// setup_handler.go — public landing page for the user-setup link
// emitted by the admin's "+ Add user" / "Regenerate setup link" flow.
//
// Routes (wired in server.go):
//
//	GET  /setup   → handleUISetupGet
//	POST /setup   → handleUISetupPost  (lands in Task D2)
//
// The token in the querystring (`?token=<raw>`) is the credential.
// Auth middleware does not run on these routes.
package http

import (
	"crypto/sha256"
	"encoding/hex"
	"log/slog"
	stdhttp "net/http"
	"time"

	"github.com/oklog/ulid/v2"

	"gitea.dcglab.co.uk/steve/restic-manager/internal/auth"
	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ui"
	"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
)

type setupPage struct {
	Username string
	Token    string // round-tripped to the POST form
	Error    string // displayed when password validation fails or token is invalid
}

// hashSetupToken is the canonical hashing for setup tokens. Must
// match what the admin handler uses when SetSetupToken is called,
// so the digest at rest matches what GET /setup hashes.
func hashSetupToken(raw string) string {
	h := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(h[:])
}

func (s *Server) handleUISetupGet(w stdhttp.ResponseWriter, r *stdhttp.Request) {
	raw := r.URL.Query().Get("token")
	if raw == "" {
		s.renderSetupExpired(w, r)
		return
	}
	tok, err := s.deps.Store.LookupSetupToken(r.Context(), hashSetupToken(raw))
	if err != nil {
		s.renderSetupExpired(w, r)
		return
	}
	if tok.ExpiresAt.Before(time.Now().UTC()) {
		s.renderSetupExpired(w, r)
		return
	}
	u, err := s.deps.Store.GetUserByID(r.Context(), tok.UserID)
	if err != nil {
		s.renderSetupExpired(w, r)
		return
	}
	view := s.baseView(r, nil)
	view.Title = "Set your password · restic-manager"
	view.Page = setupPage{Username: u.Username, Token: raw}
	if err := s.deps.UI.Render(w, "setup", view); err != nil {
		slog.Error("ui setup: render", "err", err)
	}
}

func (s *Server) renderSetupExpired(w stdhttp.ResponseWriter, r *stdhttp.Request) {
	w.WriteHeader(stdhttp.StatusGone)
	view := s.baseView(r, nil)
	view.Title = "Link expired · restic-manager"
	view.Page = setupPage{Error: "expired"}
	_ = s.deps.UI.Render(w, "setup", view)
	_ = ui.User{} // keep ui import alive
}

func (s *Server) handleUISetupPost(w stdhttp.ResponseWriter, r *stdhttp.Request) {
	if err := r.ParseForm(); err != nil {
		stdhttp.Error(w, "bad request", stdhttp.StatusBadRequest)
		return
	}
	raw := r.PostForm.Get("token")
	pw := r.PostForm.Get("password")
	pw2 := r.PostForm.Get("password_confirm")

	if raw == "" {
		s.renderSetupExpired(w, r)
		return
	}
	if pw == "" || pw2 == "" || pw != pw2 || len(pw) < 12 {
		s.renderSetupForm(w, r, raw, "Passwords must match and be at least 12 characters.")
		return
	}

	tok, err := s.deps.Store.LookupSetupToken(r.Context(), hashSetupToken(raw))
	if err != nil || tok.ExpiresAt.Before(time.Now().UTC()) {
		s.renderSetupExpired(w, r)
		return
	}
	u, err := s.deps.Store.GetUserByID(r.Context(), tok.UserID)
	if err != nil {
		s.renderSetupExpired(w, r)
		return
	}

	hash, err := auth.HashPassword(pw)
	if err != nil {
		slog.Error("setup: hash password", "err", err)
		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
		return
	}
	if err := s.deps.Store.SetPasswordHash(r.Context(), u.ID, hash); err != nil {
		slog.Error("setup: set password", "err", err)
		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
		return
	}
	if err := s.deps.Store.DeleteSetupToken(r.Context(), u.ID); err != nil {
		slog.Warn("setup: delete token", "err", err)
		// Non-fatal — password is set, audit will reflect it.
	}

	// Drop a session cookie so the user lands authenticated on /.
	rawSession, err := auth.NewToken()
	if err != nil {
		slog.Error("setup: session token", "err", err)
		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
		return
	}
	hashed := auth.HashToken(rawSession)
	now := time.Now().UTC()
	if err := s.deps.Store.CreateSession(r.Context(), store.Session{
		ID: hashed, UserID: u.ID, CreatedAt: now,
		ExpiresAt: now.Add(8 * time.Hour),
	}, hashed); err != nil {
		slog.Error("setup: create session", "err", err)
		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
		return
	}
	stdhttp.SetCookie(w, &stdhttp.Cookie{
		Name: sessionCookieName, Value: rawSession,
		Path: "/", HttpOnly: true,
		SameSite: stdhttp.SameSiteLaxMode,
		Secure:   s.deps.Cfg.CookieSecure,
		Expires:  now.Add(8 * time.Hour),
	})
	// Record the login so the users-list "Last login" column shows
	// the moment they completed setup (the regular /login path does
	// the same; we'd otherwise leave the row showing "never").
	_ = s.deps.Store.MarkUserLogin(r.Context(), u.ID, now)
	_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
		ID:         ulid.Make().String(),
		UserID:     &u.ID,
		Actor:      "user",
		Action:     "user.setup_completed",
		TargetKind: ptr("user"),
		TargetID:   &u.ID,
		TS:         now,
	})
	stdhttp.Redirect(w, r, "/", stdhttp.StatusSeeOther)
}

// renderSetupForm re-renders the setup page with an inline error
// (e.g. password mismatch). 200 OK with the form intact so the user
// can correct without losing the token.
func (s *Server) renderSetupForm(w stdhttp.ResponseWriter, r *stdhttp.Request, token, errMsg string) {
	view := s.baseView(r, nil)
	view.Title = "Set your password · restic-manager"
	username := ""
	if tok, err := s.deps.Store.LookupSetupToken(r.Context(), hashSetupToken(token)); err == nil {
		if u, err := s.deps.Store.GetUserByID(r.Context(), tok.UserID); err == nil {
			username = u.Username
		}
	}
	view.Page = setupPage{Username: username, Token: token, Error: errMsg}
	_ = s.deps.UI.Render(w, "setup", view)
}