<?php

declare(strict_types=1);

use App\Models\Tenant;
use App\Models\User;
use Illuminate\Foundation\Testing\DatabaseTransactions;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;

uses(DatabaseTransactions::class);

beforeEach(function () {
    $this->tenant = Tenant::factory()->create();
    $this->user = User::factory()->create([
        'tenant_id' => $this->tenant->id,
        'password_hash' => Hash::make('current-pass-123'),
    ]);
    $this->actingAs($this->user);
});

test('POST /api/account/change-password меняет пароль при верном текущем', function () {
    $response = $this->postJson('/api/account/change-password', [
        'current_password' => 'current-pass-123',
        'password' => 'brand-new-pass-456',
        'password_confirmation' => 'brand-new-pass-456',
    ]);

    $response->assertOk();
    expect($response->json('last_password_change_at'))->not->toBeNull();

    $this->user->refresh();
    expect(Hash::check('brand-new-pass-456', $this->user->password_hash))->toBeTrue();
    expect(Hash::check('current-pass-123', $this->user->password_hash))->toBeFalse();

    // Событие записано в auth_log.
    $logged = DB::table('auth_log')
        ->where('user_id', $this->user->id)
        ->where('event', 'password_changed')
        ->exists();
    expect($logged)->toBeTrue();
});

test('POST /api/account/change-password: 422 при неверном текущем пароле', function () {
    $this->postJson('/api/account/change-password', [
        'current_password' => 'wrong-current-pass',
        'password' => 'brand-new-pass-456',
        'password_confirmation' => 'brand-new-pass-456',
    ])->assertStatus(422)->assertJsonValidationErrorFor('current_password');

    // Пароль НЕ изменён.
    $this->user->refresh();
    expect(Hash::check('current-pass-123', $this->user->password_hash))->toBeTrue();
});

test('POST /api/account/change-password: 422 при коротком новом пароле', function () {
    $this->postJson('/api/account/change-password', [
        'current_password' => 'current-pass-123',
        'password' => 'short',
        'password_confirmation' => 'short',
    ])->assertStatus(422)->assertJsonValidationErrorFor('password');
});

test('POST /api/account/change-password: 422 при несовпадении подтверждения', function () {
    $this->postJson('/api/account/change-password', [
        'current_password' => 'current-pass-123',
        'password' => 'brand-new-pass-456',
        'password_confirmation' => 'different-pass-789',
    ])->assertStatus(422)->assertJsonValidationErrorFor('password');
});

test('POST /api/account/change-password без auth: 401', function () {
    auth()->logout();
    $this->postJson('/api/account/change-password', [
        'current_password' => 'current-pass-123',
        'password' => 'brand-new-pass-456',
        'password_confirmation' => 'brand-new-pass-456',
    ])->assertStatus(401);
});

test('GET /api/account/security возвращает дату смены и список сессий', function () {
    $response = $this->getJson('/api/account/security');

    $response->assertOk();
    expect($response->json('sessions'))->toBeArray();
    expect($response->json())->toHaveKey('last_password_change_at');
});