package natsb

import (
	"strings"
	"testing"
)

func TestBuildSafePublishableNATSURL(t *testing.T) {
	t.Parallel()

	t.Run("redacts single URL credentials", func(t *testing.T) {
		t.Parallel()

		raw := "nats://alice:supersecret@localhost:4222"
		sanitized := buildSafePublishableNATSURL(raw)

		if strings.Contains(sanitized, "supersecret") {
			t.Fatalf("expected password to be redacted, got %q", sanitized)
		}
		if !strings.Contains(sanitized, "alice:xxxxx@") {
			t.Fatalf("expected redacted URL to keep username, got %q", sanitized)
		}
	})

	t.Run("redacts credentials in gateway URL format", func(t *testing.T) {
		t.Parallel()

		raw := "nats://dev_nats:nats_password_123@dev-nats:4222"
		sanitized := buildSafePublishableNATSURL(raw)

		if strings.Contains(sanitized, "nats_password_123") {
			t.Fatalf("expected password to be redacted, got %q", sanitized)
		}
		if !strings.Contains(sanitized, "dev_nats:xxxxx@dev-nats:4222") {
			t.Fatalf("expected sanitized URL with redacted password, got %q", sanitized)
		}
	})

	t.Run("keeps URL without credentials unchanged", func(t *testing.T) {
		t.Parallel()

		raw := "nats://localhost:4222"
		sanitized := buildSafePublishableNATSURL(raw)
		if sanitized != raw {
			t.Fatalf("expected URL without credentials to remain unchanged, got %q", sanitized)
		}
	})

	t.Run("redacts each URL in server list", func(t *testing.T) {
		t.Parallel()

		raw := " nats://alice:one@localhost:4222, nats://bob:two@localhost:4223 "
		sanitized := buildSafePublishableNATSURL(raw)

		if strings.Contains(sanitized, "one") || strings.Contains(sanitized, "two") {
			t.Fatalf("expected passwords to be redacted, got %q", sanitized)
		}
		if !strings.Contains(sanitized, "alice:xxxxx@") || !strings.Contains(sanitized, "bob:xxxxx@") {
			t.Fatalf("expected both URLs to be redacted, got %q", sanitized)
		}
	})

	t.Run("returns invalid URL as-is", func(t *testing.T) {
		t.Parallel()

		raw := "not a url"
		sanitized := buildSafePublishableNATSURL(raw)
		if sanitized != raw {
			t.Fatalf("expected invalid URL to remain unchanged, got %q", sanitized)
		}
	})

	t.Run("redacts malformed URL credentials via fallback", func(t *testing.T) {
		t.Parallel()

		raw := "nats://alice:pa%ss@localhost:4222"
		sanitized := buildSafePublishableNATSURL(raw)

		if strings.Contains(sanitized, "pa%ss") {
			t.Fatalf("expected malformed password to be redacted, got %q", sanitized)
		}
		if !strings.Contains(sanitized, "alice:xxxxx@localhost:4222") {
			t.Fatalf("expected fallback redaction to preserve host and username, got %q", sanitized)
		}
	})

	t.Run("redacts URL without scheme when user info is present", func(t *testing.T) {
		t.Parallel()

		raw := "alice:topsecret@localhost:4222"
		sanitized := buildSafePublishableNATSURL(raw)

		if strings.Contains(sanitized, "topsecret") {
			t.Fatalf("expected password to be redacted, got %q", sanitized)
		}
		if !strings.Contains(sanitized, "alice:xxxxx@localhost:4222") {
			t.Fatalf("expected sanitized authority with redacted password, got %q", sanitized)
		}
	})
}