use axum::{
    extract::State,
    http::{HeaderMap, StatusCode},
    Json,
};
use std::net::IpAddr;
use serde::{Deserialize, Serialize};

use crate::{
    app_state::AppState,
    AuthClaims,
    jwt_auth::{self, AuthenticatedUser, TokenPair},
};

#[derive(Debug, Deserialize)]
pub struct LoginRequest {
    pub login: String,
    pub password: String,
}

#[derive(Debug, Deserialize)]
pub struct RefreshRequest {
    pub refresh_token: String,
}

#[derive(Debug, Deserialize)]
pub struct BootstrapRequest {
    pub email: String,
    pub username: String,
    pub display_name: String,
    pub password: String,
}

#[derive(Debug, Serialize)]
pub struct AuthResponse {
    pub user: AuthenticatedUser,
    pub tokens: TokenPair,
}

fn extract_client_ip(headers: &HeaderMap) -> Option<String> {
    let forwarded = headers
        .get("x-forwarded-for")
        .and_then(|value| value.to_str().ok())
        .or_else(|| headers.get("x-real-ip").and_then(|value| value.to_str().ok()))?;

    let first = forwarded.split(',').next()?.trim();
    if first.is_empty() {
        return None;
    }

    if let Ok(ip) = first.parse::<IpAddr>() {
        return Some(ip.to_string());
    }

    if first.starts_with('[') {
        if let Some(end) = first.find(']') {
            let candidate = &first[1..end];
            if let Ok(ip) = candidate.parse::<IpAddr>() {
                return Some(ip.to_string());
            }
        }
        return None;
    }

    if let Some((host, _port)) = first.rsplit_once(':') {
        if let Ok(ip) = host.parse::<IpAddr>() {
            return Some(ip.to_string());
        }
    }

    None
}

pub async fn bootstrap(
    State(state): State<AppState>,
    headers: HeaderMap,
    Json(req): Json<BootstrapRequest>,
) -> Result<Json<AuthResponse>, (StatusCode, Json<serde_json::Value>)> {
    let pool = state
        .postgres
        .as_ref()
        .ok_or_else(|| error(StatusCode::SERVICE_UNAVAILABLE, "PostgreSQL nav pieejams"))?;
    let user = jwt_auth::bootstrap_admin(
        pool,
        &state.settings,
        &req.email,
        &req.username,
        &req.display_name,
        &req.password,
    )
    .await
    .map_err(|e| error(StatusCode::BAD_REQUEST, &e.to_string()))?;
    let client_ip = extract_client_ip(&headers);
    let tokens = jwt_auth::issue_token_pair(
        pool,
        &state.settings,
        &user,
        client_ip.as_deref(),
        headers.get("user-agent").and_then(|value| value.to_str().ok()),
    )
    .await
    .map_err(|e| error(StatusCode::INTERNAL_SERVER_ERROR, &e.to_string()))?;
    Ok(Json(AuthResponse { user, tokens }))
}

pub async fn login(
    State(state): State<AppState>,
    headers: HeaderMap,
    Json(req): Json<LoginRequest>,
) -> Result<Json<AuthResponse>, (StatusCode, Json<serde_json::Value>)> {
    let pool = state
        .postgres
        .as_ref()
        .ok_or_else(|| error(StatusCode::SERVICE_UNAVAILABLE, "PostgreSQL nav pieejams"))?;
    let user = jwt_auth::authenticate_user(pool, &state.settings, &req.login, &req.password)
        .await
        .map_err(|e| error(StatusCode::UNAUTHORIZED, &e.to_string()))?;
    let client_ip = extract_client_ip(&headers);
    let tokens = jwt_auth::issue_token_pair(
        pool,
        &state.settings,
        &user,
        client_ip.as_deref(),
        headers.get("user-agent").and_then(|value| value.to_str().ok()),
    )
    .await
    .map_err(|e| error(StatusCode::INTERNAL_SERVER_ERROR, &e.to_string()))?;
    Ok(Json(AuthResponse { user, tokens }))
}

pub async fn refresh(
    State(state): State<AppState>,
    headers: HeaderMap,
    Json(req): Json<RefreshRequest>,
) -> Result<Json<AuthResponse>, (StatusCode, Json<serde_json::Value>)> {
    let pool = state
        .postgres
        .as_ref()
        .ok_or_else(|| error(StatusCode::SERVICE_UNAVAILABLE, "PostgreSQL nav pieejams"))?;
    let client_ip = extract_client_ip(&headers);
    let tokens = jwt_auth::refresh_token_pair(
        pool,
        &state.settings,
        &req.refresh_token,
        client_ip.as_deref(),
        headers.get("user-agent").and_then(|value| value.to_str().ok()),
    )
    .await
    .map_err(|e| error(StatusCode::UNAUTHORIZED, &e.to_string()))?;
    let claims = jwt_auth::verify_access_token(&state.settings, &tokens.access_token)
        .map_err(|e| error(StatusCode::UNAUTHORIZED, &e.to_string()))?;
    let user = jwt_auth::load_user_from_claims(pool, &state.settings, &claims)
        .await
        .map_err(|e| error(StatusCode::UNAUTHORIZED, &e.to_string()))?;
    Ok(Json(AuthResponse { user, tokens }))
}

pub async fn me(
    State(state): State<AppState>,
    claims: axum::extract::Extension<AuthClaims>,
) -> Result<Json<AuthenticatedUser>, (StatusCode, Json<serde_json::Value>)> {
    let pool = state
        .postgres
        .as_ref()
        .ok_or_else(|| error(StatusCode::SERVICE_UNAVAILABLE, "PostgreSQL nav pieejams"))?;
    let user = jwt_auth::load_user_from_claims(pool, &state.settings, &claims.0)
        .await
        .map_err(|e| error(StatusCode::UNAUTHORIZED, &e.to_string()))?;
    Ok(Json(user))
}

pub async fn logout(
    State(state): State<AppState>,
    claims: axum::extract::Extension<AuthClaims>,
) -> Result<StatusCode, (StatusCode, Json<serde_json::Value>)> {
    let pool = state
        .postgres
        .as_ref()
        .ok_or_else(|| error(StatusCode::SERVICE_UNAVAILABLE, "PostgreSQL nav pieejams"))?;
    jwt_auth::revoke_session(pool, &claims.sid)
        .await
        .map_err(|e| error(StatusCode::INTERNAL_SERVER_ERROR, &e.to_string()))?;
    Ok(StatusCode::NO_CONTENT)
}

fn error(status: StatusCode, message: &str) -> (StatusCode, Json<serde_json::Value>) {
    (status, Json(serde_json::json!({ "error": message })))
}