module4_backend_project/test-security.js

const axios = require("axios");

const BASE_URL = process.env.TEST_URL || "http://localhost:3049";

async function testSecurityFeatures() {
  console.log("🔒 Testing Security Features\n");

  try {
    // Test 1: Rate Limiting
    console.log("1. Testing Rate Limiting...");
    const promises = [];
    for (let i = 0; i < 15; i++) {
      promises.push(axios.get(`${BASE_URL}/health`));
    }

    try {
      await Promise.all(promises);
      console.log("   ❌ Rate limiting not working (all requests succeeded)");
    } catch (error) {
      if (error.response?.status === 429) {
        console.log("   ✅ Rate limiting working correctly");
      } else {
        console.log("   ❌ Unexpected error:", error.message);
      }
    }

    // Test 2: Input Validation - Invalid Event ID
    console.log("\n2. Testing Input Validation...");
    try {
      await axios.get(`${BASE_URL}/events/invalid`);
      console.log("   ❌ Invalid event ID accepted");
    } catch (error) {
      if (error.response?.status === 400) {
        console.log("   ✅ Invalid event ID properly rejected");
      } else {
        console.log("   ❌ Unexpected error:", error.message);
      }
    }

    // Test 3: Input Validation - Invalid Purchase ID
    try {
      await axios.get(`${BASE_URL}/tickets/invalid-uuid`);
      console.log("   ❌ Invalid purchase ID accepted");
    } catch (error) {
      if (error.response?.status === 400) {
        console.log("   ✅ Invalid purchase ID properly rejected");
      } else {
        console.log("   ❌ Unexpected error:", error.message);
      }
    }

    // Test 4: Security Headers
    console.log("\n3. Testing Security Headers...");
    try {
      const response = await axios.get(`${BASE_URL}/health`);
      const headers = response.headers;

      const securityHeaders = {
        "X-Content-Type-Options": headers["x-content-type-options"],
        "X-Frame-Options": headers["x-frame-options"],
        "X-XSS-Protection": headers["x-xss-protection"],
        "Strict-Transport-Security": headers["strict-transport-security"],
      };

      console.log("   Security Headers:");
      Object.entries(securityHeaders).forEach(([header, value]) => {
        if (value) {
          console.log(`     ✅ ${header}: ${value}`);
        } else {
          console.log(`     ❌ ${header}: Missing`);
        }
      });
    } catch (error) {
      console.log("   ❌ Error checking security headers:", error.message);
    }

    // Test 5: Admin Rate Limiting
    console.log("\n4. Testing Admin Rate Limiting...");
    const adminPromises = [];
    for (let i = 0; i < 25; i++) {
      adminPromises.push(axios.get(`${BASE_URL}/admin/pdf-stats`));
    }

    try {
      await Promise.all(adminPromises);
      console.log("   ❌ Admin rate limiting not working");
    } catch (error) {
      if (error.response?.status === 429) {
        console.log("   ✅ Admin rate limiting working correctly");
      } else {
        console.log("   ❌ Unexpected error:", error.message);
      }
    }

    // Test 6: Purchase Rate Limiting
    console.log("\n5. Testing Purchase Rate Limiting...");
    const purchasePromises = [];
    for (let i = 0; i < 15; i++) {
      purchasePromises.push(axios.post(`${BASE_URL}/buy/1`));
    }

    try {
      await Promise.all(purchasePromises);
      console.log("   ❌ Purchase rate limiting not working");
    } catch (error) {
      if (error.response?.status === 429) {
        console.log("   ✅ Purchase rate limiting working correctly");
      } else {
        console.log("   ❌ Unexpected error:", error.message);
      }
    }

    console.log("\n✅ Security Tests Completed!");
  } catch (error) {
    console.error("❌ Test failed:", error.message);
  }
}

// Run the security tests
testSecurityFeatures();