package handlers

import (
	"encoding/json"
	"net/http"
	"strconv"
	"strings"
	"time"

	"github.com/go-chi/chi/v5"
	"xorm.io/xorm"

	"github.com/forgeo/forgebucket/internal/api/middleware"
	"github.com/forgeo/forgebucket/internal/models"
)

type AccessTokenHandler struct{ db *xorm.Engine }

func NewAccessTokenHandler(db *xorm.Engine) *AccessTokenHandler {
	return &AccessTokenHandler{db: db}
}

type accessTokenResponse struct {
	ID        int64   `json:"id"`
	Title     string  `json:"title"`
	Scopes    string  `json:"scopes"`
	ExpiresAt *string `json:"expiresAt"`
	CreatedAt string  `json:"createdAt"`
	Token     string  `json:"token,omitempty"` // only on creation
}

func (h *AccessTokenHandler) lookupRepo(w http.ResponseWriter, r *http.Request) (*models.Repository, bool) {
	ownerName := chi.URLParam(r, "owner")
	repoName := chi.URLParam(r, "repo")
	var owner models.User
	if found, _ := h.db.Where("username = ?", ownerName).Get(&owner); !found {
		jsonError(w, "repository not found", http.StatusNotFound)
		return nil, false
	}
	var repo models.Repository
	if found, _ := h.db.Where("owner_id = ? AND name = ?", owner.ID, repoName).Get(&repo); !found {
		jsonError(w, "repository not found", http.StatusNotFound)
		return nil, false
	}
	return &repo, true
}

func (h *AccessTokenHandler) canManage(repo *models.Repository, callerID int64) bool {
	if callerID == repo.OwnerID {
		return true
	}
	var m models.RepoMember
	found, _ := h.db.Where("repo_id = ? AND user_id = ? AND permission = 'admin'", repo.ID, callerID).Get(&m)
	return found
}

func (h *AccessTokenHandler) List(w http.ResponseWriter, r *http.Request) {
	repo, ok := h.lookupRepo(w, r)
	if !ok {
		return
	}
	var tokens []models.RepoAccessToken
	h.db.Where("repo_id = ?", repo.ID).OrderBy("created_at desc").Find(&tokens)
	resp := make([]accessTokenResponse, 0, len(tokens))
	for _, t := range tokens {
		var exp *string
		if t.ExpiresAt != nil {
			s := t.ExpiresAt.Format("2006-01-02")
			exp = &s
		}
		resp = append(resp, accessTokenResponse{
			ID:        t.ID,
			Title:     t.Title,
			Scopes:    t.Scopes,
			ExpiresAt: exp,
			CreatedAt: t.CreatedAt.Format(time.RFC3339),
		})
	}
	jsonOK(w, resp)
}

func (h *AccessTokenHandler) Create(w http.ResponseWriter, r *http.Request) {
	repo, ok := h.lookupRepo(w, r)
	if !ok {
		return
	}
	callerID, _ := middleware.UserIDFromContext(r.Context())
	if !h.canManage(repo, callerID) {
		jsonError(w, "only the owner or an admin can manage access tokens", http.StatusForbidden)
		return
	}

	var body struct {
		Title     string `json:"title"`
		Scopes    string `json:"scopes"`    // "read" | "read,write"
		ExpiresAt string `json:"expiresAt"` // "2026-12-31" or ""
	}
	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Title == "" {
		jsonError(w, "title is required", http.StatusBadRequest)
		return
	}
	if body.Scopes == "" {
		body.Scopes = "read"
	}

	var expiresAt *time.Time
	if body.ExpiresAt != "" {
		t, err := time.Parse("2006-01-02", body.ExpiresAt)
		if err != nil {
			jsonError(w, "invalid expiresAt format; use YYYY-MM-DD", http.StatusBadRequest)
			return
		}
		t = t.UTC()
		expiresAt = &t
	}

	raw, hash, err := generateToken("fbat_")
	if err != nil {
		jsonError(w, "could not generate token", http.StatusInternalServerError)
		return
	}

	token := &models.RepoAccessToken{
		RepoID:    repo.ID,
		CreatorID: callerID,
		Title:     body.Title,
		TokenHash: hash,
		Scopes:    body.Scopes,
		ExpiresAt: expiresAt,
	}
	if _, err := h.db.Insert(token); err != nil {
		jsonError(w, "could not save token", http.StatusInternalServerError)
		return
	}

	var exp *string
	if expiresAt != nil {
		s := expiresAt.Format("2006-01-02")
		exp = &s
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusCreated)
	json.NewEncoder(w).Encode(accessTokenResponse{
		ID:        token.ID,
		Title:     token.Title,
		Scopes:    token.Scopes,
		ExpiresAt: exp,
		CreatedAt: token.CreatedAt.Format(time.RFC3339),
		Token:     raw,
	})
}

func (h *AccessTokenHandler) Delete(w http.ResponseWriter, r *http.Request) {
	repo, ok := h.lookupRepo(w, r)
	if !ok {
		return
	}
	callerID, _ := middleware.UserIDFromContext(r.Context())
	if !h.canManage(repo, callerID) {
		jsonError(w, "only the owner or an admin can manage access tokens", http.StatusForbidden)
		return
	}

	tokenID, err := strconv.ParseInt(chi.URLParam(r, "tokenID"), 10, 64)
	if err != nil {
		jsonError(w, "invalid token ID", http.StatusBadRequest)
		return
	}
	h.db.Where("id = ? AND repo_id = ?", tokenID, repo.ID).Delete(&models.RepoAccessToken{})
	w.WriteHeader(http.StatusNoContent)
}

// LookupAccessToken validates a Bearer token and returns the creator's userID.
// Returns (userID, repoID, hasWrite, ok).
func LookupAccessToken(db *xorm.Engine, rawToken string) (userID, repoID int64, hasWrite bool, ok bool) {
	if !strings.HasPrefix(rawToken, "fbat_") {
		return
	}
	hash := sha256Hex(rawToken)
	var t models.RepoAccessToken
	found, _ := db.Where("token_hash = ?", hash).Get(&t)
	if !found {
		return
	}
	if t.ExpiresAt != nil && t.ExpiresAt.Before(time.Now()) {
		return
	}
	now := time.Now()
	t.LastUsed = &now
	db.ID(t.ID).Cols("last_used_at").Update(&t)
	hasWrite = strings.Contains(t.Scopes, "write")
	return t.CreatorID, t.RepoID, hasWrite, true
}