package web

import (
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"testing"

	"backend/internal/auth"
	"backend/internal/db/sqlc"
)

func TestCSRF_Debug(t *testing.T) {
	pool, cleanup := setupTestDB(t)
	defer cleanup()

	q := sqlc.New(pool)
	store := auth.NewStore(q)
	router := newTestRouter(q, store)

	// GET /login and collect cookies
	getReq := httptest.NewRequest(http.MethodGet, "/login", nil)
	getRec := httptest.NewRecorder()
	router.ServeHTTP(getRec, getReq)

	t.Logf("GET /login status: %d", getRec.Code)
	t.Logf("GET /login cookies:")
	for _, c := range getRec.Result().Cookies() {
		t.Logf("  %s=%s (httponly=%v, secure=%v)", c.Name, c.Value[:min(len(c.Value), 20)], c.HttpOnly, c.Secure)
	}

	body := getRec.Body.String()
	const needle = `name="_csrf" value="`
	idx := strings.Index(body, needle)
	if idx == -1 {
		t.Fatal("no _csrf hidden input found")
	}
	rest := body[idx+len(needle):]
	end := strings.Index(rest, `"`)
	token := rest[:end]
	t.Logf("Extracted CSRF token: %s...", token[:min(len(token), 20)])

	form := url.Values{"email": {"x@y.com"}, "password": {"correct-horse-12"}, "_csrf": {token}}
	postReq := httptest.NewRequest(http.MethodPost, "/login", strings.NewReader(form.Encode()))
	postReq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	for _, c := range getRec.Result().Cookies() {
		t.Logf("Adding cookie to POST: %s", c.Name)
		postReq.AddCookie(c)
	}
	t.Logf("POST cookies count: %d", len(getRec.Result().Cookies()))
	
	postRec := httptest.NewRecorder()
	router.ServeHTTP(postRec, postReq)
	t.Logf("POST /login status: %d", postRec.Code)
	if postRec.Code == 403 {
		t.Logf("403 body: %s", postRec.Body.String()[:min(len(postRec.Body.String()), 200)])
	}
}

func min(a, b int) int {
	if a < b {
		return a
	}
	return b
}