const express = require('express');
const bcrypt = require('bcrypt');
const User = require('../models/User');
const { authenticateToken, generateToken } = require('../middleware/auth');
const { validateAzureToken, hybridAuthenticate } = require('../middleware/azureAuth');

const router = express.Router();

// Global setting for password authentication (stored in memory for now)
let passwordAuthEnabled = true;

// Login endpoint (password-based)
router.post('/login', async (req, res) => {
  try {
    // Check if password authentication is enabled
    if (!passwordAuthEnabled) {
      return res.status(403).json({ message: 'Password authentication is disabled. Please use Azure AD login.' });
    }

    const { email, password } = req.body;

    if (!email || !password) {
      return res.status(400).json({ message: 'Email and password are required' });
    }

    // Find user by email
    const user = await User.findOne({ where: { email: email.toLowerCase() } });
    
    if (!user) {
      return res.status(401).json({ message: 'Invalid credentials' });
    }

    if (!user.isActive) {
      return res.status(401).json({ message: 'Account is disabled' });
    }

    // Verify password
    const validPassword = await bcrypt.compare(password, user.password);
    if (!validPassword) {
      return res.status(401).json({ message: 'Invalid credentials' });
    }

    // Update last login time
    await user.update({ lastLoginAt: new Date() });

    // Generate token
    const token = generateToken(user);

    res.json({
      message: 'Login successful',
      user: {
        id: user.id,
        email: user.email,
        name: user.name,
        role: user.preferences?.role || 'user',
        allowedAgents: user.preferences?.allowedAgents || null
      },
      token
    });
  } catch (error) {
    console.error('Login error:', error);
    res.status(500).json({ message: 'Server error during login' });
  }
});

// Token validation endpoint
router.get('/validate', authenticateToken, async (req, res) => {
  try {
    // User data is already validated and attached by middleware
    res.json({
      user: req.user,
      valid: true
    });
  } catch (error) {
    console.error('Token validation error:', error);
    res.status(500).json({ message: 'Server error during validation' });
  }
});

// Logout endpoint
router.post('/logout', authenticateToken, (req, res) => {
  // In a real application with token blacklisting, you would add the token to a blacklist here
  res.json({ message: 'Logged out successfully' });
});

// Change password endpoint
router.put('/change-password', authenticateToken, async (req, res) => {
  try {
    const { currentPassword, newPassword } = req.body;

    if (!currentPassword || !newPassword) {
      return res.status(400).json({ message: 'Current and new passwords are required' });
    }

    if (newPassword.length < 8) {
      return res.status(400).json({ message: 'New password must be at least 8 characters' });
    }

    const user = await User.findByPk(req.user.id);
    
    // Verify current password
    const validPassword = await bcrypt.compare(currentPassword, user.password);
    if (!validPassword) {
      return res.status(401).json({ message: 'Current password is incorrect' });
    }

    // Hash new password
    const hashedNewPassword = await bcrypt.hash(newPassword, 10);
    
    // Update password
    await user.update({ password: hashedNewPassword });

    res.json({ message: 'Password changed successfully' });
  } catch (error) {
    console.error('Change password error:', error);
    res.status(500).json({ message: 'Server error during password change' });
  }
});

// Register new user (admin only for manual user creation)
router.post('/register', authenticateToken, async (req, res) => {
  try {
    const { email, name, password, role = 'user' } = req.body;

    if (req.user.role !== 'admin') {
      return res.status(403).json({ message: 'Admin privileges required to create users' });
    }

    if (!email || !name || !password) {
      return res.status(400).json({ message: 'Email, name, and password are required' });
    }

    if (password.length < 8) {
      return res.status(400).json({ message: 'Password must be at least 8 characters' });
    }

    // Check if user already exists
    const existingUser = await User.findOne({ where: { email: email.toLowerCase() } });
    if (existingUser) {
      return res.status(409).json({ message: 'User with this email already exists' });
    }

    // Hash password
    const hashedPassword = await bcrypt.hash(password, 10);

    // Create new user with default settings
    const newUser = await User.create({
      email: email.toLowerCase(),
      name,
      password: hashedPassword,
      preferences: {
        theme: 'light',
        notifications: true,
        defaultAssistant: 'creator-bot-push-the-boundaries-of-technology',
        role: role,
        allowedAgents: role === 'admin' ? null : [] // Admin gets all agents, users get none by default
      },
      isActive: true
    });

    res.status(201).json({
      message: 'User created successfully',
      user: {
        id: newUser.id,
        email: newUser.email,
        name: newUser.name,
        role: newUser.preferences?.role || 'user'
      }
    });
  } catch (error) {
    console.error('Register user error:', error);
    res.status(500).json({ message: 'Server error during user registration' });
  }
});

// Azure AD token validation endpoint
router.post('/azure-validate', validateAzureToken, async (req, res) => {
  try {
    // User data is already validated and attached by middleware
    res.json({
      user: req.user,
      valid: true
    });
  } catch (error) {
    console.error('Azure token validation error:', error);
    res.status(500).json({ message: 'Server error during Azure validation' });
  }
});

// Get authentication settings
router.get('/settings', (req, res) => {
  res.json({
    passwordAuthEnabled,
    azureAuthEnabled: true,
    tenantId: 'e519c2e6-bc6d-4fdf-8d9c-923c2f002385',
    clientId: '9079054c-9620-4757-a256-23413042f1ef'
  });
});

// Toggle password authentication (admin only)
router.put('/settings/password-auth', hybridAuthenticate, async (req, res) => {
  try {
    if (req.user.role !== 'admin') {
      return res.status(403).json({ message: 'Admin privileges required' });
    }

    const { enabled } = req.body;
    
    if (typeof enabled !== 'boolean') {
      return res.status(400).json({ message: 'Enabled must be a boolean value' });
    }

    passwordAuthEnabled = enabled;

    res.json({
      message: `Password authentication ${enabled ? 'enabled' : 'disabled'} successfully`,
      passwordAuthEnabled
    });
  } catch (error) {
    console.error('Toggle password auth error:', error);
    res.status(500).json({ message: 'Server error during settings update' });
  }
});

// Get current password auth status (public endpoint)
router.get('/password-enabled', (req, res) => {
  res.json({ enabled: passwordAuthEnabled });
});

module.exports = router;