#!/bin/bash
# Test script for the unified WhatsApp webhook
# Usage: ./scripts/test-webhook.sh [port]

PORT=${1:-9001}
BASE_URL="http://localhost:${PORT}"
APP_SECRET="9f2c29491cd6f8cd81aa6672c7ad91fc"

echo "=== WhatsApp Webhook Test Suite ==="
echo "Target: ${BASE_URL}"
echo ""

# Helper: sign payload and POST
send_webhook() {
  local payload="$1"
  local desc="$2"

  # Generate HMAC-SHA256 signature
  local signature="sha256=$(echo -n "$payload" | openssl dgst -sha256 -hmac "$APP_SECRET" | awk '{print $2}')"

  echo "--- Test: $desc ---"
  local response
  response=$(curl -s -w "\n%{http_code}" -X POST "${BASE_URL}/api/integrations/whatsapp/webhook" \
    -H "Content-Type: application/json" \
    -H "x-hub-signature-256: ${signature}" \
    -d "$payload" 2>/dev/null)

  local body=$(echo "$response" | head -n -1)
  local code=$(echo "$response" | tail -1)
  echo "HTTP $code: $body"
  echo ""
}

# ── Test 1: GET verification (should 403 with wrong token) ──
echo "--- Test 1: GET verification (invalid token) ---"
curl -s "${BASE_URL}/api/integrations/whatsapp/webhook?hub.mode=subscribe&hub.verify_token=wrong&hub.challenge=test123" -w "\nHTTP %{http_code}\n" 2>/dev/null
echo ""

# ── Test 2: POST without signature (should 403) ──
echo "--- Test 2: POST without signature ---"
curl -s -X POST "${BASE_URL}/api/integrations/whatsapp/webhook" \
  -H "Content-Type: application/json" \
  -d '{"object":"whatsapp_business_account","entry":[]}' \
  -w "\nHTTP %{http_code}\n" 2>/dev/null
echo ""

# ── Test 3: Valid signature, empty entries (should 200) ──
PAYLOAD='{"object":"whatsapp_business_account","entry":[]}'
send_webhook "$PAYLOAD" "Valid signature, empty entries"

# ── Test 4: Valid signature, invalid object (should 400) ──
PAYLOAD='{"object":"instagram","entry":[]}'
SIG="sha256=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$APP_SECRET" | awk '{print $2}')"
echo "--- Test 4: Invalid object type ---"
curl -s -X POST "${BASE_URL}/api/integrations/whatsapp/webhook" \
  -H "Content-Type: application/json" \
  -H "x-hub-signature-256: ${SIG}" \
  -d "$PAYLOAD" -w "\nHTTP %{http_code}\n" 2>/dev/null
echo ""

# ── Test 5: Simulated incoming message (unknown phone_number_id) ──
PAYLOAD='{"object":"whatsapp_business_account","entry":[{"id":"123456","changes":[{"value":{"messaging_product":"whatsapp","metadata":{"display_phone_number":"15551234567","phone_number_id":"TEST_PHONE_ID_123"},"contacts":[{"profile":{"name":"Test Customer"},"wa_id":"97412345678"}],"messages":[{"from":"97412345678","id":"wamid.test123","timestamp":"1712345678","text":{"body":"Hello, I want to book an appointment"},"type":"text"}]},"field":"messages"}]}]}'
send_webhook "$PAYLOAD" "Incoming message (unknown org)"

# ── Test 6: Status update (should be handled gracefully) ──
PAYLOAD='{"object":"whatsapp_business_account","entry":[{"id":"123456","changes":[{"value":{"messaging_product":"whatsapp","metadata":{"display_phone_number":"15551234567","phone_number_id":"TEST_PHONE_ID_123"},"statuses":[{"id":"wamid.test123","status":"delivered","timestamp":"1712345679","recipient_id":"97412345678"}]},"field":"messages"}]}]}'
send_webhook "$PAYLOAD" "Status update (no messages)"

echo "=== Tests Complete ==="