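"""P14.1 — Auth API tests.

Covers:
- Login with valid credentials
- Login with invalid credentials
- Token refresh
- Protected endpoint access with/without token

NOTE(review): no token-refresh test appears in the part of this module
visible here; add one or drop that bullet so the coverage list stays honest.
NOTE(review): the protected-endpoint tests cover "no token" and "valid
token" only. A token that is present but malformed, expired or signed with
the wrong key is the case most likely to regress silently, so it should get
a test expecting 401 as well.
"""

import pytest


class TestAuth:
    """Authentication endpoints.

    The ``client``, ``db``, ``make_user`` and ``auth_header`` arguments are
    pytest fixtures supplied from outside this file (presumably a conftest;
    their exact behaviour is not visible here).
    """

    def test_login_success(self, client, db, make_user):
        """Valid login returns a non-empty bearer token."""
        # The created user object is not needed, only its side effect.
        make_user(username="testuser", password="testpass123")
        resp = client.post(
            "/auth/token",
            data={"username": "testuser", "password": "testpass123"},
        )
        assert resp.status_code == 200
        data = resp.json()
        assert "access_token" in data
        # A key-presence check alone would accept ``null`` or ``""``.
        assert data["access_token"]
        assert data["token_type"] == "bearer"

    def test_login_invalid_password(self, client, db, make_user):
        """Invalid password returns 401."""
        make_user(username="testuser", password="testpass123")
        resp = client.post(
            "/auth/token",
            data={"username": "testuser", "password": "wrongpass"},
        )
        assert resp.status_code == 401

    def test_login_nonexistent_user(self, client, db):
        """Non-existent user returns 401.

        NOTE(review): this and the wrong-password case both expect 401, but
        nothing checks that the two responses are otherwise identical. If
        the API is meant to avoid revealing which usernames exist, compare
        the response bodies of both cases in one test.
        """
        resp = client.post(
            "/auth/token",
            data={"username": "nosuchuser", "password": "anypass"},
        )
        assert resp.status_code == 401

    def test_protected_endpoint_without_token(self, client):
        """Accessing protected endpoint without token returns 401."""
        resp = client.get("/users/me")
        assert resp.status_code == 401

    def test_protected_endpoint_with_token(self, client, db, make_user, auth_header):
        """Accessing protected endpoint with valid token succeeds.

        Also checks that the returned profile belongs to the user the token
        was issued for, not merely that the request was accepted.
        """
        user = make_user()
        resp = client.get("/users/me", headers=auth_header(user))
        assert resp.status_code == 200
        data = resp.json()
        assert data["id"] == user.id
        assert data["username"] == user.username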