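import { describe, expect, it } from "vitest";
import { isAllowedPushEndpoint } from "./pushEndpoint";

describe("isAllowedPushEndpoint", () => {
  // Behaviour gate: real subscriptions minted by the browser must keep working.
  it("allows genuine vendor push endpoints", () => {
    expect(
      isAllowedPushEndpoint("https://fcm.googleapis.com/fcm/send/abc123"),
    ).toBe(true);
    expect(
      isAllowedPushEndpoint(
        "https://updates.push.services.mozilla.com/wpush/v2/abc",
      ),
    ).toBe(true);
    expect(isAllowedPushEndpoint("https://web.push.apple.com/QABC/def")).toBe(
      true,
    );
    expect(
      isAllowedPushEndpoint("https://db5p.notify.windows.com/w/?token=abc"),
    ).toBe(true);
  });

  // The fix: arbitrary / internal / non-https endpoints must not be reachable.
  it("blocks SSRF and non-vendor endpoints", () => {
    expect(isAllowedPushEndpoint("http://fcm.googleapis.com/fcm/send/x")).toBe(
      false,
    ); // not https
    expect(isAllowedPushEndpoint("https://evil.example.com/collect")).toBe(
      false,
    );
    expect(
      isAllowedPushEndpoint("http://169.254.169.254/latest/meta-data"),
    ).toBe(false); // cloud metadata
    expect(isAllowedPushEndpoint("http://localhost:8080/internal")).toBe(false);
    expect(isAllowedPushEndpoint("https://127.0.0.1/internal")).toBe(false);
    expect(isAllowedPushEndpoint("http://10.0.0.5/admin")).toBe(false);
  });

  // The http:// internal-host cases above are already rejected by the scheme
  // check alone, so on their own they prove nothing about the host allowlist.
  // Repeat them over https so the hostname gate is exercised independently:
  // a non-vendor host must be refused even when the scheme is acceptable.
  it("blocks internal hosts even over https", () => {
    const internalOverHttps = [
      "https://169.254.169.254/latest/meta-data", // cloud metadata
      "https://localhost:8080/internal",
      "https://10.0.0.5/admin",
    ];
    for (const endpoint of internalOverHttps) {
      expect(isAllowedPushEndpoint(endpoint)).toBe(false);
    }
  });

  // Host matching must be exact: neither a vendor host used as a subdomain of
  // an attacker domain nor a vendor host with a prefix glued on may pass, and
  // unparseable input must be refused rather than throw.
  it("rejects look-alike hostnames", () => {
    expect(isAllowedPushEndpoint("https://fcm.googleapis.com.evil.com/x")).toBe(
      false,
    );
    expect(isAllowedPushEndpoint("https://notfcm.googleapis.com/x")).toBe(
      false,
    );
    expect(isAllowedPushEndpoint("not a url")).toBe(false);
    expect(isAllowedPushEndpoint("")).toBe(false);
  });
});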