# backend/tests/test_health.py
# Tests the /health endpoint without spinning up real services.
import pytest


class TestHealthEndpoint:
    """Liveness checks for ``/health`` driven through the ``app_client`` fixture.

    ``app_client`` is supplied by the test setup, not defined in this file; the
    tests only rely on it exposing ``get``/``options`` that return an object
    with ``status_code``, ``headers`` and ``json()``.
    """

    def test_health_returns_200(self, app_client):
        """A plain GET on /health is answered with HTTP 200."""
        response = app_client.get("/health")
        assert response.status_code == 200

    def test_health_returns_ok_status(self, app_client):
        """The JSON body of /health carries ``"status": "ok"``."""
        payload = app_client.get("/health").json()
        assert payload.get("status") == "ok"

    def test_health_no_auth_required(self, app_client):
        """/health answers 200 when the request carries no explicit headers.

        Health must be accessible without a JWT — used by HF Spaces and the
        Cloudflare Worker, which cannot attach app credentials.
        """
        # NOTE(review): an empty header map only omits headers set by this call;
        # if the fixture's client injects default headers (e.g. a token), this
        # test does not prove the endpoint is unauthenticated — confirm against
        # the fixture definition.
        no_explicit_headers = {}
        response = app_client.get("/health", headers=no_explicit_headers)
        assert response.status_code == 200


class TestSecurityHeaders:
    """CORS behaviour observable on responses: origin reflection and preflight."""

    def test_cors_header_not_present_for_wrong_origin(self, app_client):
        """A disallowed Origin is never reflected in Access-Control-Allow-Origin.

        The CORS middleware should not add the allow-origin header for
        origins outside its allow-list.
        """
        disallowed_origin = "https://evil.example.com"
        response = app_client.get("/health", headers={"Origin": disallowed_origin})
        # Status stays 200: CORS is enforced by the browser, the server still
        # serves the resource; only the response headers differ.
        assert response.status_code == 200
        # The allow-origin header must not echo back a disallowed origin.
        allow_origin = response.headers.get("access-control-allow-origin", "")
        assert "evil.example.com" not in allow_origin
        # NOTE(review): a wildcard "*" value also satisfies the assertion above.
        # If the policy for this app is meant to exclude wildcard origins, a
        # stricter check would be `assert allow_origin != "*"`.

    def test_options_preflight_handled(self, app_client):
        """A CORS preflight for POST /chat from the local dev origin is accepted."""
        preflight_headers = {
            "Origin": "http://localhost:3000",
            "Access-Control-Request-Method": "POST",
        }
        response = app_client.options("/chat", headers=preflight_headers)
        # FastAPI returns 200 or 204 for a preflight it accepts.
        assert response.status_code in (200, 204)
        # NOTE(review): only the status is asserted; the allow-origin /
        # allow-methods headers of the preflight response are not checked here.