package auth

import (
	"errors"
	"time"

	"github.com/golang-jwt/jwt/v5"
	"golang.org/x/crypto/bcrypt"
	"gorm.io/gorm"

	"gitea.kmux.cn/zhilv/scriptforge/internal/model"
)

var (
	ErrUserExists     = errors.New("username already exists")
	ErrInvalidCredentials = errors.New("invalid username or password")
)

type AuthService struct {
	db      *gorm.DB
	jwtKey  []byte
}

func NewAuthService(db *gorm.DB, jwtKey string) *AuthService {
	return &AuthService{db: db, jwtKey: []byte(jwtKey)}
}

type Claims struct {
	UserID   uint   `json:"user_id"`
	Username string `json:"username"`
	Role     string `json:"role"`
	jwt.RegisteredClaims
}

func (s *AuthService) Register(username, password string) (*model.User, error) {
	var existing model.User
	if err := s.db.Where("username = ?", username).First(&existing).Error; err == nil {
		return nil, ErrUserExists
	}

	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
	if err != nil {
		return nil, err
	}

	// First user becomes admin
	var userCount int64
	s.db.Model(&model.User{}).Count(&userCount)
	role := "user"
	if userCount == 0 {
		role = "admin"
	}

	user := model.User{
		Username:     username,
		PasswordHash: string(hash),
		Role:         role,
	}

	if err := s.db.Create(&user).Error; err != nil {
		return nil, err
	}
	return &user, nil
}

func (s *AuthService) Login(username, password string) (*model.User, string, error) {
	var user model.User
	if err := s.db.Where("username = ?", username).First(&user).Error; err != nil {
		return nil, "", ErrInvalidCredentials
	}

	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(password)); err != nil {
		return nil, "", ErrInvalidCredentials
	}

	token, err := s.GenerateToken(user.ID, user.Username, user.Role)
	if err != nil {
		return nil, "", err
	}
	return &user, token, nil
}

func (s *AuthService) GenerateToken(userID uint, username, role string) (string, error) {
	claims := Claims{
		UserID:   userID,
		Username: username,
		Role:     role,
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(7 * 24 * time.Hour)),
		},
	}
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	return token.SignedString(s.jwtKey)
}

func (s *AuthService) ParseToken(tokenStr string) (*Claims, error) {
	token, err := jwt.ParseWithClaims(tokenStr, &Claims{}, func(t *jwt.Token) (interface{}, error) {
		return s.jwtKey, nil
	})
	if err != nil {
		return nil, err
	}
	claims, ok := token.Claims.(*Claims)
	if !ok {
		return nil, errors.New("invalid claims")
	}
	return claims, nil
}

func (s *AuthService) GetUserByID(id uint) (*model.User, error) {
	var user model.User
	err := s.db.First(&user, id).Error
	return &user, err
}

func (s *AuthService) IsAdmin(userID uint) bool {
	var user model.User
	if err := s.db.First(&user, userID).Error; err != nil {
		return false
	}
	return user.Role == "admin"
}