using FluentAssertions;
using foodmarket.IntegrationTests.Support;
using Xunit;

namespace foodmarket.IntegrationTests;

[Collection(ApiCollection.Name)]
public class TenantIsolationTests
{
    private readonly ApiFactory _factory;
    public TenantIsolationTests(ApiFactory factory) => _factory = factory;

    [Fact]
    public async Task Org_B_cannot_see_org_A_data()
    {
        var a = new ApiActor(_factory.CreateClient());
        var b = new ApiActor(_factory.CreateClient());
        await a.SignupAndLoginAsync($"iso-a-{Guid.NewGuid():N}");
        await b.SignupAndLoginAsync($"iso-b-{Guid.NewGuid():N}");

        var marker = $"A-CP-{Guid.NewGuid():N}";
        var createdId = await a.CreateCounterpartyAsync(marker);

        // A видит свой контрагент.
        var aList = await a.ListAsync("/api/catalog/counterparties?pageSize=200");
        aList.Should().Contain(c => c.GetProperty("id").GetString() == createdId);

        // B не видит ни id, ни имя контрагента A.
        var bList = await b.ListAsync("/api/catalog/counterparties?pageSize=200");
        bList.Should().NotContain(c => c.GetProperty("id").GetString() == createdId);
        bList.Should().NotContain(c => c.GetProperty("name").GetString() == marker);

        // B не может прочитать контрагент A напрямую по id (query-filter → 404).
        using var direct = await b.Http.GetAsync($"/api/catalog/counterparties/{createdId}");
        direct.StatusCode.Should().Be(System.Net.HttpStatusCode.NotFound);
    }
}