<?php
declare(strict_types=1);

namespace Phred\Tests\Feature;

use PHPUnit\Framework\TestCase;
use Phred\Http\Kernel;
use Nyholm\Psr7\ServerRequest;

class SecurityTest extends TestCase
{
    public function test_secure_headers_are_present(): void
    {
        $kernel = new Kernel();
        $request = new ServerRequest('GET', '/_phred/health');

        $response = $kernel->handle($request);

        $this->assertEquals('nosniff', $response->getHeaderLine('X-Content-Type-Options'));
        $this->assertEquals('SAMEORIGIN', $response->getHeaderLine('X-Frame-Options'));
    }

    public function test_cors_headers_are_present(): void
    {
        $kernel = new Kernel();
        // Preflight request
        $request = new ServerRequest('OPTIONS', '/_phred/health');
        $request = $request->withHeader('Origin', 'http://example.com')
                          ->withHeader('Access-Control-Request-Method', 'GET');

        $response = $kernel->handle($request);

        $this->assertEquals('http://example.com', $response->getHeaderLine('Access-Control-Allow-Origin'));
    }

    public function testProfilingHeadersPresentInDebug(): void
    {
        putenv('APP_DEBUG=true');
        $_ENV['APP_DEBUG'] = 'true';
        $_SERVER['APP_DEBUG'] = 'true';
        \Phred\Support\Config::clear();
        $kernel = new Kernel();
        $request = new ServerRequest('GET', '/_phred/health');

        $response = $kernel->handle($request);

        $this->assertTrue($response->hasHeader('X-Phred-Timings'));
        $timings = json_decode($response->getHeaderLine('X-Phred-Timings'), true);
        $this->assertIsArray($timings);
    }
}