sure/test/controllers/brex_items_controller_test.rb

# frozen_string_literal: true

require "test_helper"

class BrexItemsControllerTest < ActionDispatch::IntegrationTest
  setup do
    sign_in users(:family_admin)
    SyncJob.stubs(:perform_later)

    @family = families(:dylan_family)
    clear_brex_cache_entries
    @existing_item = brex_items(:one)
    @second_item = BrexItem.create!(
      family: @family,
      name: "Business Brex",
      token: "second_brex_token",
      base_url: "https://api.brex.com"
    )
  end

  teardown do
    clear_brex_cache_entries
  end

  test "create adds a new brex connection without overwriting existing credentials" do
    existing_token = @existing_item.token

    assert_difference "BrexItem.count", 1 do
      post brex_items_url, params: {
        brex_item: {
          name: "Joint Brex",
          token: "joint_brex_token",
          base_url: "https://api.brex.com"
        }
      }
    end

    assert_redirected_to accounts_path
    assert_equal existing_token, @existing_item.reload.token
    assert_equal "joint_brex_token", @family.brex_items.find_by!(name: "Joint Brex").token
  end

  test "create uses localized default name when submitted name is blank" do
    assert_difference "BrexItem.count", 1 do
      post brex_items_url, params: {
        brex_item: {
          name: "  ",
          token: "default_name_token",
          base_url: "https://api.brex.com"
        }
      }
    end

    assert_redirected_to accounts_path
    assert_equal I18n.t("brex_items.default_connection_name"), @family.brex_items.order(:created_at).last.name
  end

  test "update changes only the selected brex connection" do
    existing_token = @existing_item.token

    patch brex_item_url(@second_item), params: {
      brex_item: {
        name: "Renamed Business Brex",
        token: "updated_second_token",
        base_url: "https://api-staging.brex.com"
      }
    }

    assert_redirected_to accounts_path
    assert_equal existing_token, @existing_item.reload.token
    assert_equal "Renamed Business Brex", @second_item.reload.name
    assert_equal "updated_second_token", @second_item.token
    assert_equal "https://api-staging.brex.com", @second_item.base_url
  end

  test "update rejects arbitrary brex base url" do
    patch brex_item_url(@second_item), params: {
      brex_item: {
        name: "Renamed Business Brex",
        token: "updated_second_token",
        base_url: "https://evil.example.test"
      }
    }

    assert_redirected_to settings_providers_path
    assert_includes flash[:alert], "https://api.brex.com"
    assert_equal "https://api.brex.com", @second_item.reload.base_url
    assert_equal "second_brex_token", @second_item.token
  end

  test "blank token update preserves the selected brex token" do
    original_token = @second_item.token

    patch brex_item_url(@second_item), params: {
      brex_item: {
        name: "Renamed Business Brex",
        token: "",
        base_url: "https://api.brex.com"
      }
    }

    assert_redirected_to accounts_path
    assert_equal "Renamed Business Brex", @second_item.reload.name
    assert_equal original_token, @second_item.token
  end

  test "update expires selected brex account cache when credentials change" do
    Rails.cache.expects(:delete).with(brex_cache_key(@existing_item)).never
    Rails.cache.expects(:delete).with(brex_cache_key(@second_item)).once

    patch brex_item_url(@second_item), params: {
      brex_item: {
        name: "Renamed Business Brex",
        token: "updated_second_token",
        base_url: "https://api-staging.brex.com"
      }
    }

    assert_redirected_to accounts_path
  end

  test "update does not expire selected brex account cache for name-only changes" do
    Rails.cache.expects(:delete).never

    patch brex_item_url(@second_item), params: {
      brex_item: {
        name: "Renamed Business Brex"
      }
    }

    assert_redirected_to accounts_path
    assert_equal "Renamed Business Brex", @second_item.reload.name
  end

  test "preload accounts uses selected brex item cache key" do
    Rails.cache.expects(:read).with(brex_cache_key(@second_item)).returns(nil)
    Rails.cache.expects(:write).with(brex_cache_key(@second_item), brex_accounts_payload, expires_in: 5.minutes)

    provider = mock("brex_provider")
    provider.expects(:get_accounts).returns(accounts: brex_accounts_payload)
    Provider::Brex.expects(:new)
      .with(@second_item.token, base_url: @second_item.effective_base_url)
      .returns(provider)

    get preload_accounts_brex_items_url, params: { brex_item_id: @second_item.id }, as: :json

    assert_response :success
    response = JSON.parse(@response.body)
    assert_equal true, response["success"]
    assert_equal true, response["has_accounts"]
  end

  test "select accounts requires an explicit connection when multiple brex items exist" do
    get select_accounts_brex_items_url, params: { accountable_type: "Depository" }

    assert_redirected_to settings_providers_path
    assert_equal I18n.t("brex_items.select_accounts.select_connection"), flash[:alert]
  end

  test "select accounts renders the selected brex item id" do
    Rails.cache.expects(:read).with(brex_cache_key(@second_item)).returns(nil)
    Rails.cache.expects(:write).with(brex_cache_key(@second_item), brex_accounts_payload, expires_in: 5.minutes)

    provider = mock("brex_provider")
    provider.expects(:get_accounts).returns(accounts: brex_accounts_payload)
    Provider::Brex.expects(:new)
      .with(@second_item.token, base_url: @second_item.effective_base_url)
      .returns(provider)

    get select_accounts_brex_items_url, params: {
      brex_item_id: @second_item.id,
      accountable_type: "Depository"
    }

    assert_response :success
    assert_includes @response.body, %(name="brex_item_id")
    assert_includes @response.body, %(value="#{@second_item.id}")
  end

  test "select accounts rejects protocol relative return paths" do
    Rails.cache.expects(:read).with(brex_cache_key(@second_item)).returns(brex_accounts_payload)

    get select_accounts_brex_items_url, params: {
      brex_item_id: @second_item.id,
      accountable_type: "Depository",
      return_to: "//evil.example/accounts"
    }

    assert_response :success
    refute_includes @response.body, "//evil.example/accounts"
  end

  test "select accounts rejects backslash and unsafe local return paths" do
    [
      "/\\evil.example/accounts",
      "/%2fevil.example/accounts",
      "/%2Fevil.example/accounts",
      "/%5cevil.example/accounts",
      "/%5Cevil.example/accounts",
      "/\naccounts",
      "/ accounts",
      "/"
    ].each do |return_to|
      Rails.cache.expects(:read).with(brex_cache_key(@second_item)).returns(brex_accounts_payload)

      get select_accounts_brex_items_url, params: {
        brex_item_id: @second_item.id,
        accountable_type: "Depository",
        return_to: return_to
      }

      assert_response :success
      assert_select %(input[name="return_to"]) do |fields|
        assert fields.first["value"].blank?
      end
    end
  end

  test "select existing account rejects unsafe return paths" do
    account = @family.accounts.create!(
      name: "Manual Checking",
      balance: 0,
      currency: "USD",
      accountable: Depository.new
    )

    [
      "//evil.example/accounts",
      "\\evil.example/accounts",
      "/\\evil.example/accounts",
      "/%2fevil.example/accounts",
      "/%2Fevil.example/accounts",
      "/%5cevil.example/accounts",
      "/%5Cevil.example/accounts",
      "/\naccounts",
      "/ accounts",
      "   ",
      "/"
    ].each do |return_to|
      Rails.cache.expects(:read).with(brex_cache_key(@second_item)).returns(brex_accounts_payload)

      get select_existing_account_brex_items_url, params: {
        brex_item_id: @second_item.id,
        account_id: account.id,
        return_to: return_to
      }

      assert_response :success
      assert_select %(input[name="return_to"]) do |fields|
        assert fields.first["value"].blank?
      end
    end
  end

  test "select existing account preserves safe local return path" do
    account = @family.accounts.create!(
      name: "Manual Checking",
      balance: 0,
      currency: "USD",
      accountable: Depository.new
    )
    return_to = "/accounts?tab=manual"

    Rails.cache.expects(:read).with(brex_cache_key(@second_item)).returns(brex_accounts_payload)

    get select_existing_account_brex_items_url, params: {
      brex_item_id: @second_item.id,
      account_id: account.id,
      return_to: return_to
    }

    assert_response :success
    assert_select %(input[name="return_to"][value="#{return_to}"])
  end

  test "select existing account redirects when account id is invalid" do
    get select_existing_account_brex_items_url, params: {
      brex_item_id: @second_item.id,
      account_id: SecureRandom.uuid
    }

    assert_redirected_to accounts_path
    assert_equal I18n.t("brex_items.select_existing_account.no_account_specified"), flash[:alert]
  end

  test "select existing account renders the selected brex item id" do
    account = @family.accounts.create!(
      name: "Manual Checking",
      balance: 0,
      currency: "USD",
      accountable: Depository.new
    )

    Rails.cache.expects(:read).with(brex_cache_key(@second_item)).returns(nil)
    Rails.cache.expects(:write).with(brex_cache_key(@second_item), brex_accounts_payload, expires_in: 5.minutes)

    provider = mock("brex_provider")
    provider.expects(:get_accounts).returns(accounts: brex_accounts_payload)
    Provider::Brex.expects(:new)
      .with(@second_item.token, base_url: @second_item.effective_base_url)
      .returns(provider)

    get select_existing_account_brex_items_url, params: {
      brex_item_id: @second_item.id,
      account_id: account.id
    }

    assert_response :success
    assert_includes @response.body, %(name="brex_item_id")
    assert_includes @response.body, %(value="#{@second_item.id}")
  end

  test "link accounts uses selected brex item and allows duplicate upstream ids across items" do
    @existing_item.brex_accounts.create!(
      account_id: "shared_brex_account",
      name: "Shared Checking",
      currency: "USD",
      current_balance: 1000
    )

    provider = mock("brex_provider")
    provider.expects(:get_accounts).returns(accounts: brex_accounts_payload)
    Provider::Brex.expects(:new)
      .with(@second_item.token, base_url: @second_item.effective_base_url)
      .returns(provider)

    assert_difference -> { @second_item.brex_accounts.where(account_id: "shared_brex_account").count }, 1 do
      assert_difference "AccountProvider.count", 1 do
        post link_accounts_brex_items_url, params: {
          brex_item_id: @second_item.id,
          account_ids: [ "shared_brex_account" ],
          accountable_type: "Depository"
        }
      end
    end

    assert_redirected_to accounts_path
    assert_equal 1, @existing_item.brex_accounts.where(account_id: "shared_brex_account").count
  end

  test "link accounts does not silently use the first connection when multiple items exist" do
    assert_no_difference "BrexAccount.count" do
      assert_no_difference "Account.count" do
        post link_accounts_brex_items_url, params: {
          account_ids: [ "shared_brex_account" ],
          accountable_type: "Depository"
        }
      end
    end

    assert_redirected_to settings_providers_path
    assert_equal I18n.t("brex_items.link_accounts.select_connection"), flash[:alert]
  end

  test "link existing account does not silently use the first connection when multiple items exist" do
    account = @family.accounts.create!(
      name: "Manual Checking",
      balance: 0,
      currency: "USD",
      accountable: Depository.new
    )

    assert_no_difference "BrexAccount.count" do
      assert_no_difference "AccountProvider.count" do
        post link_existing_account_brex_items_url, params: {
          account_id: account.id,
          brex_account_id: "shared_brex_account"
        }
      end
    end

    assert_redirected_to settings_providers_path
    assert_equal I18n.t("brex_items.link_existing_account.select_connection"), flash[:alert]
  end

  test "link existing account requires account id" do
    assert_no_difference "AccountProvider.count" do
      post link_existing_account_brex_items_url, params: {
        brex_item_id: @second_item.id,
        brex_account_id: "shared_brex_account"
      }
    end

    assert_redirected_to accounts_path
    assert_equal I18n.t("brex_items.link_existing_account.no_account_specified"), flash[:alert]
  end

  test "link existing account redirects when account id is invalid" do
    assert_no_difference "AccountProvider.count" do
      post link_existing_account_brex_items_url, params: {
        brex_item_id: @second_item.id,
        account_id: SecureRandom.uuid,
        brex_account_id: "shared_brex_account"
      }
    end

    assert_redirected_to accounts_path
    assert_equal I18n.t("brex_items.link_existing_account.no_account_specified"), flash[:alert]
  end

  test "sync only queues a sync for the selected brex item" do
    assert_difference -> { Sync.where(syncable: @second_item).count }, 1 do
      assert_no_difference -> { Sync.where(syncable: @existing_item).count } do
        post sync_brex_item_url(@second_item)
      end
    end

    assert_response :redirect
  end

  test "complete account setup ignores unsupported account type and subtype params" do
    valid_brex_account = @second_item.brex_accounts.create!(
      account_id: "setup_valid",
      account_kind: "cash",
      name: "Setup Valid",
      currency: "USD",
      current_balance: 100
    )
    unsupported_brex_account = @second_item.brex_accounts.create!(
      account_id: "setup_unsupported",
      account_kind: "cash",
      name: "Setup Unsupported",
      currency: "USD",
      current_balance: 100
    )

    assert_difference "AccountProvider.count", 1 do
      post complete_account_setup_brex_item_url(@second_item), params: {
        account_types: {
          valid_brex_account.id => "Depository",
          unsupported_brex_account.id => "Investment",
          "not-a-brex-account" => "Depository"
        },
        account_subtypes: {
          valid_brex_account.id => "savings",
          unsupported_brex_account.id => "brokerage",
          "not-a-brex-account" => "checking"
        }
      }
    end

    assert_redirected_to accounts_path
    assert_equal "savings", valid_brex_account.reload.account.accountable.subtype
    assert_nil unsupported_brex_account.reload.account_provider
    assert_match(/skipped/i, flash[:notice])
  end

  test "complete account setup treats scalar setup params as empty" do
    assert_no_difference "AccountProvider.count" do
      post complete_account_setup_brex_item_url(@second_item), params: {
        account_types: "not-a-hash",
        account_subtypes: "also-not-a-hash"
      }
    end

    assert_redirected_to accounts_path
    assert_equal I18n.t("brex_items.complete_account_setup.no_accounts"), flash[:alert]
  end

  private

    def brex_accounts_payload
      [
        {
          id: "shared_brex_account",
          name: "Shared Checking",
          account_kind: "cash",
          status: "active",
          current_balance: { amount: 100_000, currency: "USD" },
          available_balance: { amount: 95_000, currency: "USD" }
        }
      ]
    end

    def brex_cache_key(brex_item)
      BrexItem::AccountFlow.cache_key(@family, brex_item)
    end

    def clear_brex_cache_entries
      return unless defined?(@family) && @family.present?
      return unless Rails.cache.respond_to?(:delete_matched)

      Rails.cache.delete_matched("brex_accounts_#{@family.id}_*")
    rescue NotImplementedError
      # Some test cache stores do not implement delete_matched; tests that depend
      # on cache state stub exact Brex cache keys instead of relying on globals.
    end
end