package crypto

import (
	"testing"
)

func TestDefaultParams(t *testing.T) {
	p, err := DefaultParams()
	if err != nil {
		t.Fatalf("DefaultParams: %v", err)
	}
	if len(p.Salt) != 16 {
		t.Fatalf("expected 16-byte salt, got %d", len(p.Salt))
	}
}

func TestDeriveKey(t *testing.T) {
	p, _ := DefaultParams()
	key := DeriveKey("test-passphrase", p)
	if len(key) != 32 {
		t.Fatalf("expected 32-byte key, got %d", len(key))
	}

	// Same passphrase + params → same key
	key2 := DeriveKey("test-passphrase", p)
	if string(key) != string(key2) {
		t.Fatal("same passphrase should produce same key")
	}

	// Different passphrase → different key
	key3 := DeriveKey("other-passphrase", p)
	if string(key) == string(key3) {
		t.Fatal("different passphrase should produce different key")
	}
}

func TestEncryptDecryptBytes(t *testing.T) {
	p, _ := DefaultParams()
	key := DeriveKey("test", p)
	enc, err := NewEncryptor(key)
	if err != nil {
		t.Fatalf("NewEncryptor: %v", err)
	}

	plaintext := []byte("hello world")
	ct, err := enc.Encrypt(plaintext)
	if err != nil {
		t.Fatalf("Encrypt: %v", err)
	}

	pt, err := enc.Decrypt(ct)
	if err != nil {
		t.Fatalf("Decrypt: %v", err)
	}
	if string(pt) != string(plaintext) {
		t.Fatalf("expected %q, got %q", plaintext, pt)
	}
}

func TestEncryptDecryptString(t *testing.T) {
	p, _ := DefaultParams()
	key := DeriveKey("test", p)
	enc, _ := NewEncryptor(key)

	original := "sensitive@email.com"
	encoded, err := enc.EncryptString(original)
	if err != nil {
		t.Fatalf("EncryptString: %v", err)
	}

	decoded, err := enc.DecryptString(encoded)
	if err != nil {
		t.Fatalf("DecryptString: %v", err)
	}
	if decoded != original {
		t.Fatalf("expected %q, got %q", original, decoded)
	}
}

func TestDecryptWrongKey(t *testing.T) {
	p, _ := DefaultParams()
	key1 := DeriveKey("passphrase-1", p)
	key2 := DeriveKey("passphrase-2", p)

	enc1, _ := NewEncryptor(key1)
	enc2, _ := NewEncryptor(key2)

	ct, _ := enc1.Encrypt([]byte("secret"))
	_, err := enc2.Decrypt(ct)
	if err == nil {
		t.Fatal("expected error decrypting with wrong key")
	}
}

func TestDecryptTooShort(t *testing.T) {
	p, _ := DefaultParams()
	key := DeriveKey("test", p)
	enc, _ := NewEncryptor(key)

	_, err := enc.Decrypt([]byte("short"))
	if err == nil {
		t.Fatal("expected error for short ciphertext")
	}
}

func TestNewEncryptorBadKeyLength(t *testing.T) {
	_, err := NewEncryptor([]byte("too-short"))
	if err == nil {
		t.Fatal("expected error for bad key length")
	}
}

func TestEncryptProducesDifferentCiphertext(t *testing.T) {
	p, _ := DefaultParams()
	key := DeriveKey("test", p)
	enc, _ := NewEncryptor(key)

	pt := []byte("same plaintext")
	ct1, _ := enc.Encrypt(pt)
	ct2, _ := enc.Encrypt(pt)

	if string(ct1) == string(ct2) {
		t.Fatal("two encryptions of same plaintext should differ (random nonce)")
	}
}