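import time

from app.rate_limit import TokenBucket
from conftest import admin_login  # noqa: F401 -- imported here but not used in this file


def test_token_bucket_allows_then_denies_then_refills():
    """Exhaust a per-key bucket and check that keys are isolated.

    Despite the name, the refill path is not exercised here: the test only
    checks that ``capacity`` takes succeed, the next one is denied, and a
    second key gets its own bucket. A refill check would need control over
    the bucket's clock; none is visible in this file.
    """
    # refill_per_minute=60 is 1 token/sec, so the denial below is only
    # guaranteed while less than one refill interval has elapsed since the
    # first take. Track wall-clock time so a slow run fails with a clear
    # message instead of a mysterious True.
    bucket = TokenBucket(capacity=3, refill_per_minute=60)
    started = time.monotonic()

    # capacity=3: three takes drain a full bucket
    for _ in range(3):
        assert bucket.take("ip1") is True

    elapsed = time.monotonic() - started
    assert bucket.take("ip1") is False, (
        f"bucket should be exhausted; {elapsed:.3f}s elapsed since first take "
        "(>= 1s would have allowed a refill at 60/min)"
    )

    # Keys are independent: exhausting ip1 must not affect ip2.
    assert bucket.take("ip2") is True


def test_admin_login_rate_limits_after_burst(client):
    """Admin login is throttled per IP after the configured burst.

    Relies on the default config of 10 attempts/min/IP (the eleventh
    attempt must return 429). The burst is spent on wrong passwords so the
    test does not depend on the real password being unknown.

    Args:
        client: test HTTP client fixture (assumed to present a single,
            stable client IP to the limiter -- confirm in conftest).
    """
    burst = 10  # default attempts/min/IP -- keep in sync with app config

    for attempt in range(burst):
        response = client.post("/admin/login", json={"password": "wrong"})
        assert response.status_code == 401, f"attempt {attempt + 1} should be rejected, not throttled"

    # Eleventh attempt: bucket is empty, limiter answers before auth runs.
    response = client.post("/admin/login", json={"password": "wrong"})
    assert response.status_code == 429

    # A correct password must also be throttled until the bucket refills;
    # otherwise the 429/401 split would reveal whether a guess was right.
    # NOTE(review): assumes "admin-pass" is the password configured for the
    # test client fixture -- verify against conftest.
    response = client.post("/admin/login", json={"password": "admin-pass"})
    assert response.status_code == 429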