      headers: { Authorization: `Bearer ${host.jwt}` },
    });
    expect(res.status).toBe(403);
  });

  test('tampered JWT returns 401', async ({ guest }) => {
    const g = await guest('Tampered');
    const parts = g.jwt.split('.');
    // Flip a character in the signature.
    const tampered = `${parts[0]}.${parts[1]}.${parts[2].slice(0, -1)}${parts[2].endsWith('A') ? 'B' : 'A'}`;
    const res = await fetch(`${BASE}/api/v1/me/context`, {
      headers: { Authorization: `Bearer ${tampered}` },
    });
    expect(res.status).toBe(401);
  });

  test('expired session JWT returns 401', async ({ guest, db }) => {
    const g = await guest('Expired');
    await db.expireSession(g.userId);
    const res = await fetch(`${BASE}/api/v1/me/context`, {
      headers: { Authorization: `Bearer ${g.jwt}` },
    });
    expect(res.status).toBe(401);
  });
});