#!/usr/bin/env bash
# Test JWT authentication endpoints

set -euo pipefail

PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}"
VMID=2501
HTTP_DOMAIN="rpc-http-prv.d-bis.org"
WS_DOMAIN="rpc-ws-prv.d-bis.org"

# Colors
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'

pass() { echo -e "${GREEN}[PASS]${NC} $1"; }
fail() { echo -e "${RED}[FAIL]${NC} $1"; }
info() { echo -e "${YELLOW}[INFO]${NC} $1"; }

echo "=========================================="
echo "JWT Authentication Endpoint Tests"
echo "=========================================="
echo ""

# Generate a test token
info "Generating test token..."
TOKEN=$(./scripts/generate-jwt-token.sh test-user 1 2>/dev/null | grep "Token:" | tail -1 | awk '{print $2}')

if [ -z "$TOKEN" ]; then
    fail "Failed to generate token"
    exit 1
fi

pass "Token generated: ${TOKEN:0:30}..."

echo ""
info "Testing endpoints..."
echo ""

# Test 1: Health endpoint (no auth)
info "Test 1: Health endpoint (no auth required)"
RESPONSE=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
    "pct exec $VMID -- curl -k -s https://localhost/health 2>&1" || echo "error")

if [[ "$RESPONSE" == "healthy" ]]; then
    pass "Health endpoint accessible"
else
    fail "Health endpoint failed: $RESPONSE"
fi

# Test 2: RPC endpoint without token
info "Test 2: RPC endpoint without token (should fail)"
RESPONSE=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
    "pct exec $VMID -- curl -k -s -H 'Content-Type: application/json' -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_chainId\",\"params\":[],\"id\":1}' https://localhost 2>&1" || echo "error")

if echo "$RESPONSE" | grep -q "Unauthorized"; then
    pass "Unauthorized request correctly rejected"
else
    fail "Unauthorized request not rejected: $RESPONSE"
fi

# Test 3: RPC endpoint with valid token
info "Test 3: RPC endpoint with valid token (should succeed)"
RESPONSE=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
    "pct exec $VMID -- curl -k -s -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_chainId\",\"params\":[],\"id\":1}' https://localhost 2>&1" || echo "error")

if echo "$RESPONSE" | grep -q "\"result\":\"0x8a\""; then
    pass "Valid token allows access"
else
    fail "Valid token rejected: $RESPONSE"
fi

# Test 4: RPC endpoint with invalid token
info "Test 4: RPC endpoint with invalid token (should fail)"
RESPONSE=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
    "pct exec $VMID -- curl -k -s -H 'Authorization: Bearer invalid-token-12345' -H 'Content-Type: application/json' -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_chainId\",\"params\":[],\"id\":1}' https://localhost 2>&1" || echo "error")

if echo "$RESPONSE" | grep -qE "(Unauthorized|Invalid|401)"; then
    pass "Invalid token correctly rejected"
else
    fail "Invalid token not rejected: $RESPONSE"
fi

echo ""
echo "=========================================="
info "All tests completed!"
echo "=========================================="