package service

import (
	"encoding/base64"
	"encoding/json"
	"net/http/httptest"
	"strings"
	"testing"

	"wx_service/config"
)

func TestCreateUploadTokenWithCallbackPolicy(t *testing.T) {
	t.Parallel()

	svc := NewQiniuService(config.QiniuConfig{
		AccessKey:        "ak-test",
		SecretKey:        "sk-test",
		Bucket:           "bucket-test",
		UploadURL:        "https://upload.qiniup.com",
		KeyPrefix:        "uploads/",
		CallbackURL:      "https://api.example.com/api/v1/common/upload/qiniu/callback",
		CallbackBody:     "key=$(key)&hash=$(etag)",
		CallbackBodyType: "application/x-www-form-urlencoded",
	})

	token, err := svc.CreateUploadToken(1, 2, "avatar.png")
	if err != nil {
		t.Fatalf("CreateUploadToken: %v", err)
	}

	tokenParts := strings.Split(token.Token, ":")
	if len(tokenParts) != 3 {
		t.Fatalf("unexpected token format: %s", token.Token)
	}

	policyRaw, err := base64.URLEncoding.WithPadding(base64.NoPadding).DecodeString(tokenParts[2])
	if err != nil {
		t.Fatalf("decode policy: %v", err)
	}

	var policy map[string]any
	if err := json.Unmarshal(policyRaw, &policy); err != nil {
		t.Fatalf("unmarshal policy: %v", err)
	}

	if got, _ := policy["callbackUrl"].(string); got != "https://api.example.com/api/v1/common/upload/qiniu/callback" {
		t.Fatalf("callbackUrl=%q, want callback endpoint", got)
	}
	if got, _ := policy["callbackBody"].(string); got != "key=$(key)&hash=$(etag)" {
		t.Fatalf("callbackBody=%q, want callback body", got)
	}
	if got, _ := policy["callbackBodyType"].(string); got != "application/x-www-form-urlencoded" {
		t.Fatalf("callbackBodyType=%q, want form type", got)
	}
}

func TestVerifyCallbackSignature(t *testing.T) {
	t.Parallel()

	cfg := config.QiniuConfig{
		AccessKey: "ak-test",
		SecretKey: "sk-test",
	}
	svc := NewQiniuService(cfg)

	body := []byte("key=uploads/test.png&hash=abc")
	req := httptest.NewRequest("POST", "http://example.com/api/v1/common/upload/qiniu/callback?x=1", strings.NewReader(string(body)))
	signing := req.URL.Path + "?" + req.URL.RawQuery + "\n" + string(body)
	sign := urlSafeBase64NoPad(hmacSHA1([]byte(cfg.SecretKey), []byte(signing)))
	req.Header.Set("Authorization", "QBox "+cfg.AccessKey+":"+sign)

	if err := svc.VerifyCallbackSignature(req, body); err != nil {
		t.Fatalf("VerifyCallbackSignature: %v", err)
	}
}

func TestVerifyCallbackSignatureInvalid(t *testing.T) {
	t.Parallel()

	cfg := config.QiniuConfig{
		AccessKey: "ak-test",
		SecretKey: "sk-test",
	}
	svc := NewQiniuService(cfg)

	body := []byte("key=uploads/test.png&hash=abc")
	req := httptest.NewRequest("POST", "http://example.com/api/v1/common/upload/qiniu/callback", strings.NewReader(string(body)))
	req.Header.Set("Authorization", "QBox ak-test:bad-sign")

	err := svc.VerifyCallbackSignature(req, body)
	if err == nil {
		t.Fatalf("expected signature verification error")
	}
	if err != ErrQiniuCallbackUnauthorized {
		t.Fatalf("error=%v, want=%v", err, ErrQiniuCallbackUnauthorized)
	}
}