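import { describe, it, expect } from 'vitest';
import { createApp } from '../src/app';

// Origin the tests below expect the API's CORS policy to allow.
const ORIGIN = 'http://localhost:5173';

// Constructed sample value: an origin that is not the SPA origin, used only
// to check that the policy does not hand out access to arbitrary callers.
const UNTRUSTED_ORIGIN = 'http://untrusted.example';

/**
 * CORS behaviour of the app returned by createApp().
 *
 * Each test builds a fresh app and drives it in-process through
 * app.request(), so no network listener is involved.
 */
describe('cors', () => {
  it('answers a CORS preflight for the SPA origin', async () => {
    const app = createApp();
    const res = await app.request('/api/activities', {
      method: 'OPTIONS',
      headers: {
        Origin: ORIGIN,
        'Access-Control-Request-Method': 'GET',
      },
    });

    // Exact match: the response must name the SPA origin itself, which also
    // rules out a wildcard ('*') answer for this request.
    expect(res.headers.get('access-control-allow-origin')).toBe(ORIGIN);

    const allowMethods = res.headers.get('access-control-allow-methods') ?? '';
    expect(allowMethods).toContain('GET');
  });

  it('exposes set-auth-token to the SPA origin', async () => {
    const app = createApp();
    const res = await app.request('/api/activities', {
      headers: { Origin: ORIGIN },
    });

    // Browser scripts can only read a non-safelisted response header when it
    // is listed in Access-Control-Expose-Headers; header names are
    // case-insensitive, hence the lower-casing before the comparison.
    // NOTE(review): set-auth-token presumably carries a credential, so the
    // set of origins it is exposed to matters — confirm against src/app.
    const expose = (res.headers.get('access-control-expose-headers') ?? '').toLowerCase();
    expect(expose).toContain('set-auth-token');
  });

  it('does not grant CORS access to an origin outside the allowlist', async () => {
    // Without this negative case, a policy that reflects whatever Origin the
    // caller sends would still pass the two positive tests above.
    // NOTE(review): assumes the policy in src/app is an allowlist containing
    // ORIGIN and not UNTRUSTED_ORIGIN — confirm against the app config.
    const app = createApp();
    const res = await app.request('/api/activities', {
      method: 'OPTIONS',
      headers: {
        Origin: UNTRUSTED_ORIGIN,
        'Access-Control-Request-Method': 'GET',
      },
    });

    const allowOrigin = res.headers.get('access-control-allow-origin');
    expect(allowOrigin).not.toBe(UNTRUSTED_ORIGIN);
    expect(allowOrigin).not.toBe('*');
  });
});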