use axum::extract::{Json, State};

use crate::{
    empty::Empty,
    test::fixtures,
    token::app::{LoginError, ValidateError},
};

/// Happy-path password change, checked end to end through the handler.
///
/// The assertions pin four outcomes of a successful change:
///
/// 1. the handler returns a cookie whose secret differs from the one presented;
/// 2. that new secret validates to the same user as before;
/// 3. the secret presented with the request stops validating
///    (`ValidateError::InvalidToken`), and the old password is refused at
///    login (`LoginError::Rejected`);
/// 4. the new password logs in and yields a token for the same user.
///
/// Only the session that issued the request is created here, so this test does
/// not show what happens to any other session the same user may hold. The
/// wrong-current-password path is not exercised here either.
#[tokio::test]
async fn password_change() {
    // Arrange: a scratch app, a user with a known password, and a logged-in
    // session for that user (cookie plus the identity derived from it).
    let app = fixtures::scratch_app().await;
    let creds = fixtures::user::create_with_password(&app, &fixtures::now()).await;
    let cookie = fixtures::cookie::logged_in(&app, &creds, &fixtures::now()).await;
    let identity = fixtures::identity::from_cookie(&app, &cookie, &fixtures::now()).await;

    // Act: submit the current password together with the proposed replacement.
    let (username, old_password) = creds;
    let new_password = fixtures::user::propose_password();
    let body = super::Request {
        password: old_password.clone(),
        to: new_password.clone(),
    };
    let outcome = super::handler(
        State(app.clone()),
        fixtures::now(),
        identity.clone(),
        cookie.clone(),
        Json(body),
    )
    .await;
    let (rotated_cookie, Empty) = outcome.expect("changing passwords succeeds");

    // The session secret must be replaced, not reused, across the change.
    assert_ne!(cookie.secret(), rotated_cookie.secret());

    // The replacement secret still resolves to the same user.
    let rotated_secret = rotated_cookie
        .secret()
        .expect("we should have a secret after changing our password");
    let (_, rotated_user) = app
        .tokens()
        .validate(&rotated_secret, &fixtures::now())
        .await
        .expect("the newly-issued secret should be valid");
    assert_eq!(identity.user, rotated_user);

    // The secret that authenticated the request must be dead afterwards;
    // otherwise a copy of the pre-change cookie would outlive the change.
    let validate_err = app
        .tokens()
        .validate(
            &cookie
                .secret()
                .expect("original identity cookie has a secret"),
            &fixtures::now(),
        )
        .await
        .expect_err("validating the original identity secret should fail");
    assert!(matches!(validate_err, ValidateError::InvalidToken));

    // The previous password must no longer authenticate.
    let login_err = app
        .tokens()
        .login(&username, &old_password, &fixtures::now())
        .await
        .expect_err("logging in with the original password should fail");
    assert!(matches!(login_err, LoginError::Rejected));

    // The new password authenticates, and the token it yields belongs to the
    // same user.
    let fresh_secret = app
        .tokens()
        .login(&username, &new_password, &fixtures::now())
        .await
        .expect("logging in with the new password should succeed");
    let (_, fresh_user) = app
        .tokens()
        .validate(&fresh_secret, &fixtures::now())
        .await
        .expect("validating a newly-issued token secret succeeds");
    assert_eq!(identity.user, fresh_user);
}