/**
 * Ensures no API route that requires auth (requireAuth with optional role)
 * is in the auth skip list. When adding a new protected API, add its path prefix to
 * PROTECTED_PATH_PREFIXES in server/utils/authHelpers.js so these tests fail if it gets skipped.
 */
import { describe, it, expect } from 'vitest'
import { skipAuth, SKIP_PATHS, PROTECTED_PATH_PREFIXES } from '../../server/utils/authHelpers.js'

describe('authSkipPaths', () => {
  it('does not skip any protected path', () => {
    const protectedPaths = [
      ...PROTECTED_PATH_PREFIXES,
      '/api/cameras',
      '/api/devices',
      '/api/devices/any-id',
      '/api/me',
      '/api/pois',
      '/api/pois/any-id',
      '/api/users',
      '/api/users/any-id',
    ]
    protectedPaths.forEach((path) => {
      expect(skipAuth(path)).toBe(false)
    })
  })

  it.each([
    '/api/auth/login',
    '/api/auth/logout',
    '/api/auth/config',
    '/api/auth/oidc/authorize',
    '/api/auth/oidc/callback',
    '/api/health',
    '/api/health/ready',
    '/health',
  ])('skips public path: %s', (path) => {
    expect(skipAuth(path)).toBe(true)
  })

  it('keeps SKIP_PATHS and PROTECTED_PATH_PREFIXES disjoint', () => {
    const skipSet = new Set(SKIP_PATHS)
    for (const path of PROTECTED_PATH_PREFIXES) {
      expect(skipSet.has(path)).toBe(false)
    }
  })
})