package store

import (
	"testing"
	"time"
)

func TestUpdateAccountChangesFieldsKeepsPasswordWhenBlank(t *testing.T) {
	s := openTemp(t)
	if _, err := s.AddAccount(sampleAccount()); err != nil { // RO, password "s3cr3t"
		t.Fatalf("AddAccount: %v", err)
	}
	upd := sampleAccount()
	upd.Mode = "RW"
	upd.IMAPPort = 143
	upd.SMTPHost = "smtp.example.com"
	upd.SMTPPort = 587
	upd.SMTPSecurity = "starttls"
	upd.Password = "" // blank => keep existing password
	if err := s.UpdateAccount(upd); err != nil {
		t.Fatalf("UpdateAccount: %v", err)
	}
	got, err := s.GetAccount("work")
	if err != nil {
		t.Fatalf("GetAccount: %v", err)
	}
	if got.Mode != "RW" || got.IMAPPort != 143 || got.SMTPHost != "smtp.example.com" || got.SMTPPort != 587 {
		t.Fatalf("fields not updated: %+v", got)
	}
	if got.Password != "s3cr3t" {
		t.Fatalf("blank password should preserve existing, got %q", got.Password)
	}
}

func TestUpdateAccountReEncryptsNewPassword(t *testing.T) {
	s := openTemp(t)
	_, _ = s.AddAccount(sampleAccount())
	upd := sampleAccount()
	upd.Password = "n3wpass"
	if err := s.UpdateAccount(upd); err != nil {
		t.Fatalf("UpdateAccount: %v", err)
	}
	got, _ := s.GetAccount("work")
	if got.Password != "n3wpass" {
		t.Fatalf("password not updated: %q", got.Password)
	}
	// And it is encrypted at rest.
	var blob []byte
	_ = s.db.QueryRow("SELECT enc_password FROM accounts WHERE name='work'").Scan(&blob)
	if string(blob) == "n3wpass" || len(blob) == 0 {
		t.Fatalf("new password not encrypted at rest")
	}
}

func TestUpdateAccountMissing(t *testing.T) {
	s := openTemp(t)
	if err := s.UpdateAccount(sampleAccount()); err == nil {
		t.Fatal("updating a non-existent account must error")
	}
}

func TestRecentAuditForFiltersByAccount(t *testing.T) {
	s := openTemp(t)
	now := time.Date(2026, 6, 22, 0, 0, 0, 0, time.UTC)
	_ = s.Audit(now, AuditEntry{Account: "a", Action: "list", Target: "INBOX", Result: "allowed"})
	_ = s.Audit(now, AuditEntry{Account: "b", Action: "send", Target: "x@y.com", Result: "allowed"})
	_ = s.Audit(now, AuditEntry{Account: "a", Action: "get", Target: "1", Result: "allowed"})

	all, err := s.RecentAuditFor("", 50)
	if err != nil || len(all) != 3 {
		t.Fatalf("RecentAuditFor all: len=%d err=%v", len(all), err)
	}
	onlyA, err := s.RecentAuditFor("a", 50)
	if err != nil || len(onlyA) != 2 {
		t.Fatalf("RecentAuditFor a: len=%d err=%v", len(onlyA), err)
	}
	for _, e := range onlyA {
		if e.Account != "a" {
			t.Fatalf("filter leaked account %q", e.Account)
		}
	}
}