"""bluesky-pds — recipe-specific functional test (Phase 2 P3).

GETs the atproto session endpoint `/xrpc/com.atproto.server.getSession` WITHOUT an auth header.
Asserts the PDS responds with 401 Unauthorized — proves the auth subsystem is wired correctly:
- 200 = anonymous access leaked (would be a security bug).
- 401 = correctly enforced.
- 404 = route missing (PDS misconfigured).
- 5xx = backend broken.

Distinguishes "the atproto XRPC server is alive AND its auth contract is enforced" from generic
HTTP 200 health. Non-vacuous: each non-401 status indicates a different class of defect.
"""

from __future__ import annotations

import os
import sys

sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
from harness import http as harness_http  # noqa: E402


def test_get_session_requires_auth(live_app):
    """GET /xrpc/com.atproto.server.getSession (no token) → 401."""
    url = f"https://{live_app}/xrpc/com.atproto.server.getSession"
    status, body = harness_http.retry_http_get(url, expect_status=401, max_wait=60, interval=3)
    assert status == 401, (
        f"GET {url} returned {status}, expected 401 (auth required). "
        f"200 = anonymous leak; 404 = route missing; 5xx = backend broken. "
        f"body: {body!r}"
    )
    # The XRPC error envelope is JSON with an `error` field per the atproto spec.
    assert isinstance(body, dict) and body.get("error"), (
        f"expected XRPC JSON error envelope; got: {body!r}"
    )