package api

import (
	"io/fs"
	"net/http"

	"github.com/go-chi/chi/v5"
	chimiddleware "github.com/go-chi/chi/v5/middleware"
	"github.com/go-chi/cors"
	gcsrf "github.com/gorilla/csrf"
	"github.com/gorilla/sessions"
	"xorm.io/xorm"

	"github.com/forgeo/forgebucket/internal/api/handlers"
	"github.com/forgeo/forgebucket/internal/api/middleware"
	"github.com/forgeo/forgebucket/internal/config"
)

func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFiles fs.FS) http.Handler {
	r := chi.NewRouter()

	r.Use(chimiddleware.Logger)
	r.Use(chimiddleware.RealIP)
	r.Use(chimiddleware.Recoverer)
	r.Use(cors.Handler(cors.Options{
		AllowedOrigins:   []string{"http://localhost:5173", cfg.InstanceURL},
		AllowedMethods:   []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
		AllowCredentials: true,
		MaxAge:           300,
	}))

	csrfMiddleware := gcsrf.Protect(
		[]byte(cfg.CSRFSecret),
		gcsrf.Secure(!cfg.Debug),
		gcsrf.SameSite(gcsrf.SameSiteLaxMode),
		gcsrf.ErrorHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			http.Error(w, `{"error":"CSRF validation failed"}`, http.StatusForbidden)
		})),
	)

	auth := middleware.NewAuth(store)

	repoH := handlers.NewRepoHandler(engine, cfg)
	userH := handlers.NewUserHandler(engine, store)
	prH := handlers.NewPRHandler(engine)
	pipeH := handlers.NewPipelineHandler(engine)
	wsH := handlers.NewWSHandler()

	// Health — no auth, no CSRF
	r.Get("/api/v1/health", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`{"status":"ok"}`))
	})

	// CSRF token bootstrap for SPA
	r.With(csrfMiddleware).Get("/api/v1/csrf", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-CSRF-Token", gcsrf.Token(r))
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`{"ok":true}`))
	})

	// Auth (CSRF protected, no session required)
	r.With(csrfMiddleware).Route("/api/v1/auth", func(r chi.Router) {
		r.Post("/login", userH.Login)
		r.Post("/logout", userH.Logout)
		r.Post("/register", userH.Register)
	})

	// Authenticated API
	r.With(csrfMiddleware).With(auth.Require).Route("/api/v1", func(r chi.Router) {
		r.Get("/me", userH.Me)

		r.Route("/repos", func(r chi.Router) {
			r.Get("/", repoH.List)
			r.Post("/", repoH.Create)
			r.Route("/{owner}/{repo}", func(r chi.Router) {
				r.Get("/", repoH.Get)
				r.Get("/tree", repoH.Tree)
				r.Get("/blob", repoH.Blob)
				r.Get("/commits", repoH.Commits)
				r.Route("/pulls", func(r chi.Router) {
					r.Get("/", prH.List)
					r.Post("/", prH.Create)
					r.Get("/{prID}", prH.Get)
					r.Post("/{prID}/merge", prH.Merge)
					r.Post("/{prID}/close", prH.Close)
				})
				r.Route("/pipelines", func(r chi.Router) {
					r.Get("/", pipeH.List)
					r.Get("/{runID}", pipeH.Get)
				})
			})
		})
	})

	// WebSocket — session auth only, no CSRF needed for WS upgrades
	r.With(auth.Optional).Get("/ws", wsH.Hub)

	// SPA fallback
	r.Handle("/*", spaHandler(staticFiles))

	return r
}

func spaHandler(staticFiles fs.FS) http.Handler {
	fileServer := http.FileServer(http.FS(staticFiles))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, err := staticFiles.Open(r.URL.Path)
		if err != nil {
			r.URL.Path = "/"
		}
		fileServer.ServeHTTP(w, r)
	})
}