package auth

import (
	"context"
	"testing"

	"ymhut-box/server/unified-management/internal/config"
	"ymhut-box/server/unified-management/internal/db"
)

func TestBootstrapShowsDefaultPasswordOnlyBeforeChange(t *testing.T) {
	root := t.TempDir()
	cfg := &config.Config{
		StorageDir: root,
		Database: config.DatabaseConfig{
			Provider:          "sqlite",
			SQLitePath:        root + "/test.sqlite",
			FailoverEnabled:   true,
			HealthIntervalSec: 3600,
		},
	}
	store, err := db.Open(cfg)
	if err != nil {
		t.Fatal(err)
	}
	defer store.Close()
	if err := store.EnsureDefaultAdmin(context.Background()); err != nil {
		t.Fatal(err)
	}
	service := NewService(store)
	payload, err := service.Bootstrap(context.Background())
	if err != nil {
		t.Fatal(err)
	}
	if payload["isDefaultPassword"] != true || payload["defaultPassword"] != "admin" {
		t.Fatalf("unexpected bootstrap payload: %#v", payload)
	}
	if err := store.ChangeAdminPassword(context.Background(), "admin", "admin", "changed"); err != nil {
		t.Fatal(err)
	}
	payload, err = service.Bootstrap(context.Background())
	if err != nil {
		t.Fatal(err)
	}
	if payload["isDefaultPassword"] != false || payload["defaultPassword"] != "" {
		t.Fatalf("default password leaked after change: %#v", payload)
	}
}