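import json

import pytest

from core.models import AppUser

LOGIN_URL = "/api/auth/login"
LOGOUT_URL = "/api/auth/logout"
ME_URL = "/api/auth/me"
# Fixture credential only; never reused outside the test database.
TEST_PASSWORD = "secret-pass-123"


def _login(client, username: str, password: str):
    """POST JSON credentials to the login endpoint and return the response."""
    return client.post(
        LOGIN_URL,
        data=json.dumps({"username": username, "password": password}),
        content_type="application/json",
    )


@pytest.mark.django_db
def test_login_sets_bounded_session_expiry(client, settings):
    """A successful login must leave an authenticated, time-bounded session.

    The expiry bound on its own proves nothing: ``client.session`` on the
    Django test client lazily creates an empty ``SessionStore`` when no
    session cookie has been set, and ``get_expiry_age()`` on such a session
    just returns ``SESSION_COOKIE_AGE`` -- so ``0 < age <= SESSION_COOKIE_AGE``
    would hold even if login never persisted anything. The cookie and
    ``/api/auth/me`` assertions make the test actually demonstrate that a
    server-side session was issued and is authenticated.
    """
    settings.SESSION_COOKIE_AGE = 3600
    AppUser.objects.create_user(
        username="auth_user",
        email="auth@example.com",
        password=TEST_PASSWORD,
    )

    response = _login(client, "auth_user", TEST_PASSWORD)
    assert response.status_code == 200
    assert response.json()["success"] is True

    # The login response must have issued a session cookie to this client...
    assert settings.SESSION_COOKIE_NAME in client.cookies
    # ...and that session must identify an authenticated user.
    assert client.get(ME_URL).status_code == 200

    # Persisted, but bounded to SESSION_COOKIE_AGE: no unbounded /
    # "remember me" style expiry is set by the login view.
    assert 0 < client.session.get_expiry_age() <= settings.SESSION_COOKIE_AGE
    # NOTE(review): rotation of the session key on login (session-fixation
    # defence) is not asserted here. If the login view is expected to cycle
    # the key, capture client.session.session_key before login and assert it
    # differs afterwards.


@pytest.mark.django_db
def test_logout_forces_session_logout(client):
    """Explicit logout must invalidate the authenticated session server-side.

    Verified through the protected ``/api/auth/me`` endpoint rather than the
    logout response body: what matters is that the same client, still holding
    whatever cookies it has, can no longer act as the user afterwards.
    """
    AppUser.objects.create_user(
        username="logout_user",
        email="logout@example.com",
        password=TEST_PASSWORD,
    )

    login_response = _login(client, "logout_user", TEST_PASSWORD)
    assert login_response.status_code == 200
    # Precondition: the session really is authenticated before logging out,
    # otherwise the final 401 would be meaningless.
    assert client.get(ME_URL).status_code == 200

    logout_response = client.post(LOGOUT_URL)
    assert logout_response.status_code == 200

    # Same client, same cookie jar: the old session must no longer be accepted.
    assert client.get(ME_URL).status_code == 401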