<?php

namespace Tests\Feature\Security\Authorization;

use App\Models\Admin;
use App\Models\Bank;
use App\Models\Organization;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Livewire\Livewire;
use Tests\TestCase;

/**
 * Message Settings Authorization Tests
 *
 * Tests that users can only modify their own profile message settings
 * and cannot manipulate session to modify other profiles' settings.
 *
 * @group security
 * @group authorization
 * @group idor
 * @group critical
 */
class MessageSettingsAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    /**
     * Test user can access their own message settings
     *
     * @test
     */
    public function user_can_access_own_message_settings()
    {
        $user = User::factory()->create();
        $this->actingAs($user, 'web');

        session(['activeProfileType' => User::class]);
        session(['activeProfileId' => $user->id]);

        $response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);

        $response->assertStatus(200);
        $response->assertSet('systemMessage', true); // Default value
    }

    /**
     * Test user cannot access another user's message settings via session manipulation
     *
     * @test
     */
    public function user_cannot_access_another_users_message_settings()
    {
        $user1 = User::factory()->create();
        $user2 = User::factory()->create();

        $this->actingAs($user1, 'web');

        // Malicious attempt: manipulate session to access user2's settings
        session(['activeProfileType' => User::class]);
        session(['activeProfileId' => $user2->id]); // Different user!

        $response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);

        $response->assertStatus(403);
    }

    /**
     * Test user cannot update another user's message settings
     *
     * @test
     */
    public function user_cannot_update_another_users_message_settings()
    {
        $user1 = User::factory()->create();
        $user2 = User::factory()->create();

        $this->actingAs($user1, 'web');

        // Malicious attempt: manipulate session to update user2's settings
        session(['activeProfileType' => User::class]);
        session(['activeProfileId' => $user2->id]);

        $response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class)
            ->set('systemMessage', false)
            ->call('updateMessageSettings');

        $response->assertStatus(403);
    }

    /**
     * Test organization can access their own message settings
     *
     * @test
     */
    public function organization_can_access_own_message_settings()
    {
        $user = User::factory()->create();
        $organization = Organization::factory()->create();
        $organization->users()->attach($user->id);

        $this->actingAs($organization, 'organization');

        session(['activeProfileType' => Organization::class]);
        session(['activeProfileId' => $organization->id]);

        $response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);

        $response->assertStatus(200);
    }

    /**
     * Test organization cannot access another organization's message settings
     *
     * @test
     */
    public function organization_cannot_access_another_organizations_message_settings()
    {
        $user = User::factory()->create();
        $org1 = Organization::factory()->create();
        $org2 = Organization::factory()->create();

        $org1->users()->attach($user->id);
        // User is NOT linked to org2

        $this->actingAs($org1, 'organization');

        // Malicious attempt: manipulate session to access org2's settings
        session(['activeProfileType' => Organization::class]);
        session(['activeProfileId' => $org2->id]);

        $response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);

        $response->assertStatus(403);
    }

    /**
     * Test admin can access their own message settings
     *
     * @test
     */
    public function admin_can_access_own_message_settings()
    {
        $user = User::factory()->create();
        $admin = Admin::factory()->create();
        $admin->users()->attach($user->id);

        $this->actingAs($admin, 'admin');

        session(['activeProfileType' => Admin::class]);
        session(['activeProfileId' => $admin->id]);

        $response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);

        $response->assertStatus(200);
    }

    /**
     * Test bank can access their own message settings
     *
     * @test
     */
    public function bank_can_access_own_message_settings()
    {
        $user = User::factory()->create();
        $bank = Bank::factory()->create();
        $bank->managers()->attach($user->id);

        $this->actingAs($bank, 'bank');

        session(['activeProfileType' => Bank::class]);
        session(['activeProfileId' => $bank->id]);

        $response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);

        $response->assertStatus(200);
    }

    /**
     * Test user can update their own message settings
     *
     * @test
     */
    public function user_can_update_own_message_settings()
    {
        $user = User::factory()->create();
        $this->actingAs($user, 'web');

        session(['activeProfileType' => User::class]);
        session(['activeProfileId' => $user->id]);

        $response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class)
            ->set('systemMessage', false)
            ->set('paymentReceived', true)
            ->set('chatUnreadDelay', 24)
            ->call('updateMessageSettings');

        $response->assertStatus(200);
        $response->assertDispatched('saved');

        // Verify settings were saved
        $this->assertDatabaseHas('message_settings', [
            'messageable_type' => User::class,
            'messageable_id' => $user->id,
            'system_message' => false,
            'payment_received' => true,
            'chat_unread_delay' => 24,
        ]);
    }

    /**
     * Test cross-profile access: user logged in as user trying to access org settings
     *
     * @test
     */
    public function user_cannot_access_organization_message_settings_via_session()
    {
        $user = User::factory()->create();
        $organization = Organization::factory()->create();
        $user->organizations()->attach($organization->id);

        // Login as regular user (web guard)
        $this->actingAs($user, 'web');

        // Try to access organization settings via session manipulation
        session(['activeProfileType' => Organization::class]);
        session(['activeProfileId' => $organization->id]);

        $response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);

        // Should fail because authenticated as User but trying to access Organization profile
        $response->assertStatus(403);
    }

    /**
     * Test unauthenticated user cannot access message settings
     *
     * @test
     */
    public function unauthenticated_user_cannot_access_message_settings()
    {
        $user = User::factory()->create();

        session(['activeProfileType' => User::class]);
        session(['activeProfileId' => $user->id]);

        $response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);

        $response->assertStatus(401);
    }

    /**
     * Test message settings default values are created on first access
     *
     * @test
     */
    public function message_settings_default_values_created_on_first_access()
    {
        $user = User::factory()->create();
        $this->actingAs($user, 'web');

        session(['activeProfileType' => User::class]);
        session(['activeProfileId' => $user->id]);

        // User has no message settings yet
        $this->assertDatabaseMissing('message_settings', [
            'messageable_type' => User::class,
            'messageable_id' => $user->id,
        ]);

        $response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);

        $response->assertStatus(200);

        // Default settings should be created
        $this->assertDatabaseHas('message_settings', [
            'messageable_type' => User::class,
            'messageable_id' => $user->id,
            'system_message' => true,
            'payment_received' => true,
            'star_received' => true,
        ]);
    }
}