/**
 * Phase 2 browser chaos — odd browser environments. JS disabled,
 * clock skew, localStorage quota exhaustion, hostile extensions.
 */
import { test, expect } from '../../fixtures/test';

test.describe('Browser chaos — environment', () => {
  test('JavaScript disabled — app surfaces SOMETHING (not white screen)', async ({ browser }) => {
    const ctx = await browser.newContext({ javaScriptEnabled: false });
    const page = await ctx.newPage();
    const res = await page.goto('http://localhost:3101/join');
    // SvelteKit's adapter-node SSR should at least return the basic HTML shell.
    expect(res?.status()).toBeLessThan(500);
    const html = await page.content();
    expect(html.length).toBeGreaterThan(200);
    await ctx.close();
  });

  test('localStorage quota exhausted — writing JWT does not crash the app', async ({ page, guest, signIn }) => {
    const g = await guest('QuotaFull');

    // Pre-fill localStorage with junk to push us near the quota.
    await page.goto('http://localhost:3101/');
    await page.evaluate(() => {
      try {
        const big = 'x'.repeat(1024 * 1024); // 1 MiB chunks
        for (let i = 0; i < 5; i++) localStorage.setItem(`__junk_${i}`, big);
      } catch {
        /* hit the quota — fine */
      }
    });

    // Now sign in — even if the storage write throws, the app must handle it.
    const errors: Error[] = [];
    page.on('pageerror', (e) => errors.push(e));
    await signIn(page, g).catch(() => {
      /* signIn relies on writing to localStorage; failure here is the assertion */
    });

    // Cleanup so other tests aren't affected.
    await page.evaluate(() => {
      for (let i = 0; i < 5; i++) localStorage.removeItem(`__junk_${i}`);
    });

    // Unhandled errors are the failure mode we care about.
    expect(errors.filter((e) => !/storage|quota/i.test(e.message))).toHaveLength(0);
  });

  test('hostile extension simulation: CSS hiding bottom nav does not break navigation', async ({ page, guest, signIn }) => {
    const g = await guest('HostileCss');
    await signIn(page, g);
    await page.goto('/feed');

    // Inject CSS that hides the entire bottom nav (like an aggressive content blocker would).
    await page.addStyleTag({ content: 'nav { display: none !important; }' });

    // The link is still in the DOM and reachable by URL even if visually hidden.
    await page.goto('/account');
    await expect(page).toHaveURL(/\/account$/);
  });

  test('clock skew: browser ahead by 1 hour — JWT still valid (no nbf claim)', async ({ page, guest, signIn }) => {
    const g = await guest('ClockSkew');

    // Override Date.now() to be 1h in the future BEFORE the JWT check.
    await page.addInitScript(() => {
      const real = Date.now;
      const offset = 3600 * 1000;
      Date.now = () => real() + offset;
    });

    await signIn(page, g);
    await page.goto('/feed');
    await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible();
  });

  test('clock skew: browser behind by 2 days — JWT exp may be in the past, app handles 401', async ({ page, guest, signIn }) => {
    const g = await guest('ClockBack');

    await page.addInitScript(() => {
      const real = Date.now;
      const offset = 2 * 86400 * 1000;
      Date.now = () => real() - offset;
    });

    // Client-side `getExpiry()` in auth.ts may think the token is expired and clear it.
    // Either way, the app must not crash.
    await signIn(page, g).catch(() => {});
    await page.goto('/');
    const url = new URL(page.url());
    expect(['/join', '/feed', '/'].includes(url.pathname) || url.pathname === '/').toBe(true);
  });
});