"""Security regression tests for l4d2web: CSRF enforcement and login rate limiting."""

import pytest

from l4d2web.app import create_app
from l4d2web.auth import hash_password
from l4d2web.db import init_db, session_scope
from l4d2web.models import User


@pytest.fixture
def client(tmp_path, monkeypatch):
    """Return a test client backed by a per-test SQLite database.

    The database file lives under pytest's ``tmp_path``. Its URL is exported
    through the ``DATABASE_URL`` environment variable and also passed in the
    app config. One non-admin user, ``alice``, is stored with a hashed password.
    """
    db_file = tmp_path / "security.db"
    database_url = f"sqlite:///{db_file}"
    monkeypatch.setenv("DATABASE_URL", database_url)

    # "test" is a fixed, test-only SECRET_KEY; it must never be a deployment value.
    settings = {"TESTING": True, "DATABASE_URL": database_url, "SECRET_KEY": "test"}
    app = create_app(settings)
    init_db()

    with session_scope() as db_session:
        # Store only the digest produced by hash_password, never the plaintext.
        digest = hash_password("secret")
        db_session.add(User(username="alice", password_digest=digest, admin=False))

    return app.test_client()


def test_csrf_required(client) -> None:
    """A state-changing POST that carries no CSRF token is answered with 400."""
    # NOTE(review): the client is also not logged in and only the status code
    # is checked, so a 400 raised for another reason would pass as well.
    # Confirm the CSRF check runs ahead of authentication, and consider an
    # authenticated variant of this request.
    reply = client.post("/servers", data={"name": "x"})
    assert reply.status_code == 400


def test_login_rate_limit(client) -> None:
    """After 20 failed logins the next attempt is answered with 429."""

    def failed_login():
        # Fresh form data per request, for a username that was never seeded.
        return client.post("/login", data={"username": "x", "password": "y"})

    # NOTE(review): only the 21st response is inspected, so the exact threshold
    # is not pinned, and an endpoint that always answered 429 would pass too.
    # The limiter key (client address, username, or both) is not visible here;
    # throttling for the seeded account "alice" is not exercised.
    for _attempt in range(20):
        failed_login()

    final_reply = failed_login()
    assert final_reply.status_code == 429