// Unit tests for the config-gating + domain helpers in google-oauth.js. The
// token-exchange / ID-token-verify path requires Google's servers and is covered
// by manual verification (see .env.example); here we lock down the pure logic
// that decides whether the feature is on and which domain is allowed.
import { test } from 'node:test';
import assert from 'node:assert/strict';
import { isConfigured, allowedDomain } from '../../src/auth/google-oauth.js';

function withEnv(vars, fn) {
  const saved = {};
  for (const k of Object.keys(vars)) { saved[k] = process.env[k];
    if (vars[k] === undefined) delete process.env[k]; else process.env[k] = vars[k]; }
  try { return fn(); }
  finally {
    for (const k of Object.keys(vars)) {
      if (saved[k] === undefined) delete process.env[k]; else process.env[k] = saved[k];
    }
  }
}

test('isConfigured is false unless client id, secret, and redirect are all set', () => {
  withEnv({ GOOGLE_CLIENT_ID: undefined, GOOGLE_CLIENT_SECRET: undefined, OAUTH_REDIRECT_URL: undefined }, () => {
    assert.equal(isConfigured(), false);
  });
  withEnv({ GOOGLE_CLIENT_ID: 'x', GOOGLE_CLIENT_SECRET: undefined, OAUTH_REDIRECT_URL: undefined }, () => {
    assert.equal(isConfigured(), false);
  });
  withEnv({ GOOGLE_CLIENT_ID: 'x', GOOGLE_CLIENT_SECRET: 'y', OAUTH_REDIRECT_URL: undefined }, () => {
    assert.equal(isConfigured(), false);
  });
  withEnv({ GOOGLE_CLIENT_ID: 'x', GOOGLE_CLIENT_SECRET: 'y', OAUTH_REDIRECT_URL: 'https://h/cb' }, () => {
    assert.equal(isConfigured(), true);
  });
});

test('allowedDomain normalizes and defaults to null', () => {
  withEnv({ GOOGLE_ALLOWED_DOMAIN: undefined }, () => assert.equal(allowedDomain(), null));
  withEnv({ GOOGLE_ALLOWED_DOMAIN: '' }, () => assert.equal(allowedDomain(), null));
  withEnv({ GOOGLE_ALLOWED_DOMAIN: '  WildDragon.NET ' }, () => assert.equal(allowedDomain(), 'wilddragon.net'));
});