import { afterEach, describe, expect, it, vi } from 'vitest';
import type { NextConfig } from 'next';

async function loadConfig(): Promise<NextConfig> {
  vi.resetModules();
  const mod = await import('@/next.config');
  return mod.default;
}

describe('Security response headers', () => {
  afterEach(() => {
    delete process.env.ALLOWED_FRAME_ANCESTORS;
  });

  describe('default (no ALLOWED_FRAME_ANCESTORS)', () => {
    it('nextConfig.headers() is defined', async () => {
      const config = await loadConfig();
      expect(config.headers).toBeDefined();
      expect(typeof config.headers).toBe('function');
    });

    it('includes X-Frame-Options SAMEORIGIN on all routes', async () => {
      const config = await loadConfig();
      const headerGroups = await config.headers!();
      const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;

      expect(allRouteGroup).toBeDefined();
      expect(allRouteGroup.headers).toContainEqual({
        key: 'X-Frame-Options',
        value: 'SAMEORIGIN',
      });
    });

    it("includes Content-Security-Policy frame-ancestors 'self'", async () => {
      const config = await loadConfig();
      const headerGroups = await config.headers!();
      const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;

      expect(allRouteGroup).toBeDefined();
      expect(allRouteGroup.headers).toContainEqual({
        key: 'Content-Security-Policy',
        value: "frame-ancestors 'self'",
      });
    });
  });

  describe('with ALLOWED_FRAME_ANCESTORS', () => {
    it('appends allowed origins to frame-ancestors', async () => {
      process.env.ALLOWED_FRAME_ANCESTORS = 'https://partner.example.com';
      const config = await loadConfig();
      const headerGroups = await config.headers!();
      const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;

      expect(allRouteGroup.headers).toContainEqual({
        key: 'Content-Security-Policy',
        value: "frame-ancestors 'self' https://partner.example.com",
      });
    });

    it('omits X-Frame-Options when custom ancestors are set', async () => {
      process.env.ALLOWED_FRAME_ANCESTORS = 'https://partner.example.com';
      const config = await loadConfig();
      const headerGroups = await config.headers!();
      const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;

      const xfo = allRouteGroup.headers.find((h) => h.key === 'X-Frame-Options');
      expect(xfo).toBeUndefined();
    });

    it('supports multiple space-separated origins', async () => {
      process.env.ALLOWED_FRAME_ANCESTORS = 'https://a.example.com https://b.example.com';
      const config = await loadConfig();
      const headerGroups = await config.headers!();
      const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;

      expect(allRouteGroup.headers).toContainEqual({
        key: 'Content-Security-Policy',
        value: "frame-ancestors 'self' https://a.example.com https://b.example.com",
      });
    });
  });
});