# frozen_string_literal: true

require 'spec_helper'

describe Osso::Oauth do
  let(:client) { create(:oauth_client) }

  describe 'get /oauth/authorize' do
    describe 'with a valid client ID and redirect URI' do
      describe 'for a domain that does not belong to an enterprise' do
        # TODO: better error handling and test
        it 'renders an error page' do
          described_class.set(:views, spec_views)

          create(:enterprise_with_okta, domain: 'foo.com')

          get(
            '/oauth/authorize',
            domain: 'bar.org',
            client_id: client.identifier,
            response_type: 'code',
            redirect_uri: client.redirect_uri_values.sample,
          )

          expect(last_response.status).to eq(200)
        end
      end

      describe 'for an enterprise domain with one SAML provider' do
        it 'redirects to /auth/saml/:provider_id' do
          enterprise = create(:enterprise_with_okta, oauth_client: client)

          get(
            '/oauth/authorize',
            domain: enterprise.domain,
            client_id: client.identifier,
            response_type: 'code',
            redirect_uri: client.redirect_uri_values.sample,
          )

          provider_id = enterprise.identity_providers.first.id

          expect(last_response).to be_redirect
          follow_redirect!
          expect(last_request.url).to match("auth/saml/#{provider_id}")
        end
      end

      describe 'for an enterprise domain with multiple SAML providers' do
        it 'renders the multiple providers screen' do
          enterprise = create(:enterprise_with_multiple_providers, oauth_client: client)

          get(
            '/oauth/authorize',
            domain: enterprise.domain,
            client_id: client.identifier,
            response_type: 'code',
            redirect_uri: client.redirect_uri_values.sample,
          )

          expect(last_response).to be_ok
          expect(last_response.body).to eq("MULITPLE PROVIDERS")
        end
      end
    end
  end

  describe 'post /oauth/token' do
    describe 'with a valid unexpired code, client secret, client ID and redirect URI' do
      it 'returns an access token' do
        user = create(:user)
        code = user.authorization_codes.valid.first

        post(
          '/oauth/token',
          client_id: client.identifier,
          client_secret: client.secret,
          grant_type: 'authorization_code',
          redirect_uri: code.redirect_uri,
          code: code.token,
        )

        expect(last_response.status).to eq(200)
        expect(last_json_response.to_h).to match(
          access_token: a_string_matching(/\w{64}/),
          expires_in: an_instance_of(Integer),
          token_type: 'bearer',
        )
      end
    end
  end

  describe 'get /oauth/me' do
    describe 'with a valid unexpired access token' do
      it 'returns the user' do
        user = create(:user)
        code = user.authorization_codes.valid.first

        get(
          '/oauth/me',
          access_token: code.access_token.to_bearer_token,
        )

        expect(last_response.status).to eq(200)
        expect(last_json_response).to eq(
          email: user.email,
          id: user.id,
          idp: 'Okta',
        )
      end
    end

    describe 'with an expired access token' do
      it 'returns 404' do
        code = create(:authorization_code)
        code.access_token.expired!

        get(
          '/oauth/me',
          access_token: code.access_token.to_bearer_token,
        )

        expect(last_response.status).to eq(404)
      end
    end

    describe 'with an invalid access token' do
      it 'returns 404' do
        get(
          '/oauth/me',
          access_token: SecureRandom.hex(32),
        )

        expect(last_response.status).to eq(404)
      end
    end
  end
end