import { describe, expect, it } from "vitest";
import { decryptToken, encryptToken, generateKey, keyFromBase64, keyToBase64 } from "./token-store";

describe("token-store — libsodium crypto_secretbox round-trip", () => {
  it("encrypts and decrypts a token round-trip", async () => {
    const key = await generateKey();
    const plain = "AQXxxx-fake-access-token-zzz";
    const ct = await encryptToken(plain, key);
    expect(ct).not.toContain(plain);
    const back = await decryptToken(ct, key);
    expect(back).toBe(plain);
  });

  it("produces different ciphertexts for the same plaintext (random nonce)", async () => {
    const key = await generateKey();
    const plain = "same-plaintext";
    const a = await encryptToken(plain, key);
    const b = await encryptToken(plain, key);
    expect(a).not.toBe(b);
  });

  it("fails to decrypt with wrong key", async () => {
    const k1 = await generateKey();
    const k2 = await generateKey();
    const ct = await encryptToken("secret", k1);
    let err: unknown;
    try {
      await decryptToken(ct, k2);
    } catch (e) {
      err = e;
    }
    expect(err).toBeDefined();
  });

  it("key serialization round-trip", async () => {
    const key = await generateKey();
    const b64 = await keyToBase64(key);
    const back = await keyFromBase64(b64);
    expect(back).toEqual(key);
  });
});