"""lasuite-docs — recipe-specific functional test (Phase 2 P3, ≥2 beyond parity).

The defining property of lasuite-docs as configured by the recipe is that its **backend API is
auth-protected** — OIDC tokens authorize access; anonymous requests are rejected. This test
proves the auth middleware is wired correctly: a sample backend endpoint (`/api/v1.0/users/me/`)
returns 401 Unauthorized without a token. Non-vacuous: a misconfigured backend serving anonymous
access would return 200; a broken auth middleware would return 500; a wrong route would return
404 — only a correctly-wired OIDC gate returns 401.

Distinct from the OIDC password-grant test against the keycloak dep (`test_oidc_with_keycloak`):
this proves **lasuite-docs's** own auth posture; that test proves the **SSO provider** can issue
tokens. Together they exercise both sides of the OIDC flow's plumbing.

Runs in the custom tier against the shared post-install deployment.
"""

from __future__ import annotations

import os
import sys

sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
from harness import http as harness_http  # noqa: E402


def test_users_me_requires_auth(live_app):
    """GET /api/v1.0/users/me/ without a Bearer token must return 401, not 200/404/500."""
    url = f"https://{live_app}/api/v1.0/users/me/"
    # Retry with broad acceptance: any 4xx (or specific 401) indicates the route exists + auth is
    # required. Reject 200 (anonymous access) and 5xx (broken backend).
    status, _ = harness_http.retry_http_get(url, expect_status=(401, 403), max_wait=60, interval=3)
    assert status in (401, 403), (
        f"GET {url} returned {status}, expected 401 (auth required). "
        f"200 = anonymous access leaked; 404 = route missing; 5xx = backend broken."
    )