//go:build integration

package auth_test

import (
	"context"
	"testing"

	"github.com/ultisuite/ulti-backend/internal/integrationtest"
)

func TestUserProvisionedOnFirstRequest(t *testing.T) {
	h := integrationtest.RequireHarness(t)
	externalID := integrationtest.NewExternalID("provision")
	claims := integrationtest.RegularUser(externalID)
	client, err := h.Client(claims)
	integrationtest.FailIf(err, t, "client")

	resp, err := client.Get("/api/v1/mail/settings")
	integrationtest.FailIf(err, t, "GET settings")
	integrationtest.FailUnlessStatus(t, resp, 200)
	integrationtest.AssertUserProvisioned(t, h, externalID)
}

func TestDisabledUserForbidden(t *testing.T) {
	h := integrationtest.RequireHarness(t)
	externalID := integrationtest.NewExternalID("disabled")
	claims := integrationtest.RegularUser(externalID)
	client, err := h.Client(claims)
	integrationtest.FailIf(err, t, "client")

	resp, err := client.Get("/api/v1/mail/settings")
	integrationtest.FailIf(err, t, "provision user")
	integrationtest.FailUnlessStatus(t, resp, 200)

	if err := integrationtest.DisableUser(context.Background(), h, externalID); err != nil {
		t.Fatalf("disable user: %v", err)
	}

	resp, err = client.Get("/api/v1/mail/settings")
	integrationtest.FailIf(err, t, "GET after disable")
	if resp.Status != 403 {
		t.Fatalf("status = %d, want 403; body = %s", resp.Status, string(resp.Body))
	}
}