<?php

declare(strict_types=1);

use App\Support\Verification\VerificationReportSanitizer;

it('does not truncate next step URLs so required OAuth query params remain present', function (): void {
    $tenantId = 'b0091e5d-944f-4a34-bcd9-12cbfb7b75cf';
    $clientId = 'c9110351-1e46-43fe-865d-8a1ce896cc47';

    $veryLongRedirect = 'http://localhost/admin/consent/callback/'.str_repeat('x', 260);

    $url = sprintf(
        'https://login.microsoftonline.com/%s/v2.0/adminconsent?%s',
        $tenantId,
        http_build_query([
            'client_id' => $clientId,
            'state' => 'tenantpilot|123',
            'redirect_uri' => $veryLongRedirect,
            'scope' => 'https://graph.microsoft.com/.default',
        ]),
    );

    // This URL exceeds 200 chars; sanitizer must not drop the `scope`.
    expect(strlen($url))->toBeGreaterThan(200);

    $sanitized = VerificationReportSanitizer::sanitizeNextStepsPayload([
        ['label' => 'Grant admin consent', 'url' => $url],
    ]);

    expect($sanitized)
        ->toBeArray()
        ->not->toBeEmpty()
        ->and($sanitized[0]['url'] ?? null)->toContain('scope=')
        ->and($sanitized[0]['url'] ?? null)->toContain(urlencode('https://graph.microsoft.com/.default'));
});