import test from "node:test";
import assert from "node:assert/strict";

test("auth is open when SCHEMETA_AUTH_TOKEN is not configured", async () => {
  delete process.env.SCHEMETA_AUTH_TOKEN;
  const mod = await import(`../src/server.js?auth_open=${Date.now()}`);
  const req = { headers: {} };
  assert.equal(mod.isAuthorizedRequest(req), true);
});

test("auth accepts bearer token when configured", async () => {
  process.env.SCHEMETA_AUTH_TOKEN = "topsecret";
  const mod = await import(`../src/server.js?auth_bearer=${Date.now()}`);
  assert.equal(mod.isAuthorizedRequest({ headers: {} }), false);
  assert.equal(mod.isAuthorizedRequest({ headers: { authorization: "Bearer topsecret" } }), true);
  assert.equal(mod.isAuthorizedRequest({ headers: { authorization: "Bearer wrong" } }), false);
});

test("auth accepts x-api-key when configured", async () => {
  process.env.SCHEMETA_AUTH_TOKEN = "topsecret";
  const mod = await import(`../src/server.js?auth_xapikey=${Date.now()}`);
  assert.equal(mod.isAuthorizedRequest({ headers: { "x-api-key": "topsecret" } }), true);
  assert.equal(mod.isAuthorizedRequest({ headers: { "x-api-key": "wrong" } }), false);
});