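"""Tests for the hash_password / verify_password pair imported from ``salt``."""

import re

from salt import hash_password, verify_password


def test_hash_password_round_trip() -> None:
    """A freshly hashed password verifies; a different password does not."""
    salt, hashed = hash_password("correct horse battery staple")
    assert verify_password("correct horse battery staple", salt, hashed)
    assert not verify_password("wrong", salt, hashed)


def test_hash_password_returns_base64() -> None:
    """Both values returned by hash_password have the shape of base64 text."""
    salt, hashed = hash_password("secret")
    # Shape check only: standard alphabet plus at most two trailing '='.
    # It does not prove the strings decode, and it says nothing about the
    # salt's length or randomness.
    base64_pattern = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
    assert base64_pattern.fullmatch(salt)
    assert base64_pattern.fullmatch(hashed)


def test_verify_password_handles_invalid_base64() -> None:
    """Malformed salt/hash strings are rejected with False, not an exception."""
    # `is False` pins the exact return value, so a falsy non-bool (None, 0)
    # or a raised decode error both fail the test.
    assert verify_password("secret", "**invalid**", "???") is False


def test_hash_password_with_algorithm_parameter() -> None:
    """Verify hash_password accepts algorithm parameter."""
    salt, hashed = hash_password("test", algorithm="pbkdf2")
    assert verify_password("test", salt, hashed, algorithm="pbkdf2")
    # Negative case for the explicit-algorithm path: without it, a
    # verify_password that returned True whenever `algorithm` is supplied
    # would pass this test.
    assert not verify_password("wrong", salt, hashed, algorithm="pbkdf2")


def test_backward_compatibility_with_old_pbkdf2_hashes() -> None:
    """Verify existing PBKDF2 hashes still work without algorithm parameter."""
    # Stand-in for an old hash: created through the call form that predates
    # the algorithm parameter.
    # NOTE(review): this value is produced by the current code, so it only
    # represents a legacy hash while the default algorithm and its parameters
    # stay unchanged. A salt/hash pair captured from an earlier release and
    # pinned here as a fixture would catch a change that silently invalidates
    # stored credentials.
    salt, hashed = hash_password("legacy-password")

    # Verify using old API (no algorithm parameter)
    assert verify_password("legacy-password", salt, hashed)
    assert not verify_password("wrong", salt, hashed)

    # Verify using new API with explicit pbkdf2, accepting and rejecting
    assert verify_password("legacy-password", salt, hashed, algorithm="pbkdf2")
    assert not verify_password("wrong", salt, hashed, algorithm="pbkdf2")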