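import base64

import pytest


def test_encrypt_decrypt_roundtrip():
    """Check that decrypt_data recovers exactly what encrypt_data was given."""
    from app.security import encrypt_data, decrypt_data

    original = b"sensitive-secret-data"
    # Fixed 32-byte key used only by this test, passed base64-encoded as str.
    key = base64.b64encode(b'12345678901234567890123456789012').decode()

    encrypted = encrypt_data(original, key)
    assert encrypted != original
    assert isinstance(encrypted, bytes)
    assert len(encrypted) > len(original)  # nonce + ciphertext + tag

    decrypted = decrypt_data(encrypted, key)
    assert decrypted == original
    # NOTE(review): only the happy path is pinned here. A case that alters a
    # byte of `encrypted`, and one that decrypts with a different key, would
    # cover the integrity check; how decrypt_data signals failure is not
    # visible from this file, so those cases are not added here.


def test_verify_api_token_success(test_env_vars):
    """Check that the configured token is accepted with the Bearer scheme."""
    from app.security import verify_api_token

    assert verify_api_token("Bearer test-token") is True


def test_verify_api_token_failure(test_env_vars):
    """Check that a wrong token, a missing header and a non-Bearer scheme
    are all rejected."""
    from app.security import verify_api_token

    # test_env_vars is requested so that rejection is checked under the same
    # configuration in which "Bearer test-token" is accepted. Without it these
    # asserts could also pass merely because no token is configured at all
    # (presumably the fixture sets the expected token; confirm in conftest).
    assert verify_api_token("Bearer wrong-token") is False
    assert verify_api_token(None) is False
    assert verify_api_token("Basic token") is False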