<?php

use App\Actions\Fortify\ResetUserPassword;
use App\Models\InstanceSettings;
use App\Models\User;
use App\Notifications\TransactionalEmails\ResetPassword;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Notification;
use Illuminate\Support\Once;
use Illuminate\Validation\ValidationException;

uses(RefreshDatabase::class);

beforeEach(function () {
    Notification::fake();
    config([
        'app.maintenance.driver' => 'file',
        'cache.default' => 'array',
        'session.driver' => 'array',
    ]);
    InstanceSettings::unguarded(function () {
        InstanceSettings::query()->create([
            'id' => 0,
            'smtp_enabled' => true,
            'smtp_from_address' => 'test@example.com',
            'smtp_from_name' => 'MapleDeploy',
            'smtp_host' => 'localhost',
            'smtp_port' => 1025,
        ]);
    });
    Once::flush();
});

test('forgot password does not create a reset token for MapleDeploy revoked users', function () {
    $user = User::factory()->create([
        'email' => 'revoked@example.com',
        'remember_token' => 'mapledeploy-revoked:abc123',
    ]);

    $response = $this->post('/forgot-password', [
        'email' => 'revoked@example.com',
    ]);

    $response->assertSessionHas('status');
    expect(DB::table('password_reset_tokens')->where('email', $user->email)->exists())->toBeFalse();
    Notification::assertNothingSent();
});

test('forgot password still sends reset links for active users', function () {
    $user = User::factory()->create([
        'email' => 'active@example.com',
        'remember_token' => null,
    ]);

    $response = $this->post('/forgot-password', [
        'email' => 'active@example.com',
    ]);

    $response->assertSessionHas('status');
    expect(DB::table('password_reset_tokens')->where('email', $user->email)->exists())->toBeTrue();
    Notification::assertSentTo($user, ResetPassword::class);
});

test('reset password refuses MapleDeploy revoked users even with an existing token', function () {
    $user = User::factory()->create([
        'password' => Hash::make('old-password'),
        'remember_token' => 'mapledeploy-revoked:abc123',
    ]);

    expect(fn () => app(ResetUserPassword::class)->reset($user, [
        'password' => 'new-password',
        'password_confirmation' => 'new-password',
    ]))->toThrow(ValidationException::class);

    expect(Hash::check('old-password', $user->fresh()->password))->toBeTrue()
        ->and($user->fresh()->remember_token)->toBe('mapledeploy-revoked:abc123');
});

test('revoked users are logged out even when sessions are not database backed', function () {
    $user = User::factory()->create([
        'remember_token' => 'mapledeploy-revoked:abc123',
        'email_verified_at' => now(),
    ]);

    $response = $this->actingAs($user)->get('/');

    $response->assertRedirect(route('login'));
    $this->assertGuest();
});