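import request from "supertest";
import { describe, it, expect } from "vitest";
import { createApp } from "./app.js";

// One app instance shared by the header tests. Each of those tests issues
// a single GET to the health endpoint, so they do not touch the auth
// rate limiter exercised further down.
const app = createApp();

describe("security headers (helmet)", () => {
  // Fetch the health endpoint and return only its response headers.
  const getHealthHeaders = async () => {
    const res = await request(app).get("/api/v1/health");
    return res.headers;
  };

  it("sets X-Content-Type-Options to nosniff", async () => {
    const headers = await getHealthHeaders();
    expect(headers["x-content-type-options"]).toBe("nosniff");
  });

  it("sets X-Frame-Options to SAMEORIGIN", async () => {
    const headers = await getHealthHeaders();
    expect(headers["x-frame-options"]).toBe("SAMEORIGIN");
  });

  it("removes X-Powered-By header", async () => {
    const headers = await getHealthHeaders();
    expect(headers).not.toHaveProperty("x-powered-by");
  });

  it("sets Content-Security-Policy", async () => {
    const headers = await getHealthHeaders();
    expect(headers).toHaveProperty("content-security-policy");
    // A present-but-empty CSP header satisfies the property check yet
    // enforces nothing, so also require a non-empty policy string.
    expect(headers["content-security-policy"]).not.toBe("");
  });
});

describe("auth rate limiting", () => {
  // Number of sign-in attempts the limiter is expected to allow before it
  // starts rejecting. Value carried over from the original test;
  // NOTE(review): confirm it matches the limit configured in createApp().
  const AUTH_LIMIT = 20;

  it("returns 429 after exceeding the auth limit", async () => {
    // Fresh app so the limiter's counter starts at zero and is not
    // influenced by requests made elsewhere in this file.
    const testApp = createApp();

    // Requests within the limit must NOT be rate limited. Without this
    // assertion the test would also pass if the endpoint always answered
    // 429 (e.g. a misconfigured limit of 0). The loop is intentionally
    // sequential: the limiter counts requests in arrival order.
    for (let i = 0; i < AUTH_LIMIT; i++) {
      const res = await request(testApp).post("/api/auth/sign-in");
      expect(res.status).not.toBe(429);
    }

    // The first request past the limit is rejected.
    const res = await request(testApp).post("/api/auth/sign-in");
    expect(res.status).toBe(429);
  });
});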