"""Tenant isolation tests."""
import pytest
from httpx import AsyncClient


@pytest.mark.asyncio
async def test_get_my_tenant(client: AsyncClient, auth_headers, test_account):
    response = await client.get("/api/v1/tenants/me", headers=auth_headers)
    assert response.status_code == 200
    data = response.json()
    assert data["success"] is True
    assert data["data"]["subdomain"] == "testcemetery"


@pytest.mark.asyncio
async def test_tenant_isolation(client: AsyncClient, db_session):
    """Verify two tenants cannot see each other's data."""
    from src.apps.tenants.models.account import Account
    from src.apps.auth.models.user import User
    from src.core.security import hash_password, create_access_token, build_token_payload

    # Tenant A
    tenant_a = Account(
        organization_name="Cemetery A",
        subdomain="cemetery-a",
        contact_email="a@cemetery.com",
        plan="starter",
        status="active",
    )
    # Tenant B
    tenant_b = Account(
        organization_name="Cemetery B",
        subdomain="cemetery-b",
        contact_email="b@cemetery.com",
        plan="starter",
        status="active",
    )
    db_session.add_all([tenant_a, tenant_b])
    await db_session.flush()

    user_a = User(
        tenant_id=tenant_a.id,
        email="admin@cemetery-a.com",
        password_hash=hash_password("Password123"),
        first_name="Admin",
        last_name="A",
        role="administrator",
        status="active",
    )
    db_session.add(user_a)
    await db_session.flush()

    token_a = create_access_token(build_token_payload(user_a, tenant_a))
    headers_a = {"Authorization": f"Bearer {token_a}"}

    # User A should only see their own tenant
    resp = await client.get("/api/v1/tenants/me", headers=headers_a)
    assert resp.status_code == 200
    assert resp.json()["data"]["subdomain"] == "cemetery-a"