/**
 * The external lunch dish-pick page is reached by attendees with NO account, via
 * a signed token link. It MUST be in the middleware public-path allowlist, or the
 * auth middleware redirects them to /login (a dead end for accountless users).
 */
import { describe, it, expect } from 'vitest'
import { authConfig } from '@/lib/auth.config'

function authorized(pathname: string, auth: unknown) {
  const fn = authConfig.callbacks!.authorized!
  return fn({
    auth: auth as never,
    request: { nextUrl: new URL(`http://localhost${pathname}`) } as never,
  } as never)
}

describe('middleware public paths', () => {
  it('allows the external lunch pick page without a session', () => {
    expect(authorized('/lunch/pick/some.signed.token', null)).toBe(true)
  })

  it('blocks a protected page without a session', () => {
    expect(authorized('/admin/logistics', null)).toBe(false)
  })
})