"""Tests for JWT token encoding and decoding.

Per the original author these run against mock configuration and need no
real key file; the mock setup itself is not part of this module.
"""

import time

import pytest

from paste.security.token import encode_token, decode_token


class TestJwtToken:
    """Round-trip, expiry and integrity checks for the token helpers."""

    def test_encode_decode_basic(self):
        """Encode a small set of claims and read one of them back."""
        claims = dict(user_id=123, username='test_user', role='admin')

        encoded = encode_token(**claims)
        assert encoded is not None
        assert isinstance(encoded, str)
        assert len(encoded) >= 1

        result = decode_token(encoded)
        assert result is not None
        # Caller-supplied values come back nested under 'params'.
        nested = result.get('params', {})
        assert nested.get('user_id') == 123

    def test_token_contains_expected_fields(self):
        """Check that a decoded token carries the required fields."""
        claims = dict(user_id=456, username='demo')
        result = decode_token(encode_token(**claims))

        # Standard JWT fields.
        required = (
            ('iss', "Token should have issuer"),
            ('iat', "Token should have issued-at time"),
            ('exp', "Token should have expiration time"),
        )
        for claim, message in required:
            assert claim in result, message

        # Custom fields.
        nested = result.get('params', {})
        assert nested.get('user_id') == 456
        assert nested.get('username') == 'demo'

    def test_token_expiration(self):
        """Check that decoding a token whose expiry has passed fails."""
        one_hour_ago = int(time.time()) - 3600
        # NOTE(review): the other tests read caller kwargs back from
        # decoded['params']; confirm encode_token promotes 'exp' to the
        # token's own expiry instead of nesting it, otherwise this token
        # is not actually expired.
        claims = {
            'user_id': 789,
            'username': 'expired_user',
            'exp': one_hour_ago,
        }
        encoded = encode_token(**claims)

        # NOTE(review): Exception matches any failure, so this also passes
        # when decode_token breaks for a reason unrelated to expiry.
        # Narrow it to the decoder's expiry error once that type is known.
        with pytest.raises(Exception):
            decode_token(encoded)

    def test_token_tampering(self):
        """Check that a token with an altered tail is rejected."""
        claims = dict(user_id=999, username='hacker')
        encoded = encode_token(**claims)

        # Overwrite the last five characters. In a compact JWT that is
        # presumably the end of the signature segment; a token whose
        # header or payload segment was changed is not exercised here.
        filler = 'XXXXX'
        tampered_token = encoded[:-len(filler)] + filler

        # NOTE(review): as in the expiry test, Exception is broader than a
        # signature-verification failure; narrow it once the decoder's
        # error type is confirmed.
        with pytest.raises(Exception):
            decode_token(tampered_token)

    def test_empty_payload(self):
        """Encode with no claims and check that decoding yields a value."""
        encoded = encode_token()
        result = decode_token(encoded)
        assert result is not None