from app.core.config import Settings
from app.core.security import hash_password, hash_token, verify_password


def test_password_hash_roundtrip() -> None:
    password_hash = hash_password("a-very-long-password")
    assert password_hash != "a-very-long-password"
    assert verify_password("a-very-long-password", password_hash)
    assert not verify_password("wrong-password", password_hash)


def test_tokens_are_hashed() -> None:
    assert hash_token("secret") == hash_token("secret")
    assert hash_token("secret") != "secret"


def test_cors_origins_accept_comma_separated_env(monkeypatch) -> None:
    monkeypatch.setenv("JWT_SECRET_KEY", "test-jwt-secret")
    monkeypatch.setenv("SETTINGS_SECRET_KEY", "test-settings-secret")
    monkeypatch.setenv("CORS_ORIGINS", "http://localhost,http://localhost:5173")

    settings = Settings()

    assert settings.cors_origins == ["http://localhost", "http://localhost:5173"]