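package auth

import (
	"strings"
	"testing"
)

// RFC 7636 Appendix B test vector. The expected challenge is pinned as a
// literal so the S256 test does not depend on ComputeS256Challenge being
// correct: a self-computed challenge would still verify if the hash or the
// encoding were wrong in both places.
const (
	rfc7636Verifier  = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	rfc7636Challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
)

// TestVerifyPKCE_Plain checks that the plain method accepts a verifier equal
// to the challenge and rejects any other verifier.
func TestVerifyPKCE_Plain(t *testing.T) {
	verifier := "test-verifier-12345"
	challenge := "test-verifier-12345"

	if !VerifyPKCE(verifier, challenge, PKCEMethodPlain) {
		t.Error("expected plain PKCE verification to succeed")
	}

	if VerifyPKCE("wrong-verifier", challenge, PKCEMethodPlain) {
		t.Error("expected plain PKCE verification to fail with wrong verifier")
	}

	// A challenge registered as S256 must not be satisfiable by presenting
	// the verifier under the plain method.
	if VerifyPKCE(verifier, ComputeS256Challenge(verifier), PKCEMethodPlain) {
		t.Error("expected plain PKCE verification to fail against an S256 challenge")
	}
}

// TestVerifyPKCE_S256 checks the S256 method against the RFC 7636 Appendix B
// vector and confirms that mismatched inputs are rejected.
func TestVerifyPKCE_S256(t *testing.T) {
	// Known-answer check: the computed challenge must equal the RFC value.
	if got := ComputeS256Challenge(rfc7636Verifier); got != rfc7636Challenge {
		t.Errorf("ComputeS256Challenge(RFC verifier) = %q, want %q", got, rfc7636Challenge)
	}

	if !VerifyPKCE(rfc7636Verifier, rfc7636Challenge, PKCEMethodS256) {
		t.Error("expected S256 PKCE verification to succeed")
	}

	if VerifyPKCE("wrong-verifier", rfc7636Challenge, PKCEMethodS256) {
		t.Error("expected S256 PKCE verification to fail with wrong verifier")
	}

	// Under S256 the challenge is a hash of the verifier, so replaying the
	// verifier itself as the challenge must not verify.
	if VerifyPKCE(rfc7636Verifier, rfc7636Verifier, PKCEMethodS256) {
		t.Error("expected S256 PKCE verification to fail when challenge equals verifier")
	}
}

// TestVerifyPKCE_EmptyValues checks that an empty verifier or an empty
// challenge never verifies. The both-empty plain case matters most: a bare
// string comparison would treat "" == "" as a match, which would let a
// request with no PKCE material pass verification.
func TestVerifyPKCE_EmptyValues(t *testing.T) {
	cases := []struct {
		name      string
		verifier  string
		challenge string
		method    string
		msg       string
	}{
		{"s256 empty verifier", "", "challenge", string(PKCEMethodS256), "expected PKCE verification to fail with empty verifier"},
		{"s256 empty challenge", "verifier", "", string(PKCEMethodS256), "expected PKCE verification to fail with empty challenge"},
		{"plain both empty", "", "", string(PKCEMethodPlain), "expected plain PKCE verification to fail when verifier and challenge are both empty"},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var ok bool
			// Dispatch on the method name so each call passes the original
			// constant unchanged, whatever its declared type is.
			switch tc.method {
			case string(PKCEMethodS256):
				ok = VerifyPKCE(tc.verifier, tc.challenge, PKCEMethodS256)
			default:
				ok = VerifyPKCE(tc.verifier, tc.challenge, PKCEMethodPlain)
			}
			if ok {
				t.Error(tc.msg)
			}
		})
	}
}

// TestVerifyPKCE_DefaultMethod pins the behaviour for an empty method string.
//
// RFC 7636 section 4.3 defines "plain" as the default when
// code_challenge_method is absent, and this test asserts that default.
// NOTE(review): if this server is meant to require S256, that policy has to
// be enforced where the authorization request is accepted; VerifyPKCE as
// tested here will treat a missing method as plain. Confirm against the
// caller.
func TestVerifyPKCE_DefaultMethod(t *testing.T) {
	verifier := "test-verifier"
	challenge := "test-verifier"

	// Empty method should default to plain
	if !VerifyPKCE(verifier, challenge, "") {
		t.Error("expected PKCE verification with empty method to use plain")
	}

	if VerifyPKCE("wrong-verifier", challenge, "") {
		t.Error("expected PKCE verification with empty method to fail with wrong verifier")
	}
}

// TestComputeS256Challenge checks the shape and determinism of the computed
// challenge: unpadded base64url of a SHA-256 digest.
func TestComputeS256Challenge(t *testing.T) {
	verifier := "abc123"
	challenge := ComputeS256Challenge(verifier)

	if challenge == "" {
		t.Error("expected non-empty challenge")
	}

	// A 32-byte SHA-256 digest encodes to exactly 43 unpadded base64 characters.
	if len(challenge) != 43 {
		t.Errorf("challenge length = %d, want 43", len(challenge))
	}

	// base64url without padding: no '=' anywhere, and none of the standard
	// alphabet's '+' or '/' characters.
	if strings.ContainsAny(challenge, "=+/") {
		t.Errorf("challenge %q should be unpadded base64url", challenge)
	}

	// Same verifier should produce same challenge
	if again := ComputeS256Challenge(verifier); challenge != again {
		t.Error("same verifier should produce same challenge")
	}

	// A different verifier must not map to the same challenge.
	if other := ComputeS256Challenge("abc124"); other == challenge {
		t.Error("different verifiers should produce different challenges")
	}
}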