//go:build integration
// +build integration

package integration

import (
	"net/http"
	"testing"
)

func TestIntegration_Candidates(t *testing.T) {
	client := newTestClient()
	companyID, userID := setupTestCompanyAndUser(t)
	defer cleanupTestData()

	t.Run("List Candidates - Unauthorized", func(t *testing.T) {
		client.setAuthToken("")
		resp, err := client.get("/api/v1/candidates")
		if err != nil {
			t.Fatalf("Request failed: %v", err)
		}
		defer resp.Body.Close()

		if resp.StatusCode != http.StatusUnauthorized {
			t.Errorf("Expected 401, got %d", resp.StatusCode)
		}
	})

	t.Run("List Candidates - As Admin", func(t *testing.T) {
		token := createAuthToken(t, userID, companyID, []string{"admin"})
		client.setAuthToken(token)

		resp, err := client.get("/api/v1/candidates")
		if err != nil {
			t.Fatalf("Request failed: %v", err)
		}
		defer resp.Body.Close()

		if resp.StatusCode != http.StatusOK {
			t.Errorf("Expected 200, got %d", resp.StatusCode)
		}
	})

	t.Run("List Candidates - As Candidate (Forbidden)", func(t *testing.T) {
		candID := createTestCandidate(t)
		token := createAuthToken(t, candID, companyID, []string{"candidate"})
		client.setAuthToken(token)

		resp, err := client.get("/api/v1/candidates")
		if err != nil {
			t.Fatalf("Request failed: %v", err)
		}
		defer resp.Body.Close()

		// Candidates shouldn't mock list all candidates
		if resp.StatusCode != http.StatusForbidden {
			t.Errorf("Expected 403, got %d", resp.StatusCode)
		}
	})
}