import { describe, expect, it } from "vitest";
import { permissions } from "@mrp/shared";
import { requirePermissions } from "../src/lib/rbac.js";

/**
 * Unit test for the `requirePermissions` middleware factory.
 *
 * NOTE(review): only the grant path is exercised in this file. A companion
 * case asserting that `next` is NOT invoked when a required permission is
 * absent would catch a fail-open regression; confirm whether one exists
 * elsewhere in the suite.
 */
describe("rbac", () => {
  it("allows requests with all required permissions", () => {
    // Guard under test: requires exactly one permission, companyRead.
    const guard = requirePermissions([permissions.companyRead]);

    // Minimal request stub carrying an authenticated user whose permission
    // list contains the required permission.
    // NOTE(review): the user also carries the "Administrator" role. This file
    // does not show whether the middleware consults roles, so this case alone
    // cannot tell a permission-based grant from a role-based one.
    const req = {
      authUser: {
        id: "1",
        email: "admin@example.com",
        firstName: "Admin",
        lastName: "User",
        roles: ["Administrator"],
        permissions: [permissions.companyRead],
      },
    };

    // Chainable response stub: status() returns the stub itself and json()
    // echoes its argument. Nothing is asserted on it in this case.
    const res = {
      status: () => res,
      json: (body: unknown) => body,
    };

    // Record whether the middleware hands control to the next handler.
    let nextCalled = false;
    const next = () => {
      nextCalled = true;
    };

    // `as never` bypasses type checking of the stubs against the middleware's
    // parameter types; the stubs are not verified to match the real shapes.
    guard(req as never, res as never, next);

    expect(nextCalled).toBe(true);
  });
});