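import pytest


@pytest.mark.usefixtures('notify_db_session')
class TestSecurityHeaders:
    """Test security headers for ZAP scan compliance.

    These tests pin exact response-header values, so any change to the
    application's CORS or caching policy has to be made here as well and
    shows up in review.
    """

    def test_options_request_returns_204_with_cors_headers(self, client):
        """Check that OPTIONS on '/' returns 204 with the expected CORS headers.

        The policy pinned here is deliberately broad: any origin, five
        methods, and the ``Authorization`` request header. That is only
        acceptable while the response does not also opt in to credentialed
        requests, which the last assertion guards.
        """
        expected_cors_headers = {
            'Access-Control-Allow-Origin': '*',
            'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
            'Access-Control-Allow-Headers': 'Content-Type, Authorization',
            'Access-Control-Max-Age': '3600',
        }

        response = client.options('/')

        assert response.status_code == 204
        for header_name, expected_value in expected_cors_headers.items():
            assert response.headers.get(header_name) == expected_value, header_name

        # A wildcard origin must never be paired with
        # Access-Control-Allow-Credentials: true. Browsers reject that
        # combination, and the usual workaround (reflecting the request
        # Origin) would expose cookie-authenticated responses to every site.
        # Fail here if credentials are ever switched on while the origin is '*'.
        assert response.headers.get('Access-Control-Allow-Credentials') != 'true'

    @pytest.mark.parametrize(
        "endpoint",
        [
            '/_status',
            '/_status?simple=1',
            '/_status/live-service-and-organization-counts',
        ],
    )
    def test_status_endpoints_have_cache_control_headers(self, client, endpoint):
        """Check that each status endpoint returns 200 with caching disabled.

        All three headers are asserted: ``Cache-Control`` for HTTP/1.1
        caches, plus ``Pragma`` and ``Expires`` for older intermediaries.
        """
        expected_cache_headers = {
            'Cache-Control': 'no-cache, no-store, must-revalidate',
            'Pragma': 'no-cache',
            'Expires': '0',
        }

        response = client.get(endpoint)

        assert response.status_code == 200
        for header_name, expected_value in expected_cache_headers.items():
            assert response.headers.get(header_name) == expected_value, header_name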