package middleware

import (
	"bytes"
	"io"
	"net/http"
	"strings"

	"github.com/flatrender/payment-svc/internal/db"
	"github.com/flatrender/payment-svc/internal/models"
	"github.com/flatrender/payment-svc/internal/signing"
	"github.com/gin-gonic/gin"
	"github.com/golang-jwt/jwt/v5"
)

const (
	CtxIsAdmin   = "is_admin"
	CtxClient    = "client_app"
	CtxRawBody   = "raw_body"
)

// JWTAuth validates a FlatRender identity JWT (same secret) for admin endpoints.
func JWTAuth(secret string) gin.HandlerFunc {
	return func(c *gin.Context) {
		hdr := c.GetHeader("Authorization")
		if !strings.HasPrefix(hdr, "Bearer ") {
			c.AbortWithStatusJSON(http.StatusUnauthorized, models.APIError{Code: "unauthorized", Message: "missing bearer token"})
			return
		}
		token, err := jwt.Parse(hdr[7:], func(t *jwt.Token) (interface{}, error) {
			if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
				return nil, jwt.ErrSignatureInvalid
			}
			return []byte(secret), nil
		})
		if err != nil || !token.Valid {
			c.AbortWithStatusJSON(http.StatusUnauthorized, models.APIError{Code: "unauthorized", Message: "invalid token"})
			return
		}
		claims, _ := token.Claims.(jwt.MapClaims)
		isAdmin := false
		switch v := claims["is_admin"].(type) {
		case bool:
			isAdmin = v
		case string:
			isAdmin = v == "true"
		}
		c.Set(CtxIsAdmin, isAdmin)
		c.Next()
	}
}

func RequireAdmin() gin.HandlerFunc {
	return func(c *gin.Context) {
		v, _ := c.Get(CtxIsAdmin)
		if b, _ := v.(bool); !b {
			c.AbortWithStatusJSON(http.StatusForbidden, models.APIError{Code: "forbidden", Message: "admin required"})
			return
		}
		c.Next()
	}
}

// ClientAuth authenticates a client site by API key + HMAC body signature.
//
//	X-Api-Key:    the client's public key
//	X-Signature:  hex( HMAC-SHA256(client.secret, raw_request_body) )
//
// The verified ClientApp and the raw body are stashed in the gin context.
func ClientAuth(store *db.Store) gin.HandlerFunc {
	return func(c *gin.Context) {
		apiKey := c.GetHeader("X-Api-Key")
		if apiKey == "" {
			c.AbortWithStatusJSON(http.StatusUnauthorized, models.APIError{Code: "unauthorized", Message: "missing X-Api-Key"})
			return
		}
		client, err := store.GetClientByAPIKey(c.Request.Context(), apiKey)
		if err != nil {
			c.AbortWithStatusJSON(http.StatusUnauthorized, models.APIError{Code: "unauthorized", Message: "unknown or inactive api key"})
			return
		}

		raw, _ := io.ReadAll(c.Request.Body)
		c.Request.Body = io.NopCloser(bytes.NewReader(raw)) // restore for the handler

		sig := c.GetHeader("X-Signature")
		if sig == "" || !signing.Verify(client.Secret, raw, sig) {
			c.AbortWithStatusJSON(http.StatusUnauthorized, models.APIError{Code: "bad_signature", Message: "invalid request signature"})
			return
		}

		c.Set(CtxClient, client)
		c.Set(CtxRawBody, raw)
		c.Next()
	}
}

func GetClient(c *gin.Context) *models.ClientApp {
	v, _ := c.Get(CtxClient)
	cl, _ := v.(*models.ClientApp)
	return cl
}