import { EncryptionService } from '../src/vault/encryption.service';

describe('EncryptionService', () => {
  let service: EncryptionService;

  beforeEach(() => {
    // 32-byte key as 64-char hex string
    process.env.ENCRYPTION_KEY = 'a'.repeat(64);
    service = new EncryptionService();
  });

  it('encrypts and decrypts a string', () => {
    const plaintext = 'my-secret-password';
    const encrypted = service.encrypt(plaintext);
    expect(encrypted).not.toEqual(plaintext);
    expect(encrypted.startsWith('v1:')).toBe(true);
    expect(service.decrypt(encrypted)).toEqual(plaintext);
  });

  it('produces different ciphertext for same plaintext (random IV)', () => {
    const plaintext = 'same-input';
    const a = service.encrypt(plaintext);
    const b = service.encrypt(plaintext);
    expect(a).not.toEqual(b);
    expect(service.decrypt(a)).toEqual(plaintext);
    expect(service.decrypt(b)).toEqual(plaintext);
  });

  it('throws on tampered ciphertext', () => {
    const encrypted = service.encrypt('test');
    const parts = encrypted.split(':');
    parts[3] = 'ff' + parts[3].slice(2); // tamper ciphertext
    expect(() => service.decrypt(parts.join(':'))).toThrow();
  });

  it('handles empty string', () => {
    const encrypted = service.encrypt('');
    expect(service.decrypt(encrypted)).toEqual('');
  });

  it('handles unicode', () => {
    const plaintext = 'p@$$w0rd-日本語-🔑';
    const encrypted = service.encrypt(plaintext);
    expect(service.decrypt(encrypted)).toEqual(plaintext);
  });
});