"""API-level validation tests for user creation (SEC-004, SEC-007)."""


def test_create_user_weak_password_rejected(client, admin_user, admin_token):
    response = client.post(
        "/api/v1/users",
        json={
            "username": "newuser",
            "password": "123",
            "email": "new@test.com",
            "role": "viewer",
        },
        headers={"Authorization": f"Bearer {admin_token}"},
    )
    assert response.status_code == 422
    assert "password" in response.text.lower()


def test_create_user_reserved_username(client, admin_user, admin_token):
    response = client.post(
        "/api/v1/users",
        json={
            "username": "system",
            "password": "SecurePass123!@#",
            "email": "sys@test.com",
            "role": "viewer",
        },
        headers={"Authorization": f"Bearer {admin_token}"},
    )
    assert response.status_code == 422


def test_create_user_invalid_username_chars(client, admin_user, admin_token):
    response = client.post(
        "/api/v1/users",
        json={
            "username": "../admin",
            "password": "SecurePass123!@#",
            "email": "bad@test.com",
            "role": "viewer",
        },
        headers={"Authorization": f"Bearer {admin_token}"},
    )
    assert response.status_code == 422


def test_create_user_valid_password_accepted(client, admin_user, admin_token):
    response = client.post(
        "/api/v1/users",
        json={
            "username": "validuser99",
            "password": "ValidPass123!@#",
            "email": "valid@test.com",
            "role": "viewer",
        },
        headers={"Authorization": f"Bearer {admin_token}"},
    )
    assert response.status_code == 201
    assert response.json()["username"] == "validuser99"