rusty_common/auth/exchanges/

binance.rs

//! Binance authentication implementation - Performance optimized for HFT
//!
//! This module provides high-performance HMAC/Ed25519-based authentication for Binance API.
//! Optimized with stack allocation, pre-allocated constants, and zero-copy operations.

use crate::collections::FxHashMap;
use crate::{CommonError, Result, SmartString};
use base64::{Engine as _, engine::general_purpose::STANDARD as BASE64};
use ed25519_dalek::{Signer, SigningKey, VerifyingKey};
use hmac::{Hmac, Mac};
use pkcs8::{
    PrivateKeyInfo,
    der::{Decode, asn1::OctetString},
};
use serde::Serialize;
use sha2::Sha256;
use smallvec::SmallVec;
use std::time::{SystemTime, UNIX_EPOCH};
use uuid::Uuid;

type HmacSha256 = Hmac<Sha256>;

/// Binance header key constants for type safety and performance
pub mod header_keys {
    use crate::SmartString;

    /// The header key for the API key.
    pub const X_MBX_APIKEY: &str = "X-MBX-APIKEY";
    /// The header key for the content type.
    pub const CONTENT_TYPE: &str = "Content-Type";
    /// The value for the application/json content type.
    pub const APPLICATION_JSON: &str = "application/json";
    /// The value for the application/x-www-form-urlencoded content type.
    pub const APPLICATION_FORM: &str = "application/x-www-form-urlencoded";

    /// Pre-allocated SmartString constants for zero-allocation header creation
    #[must_use]
    pub fn x_mbx_apikey() -> SmartString {
        X_MBX_APIKEY.into()
    }
    /// Returns the `Content-Type` header value as a `SmartString`.
    pub fn content_type() -> SmartString {
        CONTENT_TYPE.into()
    }
    #[must_use]
    /// Returns the `application/json` content type as a `SmartString`.
    pub fn application_json() -> SmartString {
        APPLICATION_JSON.into()
    }
    #[must_use]
    /// Returns the `application/x-www-form-urlencoded` content type as a `SmartString`.
    pub fn application_form() -> SmartString {
        APPLICATION_FORM.into()
    }
}

/// Binance API key type
#[derive(Debug, Clone)]
pub enum BinanceKeyType {
    /// HMAC-SHA256 (deprecated but still supported)
    Hmac(SmartString),
    /// Ed25519 (recommended for best performance and security)
    Ed25519(SigningKey),
}

/// WebSocket session logon message for Binance
#[derive(Debug, Clone, Serialize)]
pub struct BinanceWsLogonMessage {
    /// A unique identifier for the request.
    pub id: SmartString,
    /// The method to be called, e.g., `session.logon`.
    pub method: SmartString,
    /// The parameters for the logon request.
    pub params: BinanceWsLogonParams,
}

/// The parameters for a WebSocket logon request.
#[derive(Debug, Clone, Serialize)]
pub struct BinanceWsLogonParams {
    /// The API key for authentication.
    #[serde(rename = "apiKey")]
    pub api_key: SmartString,
    /// The signature for the request.
    pub signature: SmartString,
    /// The timestamp for the request.
    pub timestamp: u64,
}

/// Binance authentication implementation for Spot API
#[derive(Debug, Clone)]
pub struct BinanceAuth {
    /// API key for HMAC authentication, or empty for Ed25519
    api_key: SmartString,
    key_type: BinanceKeyType,
}

impl BinanceAuth {
    /// Create new Binance auth with HMAC key
    #[must_use]
    pub const fn new_hmac(api_key: SmartString, secret_key: SmartString) -> Self {
        Self {
            api_key,
            key_type: BinanceKeyType::Hmac(secret_key),
        }
    }

    /// Create new Binance auth with Ed25519 key
    ///
    /// Supports two private key formats (base64-encoded):
    ///
    /// ## Format 1: Raw 32-byte key
    /// - Direct 32-byte Ed25519 private key
    /// - Example: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
    ///
    /// ## Format 2: DER-encoded key (PKCS#8 format)
    /// - ASN.1 DER structure per RFC 8410
    /// - Structure: SEQUENCE { version, algorithm, privateKey }
    /// - Example: "MC4CAQAwBQYDK2VwBCIEINTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU"
    ///
    /// # Errors
    /// Returns `CommonError::Auth` if:
    /// - Base64 decoding fails
    /// - Key format is not recognized
    /// - DER structure is malformed
    pub fn new_ed25519(api_key: SmartString, private_key: SmartString) -> Result<Self> {
        let private_key_bytes = BASE64.decode(private_key.as_str()).map_err(|e| {
            CommonError::Auth(crate::safe_format!("Invalid Ed25519 private key: {e}"))
        })?;

        // Check if it's already a raw 32-byte key
        if private_key_bytes.len() == 32 {
            let mut key_array = [0u8; 32];
            key_array.copy_from_slice(&private_key_bytes);
            let signing_key = SigningKey::from_bytes(&key_array);

            return Ok(Self {
                api_key,
                key_type: BinanceKeyType::Ed25519(signing_key),
            });
        }

        // Try to parse as DER/PKCS#8 format using the pkcs8 crate
        // This is more secure and handles all variations properly
        if let Ok(pki) = PrivateKeyInfo::from_der(&private_key_bytes) {
            // Use the `der` crate's `OctetString` to safely parse the private key,
            // falling back to the raw private_key field. This is more robust than
            // manual byte-checking of the ASN.1 structure.
            let key_data = OctetString::from_der(pki.private_key)
                .map(|s| s.as_bytes().to_vec())
                .unwrap_or_else(|_| pki.private_key.to_vec());

            if key_data.len() == 32 {
                let mut key_array = [0u8; 32];
                key_array.copy_from_slice(&key_data);
                let signing_key = SigningKey::from_bytes(&key_array);

                return Ok(Self {
                    api_key,
                    key_type: BinanceKeyType::Ed25519(signing_key),
                });
            }
        }

        Err(CommonError::Auth(SmartString::from(
            "Invalid Ed25519 private key format. Expected either 32-byte raw key or valid PKCS#8 DER format",
        )))
    }

    /// Generate Ed25519 public key for API registration
    pub fn get_ed25519_public_key(&self) -> Result<SmartString> {
        match &self.key_type {
            BinanceKeyType::Ed25519(signing_key) => {
                let verifying_key: VerifyingKey = signing_key.verifying_key();
                Ok(BASE64.encode(verifying_key.as_bytes()).into())
            }
            _ => Err(CommonError::Auth(SmartString::from(
                "Not an Ed25519 key type",
            ))),
        }
    }

    /// Optimized parameter string building using SmallVec for stack allocation
    /// Uses SmallVec<[SmartString; 8]> to avoid heap allocation for typical parameter counts
    /// Enhanced with auth module's optimized implementation
    #[must_use]
    pub fn build_query_string_optimized(params: &[(&str, &str)]) -> SmartString {
        if params.is_empty() {
            return SmartString::new();
        }

        // Use SmallVec to avoid heap allocation for typical parameter counts (< 8)
        let mut param_strings: SmallVec<[SmartString; 8]> = SmallVec::with_capacity(params.len());
        let mut buffer = SmartString::new();

        for (key, value) in params {
            Self::encode_params_zero_copy(value, &mut buffer).unwrap_or_default();
            let param = crate::safe_format!("{}={}", key, buffer.as_str());
            param_strings.push(param);
        }

        // Join using iterator to minimize allocations
        SmartString::from(
            param_strings
                .iter()
                .map(|s| s.as_str())
                .collect::<SmallVec<[&str; 8]>>()
                .join("&"),
        )
    }

    /// URL-encode the provided parameter string using a pre-allocated buffer.
    ///
    /// This performs zero-copy encoding to avoid unpredictable heap
    /// allocations on critical paths.
    pub fn encode_params_zero_copy(params: &str, buffer: &mut SmartString) -> Result<()> {
        super::url_encode_params(params, buffer)
    }

    /// Get current timestamp in milliseconds (performance optimized)
    fn get_timestamp_ms() -> Result<u64> {
        SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .map_err(|e| CommonError::Auth(crate::safe_format!("System time error: {e}")))
            .map(|d| d.as_millis() as u64)
    }

    /// Generate signature for REST API request
    fn generate_signature(&self, payload: &str) -> Result<SmartString> {
        match &self.key_type {
            BinanceKeyType::Hmac(secret) => {
                let mut mac = HmacSha256::new_from_slice(secret.as_bytes())
                    .map_err(|e| CommonError::Auth(crate::safe_format!("HMAC error: {e}")))?;
                mac.update(payload.as_bytes());
                let result = mac.finalize();
                Ok(hex::encode(result.into_bytes()).into())
            }
            BinanceKeyType::Ed25519(signing_key) => {
                let signature = signing_key.sign(payload.as_bytes());
                Ok(BASE64.encode(signature.to_bytes()).into())
            }
        }
    }

    /// Generate REST API authentication headers (optimized for performance)
    /// Returns headers directly as HashMap to avoid conversion overhead in hot paths
    pub fn generate_headers(
        &self,
        method: &str,
        _path: &str,
        _params: Option<&[(&str, &str)]>,
        body: Option<&str>,
    ) -> Result<FxHashMap<SmartString, SmartString>> {
        let mut headers = FxHashMap::default(); // FxHashMap doesn't support with_capacity

        // Always add API key header
        headers.insert(header_keys::x_mbx_apikey(), self.api_key.clone());

        // Add content type based on method
        match method.to_uppercase().as_str() {
            "POST" | "PUT" | "DELETE" => {
                if body.is_some() {
                    headers.insert(header_keys::content_type(), header_keys::application_json());
                } else {
                    headers.insert(header_keys::content_type(), header_keys::application_form());
                }
            }
            _ => {} // GET requests don't need content-type
        }

        Ok(headers)
    }

    /// Generate signed query string for REST API requests
    /// This includes the signature and should be appended to the URL
    pub fn generate_signed_query_string(
        &self,
        params: Option<&[(&str, &str)]>,
    ) -> Result<SmartString> {
        let timestamp = Self::get_timestamp_ms()?;
        let recv_window = 5000u64; // 5 seconds (Binance default)

        let timestamp_str = timestamp.to_string();
        let recv_window_str = recv_window.to_string();

        let mut all_params = Vec::new();

        // Add existing params
        if let Some(params) = params {
            all_params.extend_from_slice(params);
        }

        // Add timestamp and recvWindow
        all_params.push(("timestamp", &timestamp_str));
        all_params.push(("recvWindow", &recv_window_str));

        let payload = Self::build_query_string_optimized(&all_params);
        let signature = self.generate_signature(&payload)?;

        let mut signed_query = payload;
        signed_query.push_str("&signature=");
        signed_query.push_str(&signature);

        Ok(signed_query)
    }

    /// Generate parameters with signature for signed requests
    pub fn generate_signed_params(&self, params: &[(&str, &str)]) -> Result<SmartString> {
        let timestamp = Self::get_timestamp_ms()?;
        let recv_window = 5000u64;

        let timestamp_str = timestamp.to_string();
        let recv_window_str = recv_window.to_string();

        let mut all_params = params.to_vec();
        all_params.push(("timestamp", &timestamp_str));
        all_params.push(("recvWindow", &recv_window_str));

        let payload = Self::build_query_string_optimized(&all_params);
        let signature = self.generate_signature(&payload)?;

        let mut signed_params = payload;
        signed_params.push_str("&signature=");
        signed_params.push_str(&signature);

        Ok(signed_params)
    }
}

impl BinanceAuth {
    /// Generate WebSocket session logon message
    pub fn generate_ws_logon_message(&self) -> Result<BinanceWsLogonMessage> {
        // Only Ed25519 keys are supported for WebSocket session authentication
        match &self.key_type {
            BinanceKeyType::Ed25519(_) => {
                let timestamp = Self::get_timestamp_ms()?;
                let payload = crate::safe_format!("timestamp={timestamp}");
                let signature = self.generate_signature(&payload)?;

                // For Ed25519, use public key as apiKey if no API key is provided
                let api_key = if self.api_key.is_empty() {
                    self.get_ed25519_public_key()?
                } else {
                    self.api_key.clone()
                };

                Ok(BinanceWsLogonMessage {
                    id: Uuid::new_v4().to_string().into(),
                    method: "session.logon".into(),
                    params: BinanceWsLogonParams {
                        api_key,
                        signature,
                        timestamp,
                    },
                })
            }
            BinanceKeyType::Hmac(_) => Err(CommonError::Auth(SmartString::from(
                "WebSocket session authentication requires Ed25519 keys. HMAC keys are not supported for WebSocket session auth.",
            ))),
        }
    }

    /// Generate WebSocket authentication message
    pub fn generate_ws_auth(&self) -> Result<SmartString> {
        // Only Ed25519 keys are supported for WebSocket session authentication
        match &self.key_type {
            BinanceKeyType::Ed25519(_) => {
                let logon_message = self.generate_ws_logon_message()?;
                simd_json::to_string(&logon_message)
                    .map(|s| s.into())
                    .map_err(|e| {
                        CommonError::Auth(crate::safe_format!(
                            "Failed to serialize WebSocket logon message: {e}"
                        ))
                    })
            }
            BinanceKeyType::Hmac(_) => Err(CommonError::Auth(SmartString::from(
                "WebSocket session authentication requires Ed25519 keys. HMAC keys are not supported.",
            ))),
        }
    }

    /// Generate timestamp in milliseconds
    pub fn generate_timestamp() -> Result<u64> {
        Self::get_timestamp_ms()
    }

    /// Generate timestamp in nanoseconds for high-precision timing
    pub fn generate_timestamp_nanos() -> Result<u128> {
        SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .map_err(|e| CommonError::Auth(crate::safe_format!("System time error: {e}")))
            .map(|d| d.as_nanos())
    }

    /// Fast parameter count for pre-allocation decisions
    #[inline]
    #[must_use]
    pub fn param_count(params: Option<&[(&str, &str)]>) -> usize {
        params.map_or(0, |p| p.len())
    }

    /// Generate joined parameter string (for backward compatibility)
    #[must_use]
    pub fn generate_joined_param(params: &[(&str, &str)]) -> Option<SmartString> {
        if params.is_empty() {
            None
        } else {
            Some(Self::build_query_string_optimized(params))
        }
    }

    /// Get API key
    #[must_use]
    pub fn api_key(&self) -> &str {
        &self.api_key
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_build_query_string() {
        let params = [("symbol", "BTCUSDT"), ("side", "BUY"), ("type", "LIMIT")];
        let result = BinanceAuth::build_query_string_optimized(&params);
        assert_eq!(result, "symbol=BTCUSDT&side=BUY&type=LIMIT");
    }

    #[test]
    fn test_build_query_string_optimized() {
        let params = [("symbol", "BTCUSDT"), ("side", "BUY"), ("type", "LIMIT")];
        let result = BinanceAuth::build_query_string_optimized(&params);
        assert_eq!(result, "symbol=BTCUSDT&side=BUY&type=LIMIT");
    }

    #[test]
    fn test_encode_params_zero_copy() {
        let input = "param=value with spaces";
        let mut buffer = SmartString::new();
        BinanceAuth::encode_params_zero_copy(input, &mut buffer).unwrap();
        assert_eq!(buffer, "param%3Dvalue%20with%20spaces");

        // Verify that safe characters remain unchanged
        let safe_input = "ABC-_.~";
        BinanceAuth::encode_params_zero_copy(safe_input, &mut buffer).unwrap();
        assert_eq!(buffer, safe_input);
    }

    #[test]
    fn test_hmac_auth_creation() {
        let auth = BinanceAuth::new_hmac("test_api_key".into(), "test_secret".into());
        assert_eq!(auth.api_key(), "test_api_key");
    }

    #[test]
    fn test_ed25519_raw_key_format() {
        // Test with a raw 32-byte Ed25519 private key (base64 encoded)
        // This is a test key - never use in production
        let raw_key_base64 = "1Dm2fKi3BRmgY9qMZ7F1PZQE+C8OLgKPUkZJfT/oD3w=";

        let result =
            BinanceAuth::new_ed25519("test_api_key".into(), SmartString::from(raw_key_base64));

        assert!(
            result.is_ok(),
            "Failed to parse raw Ed25519 key: {:?}",
            result.err()
        );
        let auth = result.unwrap();
        assert_eq!(auth.api_key(), "test_api_key");

        // Verify it's an Ed25519 key
        match &auth.key_type {
            BinanceKeyType::Ed25519(_) => (),
            _ => panic!("Expected Ed25519 key type"),
        }
    }

    #[test]
    fn test_ed25519_der_format() {
        // Test with a DER-encoded Ed25519 private key (PKCS#8 format)
        // This is a test key - never use in production
        // Format: SEQUENCE { version, algorithm, privateKey }
        let der_key_base64 = "MC4CAQAwBQYDK2VwBCIEINQZtoSotwUZoGPajGexdT2UBPgvDi4Cj1JGSX0/6A98";

        let result =
            BinanceAuth::new_ed25519("test_api_key".into(), SmartString::from(der_key_base64));

        assert!(
            result.is_ok(),
            "Failed to parse DER Ed25519 key: {:?}",
            result.err()
        );
        let auth = result.unwrap();
        assert_eq!(auth.api_key(), "test_api_key");

        // Verify it's an Ed25519 key
        match &auth.key_type {
            BinanceKeyType::Ed25519(_) => (),
            _ => panic!("Expected Ed25519 key type"),
        }
    }

    #[test]
    fn test_ed25519_invalid_formats() {
        // Test with invalid key formats

        // Too short
        let short_key = "dG9vX3Nob3J0"; // "too_short" in base64
        let result = BinanceAuth::new_ed25519("test_api_key".into(), SmartString::from(short_key));
        assert!(result.is_err());

        // Invalid base64
        let invalid_base64 = "not valid base64!@#$";
        let result =
            BinanceAuth::new_ed25519("test_api_key".into(), SmartString::from(invalid_base64));
        assert!(result.is_err());

        // Valid base64 but not a valid key format (33 bytes)
        let wrong_length = BASE64.encode([0u8; 33]);
        let result =
            BinanceAuth::new_ed25519("test_api_key".into(), SmartString::from(wrong_length));
        assert!(result.is_err());
    }

    #[test]
    fn test_ed25519_public_key_from_raw_format() {
        // Test that we can generate a public key from the private key
        let raw_key_base64 = "1Dm2fKi3BRmgY9qMZ7F1PZQE+C8OLgKPUkZJfT/oD3w=";

        let auth =
            BinanceAuth::new_ed25519("test_api_key".into(), SmartString::from(raw_key_base64))
                .expect("Failed to create auth");

        let public_key_result = auth.get_ed25519_public_key();
        assert!(public_key_result.is_ok());

        let public_key = public_key_result.unwrap();
        // Ed25519 public keys are 32 bytes, which is 44 chars in base64 (with padding)
        assert_eq!(public_key.len(), 44);
    }

    #[test]
    fn test_signed_params_generation() {
        let auth = BinanceAuth::new_hmac(
            "vmPUZE6mv9SD5VNHk4HlWFsOr6aKE2zvsw0MuIgwCIPy6utIco14y7Ju91duEh8A".into(),
            "NhqPtmdSJYdKjVHjA7PZj4Mge3R5YNiP1e3UZjInClVN65XAbvqqM6A7H5fATj0j".into(),
        );

        let params = [
            ("symbol", "LTCBTC"),
            ("side", "BUY"),
            ("type", "LIMIT"),
            ("timeInForce", "GTC"),
            ("quantity", "1"),
            ("price", "0.1"),
        ];

        let result = auth.generate_signed_params(&params);
        assert!(result.is_ok());
        let signed_params = result.unwrap();
        assert!(signed_params.contains("signature="));
        assert!(signed_params.contains("timestamp="));
        assert!(signed_params.contains("recvWindow=5000"));
    }

    #[test]
    fn test_ed25519_auth_creation() {
        // Test with a valid 32-byte private key (base64 encoded)
        let private_key = BASE64.encode([0u8; 32]); // 32-byte zero key for testing
        let auth = BinanceAuth::new_ed25519("test_api_key".into(), private_key.into());
        assert!(auth.is_ok());
        let auth = auth.unwrap();
        assert_eq!(auth.api_key(), "test_api_key");
    }

    #[test]
    fn test_new_ed25519_valid_raw_key() {
        let api_key = "test_api_key".into();
        // 32-byte raw private key, base64 encoded
        let private_key = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".into();
        let auth = BinanceAuth::new_ed25519(api_key, private_key);
        assert!(auth.is_ok());
    }

    #[test]
    fn test_new_ed25519_valid_der_key() {
        let api_key = "test_api_key".into();
        // A valid DER-encoded Ed25519 private key (base64 encoded)
        // This is a sample key, not a real one.
        // SEQUENCE (48 bytes)
        //   INTEGER 0
        //   SEQUENCE (5 bytes)
        //     OBJECT IDENTIFIER 1.3.101.112 (Ed25519)
        //   OCTET STRING (34 bytes)
        //     OCTET STRING (32 bytes) - the private key
        let private_key = "MC4CAQAwBQYDK2VwBCIEINTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU".into();
        let auth = BinanceAuth::new_ed25519(api_key, private_key);
        assert!(auth.is_ok());
    }

    #[test]
    fn test_new_ed25519_der_longer_format() {
        let api_key = "test_api_key".into();
        // Test that malformed DER structures are properly rejected
        // This ensures the parser is strict about key format validation
        // Build an invalid DER structure
        let key_data = [0xAA; 32];
        let mut content = vec![
            0x02, 0x01, 0x00, // INTEGER 0
            0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, // Ed25519 OID
            0x00, 0x00, 0x00, 0x00, // Some padding
            0x04, 0x22, 0x04, 0x20, // OCTET STRING wrapping
        ];
        content.extend_from_slice(&key_data);
        content.extend_from_slice(&[0x00; 16]); // Extra data

        // Create SEQUENCE with correct length
        let mut longer_der = vec![0x30]; // SEQUENCE tag
        if content.len() < 128 {
            longer_der.push(content.len() as u8);
        } else {
            longer_der.push(0x81); // Long form, 1 byte
            longer_der.push(content.len() as u8);
        }
        longer_der.extend_from_slice(&content);

        let private_key = BASE64.encode(&longer_der).into();
        let auth = BinanceAuth::new_ed25519(api_key, private_key);
        // This malformed DER should be rejected
        assert!(auth.is_err());
        assert!(
            auth.unwrap_err()
                .to_string()
                .contains("Invalid Ed25519 private key format")
        );
    }

    #[test]
    fn test_new_ed25519_openssl_generated_key() {
        let api_key = "test_api_key".into();
        // Key generated by: openssl genpkey -algorithm ED25519 -outform DER | base64
        // This format may have slight variations in structure
        let openssl_key = "MC4CAQAwBQYDK2VwBCIEIHjl9sgmE5hzlz7pe6Mrc2K9L7JYQWhpabNQ8T9Ls3tO".into();
        let auth = BinanceAuth::new_ed25519(api_key, openssl_key);
        assert!(auth.is_ok());
    }

    #[test]
    fn test_new_ed25519_pkcs8_wrapped_key() {
        let api_key: SmartString = "test_api_key".into();
        // Test valid PKCS#8 v0 format with proper Ed25519 structure
        // This is a valid PKCS#8 Ed25519 key with all zeros as the private key
        let pkcs8_v0_key =
            "MC4CAQAwBQYDK2VwBCIEINTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU".into();
        let auth = BinanceAuth::new_ed25519(api_key.clone(), pkcs8_v0_key);
        assert!(auth.is_ok());

        // Test raw 32-byte key format (also valid)
        let raw_key = SmartString::from(
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", // 32 zero bytes
        );
        let auth_raw = BinanceAuth::new_ed25519(api_key.clone(), raw_key);
        assert!(auth_raw.is_ok());

        // Test invalid key format (not 32 bytes, not valid DER)
        let invalid_key = "aW52YWxpZCBrZXk=".into(); // "invalid key" in base64
        let auth_invalid = BinanceAuth::new_ed25519(api_key, invalid_key);
        assert!(auth_invalid.is_err());
    }

    #[test]
    fn test_new_ed25519_invalid_key_not_base64() {
        let api_key = "test_api_key".into();
        let private_key = "this-is-not-base64".into();
        let auth = BinanceAuth::new_ed25519(api_key, private_key);
        assert!(auth.is_err());
        let error = auth.unwrap_err();
        assert!(matches!(error, CommonError::Auth(_)));
        assert!(error.to_string().contains("Invalid Ed25519 private key"));
    }

    #[test]
    fn test_new_ed25519_invalid_key_wrong_length() {
        let api_key = "test_api_key".into();
        // 16-byte key, base64 encoded
        let private_key = "AAAAAAAAAAAAAAAAAAAAAA==".into();
        let auth = BinanceAuth::new_ed25519(api_key, private_key);
        assert!(auth.is_err());
        let error = auth.unwrap_err();
        assert!(matches!(error, CommonError::Auth(_)));
        assert!(
            error
                .to_string()
                .contains("Invalid Ed25519 private key format")
        );
    }

    #[test]
    fn test_new_ed25519_invalid_der_malformed() {
        let api_key = "test_api_key".into();
        // Malformed DER key - starts with SEQUENCE but has wrong structure
        // This has SEQUENCE tag (0x30) but incorrect content
        let private_key = "MBgCAQAwBQYDK2Vw".into(); // Too short, missing key data
        let auth = BinanceAuth::new_ed25519(api_key, private_key);
        assert!(auth.is_err());
        let error = auth.unwrap_err();
        assert!(matches!(error, CommonError::Auth(_)));
        assert!(
            error
                .to_string()
                .contains("Invalid Ed25519 private key format")
        );
    }

    #[test]
    fn test_ed25519_invalid_key_length() {
        // Test with invalid key length
        let private_key = BASE64.encode([0u8; 16]); // Only 16 bytes, should fail
        let auth = BinanceAuth::new_ed25519("test_api_key".into(), private_key.into());
        assert!(auth.is_err());
    }

    #[test]
    fn test_ed25519_public_key_generation() {
        let private_key = BASE64.encode([0u8; 32]);
        let auth = BinanceAuth::new_ed25519("test_api_key".into(), private_key.into()).unwrap();

        let public_key = auth.get_ed25519_public_key();
        assert!(public_key.is_ok());
        let public_key = public_key.unwrap();
        assert!(!public_key.is_empty());
        assert_eq!(public_key.len(), 44); // Base64 encoded 32-byte key is 44 chars
    }

    #[test]
    fn test_ed25519_signed_params_generation() {
        let private_key = BASE64.encode([1u8; 32]); // Use non-zero key
        let auth = BinanceAuth::new_ed25519("test_api_key".into(), private_key.into()).unwrap();

        let params = [
            ("symbol", "BTCUSDT"),
            ("side", "BUY"),
            ("type", "LIMIT"),
            ("quantity", "1"),
            ("price", "50000"),
        ];

        let result = auth.generate_signed_params(&params);
        assert!(result.is_ok());
        let signed_params = result.unwrap();
        assert!(signed_params.contains("signature="));
        assert!(signed_params.contains("timestamp="));
        assert!(signed_params.contains("recvWindow=5000"));

        // Ed25519 signatures are base64 encoded, so they should not contain hex chars like 'g'
        // But they can contain A-Z, a-z, 0-9, +, /, =
        let signature_part = signed_params.split("signature=").nth(1).unwrap();
        assert!(!signature_part.is_empty());
    }

    #[test]
    fn test_ed25519_websocket_auth() {
        let private_key = BASE64.encode([2u8; 32]);
        let auth = BinanceAuth::new_ed25519("test_api_key".into(), private_key.into()).unwrap();

        let ws_auth = auth.generate_ws_auth();
        assert!(ws_auth.is_ok());
        let ws_auth = ws_auth.unwrap();
        assert!(ws_auth.contains("session.logon"));
        assert!(ws_auth.contains("test_api_key"));
        assert!(ws_auth.contains("signature"));
        assert!(ws_auth.contains("timestamp"));
    }

    #[test]
    fn test_headers_generation() {
        let auth = BinanceAuth::new_hmac("test_api_key".into(), "test_secret".into());

        // Test GET request headers
        let headers = auth.generate_headers("GET", "/api/v3/account", None, None);
        assert!(headers.is_ok());
        let headers = headers.unwrap();
        assert_eq!(
            headers.get(&header_keys::x_mbx_apikey()).unwrap(),
            "test_api_key"
        );
        assert!(!headers.contains_key(&header_keys::content_type()));

        // Test POST request headers with body
        let headers =
            auth.generate_headers("POST", "/api/v3/order", None, Some("{\"test\": \"data\"}"));
        assert!(headers.is_ok());
        let headers = headers.unwrap();
        assert_eq!(
            headers.get(&header_keys::x_mbx_apikey()).unwrap(),
            "test_api_key"
        );
        assert_eq!(
            headers.get(&header_keys::content_type()).unwrap(),
            &header_keys::application_json()
        );

        // Test POST request headers without body
        let headers = auth.generate_headers("POST", "/api/v3/order", None, None);
        assert!(headers.is_ok());
        let headers = headers.unwrap();
        assert_eq!(
            headers.get(&header_keys::content_type()).unwrap(),
            &header_keys::application_form()
        );
    }

    #[test]
    fn test_signed_query_string_generation() {
        let auth = BinanceAuth::new_hmac(
            "vmPUZE6mv9SD5VNHk4HlWFsOr6aKE2zvsw0MuIgwCIPy6utIco14y7Ju91duEh8A".into(),
            "NhqPtmdSJYdKjVHjA7PZj4Mge3R5YNiP1e3UZjInClVN65XAbvqqM6A7H5fATj0j".into(),
        );

        let params = [
            ("symbol", "LTCBTC"),
            ("side", "BUY"),
            ("type", "LIMIT"),
            ("timeInForce", "GTC"),
            ("quantity", "1"),
            ("price", "0.1"),
        ];

        let result = auth.generate_signed_query_string(Some(&params));
        assert!(result.is_ok());
        let signed_query = result.unwrap();
        assert!(signed_query.contains("signature="));
        assert!(signed_query.contains("timestamp="));
        assert!(signed_query.contains("recvWindow=5000"));
        assert!(signed_query.contains("symbol=LTCBTC"));
    }

    #[test]
    fn test_ws_logon_message_ed25519() {
        let private_key = BASE64.encode([1u8; 32]);
        let auth = BinanceAuth::new_ed25519("test_api_key".into(), private_key.into()).unwrap();

        let logon_message = auth.generate_ws_logon_message();
        assert!(logon_message.is_ok());
        let message = logon_message.unwrap();
        assert_eq!(message.method, "session.logon");
        assert_eq!(message.params.api_key, "test_api_key");
        assert!(!message.params.signature.is_empty());
        assert!(message.params.timestamp > 0);
    }

    #[test]
    fn test_ws_logon_message_hmac_fails() {
        let auth = BinanceAuth::new_hmac("test_api_key".into(), "test_secret".into());

        let logon_message = auth.generate_ws_logon_message();
        assert!(logon_message.is_err());
        let error = logon_message.unwrap_err();
        match error {
            CommonError::Auth(msg) => {
                assert!(msg.contains("WebSocket session authentication requires Ed25519 keys"));
            }
            _ => panic!("Expected Auth error"),
        }
    }

    #[test]
    fn test_usage_example() {
        // Example 1: HMAC Authentication (Legacy but still supported)
        let hmac_auth = BinanceAuth::new_hmac("your_api_key".into(), "your_secret_key".into());

        let params = [("symbol", "BTCUSDT"), ("side", "BUY")];
        let signed_params = hmac_auth.generate_signed_params(&params);
        assert!(signed_params.is_ok());

        // Generate headers for REST API
        let headers = hmac_auth.generate_headers("GET", "/api/v3/account", None, None);
        assert!(headers.is_ok());

        // Generate signed query string
        let signed_query = hmac_auth.generate_signed_query_string(Some(&params));
        assert!(signed_query.is_ok());

        // Example 2: Ed25519 Authentication (Recommended)
        let private_key = BASE64.encode([1u8; 32]); // In practice, use a real private key
        let ed25519_auth =
            BinanceAuth::new_ed25519("your_api_key".into(), private_key.into()).unwrap();

        // Get public key for API registration
        let public_key = ed25519_auth.get_ed25519_public_key().unwrap();
        assert!(!public_key.is_empty());

        // Generate signed parameters for API calls
        let ed25519_signed_params = ed25519_auth.generate_signed_params(&params);
        assert!(ed25519_signed_params.is_ok());

        // Generate headers for REST API
        let headers = ed25519_auth.generate_headers("POST", "/api/v3/order", None, Some("{}"));
        assert!(headers.is_ok());

        // Generate WebSocket authentication (only works with Ed25519)
        let ws_auth = ed25519_auth.generate_ws_auth();
        assert!(ws_auth.is_ok());

        // Generate WebSocket logon message
        let ws_logon = ed25519_auth.generate_ws_logon_message();
        assert!(ws_logon.is_ok());

        // HMAC keys cannot be used for WebSocket session authentication
        let hmac_ws_auth = hmac_auth.generate_ws_auth();
        assert!(hmac_ws_auth.is_err());
    }

    #[test]
    fn test_optimized_methods() {
        let _auth = BinanceAuth::new_hmac("test_api_key".into(), "test_secret".into());

        // Test optimized parameter building
        let params = &[("symbol", "BTCUSDT"), ("side", "BUY")];
        let query_string = BinanceAuth::build_query_string_optimized(params);
        assert!(!query_string.is_empty());
        assert!(query_string.contains("symbol"));
        assert!(query_string.contains("BUY"));

        // Test parameter count utility
        assert_eq!(BinanceAuth::param_count(Some(params)), 2);
        assert_eq!(BinanceAuth::param_count(None), 0);

        // Test nanosecond timestamp
        let nanos1 = BinanceAuth::generate_timestamp_nanos().unwrap();
        let nanos2 = BinanceAuth::generate_timestamp_nanos().unwrap();
        assert!(nanos2 >= nanos1);

        // Test millisecond timestamp
        let millis1 = BinanceAuth::generate_timestamp().unwrap();
        let millis2 = BinanceAuth::generate_timestamp().unwrap();
        assert!(millis2 >= millis1);
    }

    #[test]
    fn test_generate_joined_param() {
        // Test empty params
        let empty_params: &[(&str, &str)] = &[];
        let result = BinanceAuth::generate_joined_param(empty_params);
        assert!(result.is_none());

        // Test single param
        let single_params = &[("key", "value")];
        let result = BinanceAuth::generate_joined_param(single_params);
        assert!(result.is_some());
        let result = result.unwrap();
        assert_eq!(result, SmartString::from("key=value"));

        // Test multiple params
        let multiple_params = &[("key1", "value1"), ("key2", "value2")];
        let result = BinanceAuth::generate_joined_param(multiple_params);
        assert!(result.is_some());
        let result = result.unwrap();
        assert_eq!(result, SmartString::from("key1=value1&key2=value2"));
    }

    #[test]
    fn test_stack_allocation_performance() {
        // Test parameter building with various sizes to ensure SmallVec stack allocation

        // Test with 1 parameter (well within stack allocation)
        let small_params = &[("key", "value")];
        let small_result = BinanceAuth::build_query_string_optimized(small_params);
        assert_eq!(small_result, "key=value");

        // Test with 8 parameters (at the edge of stack allocation)
        let medium_params = &[
            ("param1", "value1"),
            ("param2", "value2"),
            ("param3", "value3"),
            ("param4", "value4"),
            ("param5", "value5"),
            ("param6", "value6"),
            ("param7", "value7"),
            ("param8", "value8"),
        ];
        let medium_result = BinanceAuth::build_query_string_optimized(medium_params);
        assert_eq!(medium_result.matches('&').count(), 7); // 7 separators for 8 params

        // Test that empty parameters return empty string efficiently
        let empty_params: &[(&str, &str)] = &[];
        let empty_result = BinanceAuth::build_query_string_optimized(empty_params);
        assert!(empty_result.is_empty());
    }

    #[test]
    fn test_url_encoding_special_chars() {
        let params = &[("market", "BTC-USDT"), ("state", "wait")];
        let result = BinanceAuth::build_query_string_optimized(params);
        assert_eq!(result, SmartString::from("market=BTC-USDT&state=wait"));

        // Test with URL encoding required
        let params_with_encoding = &[("message", "hello world!"), ("special", "@#$%")];
        let result_encoded = BinanceAuth::build_query_string_optimized(params_with_encoding);
        assert!(result_encoded.contains("hello%20world%21"));
        assert!(result_encoded.contains("%40%23%24%25"));
    }

    #[test]
    fn test_zero_copy_encoding_performance() {
        let mut buffer = SmartString::new();

        // Test multiple encodings with same buffer (zero allocation after first)
        let test_strings = ["simple", "with spaces", "special@chars", "unicode™"];

        for test_str in &test_strings {
            BinanceAuth::encode_params_zero_copy(test_str, &mut buffer).unwrap();
            assert!(!buffer.is_empty());
        }
    }

    #[test]
    fn test_performance_optimizations() {
        let auth = BinanceAuth::new_hmac("test_api_key".into(), "test_secret".into());

        // Test that headers are pre-allocated with exact capacity
        let headers = auth
            .generate_headers("GET", "/api/v3/account", None, None)
            .unwrap();
        assert!(headers.len() <= 2); // Should have at most 2 headers for GET

        // Test with parameters
        let params = &[("symbol", "BTCUSDT"), ("side", "BUY")];
        let headers_with_params = auth
            .generate_headers("POST", "/api/v3/order", Some(params), Some("{}"))
            .unwrap();
        assert_eq!(headers_with_params.len(), 2); // Should have exactly 2 headers

        // Verify header contents are optimized SmartStrings
        let api_key_value = headers.get(&header_keys::x_mbx_apikey()).unwrap();
        assert_eq!(api_key_value, "test_api_key");
    }
}