// Package http hosts the chi-based REST handlers for the control
// plane. The Server type owns the router, the handlers, and the
// graceful-shutdown lifecycle.
package http

import (
	"context"
	"errors"
	stdhttp "net/http"
	"time"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware"

	"gitea.dcglab.co.uk/steve/restic-manager/internal/crypto"
	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/config"
	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ui"
	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ws"
	"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
)

// Deps bundles every collaborator the HTTP server depends on. Wired up
// in cmd/server; tests pass a pared-down Deps with fakes.
type Deps struct {
	Cfg   config.Config
	Store *store.Store
	AEAD  *crypto.AEAD
	Hub   *ws.Hub
	UI    *ui.Renderer
	// Version is the binary's build version, surfaced in the chrome.
	// Empty falls back to "dev".
	Version string
	// BootstrapToken (optional, populated only on first run) is the raw
	// admin-bootstrap token printed in the server logs. While set, the
	// /bootstrap endpoint accepts it to create the first admin user.
	BootstrapToken string
}

// Server is the running HTTP server.
type Server struct {
	srv  *stdhttp.Server
	deps Deps
}

// New builds a configured but not-yet-started server.
func New(deps Deps) *Server {
	r := chi.NewRouter()

	// Built-in middleware: request ID for log correlation, recovery
	// (don't crash the process on a panic in a handler), realIP iff a
	// trusted proxy is configured.
	r.Use(middleware.RequestID)
	r.Use(middleware.Recoverer)
	r.Use(requestLogger)

	// Health endpoint — unauthenticated, no audit, deliberately cheap.
	r.Get("/healthz", func(w stdhttp.ResponseWriter, _ *stdhttp.Request) {
		w.WriteHeader(stdhttp.StatusNoContent)
	})

	s := &Server{deps: deps}
	s.routes(r)

	s.srv = &stdhttp.Server{
		Addr:              deps.Cfg.Listen,
		Handler:           r,
		ReadHeaderTimeout: 10 * time.Second,
		IdleTimeout:       60 * time.Second,
		// Long write timeout — WS upgrades and live log streams need it.
		WriteTimeout: 0,
	}
	return s
}

// routes wires the API tree. Subtrees live in this file by area so a
// reader can scan one place and see the surface.
func (s *Server) routes(r chi.Router) {
	r.Route("/api", func(r chi.Router) {
		r.Post("/auth/login", s.handleLogin)
		r.Post("/auth/logout", s.handleLogout)
		r.Post("/bootstrap", s.handleBootstrap)

		// Agent enrollment (open endpoint — token is the credential).
		r.Post("/agents/enroll", s.handleAgentEnroll)

		// Operator → server (authenticated). Spec.md §6.1's
		// /hosts/{id}/enrollment-token (regenerate) lands when the
		// host page can call it; for now just the create endpoint.
		r.Post("/enrollment-tokens", s.handleCreateEnrollmentToken)

		// Fleet read endpoints — back the dashboard.
		r.Get("/hosts", s.handleListHosts)
		r.Get("/fleet/summary", s.handleFleetSummary)

		// Run-now: dispatch a job to a host's agent.
		r.Post("/hosts/{id}/jobs", s.handleRunNow)

		// Snapshot projection (refreshed by the agent after each backup).
		r.Get("/hosts/{id}/snapshots", s.handleListHostSnapshots)

		// Repo credentials — operator can edit after enrollment. The
		// initial set is supplied at token-mint time (see enrollment.go).
		// GET returns a redacted view (URL, username, has_password).
		r.Get("/hosts/{id}/repo-credentials", s.handleGetHostCredentials)
		r.Put("/hosts/{id}/repo-credentials", s.handleSetHostCredentials)
	})

	// Agent ↔ server WebSocket. Bearer-authenticated inside the handler.
	if s.deps.Hub != nil {
		r.Mount("/ws/agent", ws.AgentHandler(ws.HandlerDeps{
			Hub:     s.deps.Hub,
			Store:   s.deps.Store,
			OnHello: s.onAgentHello,
		}))
	}

	// Agent binaries + install scripts. Open endpoints — content is
	// unprivileged on its own, gating happens via the enrollment
	// token. See agent_assets.go.
	r.Get("/agent/binary", s.handleAgentBinary)
	r.Get("/install/*", s.handleInstallAsset)

	// Static assets (Tailwind CSS bundle, future favicon).
	r.Mount("/static/", staticHandler())

	// HTML UI. The renderer is required — fail loud if the binary
	// was built without templates (impossible in practice given
	// embed, but guards bad test wiring).
	if s.deps.UI != nil {
		r.Get("/", s.handleUIDashboard)
		r.Get("/login", s.handleUILoginGet)
		r.Post("/login", s.handleUILoginPost)
		r.Post("/logout", s.handleUILogoutPost)
		// HTMX action endpoint for "Run now" buttons on the dashboard.
		r.Post("/hosts/{id}/run-backup", s.handleUIRunBackup)
	}
}

// Start begins listening. Blocks until ListenAndServe returns
// (typically only on Shutdown). The server is HTTP-only by design;
// production deployments terminate TLS at a reverse proxy in front.
func (s *Server) Start() error {
	err := s.srv.ListenAndServe()
	if errors.Is(err, stdhttp.ErrServerClosed) {
		return nil
	}
	return err
}

// Shutdown stops accepting new connections and waits up to ctx.Deadline
// for in-flight handlers to finish.
func (s *Server) Shutdown(ctx context.Context) error {
	return s.srv.Shutdown(ctx)
}

// Addr returns the configured listen address. Useful in tests when
// the caller passes :0 to get a random port.
func (s *Server) Addr() string { return s.srv.Addr }