const crypto = require('crypto');
const router = require('express').Router();
const bcrypt = require('bcryptjs');
const jwt = require('jsonwebtoken');
const { OAuth2Client } = require('google-auth-library');
const User = require('../models/User');
const verify = require('../utils/verifyToken');
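// Google ID-token verifier; the same client ID is passed as `audience` when a token is checked.
const client = new OAuth2Client(process.env.GOOGLE_CLIENT_ID);
// In-memory OTP store keyed by email (Use Redis for production scaling).
// Null-prototype object so inherited keys such as "constructor" or "__proto__"
// can never be read back as if they were a stored OTP. Entries are only removed
// when /signup/verify succeeds — there is no expiry and no size bound, so
// repeated initiate requests grow this map without limit.
const otpStore = Object.create(null);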
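// 1. INITIATE SIGNUP (Send OTP)
// Body: { email }. Records an OTP for the address and replies 200 when the
// address is not yet registered. Nothing in this route actually emails the
// OTP; the value is only placed in otpStore.
router.post('/signup/initiate', async (req, res) => {
  try {
    const { email } = req.body;
    // Only accept a plain, non-empty string: anything else would be handed
    // straight to the Mongoose query and then used as the otpStore key
    // (an object stringifies to "[object Object]").
    if (typeof email !== 'string' || email.length === 0) {
      return res.status(400).send("Invalid email");
    }
    // Check if user already exists.
    // NOTE(review): this reply tells the caller which addresses are
    // registered; keep it only if that is acceptable for the product.
    const userExists = await User.findOne({ email });
    if (userExists) return res.status(400).send("Email already registered. Please Login.");
    // Generate OTP (Fixed to 111111 for testing as requested)
    // FIXME: a constant OTP lets anyone complete signup for any address.
    // Before this route is reachable from the internet, generate it with
    // crypto.randomInt(0, 1e6) zero-padded to 6 digits and deliver it by email.
    const otp = "111111";
    // Store OTP. The 10-minute expiry mentioned in the design is not
    // implemented: the entry lives until /signup/verify deletes it.
    otpStore[email] = otp;
    // console.log(`[OTP] Sent to ${email}: ${otp}`); // Uncomment for debug
    res.send({ message: "OTP sent to email" });
  } catch (err) {
    // Keep the cause server-side; the client only sees a generic 500.
    console.error('signup/initiate failed:', err);
    res.status(500).send("Server Error");
  }
});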
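// 2. VERIFY OTP & CREATE ACCOUNT
// Body: { name, email, password, referral_code, otp, termsAccepted }.
// Consumes the OTP recorded by /signup/initiate, creates the user and replies
// with a login token.
router.post('/signup/verify', async (req, res) => {
  try {
    const { name, email, password, referral_code, otp, termsAccepted } = req.body;
    if (!termsAccepted) return res.status(400).send("You must accept Terms & Conditions");
    // Reject non-string credentials up front: a non-string email would be
    // looked up under the key "[object Object]", and bcrypt.hash throws on a
    // non-string password (previously surfacing as a 500).
    if (
      typeof email !== 'string' ||
      typeof otp !== 'string' ||
      typeof password !== 'string' ||
      password.length === 0
    ) {
      return res.status(400).send("Invalid signup data");
    }
    // Validate OTP.
    // NOTE(review): there is no attempt counter or expiry on the stored code,
    // so a 6-digit OTP can be brute-forced by repeated requests unless the
    // route is rate limited upstream.
    if (!otpStore[email] || otpStore[email] !== otp) {
      return res.status(400).send("Invalid or Expired OTP");
    }
    // The address may have been registered (e.g. through /google) between
    // initiate and verify; re-check so a second account is not created (or
    // the save does not fail on a unique index and surface as a 500).
    if (await User.findOne({ email })) {
      delete otpStore[email];
      return res.status(400).send("Email already registered. Please Login.");
    }
    // Hash Password
    const salt = await bcrypt.genSalt(10);
    const hashedPassword = await bcrypt.hash(password, salt);
    // Generate My Referral Code: 6 characters from [0-9A-Z], drawn from the
    // CSPRNG rather than Math.random() so codes are not predictable from
    // earlier ones (and always exactly 6 long).
    const ALPHABET = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    const myReferralCode = Array.from(
      { length: 6 },
      () => ALPHABET[crypto.randomInt(ALPHABET.length)],
    ).join('');
    const user = new User({
      name,
      email,
      password: hashedPassword,
      referral_code: myReferralCode,
      // Only a non-empty string is accepted as a referrer; anything else is
      // recorded as "no referrer" instead of being stored verbatim.
      referred_by: typeof referral_code === 'string' && referral_code ? referral_code : null,
      kyc_status: true, // Storing consent as initial KYC step
    });
    await user.save();
    // Cleanup OTP so it cannot be replayed.
    delete otpStore[email];
    // Auto Login.
    // NOTE(review): no expiresIn is set, so this token never expires and
    // cannot be revoked server-side.
    const token = jwt.sign({ _id: user._id, role: user.role }, process.env.JWT_SECRET);
    res.send({ token, name: user.name, upi: user.upi_id });
  } catch (err) {
    // Keep the cause server-side; the client only sees a generic 500.
    console.error('signup/verify failed:', err);
    res.status(500).send("Signup Failed");
  }
});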
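// 3. LOGIN (Email + Password only)
// Body: { email, password }. Replies with a JWT plus display name and UPI id.
router.post('/login', async (req, res) => {
  try {
    const { email, password } = req.body;
    // Both must be plain strings: a non-string email would be passed straight
    // into the query, and bcrypt.compare throws on a non-string password
    // (previously a 500 rather than a 400).
    if (typeof email !== 'string' || typeof password !== 'string') {
      return res.status(400).send("Email and password are required");
    }
    // Check User
    // NOTE(review): the distinct "Email not found" / "Invalid Password"
    // replies let a caller enumerate registered addresses; a single
    // "Invalid email or password" message avoids that if the client can cope.
    const user = await User.findOne({ email });
    if (!user) return res.status(400).send("Email not found");
    // Check Password
    const validPass = await bcrypt.compare(password, user.password);
    if (!validPass) return res.status(400).send("Invalid Password");
    // Issue Token.
    // NOTE(review): no expiresIn is set, so this token never expires.
    const token = jwt.sign({ _id: user._id, role: user.role }, process.env.JWT_SECRET);
    res.send({ token, name: user.name, upi: user.upi_id });
  } catch (err) {
    // Keep the cause server-side; the client only sees a generic 500.
    console.error('login failed:', err);
    res.status(500).send("Login Failed");
  }
});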
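// 4. GOOGLE AUTH (Smart Handling)
// Body: { token (Google ID token), referral_code, termsAccepted }.
// Verifies the ID token, creates the account on first sign-in (consent
// required) and replies with an app JWT either way.
router.post('/google', async (req, res) => {
  try {
    const { token, referral_code, termsAccepted } = req.body;
    if (typeof token !== 'string' || token.length === 0) {
      return res.status(400).send("Google Auth Failed");
    }
    const ticket = await client.verifyIdToken({
      idToken: token,
      audience: process.env.GOOGLE_CLIENT_ID,
    });
    const payload = ticket.getPayload();
    const { name, email } = payload;
    // The lookup below links the Google identity to an existing account by
    // email alone, so only accept addresses Google reports as verified;
    // otherwise a Google account carrying someone else's unverified address
    // would be signed in as that user.
    if (!email || payload.email_verified !== true) {
      return res.status(400).send("Google account email is not verified");
    }
    let user = await User.findOne({ email });
    // IF NEW USER: Require Consent
    if (!user) {
      if (!termsAccepted) return res.status(400).send("Please tick the Terms & Conditions box to Register.");
      // Random placeholder stored as the account's password hash. It is never
      // shown to the user, so draw it from the CSPRNG rather than Math.random().
      const randomPassword = crypto.randomBytes(24).toString('base64');
      const salt = await bcrypt.genSalt(10);
      const hashedPassword = await bcrypt.hash(randomPassword, salt);
      // Referral code: 6 characters from [0-9A-Z], CSPRNG-backed.
      const ALPHABET = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
      const myReferralCode = Array.from(
        { length: 6 },
        () => ALPHABET[crypto.randomInt(ALPHABET.length)],
      ).join('');
      user = new User({
        name,
        email,
        password: hashedPassword,
        referral_code: myReferralCode,
        referred_by: typeof referral_code === 'string' && referral_code ? referral_code : null,
        kyc_status: true,
      });
      await user.save();
    }
    // NOTE(review): the payload's `sub` (Google's stable account id) is not
    // stored; persisting it would keep the link intact if the Google-side
    // email ever changes.
    const jwtToken = jwt.sign({ _id: user._id, role: user.role }, process.env.JWT_SECRET);
    res.send({ token: jwtToken, name: user.name, upi: user.upi_id });
  } catch (err) {
    // Token verification failures and DB errors both land here; log the cause.
    console.error('google auth failed:', err);
    res.status(400).send("Google Auth Failed");
  }
});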
// 5. LOGOUT
// Touches no server-side state: nothing here invalidates the issued JWT, so
// "logging out" amounts to the client discarding its token.
router.post('/logout', async (_req, res) => {
  try {
    res.json({ message: "Logged Out" });
  } catch (_err) {
    res.status(500).send("Logout Failed");
  }
});
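// GET CURRENT USER DETAILS (Protected)
// `verify` must populate req.user._id from the bearer token before this runs.
router.get('/me', verify, async (req, res) => {
  try {
    // Find user by ID (exclude password for security)
    const user = await User.findById(req.user._id).select('-password');
    if (!user) return res.status(404).send("User not found");
    res.json(user);
  } catch (err) {
    // Previously discarded, which made 500s from this route undiagnosable.
    console.error('/me failed:', err);
    res.status(500).send("Server Error");
  }
});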
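// UPDATE UPI ID (Protected)
// Body: { upi_id }. Stores the caller's UPI id after a minimal format check.
router.post('/update-upi', verify, async (req, res) => {
  try {
    const { upi_id } = req.body;
    // Must be a non-empty string containing '@'. The type check matters: an
    // array such as ["@"] also satisfies .includes('@') and would have passed.
    if (typeof upi_id !== 'string' || upi_id.length === 0 || !upi_id.includes('@')) {
      return res.status(400).send("Invalid UPI ID");
    }
    await User.findByIdAndUpdate(req.user._id, { upi_id });
    res.send("UPI updated");
  } catch (err) {
    // Without this, a rejected update has no handler; Express versions that
    // do not forward async rejections would leave the request hanging.
    console.error('update-upi failed:', err);
    res.status(500).send("Server Error");
  }
});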
// Exports the configured router for the application to mount.
module.exports = router;