<?php

declare(strict_types=1);

use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('renders an Entra-only admin login page', function () {
    $response = $this->get('/admin/login');

    $response->assertSuccessful();

    $response->assertSee('Sign in with Microsoft');
    $response->assertSee(route('auth.entra.redirect'), escape: false);

    $response->assertDontSee('type="password"', escape: false);
    $response->assertDontSee('Break-glass mode', escape: false);
});

it('redirects to the Entra authorize endpoint when configured', function () {
    config()->set('services.microsoft.client_id', 'test-client-id');
    config()->set('services.microsoft.client_secret', 'test-client-secret');
    config()->set('services.microsoft.redirect', 'https://example.test/auth/entra/callback');
    config()->set('services.microsoft.tenant', 'organizations');

    $response = $this->get(route('auth.entra.redirect'));

    $response->assertRedirect();
    $response->assertSessionHas('entra_state');

    $location = (string) $response->headers->get('Location');

    expect($location)->toContain('https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize');
    expect($location)->toContain('client_id=test-client-id');
    expect($location)->toContain('redirect_uri='.urlencode('https://example.test/auth/entra/callback'));
    expect($location)->toContain('response_type=code');
    expect($location)->toContain('scope=openid+profile+email');
});