package auth

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
	"slices"

	"golang.org/x/crypto/bcrypt"
	"gorm.io/gorm"

	"git.schreifuchs.ch/schreifuchs/ng-blog/backend/internal/model"
)

func (s *Service) Signup(w http.ResponseWriter, r *http.Request) {
	var err error
	var login Login
	user := model.NewUser()

	if err = json.NewDecoder(r.Body).Decode(&login); err != nil {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	if len([]byte(login.Password)) > 72 {
		fmt.Fprint(w, "Password to long, max 72 bytes")
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	if user.Password, err = bcrypt.GenerateFromPassword([]byte(login.Password), 6); err != nil {
		log.Println("Error: ", err)
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
	user.Name = login.Name
	user.Role = s.cfg.DefaultRole

	err = s.db.Save(&user).Error
	if err != nil {
		if errors.Is(err, gorm.ErrCheckConstraintViolated) {
			fmt.Fprint(w, "Username is already in use")
			w.WriteHeader(http.StatusBadRequest)
			return
		}

		log.Printf("Error: %v", err)
		w.WriteHeader(http.StatusInternalServerError)
	}
}

func (s *Service) Login(w http.ResponseWriter, r *http.Request) {
	var login Login
	var user model.User

	if err := json.NewDecoder(r.Body).Decode(&login); err != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	if err := s.db.First(&user).Error; err != nil {
		fmt.Fprint(w, "user not found")
		w.WriteHeader(http.StatusBadRequest)
	}
	if err := bcrypt.CompareHashAndPassword(user.Password, []byte(login.Password)); err != nil {
		fmt.Fprint(w, "Invalid Password")
		w.WriteHeader(http.StatusBadRequest)
	}

	token, err := s.createJWT(&user)
	if err != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	res, err := json.Marshal(&LoginResponse{
		Token: token,
	})
	if err != nil {
		log.Println("Error: ", err)
		w.WriteHeader(http.StatusInternalServerError)
		return
	}

	w.Write(res)
}

func (s *Service) Logout(w http.ResponseWriter, r *http.Request) {
	token, err := extractToken(r)
	if err != nil {
		log.Printf("Error while extracting token: %s", err.Error())
		w.WriteHeader(http.StatusInternalServerError)
		return
	}

	claims, err := s.validateJWT(token)
	if err != nil {
		fmt.Fprint(w, "Invalid token")
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	if err = s.db.Save(&model.InvalidJWT{JWT: token, ValidUntil: claims.ExpiresAt.Time}).Error; err != nil {
		log.Printf("Error while saving logout token: %v", err)
		w.WriteHeader(http.StatusInternalServerError)
		return
	}

	w.WriteHeader(http.StatusNoContent)
}

func (s *Service) Authenticated(next http.HandlerFunc, roles ...model.Role) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Our middleware logic goes here...
		token, err := extractToken(r)
		if err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}

		claims, err := s.validateJWT(token)
		if err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}

		// if roles specified check if satisfied
		if len(roles) > 0 && !slices.Contains(roles, claims.Role) {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		r = writeToContext(r, &claims)
		next(w, r)
	})
}