import { beforeEach, describe, expect, it, vi } from 'vitest'

const filesystem = vi.hoisted(() => ({
  mkdir: vi.fn(),
  appendFile: vi.fn(),
  readFile: vi.fn(),
  writeFile: vi.fn()
}))

vi.mock('fs/promises', () => ({
  default: filesystem
}))

import {
  cleanupPasswordResetLogs,
  fingerprintResetEmail,
  maskResetEmail,
  normalizeResetEmail,
  writePasswordResetLog
} from '../server/utils/password-reset-log.js'

describe('Password reset diagnostic log privacy helpers', () => {
  beforeEach(() => {
    vi.clearAllMocks()
  })

  it('normalisiert E-Mail-Adressen für Lookup und Korrelation', () => {
    expect(normalizeResetEmail(' User@Example.com ')).toBe('user@example.com')
    expect(fingerprintResetEmail(' User@Example.com ')).toBe(fingerprintResetEmail('user@example.com'))
  })

  it('maskiert die E-Mail-Adresse für Diagnoseausgaben', () => {
    const masked = maskResetEmail('ag2608@googlemail.com')

    expect(masked).toBe('ag***@go***.com')
    expect(masked).not.toContain('ag2608')
    expect(masked).not.toContain('googlemail')
  })

  it('entfernt Diagnoseeinträge nach 72 Stunden', async () => {
    const now = Date.parse('2026-05-27T12:00:00.000Z')
    filesystem.readFile.mockResolvedValue([
      JSON.stringify({ ts: '2026-05-24T11:59:59.000Z', requestId: 'alt' }),
      JSON.stringify({ ts: '2026-05-24T12:00:00.000Z', requestId: 'neu' }),
      ''
    ].join('\n'))

    const result = await cleanupPasswordResetLogs(now)

    expect(result).toEqual({ retained: 1, removed: 1 })
    expect(filesystem.writeFile).toHaveBeenCalledWith(
      expect.any(String),
      `${JSON.stringify({ ts: '2026-05-24T12:00:00.000Z', requestId: 'neu' })}\n`,
      'utf8'
    )
  })

  it('schreibt bereinigte Fehlerdetails ohne E-Mail oder Credentials', async () => {
    await writePasswordResetLog({
      requestId: 'r1',
      email: 'ag2608@googlemail.com',
      step: 'mail_send',
      status: 'failed',
      error: Object.assign(new Error('Versand an ag2608@googlemail.com fehlgeschlagen password=geheim'), { code: 'EAUTH' })
    })

    const payload = filesystem.appendFile.mock.calls[0][1]
    expect(payload).toContain('"errorCode":"EAUTH"')
    expect(payload).toContain('ag***@go***.com')
    expect(payload).toContain('password=[redacted]')
    expect(payload).not.toContain('ag2608@googlemail.com')
    expect(payload).not.toContain('geheim')
  })
})