const path = require('path')
const request = require('supertest')
const express = require('express')
const fs = require('fs')

// Import the middleware factory (don't name this `csp` to avoid shadowing!)
const createCspMiddleware = require('../index.cjs')

describe('Rapid configurable Content Security Policy middleware', () => {
  const validPolicyPath = path.join(__dirname, '../csp-policy.yml')
  const malformedPolicyPath = path.join(__dirname, 'bad-policy.yml')
  const customPolicyPath = path.join(__dirname, 'custom-policy.yml')

  beforeAll(() => {
    // Write a malformed YAML file (missing colon, bad list syntax)
    fs.writeFileSync(malformedPolicyPath, `default-src 'self'\nthis-is: [bad yaml]`)

    // Write a simple custom policy
    fs.writeFileSync(
      customPolicyPath,
      `
contentSecurityPolicy:
  directives:
    default-src: ["'self'"]
    script-src: ["'self'", "https://cdn.example.com"]
    `,
    )
  })

  afterAll(() => {
    fs.unlinkSync(malformedPolicyPath)
    fs.unlinkSync(customPolicyPath)
  })

  it('should load and apply CSP directives from YAML', async () => {
    const app = express()
    const csp = createCspMiddleware(validPolicyPath)
    app.use(csp)
    app.get('/', (req, res) => res.send('Hello World'))

    const res = await request(app).get('/')
    expect(res.headers['content-security-policy']).toBeDefined()
    expect(res.text).toBe('Hello World')
  })

  it('should include specific CSP directives in header', async () => {
    const app = express()
    const csp = createCspMiddleware(validPolicyPath)
    app.use(csp)
    app.get('/', (req, res) => res.send('Hello'))

    const res = await request(app).get('/')
    const cspHeader = res.headers['content-security-policy']

    expect(cspHeader).toMatch(/default-src 'self'/)
    expect(cspHeader).toMatch(/script-src 'self'[^;]*example\.com/)
    expect(cspHeader).toMatch(/style-src 'self'[^;]*'unsafe-inline'/)
  })

  it('should throw an error for malformed YAML', () => {
    expect(() => {
      createCspMiddleware(malformedPolicyPath)
    }).toThrow(/Implicit keys|bad indentation|unexpected token/i)
  })

  it('should apply a custom policy file correctly', async () => {
    const app = express()
    const csp = createCspMiddleware(customPolicyPath)
    app.use(csp)
    app.get('/', (req, res) => res.send('Test Custom'))

    const res = await request(app).get('/')
    const cspHeader = res.headers['content-security-policy']

    expect(cspHeader).toMatch(/default-src 'self'/)
    expect(cspHeader).toMatch(/script-src 'self' https:\/\/cdn\.example\.com/)
  })
})