import { expect, test } from '@playwright/test';

// End-to-end checks for the split between the internal (employee/admin)
// login and the external-user login.
//
// Scope note: every backend response in this suite is stubbed with
// page.route(), so these tests exercise only how the front end reacts to the
// `audience` / `user_type` fields it receives. They do not show that the
// gateway itself refuses external identities on the internal login endpoint;
// that needs separate server-side coverage.

const INTERNAL_LOGIN_ROUTE = '**/api/gateway/users/auth/internal/login';
const CURRENT_USER_ROUTE = '**/api/gateway/users/auth/me';

// Fixture credential only; the login endpoint is stubbed and never validates it.
const FIXTURE_PASSWORD = 'StrongPass123!';

/**
 * Stub a gateway endpoint so it answers every matching request with
 * HTTP 200 and the given JSON payload.
 *
 * @param {import('@playwright/test').Page} page - page whose traffic is intercepted
 * @param {string} urlGlob - glob pattern passed to page.route()
 * @param {object} payload - object serialised as the response body
 */
function stubJsonResponse(page, urlGlob, payload) {
  return page.route(urlGlob, (route) =>
    route.fulfill({
      status: 200,
      contentType: 'application/json',
      body: JSON.stringify(payload),
    }),
  );
}

/**
 * Open the employee login page, wait for its heading, fill the form and
 * submit it.
 *
 * @param {import('@playwright/test').Page} page - page to drive
 * @param {string} email - address typed into the email field
 */
async function submitEmployeeLogin(page, email) {
  await page.goto('/login');

  const loginHeading = page.getByRole('heading', { name: 'Employee Login' });
  await expect(loginHeading).toBeVisible();

  await page.getByPlaceholder('Enter your email').fill(email);
  await page.getByPlaceholder('Enter your password').fill(FIXTURE_PASSWORD);
  await page.getByRole('button', { name: 'Sign in' }).click();
}

test.describe('Admin Auth Split', () => {
  test('blocks external identities on internal management login', async ({ page }) => {
    // The stub reports `success: true` for a public/external identity, so the
    // UI must reject on the audience fields rather than trust `success` alone.
    await stubJsonResponse(page, INTERNAL_LOGIN_ROUTE, {
      success: true,
      audience: 'public',
      user: {
        audience: 'public',
        user_type: 'external_user',
      },
    });

    await submitEmployeeLogin(page, 'external.user@example.com');

    const rejectionNotice = page.getByText(
      'External users are not allowed on management login. Please use the external user login.',
    );
    await expect(rejectionNotice).toBeVisible();
    // The user must stay on the login page, not be forwarded into the admin shell.
    await expect(page).toHaveURL(/\/login/);
  });

  test('allows internal identities and lands on admin shell', async ({ page }) => {
    await stubJsonResponse(page, INTERNAL_LOGIN_ROUTE, {
      success: true,
      audience: 'admin',
      user: {
        audience: 'admin',
        user_type: 'employee',
      },
    });

    // NOTE(review): this stub uses camelCase `userType`, while the login stub
    // above and the external-identity stub below use `user_type`. Confirm
    // which shape the real /auth/me endpoint returns.
    await stubJsonResponse(page, CURRENT_USER_ROUTE, {
      id: 'admin-1',
      audience: 'admin',
      userType: 'employee',
      role: { name: 'Super Admin' },
    });

    await submitEmployeeLogin(page, 'admin@nxtgauge.com');

    await expect(page).toHaveURL(/\/admin/);
    const dashboardHeading = page.getByRole('heading', { name: 'Dashboard' });
    await expect(dashboardHeading).toBeVisible();
  });

  test('redirects back to login if admin session resolves as external identity', async ({ page }) => {
    // Pre-seed the admin session cookie so the session itself looks valid and
    // only the identity returned by /auth/me is wrong.
    // NOTE(review): the cookie is scoped to 127.0.0.1, so the browser sends it
    // only if the app under test is served from that host. Confirm this
    // matches the Playwright baseURL.
    const adminSessionCookie = {
      name: 'nxtgauge_admin_session',
      value: 'internal_management',
      domain: '127.0.0.1',
      path: '/',
    };
    await page.context().addCookies([adminSessionCookie]);

    await stubJsonResponse(page, CURRENT_USER_ROUTE, {
      audience: 'public',
      user_type: 'external_user',
    });

    await page.goto('/admin');

    // The session cookie alone must not grant access to /admin: the guard is
    // expected to send the user to the login page, keeping the original target
    // in the `from` query parameter.
    await expect(page).toHaveURL(/\/login\?from=%2Fadmin/);
  });
});