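// Package auth implements user storage, in-memory sessions and the HTTP
// handlers and middleware that authenticate requests against them.
package auth

import (
	"context"
	"database/sql"
	"encoding/json"
	"log"
	"net/http"
	"strings"
	"sync"
	"time"

	"github.com/google/uuid"
	"github.com/gorilla/mux"
	"golang.org/x/crypto/bcrypt"
)

// sessionCookie is the name of the cookie that carries the session token.
const sessionCookie = "session"

// sessionTTL is the lifetime given to the session cookie. It bounds the
// cookie only: the in-memory session table below has no expiry of its own.
const sessionTTL = 30 * 24 * time.Hour

// maxBodyBytes caps the size of a JSON request body read by the handlers.
const maxBodyBytes = 1 << 20

// minPasswordLen is the minimum accepted password length, in bytes.
const minPasswordLen = 6

// maxPasswordBytes is the longest input bcrypt processes; depending on the
// library version a longer password is rejected or silently truncated, so it
// is refused up front with a clear message.
const maxPasswordBytes = 72

// ── Models ────────────────────────────────────────────────────────────────────

// User is the public view of an account. The password hash is deliberately
// not part of it, so a User can be serialised to a client as-is.
type User struct {
	ID        string    `json:"id"`
	Email     string    `json:"email"`
	Name      string    `json:"name"`
	CreatedAt time.Time `json:"created_at"`
}

type contextKey string

// userKey is the request-context key under which Middleware stores the
// authenticated *User.
const userKey contextKey = "user"

// ── Store ─────────────────────────────────────────────────────────────────────

// Store gives access to the users table and to the session table.
type Store struct{ db *sql.DB }

// NewStore returns a Store backed by db.
func NewStore(db *sql.DB) *Store { return &Store{db: db} }

// GetByEmail returns the user with the given email together with the stored
// bcrypt hash. On error (including sql.ErrNoRows) the user is nil and the
// hash is empty, so a caller cannot mistake a zero-valued User for a match.
func (s *Store) GetByEmail(email string) (*User, string, error) {
	var (
		u    User
		hash string
	)
	err := s.db.QueryRow(
		`SELECT id, email, name, password_hash, created_at FROM users WHERE email=?`, email,
	).Scan(&u.ID, &u.Email, &u.Name, &hash, &u.CreatedAt)
	if err != nil {
		return nil, "", err
	}
	return &u, hash, nil
}

// GetByID returns the user with the given id, or a nil user and the error
// (sql.ErrNoRows when there is no such row).
func (s *Store) GetByID(id string) (*User, error) {
	var u User
	err := s.db.QueryRow(
		`SELECT id, email, name, created_at FROM users WHERE id=?`, id,
	).Scan(&u.ID, &u.Email, &u.Name, &u.CreatedAt)
	if err != nil {
		return nil, err
	}
	return &u, nil
}

// List returns every user ordered by creation time. The slice is nil when the
// table is empty.
func (s *Store) List() ([]User, error) {
	rows, err := s.db.Query(`SELECT id, email, name, created_at FROM users ORDER BY created_at`)
	if err != nil {
		return nil, err
	}
	defer rows.Close()

	var users []User
	for rows.Next() {
		var u User
		if err := rows.Scan(&u.ID, &u.Email, &u.Name, &u.CreatedAt); err != nil {
			return nil, err
		}
		users = append(users, u)
	}
	// Next returns false both at end of data and on a failed fetch; without
	// this check a broken connection would yield a silently truncated list.
	if err := rows.Err(); err != nil {
		return nil, err
	}
	return users, nil
}

// Create hashes password with bcrypt and inserts a new user with a fresh
// UUID. The user is nil when hashing or the insert fails.
func (s *Store) Create(email, name, password string) (*User, error) {
	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
	if err != nil {
		return nil, err
	}
	u := &User{ID: uuid.NewString(), Email: email, Name: name}
	_, err = s.db.Exec(
		`INSERT INTO users (id, email, name, password_hash) VALUES (?,?,?,?)`,
		u.ID, u.Email, u.Name, string(hash),
	)
	if err != nil {
		return nil, err
	}
	return u, nil
}

// UpdateProfile overwrites the email and name of the user with the given id.
func (s *Store) UpdateProfile(id, email, name string) error {
	_, err := s.db.Exec(`UPDATE users SET email=?, name=? WHERE id=?`, email, name, id)
	return err
}

// UpdatePassword replaces the stored hash with a bcrypt hash of newPassword.
// It does not touch existing sessions; the HTTP handler revokes them.
func (s *Store) UpdatePassword(id, newPassword string) error {
	hash, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)
	if err != nil {
		return err
	}
	_, err = s.db.Exec(`UPDATE users SET password_hash=? WHERE id=?`, string(hash), id)
	return err
}

// Delete removes the user row and, on success, every session that still
// points at that user.
func (s *Store) Delete(id string) error {
	if _, err := s.db.Exec(`DELETE FROM users WHERE id=?`, id); err != nil {
		return err
	}
	s.revokeSessions(id, "")
	return nil
}

// countUsers returns the number of rows in users and the query error, so
// that security decisions can fail closed instead of reading a failure as
// "no users yet".
func (s *Store) countUsers() (int, error) {
	var n int
	err := s.db.QueryRow(`SELECT COUNT(*) FROM users`).Scan(&n)
	return n, err
}

// Count returns the number of users, or 0 when the query fails. Because a
// failure is indistinguishable from an empty table, do not base an
// authorisation decision on it; use countUsers inside this package.
func (s *Store) Count() int {
	n, err := s.countUsers()
	if err != nil {
		log.Printf("auth: counting users: %v", err)
		return 0
	}
	return n
}

// CheckPassword reports whether password matches the stored hash of user id.
// Any lookup failure counts as a mismatch.
func (s *Store) CheckPassword(id, password string) bool {
	var hash string
	if err := s.db.QueryRow(`SELECT password_hash FROM users WHERE id=?`, id).Scan(&hash); err != nil {
		return false
	}
	return bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)) == nil
}

// In-memory sessions: token -> user id. The table is process-local (lost on
// restart, not shared between instances) and entries are only removed by
// logout, password change or user deletion; there is no server-side expiry.
// HTTP handlers run concurrently, so every access goes through sessionsMu:
// unsynchronised map writes make the Go runtime abort the process.
var (
	sessionsMu sync.RWMutex
	sessions   = map[string]string{}
)

// CreateSession registers a new random token for userID and returns it.
func (s *Store) CreateSession(userID string) string {
	token := uuid.NewString()
	sessionsMu.Lock()
	sessions[token] = userID
	sessionsMu.Unlock()
	return token
}

// GetUserFromToken resolves a session token to its user. An unknown (or
// empty) token yields sql.ErrNoRows, as does a token whose user no longer
// exists.
func (s *Store) GetUserFromToken(token string) (*User, error) {
	sessionsMu.RLock()
	id, ok := sessions[token]
	sessionsMu.RUnlock()
	if !ok {
		return nil, sql.ErrNoRows
	}
	return s.GetByID(id)
}

// DeleteSession forgets token; unknown tokens are ignored.
func (s *Store) DeleteSession(token string) {
	sessionsMu.Lock()
	delete(sessions, token)
	sessionsMu.Unlock()
}

// revokeSessions drops every session of userID except the token keep. Pass
// an empty keep to drop them all.
func (s *Store) revokeSessions(userID, keep string) {
	sessionsMu.Lock()
	defer sessionsMu.Unlock()
	for token, id := range sessions {
		if id == userID && token != keep {
			delete(sessions, token)
		}
	}
}

// ── Handler ───────────────────────────────────────────────────────────────────

// Handler exposes the account endpoints over HTTP.
type Handler struct{ store *Store }

// NewHandler returns a Handler that uses store.
func NewHandler(store *Store) *Handler { return &Handler{store: store} }

// dummyHash is a well-formed bcrypt hash that Login compares against when the
// email is unknown, so that a failed login costs one bcrypt evaluation
// whether or not the account exists. If generation fails it stays nil and
// the comparison simply returns early.
var dummyHash, _ = bcrypt.GenerateFromPassword([]byte("auth: unknown account placeholder"), bcrypt.DefaultCost)

// decodeJSON reads at most maxBodyBytes of the request body into dst. On
// failure it writes the 400 response itself and returns false.
func decodeJSON(w http.ResponseWriter, r *http.Request, dst any) bool {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	if err := json.NewDecoder(r.Body).Decode(dst); err != nil {
		http.Error(w, "invalid body", http.StatusBadRequest)
		return false
	}
	return true
}

// tokenFromRequest extracts the session token: the session cookie first,
// then the Authorization header, accepted either as the bare token or in the
// "Bearer <token>" form.
func tokenFromRequest(r *http.Request) string {
	if c, err := r.Cookie(sessionCookie); err == nil && c.Value != "" {
		return c.Value
	}
	const scheme = "Bearer "
	auth := r.Header.Get("Authorization")
	if len(auth) > len(scheme) && strings.EqualFold(auth[:len(scheme)], scheme) {
		return strings.TrimSpace(auth[len(scheme):])
	}
	return auth
}

// isHTTPS reports whether the client connection is TLS, either directly or
// as declared by a proxy through X-Forwarded-Proto. The header is
// client-controllable, but here it only decides whether a cookie gets the
// Secure attribute, so a forged value cannot weaken anything.
func isHTTPS(r *http.Request) bool {
	return r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// setSessionCookie sends token as an HttpOnly, SameSite=Lax cookie, marked
// Secure whenever the request arrived over HTTPS.
func setSessionCookie(w http.ResponseWriter, r *http.Request, token string) {
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookie,
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   isHTTPS(r),
		SameSite: http.SameSiteLaxMode,
		Expires:  time.Now().Add(sessionTTL),
	})
}

// currentUser returns the user placed in the request context by Middleware.
func currentUser(r *http.Request) (*User, bool) {
	u, ok := r.Context().Value(userKey).(*User)
	return u, ok && u != nil
}

// requireUser is currentUser for handlers that cannot proceed without one:
// when the route was mounted without Middleware it answers 401 rather than
// panicking on a failed type assertion.
func requireUser(w http.ResponseWriter, r *http.Request) (*User, bool) {
	u, ok := currentUser(r)
	if !ok {
		http.Error(w, "non autorisé", http.StatusUnauthorized)
	}
	return u, ok
}

// internalError logs err server-side and answers with a generic 500, so that
// database error text is never echoed to the client.
func internalError(w http.ResponseWriter, op string, err error) {
	log.Printf("auth: %s: %v", op, err)
	http.Error(w, "internal error", http.StatusInternalServerError)
}

// Login checks an email/password pair and, on success, opens a session. The
// token is returned both as a cookie and in the JSON body (for clients that
// authenticate with the Authorization header).
//
// NOTE(review): nothing in this file throttles repeated attempts; confirm
// that rate limiting or lockout is applied in front of this handler.
func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {
	var body struct {
		Email    string `json:"email"`
		Password string `json:"password"`
	}
	if !decodeJSON(w, r, &body) {
		return
	}

	user, hash, err := h.store.GetByEmail(body.Email)
	if err != nil {
		// Spend the same bcrypt work as for an existing account, so that
		// response time does not reveal which emails are registered.
		_ = bcrypt.CompareHashAndPassword(dummyHash, []byte(body.Password))
		http.Error(w, "identifiants incorrects", http.StatusUnauthorized)
		return
	}
	if bcrypt.CompareHashAndPassword([]byte(hash), []byte(body.Password)) != nil {
		http.Error(w, "identifiants incorrects", http.StatusUnauthorized)
		return
	}

	token := h.store.CreateSession(user.ID)
	setSessionCookie(w, r, token)
	respond(w, map[string]any{"user": user, "token": token})
}

// Logout deletes the caller's session, whether the token came in the cookie
// or in the Authorization header, and expires the cookie.
func (h *Handler) Logout(w http.ResponseWriter, r *http.Request) {
	if token := tokenFromRequest(r); token != "" {
		h.store.DeleteSession(token)
	}
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookie,
		Path:     "/",
		MaxAge:   -1,
		HttpOnly: true,
		Secure:   isHTTPS(r),
		SameSite: http.SameSiteLaxMode,
	})
	w.WriteHeader(http.StatusNoContent)
}

// Me returns the authenticated user.
func (h *Handler) Me(w http.ResponseWriter, r *http.Request) {
	user, ok := requireUser(w, r)
	if !ok {
		return
	}
	respond(w, user)
}

// Register creates an account. It is public only while no user exists;
// afterwards the caller must be authenticated. The rule is enforced here,
// independently of how the route is mounted, and fails closed when the user
// count cannot be read.
//
// NOTE(review): the count check and the insert are not atomic, so two
// concurrent first registrations can both pass; a database-level guard is
// needed to close that window. Also note that the response opens a session
// for the new account even when an authenticated caller created it, which
// replaces that caller's cookie — confirm this is intended.
func (h *Handler) Register(w http.ResponseWriter, r *http.Request) {
	n, err := h.store.countUsers()
	if err != nil {
		internalError(w, "counting users", err)
		return
	}
	if n > 0 {
		if _, ok := currentUser(r); !ok {
			// The route may be mounted outside Middleware: validate the
			// session token directly.
			if _, err := h.store.GetUserFromToken(tokenFromRequest(r)); err != nil {
				http.Error(w, "non autorisé", http.StatusUnauthorized)
				return
			}
		}
	}

	var body struct {
		Email    string `json:"email"`
		Name     string `json:"name"`
		Password string `json:"password"`
	}
	if !decodeJSON(w, r, &body) {
		return
	}
	if body.Email == "" || body.Name == "" || body.Password == "" {
		http.Error(w, "email, nom et mot de passe requis", http.StatusBadRequest)
		return
	}
	if len(body.Password) < minPasswordLen {
		http.Error(w, "mot de passe trop court (6 caractères minimum)", http.StatusBadRequest)
		return
	}
	if len(body.Password) > maxPasswordBytes {
		http.Error(w, "mot de passe trop long (72 octets maximum)", http.StatusBadRequest)
		return
	}

	user, err := h.store.Create(body.Email, body.Name, body.Password)
	if err != nil {
		// Every failure is reported as a conflict, as before; the cause is
		// kept in the server log only.
		log.Printf("auth: creating user: %v", err)
		http.Error(w, "email déjà utilisé", http.StatusConflict)
		return
	}

	token := h.store.CreateSession(user.ID)
	setSessionCookie(w, r, token)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusCreated)
	respond(w, map[string]any{"user": user, "token": token})
}

// UpdateProfile changes the authenticated user's name and email.
func (h *Handler) UpdateProfile(w http.ResponseWriter, r *http.Request) {
	user, ok := requireUser(w, r)
	if !ok {
		return
	}
	var body struct {
		Email string `json:"email"`
		Name  string `json:"name"`
	}
	if !decodeJSON(w, r, &body) {
		return
	}
	if body.Email == "" || body.Name == "" {
		http.Error(w, "email et nom requis", http.StatusBadRequest)
		return
	}
	if err := h.store.UpdateProfile(user.ID, body.Email, body.Name); err != nil {
		internalError(w, "updating profile", err)
		return
	}
	user.Email = body.Email
	user.Name = body.Name
	respond(w, user)
}

// UpdatePassword changes the authenticated user's password after verifying
// the current one, then revokes that user's other sessions so that a token
// obtained with the old password stops working.
func (h *Handler) UpdatePassword(w http.ResponseWriter, r *http.Request) {
	user, ok := requireUser(w, r)
	if !ok {
		return
	}
	var body struct {
		Current string `json:"current_password"`
		New     string `json:"new_password"`
	}
	if !decodeJSON(w, r, &body) {
		return
	}
	if !h.store.CheckPassword(user.ID, body.Current) {
		http.Error(w, "mot de passe actuel incorrect", http.StatusUnauthorized)
		return
	}
	if len(body.New) < minPasswordLen {
		http.Error(w, "nouveau mot de passe trop court (6 caractères minimum)", http.StatusBadRequest)
		return
	}
	if len(body.New) > maxPasswordBytes {
		http.Error(w, "nouveau mot de passe trop long (72 octets maximum)", http.StatusBadRequest)
		return
	}
	if err := h.store.UpdatePassword(user.ID, body.New); err != nil {
		internalError(w, "updating password", err)
		return
	}
	h.store.revokeSessions(user.ID, tokenFromRequest(r))
	w.WriteHeader(http.StatusNoContent)
}

// ListUsers returns all users.
//
// NOTE(review): described as an admin operation, but User carries no role
// and no privilege check is made here — any authenticated user can call it
// unless the router restricts the route. Confirm.
func (h *Handler) ListUsers(w http.ResponseWriter, r *http.Request) {
	users, err := h.store.List()
	if err != nil {
		internalError(w, "listing users", err)
		return
	}
	if users == nil {
		// Encode an empty list as [] rather than null.
		users = []User{}
	}
	respond(w, users)
}

// DeleteUser deletes the user named by the "id" route variable. A user
// cannot delete their own account.
//
// NOTE(review): as with ListUsers, no role check is visible here, so any
// authenticated user can delete any other account unless the router
// restricts the route. Confirm.
func (h *Handler) DeleteUser(w http.ResponseWriter, r *http.Request) {
	me, ok := requireUser(w, r)
	if !ok {
		return
	}
	id := mux.Vars(r)["id"]
	if id == me.ID {
		http.Error(w, "impossible de supprimer son propre compte", http.StatusBadRequest)
		return
	}
	if err := h.store.Delete(id); err != nil {
		internalError(w, "deleting user", err)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

// ── Middleware ────────────────────────────────────────────────────────────────

// Middleware rejects requests without a valid session token with 401 and
// otherwise stores the authenticated *User in the request context.
func Middleware(store *Store) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			user, err := store.GetUserFromToken(tokenFromRequest(r))
			if err != nil {
				http.Error(w, "non autorisé", http.StatusUnauthorized)
				return
			}
			ctx := context.WithValue(r.Context(), userKey, user)
			next.ServeHTTP(w, r.WithContext(ctx))
		})
	}
}

// respond writes v as a JSON response body.
func respond(w http.ResponseWriter, v any) {
	w.Header().Set("Content-Type", "application/json")
	if err := json.NewEncoder(w).Encode(v); err != nil {
		log.Printf("auth: encoding response: %v", err)
	}
}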