use adapters_auth::JwtTokenIssuer;
use domain::errors::DomainError;
use domain::ports::TokenIssuer;
use domain::value_objects::SystemId;

#[tokio::test]
async fn issue_and_verify_roundtrip() {
    let issuer = JwtTokenIssuer::new("test-secret-key-long-enough-32chars!!");
    let user_id = SystemId::new();
    let token = issuer.issue(&user_id, "user").await.unwrap();
    let (verified_id, verified_role) = issuer.verify(&token).await.unwrap();
    assert_eq!(verified_id, user_id);
    assert_eq!(verified_role, "user");
}

#[tokio::test]
async fn rejects_invalid_token() {
    let issuer = JwtTokenIssuer::new("test-secret-key-long-enough-32chars!!");
    let result = issuer.verify("not.a.valid.jwt").await;
    assert!(matches!(result, Err(DomainError::Unauthorized(_))));
}