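package mcp_test

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"gitea.d-ma.be/mathias/gitea-mcp/internal/mcp"
	"github.com/stretchr/testify/assert"
)

// TestOriginAllowlist exercises the mcp.OriginAllowlist middleware with a
// two-entry allowlist and checks, per request, both the response status and
// whether the wrapped handler was reached.
//
// Besides the listed and unlisted origins, the table covers values that are
// not in the allowlist but resemble an entry (host used as a prefix, scheme
// changed) and the opaque "null" origin. A comparison that is looser than
// whole-value equality (prefix, substring, host-only) would let these through,
// so they are pinned to 403 here.
func TestOriginAllowlist(t *testing.T) {
	allow := []string{"https://claude.ai", "https://api.anthropic.com"}

	// called records whether the inner handler ran; it is reset at the start
	// of every subtest because the handler is shared across cases.
	called := false
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		called = true
		w.WriteHeader(http.StatusOK)
	})
	h := mcp.OriginAllowlist(allow)(next)

	cases := []struct {
		name       string
		origin     string
		wantCode   int
		wantCalled bool
	}{
		{name: "allowed", origin: "https://claude.ai", wantCode: http.StatusOK, wantCalled: true},
		{name: "allowed-2", origin: "https://api.anthropic.com", wantCode: http.StatusOK, wantCalled: true},
		{name: "forbidden", origin: "https://evil.example", wantCode: http.StatusForbidden, wantCalled: false},

		// Not in the allowlist: an allowed host appearing as the leading
		// label of a different domain.
		{name: "forbidden lookalike host", origin: "https://claude.ai.evil.example", wantCode: http.StatusForbidden, wantCalled: false},
		// Not in the allowlist: same host over plain HTTP.
		{name: "forbidden scheme mismatch", origin: "http://claude.ai", wantCode: http.StatusForbidden, wantCalled: false},
		// Not in the allowlist: the literal "null" that browsers send for
		// opaque origins (sandboxed frames, some redirects).
		{name: "forbidden null origin", origin: "null", wantCode: http.StatusForbidden, wantCalled: false},

		// A request without an Origin header is passed through. This case
		// documents that the allowlist only constrains callers that send
		// Origin (browsers); it is not authentication, since a non-browser
		// client can omit the header. Access control for such callers has to
		// come from elsewhere.
		{name: "empty allowed (server-side caller)", origin: "", wantCode: http.StatusOK, wantCalled: true},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			called = false

			req := httptest.NewRequest(http.MethodPost, "/", nil)
			if tc.origin != "" {
				req.Header.Set("Origin", tc.origin)
			}
			rr := httptest.NewRecorder()

			h.ServeHTTP(rr, req)

			assert.Equal(t, tc.wantCode, rr.Code)
			assert.Equal(t, tc.wantCalled, called)
		})
	}
}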