<?php

declare(strict_types=1);

namespace SHServ\Controllers;

use GNexus\GAuth\DTO\TokenSet;
use SHServ\Integrations\GAuth\AuthControllerTrait;
use SHServ\Integrations\GAuth\AuthService;
use SHServ\Integrations\GAuth\PermissionResolver;
use SHServ\Integrations\GAuth\Store\DbTokenStore;
use SHServ\Integrations\GAuth\UserResolver;

class AuthController extends \SHServ\Middleware\Controller
{
    use AuthControllerTrait;

    private function logAuth(string $msg): void
    {
        $path = dirname(__DIR__, 2) . '/Logs/gauth_debug.log';
        @file_put_contents($path, date('Y-m-d H:i:s') . ' ' . $msg . "\n", FILE_APPEND | LOCK_EX);
    }

    /**
     * GET /auth/login
     * Redirect user to gnexus-auth authorization page.
     */
    public function login()
    {
        $this->logAuth('login() called');
        $service = new AuthService();
        $returnTo = $_GET['return_to'] ?? '/';
        $url = $service->buildLoginUrl($returnTo);
        $this->logAuth("login() redirect to: {$url}");
        return $this->utils()->redirect($url);
    }

    /**
     * GET /auth/callback
     * Handle OAuth callback from gnexus-auth.
     */
    public function callback()
    {
        if (session_status() === PHP_SESSION_NONE) {
            @session_start();
        }

        $this->logAuth('callback() called');
        try {
            $code = isset($_GET['code']) ? (string) $_GET['code'] : '';
            $state = isset($_GET['state']) ? (string) $_GET['state'] : '';

            $this->logAuth("callback() code={$code}, state={$state}");

            if ($code === '' || $state === '') {
                $this->logAuth('callback() empty code/state');
                return $this->utils()->response_error('invalid_callback');
            }

            $service = new AuthService();
            $this->logAuth('callback() AuthService created');

            try {
                $user = $service->handleCallback($code, $state);
                $this->logAuth('callback() handleCallback OK, userId=' . $user->userId);
            } catch (\GNexus\GAuth\Exception\GAuthException $e) {
                $this->logAuth('callback() GAuthException: ' . $e->getMessage());
                return $this->utils()->response_error('auth_failed', [], ['message' => $e->getMessage()]);
            } catch (\Throwable $e) {
                $this->logAuth('callback() Throwable in handleCallback: ' . get_class($e) . ' - ' . $e->getMessage());
                throw $e;
            }

            $resolver = new UserResolver();
            $this->logAuth('callback() UserResolver created');

            try {
                $localUserId = $resolver->resolve($user);
                $this->logAuth('callback() resolve OK, localUserId=' . $localUserId);
            } catch (\Throwable $e) {
                $this->logAuth('callback() Throwable in resolve: ' . get_class($e) . ' - ' . $e->getMessage());
                throw $e;
            }

            $_SESSION['shserv_user_id'] = $localUserId;

            // Persist tokens to DB now that we have the local user ID
            $sessionToken = $_SESSION['shserv_auth_token'] ?? null;
            $tokenData = $_SESSION['shserv_last_token_set'] ?? null;
            if ($sessionToken && $tokenData) {
                $expiresAt = $tokenData['expires_at'] ? new \DateTimeImmutable($tokenData['expires_at']) : null;
                $tokenSet = new TokenSet(
                    accessToken: $tokenData['access_token'],
                    refreshToken: $tokenData['refresh_token'] ?? null,
                    tokenType: $tokenData['token_type'] ?? 'Bearer',
                    expiresIn: $expiresAt ? (int) $expiresAt->format('U') - time() : 0,
                    expiresAt: $expiresAt,
                );
                $dbStore = new DbTokenStore(app()->thin_builder);
                $dbStore->put($sessionToken, $tokenSet, $localUserId);
                unset($_SESSION['shserv_last_token_set']);
                $this->logAuth('callback() DbTokenStore->put() OK');
            }

            // Redirect back to app
            $context = $_SESSION['gauth_state'][$state]['context'] ?? [];
            $returnTo = $context['return_to'] ?? '/';
            $this->logAuth("callback() redirect to: {$returnTo}");
            return $this->utils()->redirect($returnTo);
        } catch (\Throwable $e) {
            $this->logAuth('callback() UNCAUGHT Throwable: ' . get_class($e) . ' - ' . $e->getMessage());
            $this->logAuth('callback() Stack: ' . str_replace("\n", ' | ', $e->getTraceAsString()));
            throw $e;
        }
    }

    /**
     * POST /auth/logout
     */
    public function logout()
    {
        $service = new AuthService();
        $service->logout();
        return $this->utils()->response_success();
    }

    /**
     * GET /auth/me
     * Return current authenticated user + effective permissions.
     */
    public function me()
    {
        $user = $this->get_current_user();
        if (!$user) {
            return $this->utils()->response_error('not_found_any_sessions', [], [], 401);
        }

        $permissions = $this->get_current_permissions();

        return $this->utils()->response_success([
            'user' => [
                'id' => $user['id'],
                'gauth_user_id' => $user['gauth_user_id'],
                'email' => $user['email'],
                'display_name' => $user['display_name'],
                'avatar_url' => $user['avatar_url'],
                'system_role' => $user['system_role'],
                'status' => $user['status'],
            ],
            'permissions' => $permissions,
        ]);
    }

    /**
     * POST /auth/refresh
     * Refresh access token using stored refresh token.
     */
    public function refresh()
    {
        $sessionToken = $_SESSION['shserv_auth_token'] ?? null;
        if (!$sessionToken) {
            return $this->utils()->response_error('not_found_any_sessions', [], [], 401);
        }

        $service = new AuthService();
        $tokenSet = $service->refreshAccessToken($sessionToken);

        if (!$tokenSet) {
            return $this->utils()->response_error('session_expired', [], [], 401);
        }

        return $this->utils()->response_success([
            'access_token' => $tokenSet->accessToken,
            'expires_in' => $tokenSet->expiresIn,
        ]);
    }
}