// server/crypto/secrets.test.ts
import { describe, it, expect } from "vitest";
import { encryptSecret, decryptSecret } from "./secrets.js";

const KEY = "a".repeat(64); // 32 octets en hex

describe("secrets", () => {
  it("round-trip encrypt/decrypt restitue le texte clair", () => {
    const blob = encryptSecret("hunter2", KEY);
    expect(blob).not.toContain("hunter2");
    expect(decryptSecret(blob, KEY)).toBe("hunter2");
  });

  it("produit un blob différent à chaque chiffrement (IV aléatoire)", () => {
    expect(encryptSecret("x", KEY)).not.toBe(encryptSecret("x", KEY));
  });

  it("échoue si le blob a été altéré (tag GCM)", () => {
    const blob = encryptSecret("secret", KEY);
    const tampered = blob.slice(0, -2) + (blob.endsWith("a") ? "b" : "a");
    expect(() => decryptSecret(tampered, KEY)).toThrow();
  });
});