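import { test, expect } from '@playwright/test';

// Opt-in switch: the suite sends repeated failed logins to the target, so it
// only runs when E2E_BRUTEFORCE=1 is set in the environment.
const shouldRun = process.env.E2E_BRUTEFORCE === '1';

test.describe('Login brute-force throttle', () => {
  test.skip(
    !shouldRun,
    'Set E2E_BRUTEFORCE=1 to run brute-force throttle check against the live/staging site.',
  );

  /**
   * Regression check for the login rate limiter: posts the same bad
   * credentials up to `maxAttempts` times and passes once the server answers
   * with HTTP 429 or a body matching `throttleMessage`.
   *
   * '/login' is a relative path, so the target host comes from the Playwright
   * configuration, which is not visible in this file.
   *
   * NOTE(review): every attempt uses one email from one client, so a pass does
   * not show whether the limiter is keyed by account, by source address, or
   * both. Confirm against the server-side policy.
   */
  test('repeated bad logins eventually trigger throttle', async ({ request }) => {
    const maxAttempts = 8;
    // The body match depends on the application's wording. A page that always
    // contains this phrase (for example in a bundled translation table) would
    // satisfy it without any throttling, so verify against the real response.
    const throttleMessage = /too many.+attempt/i;

    // example.com is a reserved documentation domain, so the address is not
    // expected to belong to a real account that the run could lock out.
    const attemptPayload = {
      email: 'nonexistent-user@example.com',
      password: 'WrongPass123!',
    };

    // Only status codes are kept for the failure report. Response bodies are
    // deliberately left out of the test output.
    const statuses: number[] = [];
    let hitThrottle = false;

    // Stop as soon as the limiter answers, so the run sends no more failed
    // logins to the target than the check needs.
    for (let i = 0; i < maxAttempts && !hitThrottle; i += 1) {
      const response = await request.post('/login', {
        form: attemptPayload,
        failOnStatusCode: false,
      });
      const status = response.status();
      statuses.push(status);
      hitThrottle = status === 429 || throttleMessage.test(await response.text());
    }

    expect(
      hitThrottle,
      `no throttle signal after ${statuses.length} failed logins (statuses: ${statuses.join(', ')})`,
    ).toBe(true);
  });
});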