"""Tests for PKCE implementation"""

import pytest
from starpunk.auth import _generate_pkce_verifier, _generate_pkce_challenge


def test_generate_pkce_verifier():
    """Test PKCE verifier generation"""
    verifier = _generate_pkce_verifier()

    # Length should be 43 characters
    assert len(verifier) == 43

    # Should only contain URL-safe characters
    assert verifier.replace('-', '').replace('_', '').isalnum()


def test_generate_pkce_verifier_unique():
    """Test that verifiers are unique"""
    verifier1 = _generate_pkce_verifier()
    verifier2 = _generate_pkce_verifier()

    assert verifier1 != verifier2


def test_generate_pkce_challenge():
    """Test PKCE challenge generation with known values"""
    # Example from RFC 7636
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    challenge = _generate_pkce_challenge(verifier)

    # Expected challenge for this verifier
    expected = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    assert challenge == expected


def test_pkce_challenge_deterministic():
    """Test that challenge is deterministic"""
    verifier = _generate_pkce_verifier()
    challenge1 = _generate_pkce_challenge(verifier)
    challenge2 = _generate_pkce_challenge(verifier)

    assert challenge1 == challenge2


def test_different_verifiers_different_challenges():
    """Test that different verifiers produce different challenges"""
    verifier1 = _generate_pkce_verifier()
    verifier2 = _generate_pkce_verifier()

    challenge1 = _generate_pkce_challenge(verifier1)
    challenge2 = _generate_pkce_challenge(verifier2)

    assert challenge1 != challenge2


def test_pkce_challenge_length():
    """Test challenge is correct length"""
    verifier = _generate_pkce_verifier()
    challenge = _generate_pkce_challenge(verifier)

    # SHA256 hash -> 32 bytes -> 43 characters base64url (no padding)
    assert len(challenge) == 43