package handler

import (
	"errors"
	"net/http"
	"strings"

	"github.com/gin-gonic/gin"

	"github.com/sundynix/sundynix-gateway/internal/auth"
	"github.com/sundynix/sundynix-gateway/internal/store"
)

// userJSON 是对外的用户视图（绝不含密码哈希）。
func userJSON(u *store.User) gin.H {
	return gin.H{"id": u.ID, "email": u.Email, "name": u.Name}
}

// Register: POST /api/v1/auth/register {email, password, name} —— 注册并签发 JWT。
func (h *Handler) Register(c *gin.Context) {
	var body struct {
		Email    string `json:"email"`
		Password string `json:"password"`
		Name     string `json:"name"`
	}
	if err := c.ShouldBindJSON(&body); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}
	email := strings.TrimSpace(strings.ToLower(body.Email))
	if !strings.Contains(email, "@") || len(body.Password) < 6 {
		c.JSON(http.StatusBadRequest, gin.H{"error": "需合法邮箱且密码至少 6 位"})
		return
	}
	hash, err := auth.HashPassword(body.Password)
	if err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": "密码处理失败"})
		return
	}
	u, err := h.db.CreateUser(c.Request.Context(), email, strings.TrimSpace(body.Name), hash)
	if err != nil {
		if errors.Is(err, store.ErrUserExists) {
			c.JSON(http.StatusConflict, gin.H{"error": "该邮箱已注册"})
			return
		}
		c.JSON(http.StatusBadGateway, gin.H{"error": err.Error()})
		return
	}
	issueToken(c, u)
}

// Login: POST /api/v1/auth/login {email, password} —— 校验并签发 JWT。
func (h *Handler) Login(c *gin.Context) {
	var body struct {
		Email    string `json:"email"`
		Password string `json:"password"`
	}
	if err := c.ShouldBindJSON(&body); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}
	email := strings.TrimSpace(strings.ToLower(body.Email))
	u, err := h.db.GetUserByEmail(c.Request.Context(), email)
	// 用户不存在与密码错误返回同一文案，避免邮箱枚举。
	if err != nil || u == nil || !auth.CheckPassword(u.PasswordHash, body.Password) {
		c.JSON(http.StatusUnauthorized, gin.H{"error": "邮箱或密码错误"})
		return
	}
	issueToken(c, u)
}

// Me: GET /api/v1/auth/me —— 返回当前登录用户（无有效令牌则 401）。
func (h *Handler) Me(c *gin.Context) {
	uid := userID(c)
	if uid == "" || uid == "anonymous" {
		c.JSON(http.StatusUnauthorized, gin.H{"error": "未登录"})
		return
	}
	u, err := h.db.GetUserByID(c.Request.Context(), uid)
	if err != nil || u == nil {
		c.JSON(http.StatusUnauthorized, gin.H{"error": "未登录"})
		return
	}
	c.JSON(http.StatusOK, gin.H{"user": userJSON(u)})
}

// issueToken 为用户签发 JWT 并返回 {token, user}。
func issueToken(c *gin.Context, u *store.User) {
	token, err := auth.Issue(u.ID)
	if err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": "签发令牌失败"})
		return
	}
	c.JSON(http.StatusOK, gin.H{"token": token, "user": userJSON(u)})
}