use axum::{routing::get, Router};
use uuid::Uuid;

/// End-to-end check that a token produced by `iam_service::utils::sign` verifies
/// through `auth_kit` when the RS256 verification config is built from the
/// service's own JWKS endpoint.
///
/// The JWKS handler is served on a loopback address with port `0`, so the OS picks
/// a free port and the test needs no fixed port number.
// NOTE(review): only the accepting path is exercised here. A companion case asserting
// that `auth_kit::jwt::verify` returns `Err` for a token with an altered payload, or
// for a config built with a different first argument, would pin the rejecting side of
// the verifier as well.
#[tokio::test]
async fn jwks_endpoint_allows_rs256_verification_via_auth_kit() {
    const JWKS_PATH: &str = "/.well-known/jwks.json";

    // Minimal router: the JWKS handler is the only route the verifier needs.
    let jwks_router = Router::new().route(
        JWKS_PATH,
        get(iam_service::presentation::http::handlers::jwks::jwks_handler),
    );

    // Bind first and read the address back, since the port is assigned by the OS.
    let socket = tokio::net::TcpListener::bind("127.0.0.1:0")
        .await
        .unwrap();
    let bound_addr = socket.local_addr().unwrap();
    let base_url = format!("http://{bound_addr}");

    // Serve in the background for the duration of the test.
    let server_task = tokio::spawn(async move {
        axum::serve(socket, jwks_router).await.unwrap();
    });

    // Two fresh random UUIDs, one role and one permission string. The meaning of the
    // empty vector and of the trailing `0` is not visible from this file.
    // NOTE(review): confirm both against the signature of `sign`.
    let roles = vec!["Admin".to_string()];
    let permissions = vec!["tenant:read".to_string()];
    let signed_token = iam_service::utils::sign(
        Uuid::new_v4(),
        Uuid::new_v4(),
        roles,
        permissions,
        vec![],
        0,
    )
    .unwrap();

    // Build the verifier config from the JWKS URL of the server started above.
    // Presumably "iam-service" is the expected issuer; the `iss` assertion below is
    // consistent with that reading (verify against auth_kit).
    let jwks_url = format!("{base_url}{JWKS_PATH}");
    let verify_cfg =
        auth_kit::jwt::JwtVerifyConfig::rs256_from_jwks("iam-service", &jwks_url).unwrap();

    let verified = auth_kit::jwt::verify(&signed_token, &verify_cfg)
        .await
        .unwrap();

    // Which of the two UUIDs passed to `sign` ends up in `sub` and which in
    // `tenant_id` is not visible here, so only non-emptiness is checked.
    assert_eq!(verified.iss, "iam-service");
    assert!(!verified.sub.is_empty());
    assert!(!verified.tenant_id.is_empty());

    // Stop the background server so the task does not outlive the test body.
    server_task.abort();
}