<?php

declare(strict_types=1);

namespace Tests\Feature\Auth;

use App\Models\TrustedDevice;
use App\Models\User;
use App\Services\MfaService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class TrustedDeviceControllerTest extends TestCase
{
    use RefreshDatabase;

    public function test_index_returns_active_devices(): void
    {
        $user = User::factory()->create();
        $mfaService = app(MfaService::class);

        $mfaService->trustDevice($user, 'fp-1', '192.168.1.1', 'Chrome on macOS');
        $mfaService->trustDevice($user, 'fp-2', '192.168.1.2', 'Firefox on Windows');

        $response = $this->actingAs($user)->getJson('/api/v1/auth/trusted-devices');

        $response->assertOk();
        $this->assertCount(2, $response->json('data'));
    }

    public function test_index_excludes_expired_devices(): void
    {
        $user = User::factory()->create();
        $mfaService = app(MfaService::class);

        $device = $mfaService->trustDevice($user, 'fp-1', '192.168.1.1', 'Old Device');
        $device->update(['trusted_until' => now()->subDay()]);

        $mfaService->trustDevice($user, 'fp-2', '192.168.1.2', 'Active Device');

        $response = $this->actingAs($user)->getJson('/api/v1/auth/trusted-devices');

        $response->assertOk();
        $this->assertCount(1, $response->json('data'));
    }

    public function test_destroy_revokes_device(): void
    {
        $user = User::factory()->create();
        $device = app(MfaService::class)->trustDevice($user, 'fp-1', '192.168.1.1', 'Chrome');

        $response = $this->actingAs($user)->deleteJson("/api/v1/auth/trusted-devices/{$device->id}");

        $response->assertNoContent();
        $this->assertDatabaseMissing('trusted_devices', ['id' => $device->id]);
    }

    public function test_destroy_all_revokes_all_devices(): void
    {
        $user = User::factory()->create();
        $mfaService = app(MfaService::class);

        $mfaService->trustDevice($user, 'fp-1', '192.168.1.1', 'Device 1');
        $mfaService->trustDevice($user, 'fp-2', '192.168.1.2', 'Device 2');

        $response = $this->actingAs($user)->deleteJson('/api/v1/auth/trusted-devices');

        $response->assertNoContent();
        $this->assertDatabaseCount('trusted_devices', 0);
    }

    public function test_cannot_manage_other_users_devices(): void
    {
        $user = User::factory()->create();
        $otherUser = User::factory()->create();

        $device = app(MfaService::class)->trustDevice($otherUser, 'fp-1', '192.168.1.1', 'Other Device');

        // Try to delete other user's device — should succeed silently (no record found for this user)
        $response = $this->actingAs($user)->deleteJson("/api/v1/auth/trusted-devices/{$device->id}");

        $response->assertNoContent();

        // Other user's device should still exist
        $this->assertDatabaseHas('trusted_devices', ['id' => $device->id]);
    }

    public function test_unauthenticated_cannot_access_devices(): void
    {
        $this->getJson('/api/v1/auth/trusted-devices')
            ->assertUnauthorized();
    }
}