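from fastapi.testclient import TestClient


def test_login_and_tenant_isolation(app):
    """Check that one user's time entries are invisible and immutable to another.

    Two independent clients (separate cookie jars) register as different
    users. User A creates a time entry; user B must neither see it in the
    list endpoint nor be able to PATCH it by id. User A then logs out and
    logs back in, and ``/me`` must report A's own email.

    Args:
        app: The application under test, supplied by a fixture defined
            outside this file.
    """
    with TestClient(app) as client_a, TestClient(app) as client_b:
        register_a = client_a.post(
            "/auth/register",
            json={"email": "a@example.com", "password": "strongpasswordA1"},
        )
        assert register_a.status_code == 200
        # The register response body carries the CSRF token that is echoed
        # back in the x-csrf-token header on state-changing requests below.
        csrf_a = register_a.json()["csrf_token"]

        register_b = client_b.post(
            "/auth/register",
            json={"email": "b@example.com", "password": "strongpasswordB1"},
        )
        assert register_b.status_code == 200
        csrf_b = register_b.json()["csrf_token"]

        create_a = client_a.post(
            "/time-entries",
            headers={"x-csrf-token": csrf_a},
            json={
                "date": "2026-02-24",
                "start_time": "08:30",
                "end_time": "15:00",
                "break_minutes": 30,
            },
        )
        assert create_a.status_code == 200
        entry_id = create_a.json()["id"]

        # Read isolation: B's listing must not contain A's entry.
        list_b = client_b.get("/time-entries")
        assert list_b.status_code == 200
        assert list_b.json()["items"] == []

        # Write isolation: B uses its own valid CSRF token, so the only
        # thing that can reject this request is the ownership check.
        # Expecting 404 (rather than 403) presumably keeps the response from
        # confirming that the id exists for another tenant.
        patch_b = client_b.patch(
            f"/time-entries/{entry_id}",
            headers={"x-csrf-token": csrf_b},
            json={"break_minutes": 15},
        )
        assert patch_b.status_code == 404
        # NOTE(review): the 404 alone does not prove the write was dropped;
        # consider re-reading the entry as A and checking break_minutes is
        # still 30 once the response schema of the list/detail endpoint is
        # confirmed.

        # The logout response used to be discarded, so a rejected logout
        # (e.g. a CSRF failure) would go unnoticed and the login below would
        # still pass on the old session.
        logout_a = client_a.post("/auth/logout", headers={"x-csrf-token": csrf_a})
        assert logout_a.status_code < 400
        # NOTE(review): nothing here checks that the old session is unusable
        # after logout (e.g. that /me is refused before logging in again).

        login_a = client_a.post(
            "/auth/login",
            json={"email": "a@example.com", "password": "strongpasswordA1"},
        )
        assert login_a.status_code == 200

        me_a = client_a.get("/me")
        assert me_a.status_code == 200
        assert me_a.json()["email"] == "a@example.com"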