def test_login_success(client):
    response = client.post("/api/auth/login", json={"username": "admin", "password": "123456"})

    assert response.status_code == 200
    body = response.json()
    assert body["token"]
    assert body["token_type"] == "bearer"
    assert body["username"] == "admin"
    assert body["user"]["username"] == "admin"


def test_login_rejects_invalid_credentials(client):
    response = client.post("/api/auth/login", json={"username": "admin", "password": "wrong"})

    assert response.status_code == 401
    assert response.json()["detail"] == "Invalid credentials"


def test_me_returns_current_user(client):
    response = client.get("/api/auth/me")

    assert response.status_code == 200
    assert response.json()["username"] == "admin"


def test_business_routes_require_auth(app):
    from fastapi.testclient import TestClient

    with TestClient(app) as unauthenticated:
        response = unauthenticated.get("/api/projects")

    assert response.status_code == 401