/**
 * Ensures no API route that requires auth (requireAuth with optional role)
 * is in the auth skip list. When adding a new protected API, add its path prefix to
 * PROTECTED_PATH_PREFIXES in server/utils/authSkipPaths.js so these tests fail if it gets skipped.
 */
import { describe, it, expect } from 'vitest'
import { skipAuth, SKIP_PATHS, PROTECTED_PATH_PREFIXES } from '../../server/utils/authSkipPaths.js'

describe('authSkipPaths', () => {
  it('does not skip any protected path (auth required for these)', () => {
    for (const path of PROTECTED_PATH_PREFIXES) {
      expect(skipAuth(path)).toBe(false)
    }
    // Also check a concrete path under each prefix
    expect(skipAuth('/api/cameras')).toBe(false)
    expect(skipAuth('/api/devices')).toBe(false)
    expect(skipAuth('/api/devices/any-id')).toBe(false)
    expect(skipAuth('/api/me')).toBe(false)
    expect(skipAuth('/api/pois')).toBe(false)
    expect(skipAuth('/api/pois/any-id')).toBe(false)
    expect(skipAuth('/api/users')).toBe(false)
    expect(skipAuth('/api/users/any-id')).toBe(false)
  })

  it('skips known public paths', () => {
    expect(skipAuth('/api/auth/login')).toBe(true)
    expect(skipAuth('/api/auth/logout')).toBe(true)
    expect(skipAuth('/api/auth/config')).toBe(true)
    expect(skipAuth('/api/auth/oidc/authorize')).toBe(true)
    expect(skipAuth('/api/auth/oidc/callback')).toBe(true)
    expect(skipAuth('/api/health')).toBe(true)
    expect(skipAuth('/api/health/ready')).toBe(true)
    expect(skipAuth('/health')).toBe(true)
  })

  it('keeps SKIP_PATHS and PROTECTED_PATH_PREFIXES disjoint', () => {
    const skipSet = new Set(SKIP_PATHS)
    for (const path of PROTECTED_PATH_PREFIXES) {
      expect(skipSet.has(path)).toBe(false)
    }
  })
})