// Parity tests for the auth bridge: the browser must produce the same NATS nkey and
// the same signed control-plane request bytes as the Go client, or it would not
// authenticate on either plane (issue 0001, Phase 1).

import { describe, it, expect } from "vitest";
import vectors from "./testdata/vectors.json";
import { hexToBytes, bytesToHex, base64ToBytes } from "./crypto.js";
import { nkeyPublic, canonicalRequest, signedHeaders } from "./busauth.js";

describe("NATS nkey encoding", () => {
  it("derives the same user nkey ('U...') as Go from the Ed25519 pubkey", () => {
    const v = vectors.nkey;
    expect(nkeyPublic(hexToBytes(v.sign_pub_hex))).toBe(v.nkey_public);
  });
});

describe("control-plane request signing", () => {
  it("builds the same canonical request bytes as Go", () => {
    const v = vectors.control_request;
    const got = canonicalRequest(v.method, v.path, v.ts, v.nonce, hexToBytes(v.body_hex));
    expect(bytesToHex(got)).toBe(v.canonical_hex);
  });

  it("produces the same Ed25519 signature as Go (X-Unibus-Sig)", () => {
    const v = vectors.control_request;
    const headers = signedHeaders(
      hexToBytes(vectors.sign.sign_pub_hex),
      hexToBytes(v.sign_priv_hex),
      v.method,
      v.path,
      v.ts,
      v.nonce,
      hexToBytes(v.body_hex),
    );
    // X-Unibus-Sig is base64-standard; decode and compare hex to the Go vector.
    expect(bytesToHex(base64ToBytes(headers["X-Unibus-Sig"]))).toBe(v.sig_hex);
    expect(headers["X-Unibus-Pub"]).toBe(vectors.sign.sign_pub_hex);
    expect(headers["X-Unibus-Ts"]).toBe(v.ts);
    expect(headers["X-Unibus-Nonce"]).toBe(v.nonce);
  });
});