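/**
 * API-level checks for the account settings endpoints: reading the current
 * profile, updating the display name, and rejecting a profile update that
 * carries no credentials.
 *
 * The admin bearer token is read from Cypress configuration rather than being
 * committed with the spec. Supply it as the CYPRESS_ADMIN_TOKEN environment
 * variable or as "ADMIN_TOKEN" in an untracked cypress.env.json. If a token was
 * ever committed alongside this spec, treat it as exposed and rotate it on the
 * server.
 */
describe('Account Settings', () => {
  const ADMIN_TOKEN = Cypress.env('ADMIN_TOKEN')
  const authHeaders = { Authorization: `Bearer ${ADMIN_TOKEN}` }

  before(() => {
    // Fail fast with a readable message instead of sending "Bearer undefined".
    expect(ADMIN_TOKEN, 'Cypress env ADMIN_TOKEN').to.be.a('string').and.not.be.empty
  })

  it('can read current user profile', () => {
    cy.request({ url: '/api/me', headers: authHeaders }).then(res => {
      expect(res.body.username).to.eq('hera')
      expect(res.body.role).to.eq('admin')
      expect(res.body).to.have.property('display_name')
      expect(res.body).to.have.property('has_password')
    })
  })

  it('can update display name', () => {
    const updatedName = 'Cypress测试名'

    // Save original
    cy.request({ url: '/api/me', headers: authHeaders }).then(res => {
      const original = res.body.display_name
      const userUrl = `/api/users/${res.body.id}`

      // Update
      cy.request({
        method: 'PUT',
        url: userUrl,
        headers: authHeaders,
        body: { display_name: updatedName }
      }).then(r => expect(r.status).to.eq(200))

      // Read back, then restore BEFORE asserting: a failed assertion aborts the
      // remaining Cypress command queue, which would otherwise leave the admin
      // account renamed for every later spec.
      cy.request({ url: '/api/me', headers: authHeaders }).then(r2 => {
        cy.request({
          method: 'PUT',
          url: userUrl,
          headers: authHeaders,
          body: { display_name: original || 'Hera' }
        }).then(() => {
          // Verify against the response captured before the restore.
          expect(r2.body.display_name).to.eq(updatedName)
        })
      })
    })
  })

  it('API rejects unauthenticated profile update', () => {
    // No Authorization header is sent. failOnStatusCode is disabled so the
    // error status can be asserted instead of failing the request command.
    // NOTE(review): 401 is the conventional status for missing credentials;
    // this pins 403 as the API's behaviour — confirm that is intended.
    cy.request({
      method: 'PUT',
      url: '/api/users/1',
      body: { display_name: 'hacked' },
      failOnStatusCode: false
    }).then(res => {
      expect(res.status).to.eq(403)
    })
  })
})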