package tokens

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"server/internal/config"

	"time"

	"github.com/gofiber/fiber/v3"
	"github.com/golang-jwt/jwt/v5"
)

type TockenService struct {
	cfg           config.AuthConfig
	secret        []byte
	accessExpiry  time.Duration
	refreshExpiry time.Duration
}

type Claims struct {
	ID           string `json:"id"`
	Impersonator string `json:"impersonator,omitempty"`
	Permission   uint   `json:"permission"`
	TokenType    string `json:"type"`
	jwt.RegisteredClaims
}

// Typescript: interface
type TokenPair struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
}

const (
	TokenTypeAccess  = "access"
	TokenTypeRefresh = "refresh"
)

var Tockens *TockenService

func GetTockenService() (*TockenService, error) {
	if Tockens == nil {
		cfg, err := config.GetConfig()
		if err != nil {
			return nil, err
		}
		Tockens, err = NewTockenService(cfg.Auth)
		if err != nil {
			return nil, err
		}
	}
	return Tockens, nil
}

func NewTockenService(cfg config.AuthConfig) (*TockenService, error) {
	if cfg.Secret == "" {
		return nil, errors.New("jwt secret is required")
	}
	if cfg.AccessTokenExpiryMinutes <= 0 {
		return nil, errors.New("access token expiry must be positive")
	}
	if cfg.RefreshTokenExpiryMinutes <= 0 {
		return nil, errors.New("refresh token expiry must be positive")
	}

	return &TockenService{
		cfg:           cfg,
		secret:        []byte(cfg.Secret),
		accessExpiry:  time.Duration(cfg.AccessTokenExpiryMinutes) * time.Minute,
		refreshExpiry: time.Duration(cfg.RefreshTokenExpiryMinutes) * time.Minute,
	}, nil
}

func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

func HashToken(token string) string {
	return hashToken(token)
}

func (s *TockenService) GenerateTokenPair(id string, permission uint) (TokenPair, error) {
	access, err := s.GenerateToken(id, permission, TokenTypeAccess, s.accessExpiry)
	if err != nil {
		return TokenPair{}, err
	}

	refresh, err := s.GenerateToken(id, permission, TokenTypeRefresh, s.refreshExpiry)
	if err != nil {
		return TokenPair{}, err
	}

	return TokenPair{
		AccessToken:  access,
		RefreshToken: refresh,
	}, nil
}

func (s *TockenService) AccessExpiry() time.Duration {
	return s.accessExpiry
}

func (s *TockenService) RefreshExpiry() time.Duration {
	return s.refreshExpiry
}

func (s *TockenService) Refresh(refreshToken string) (TokenPair, error) {
	claims, err := s.ParseToken(refreshToken)
	if err != nil {
		return TokenPair{}, err
	}
	if claims.TokenType != TokenTypeRefresh {
		return TokenPair{}, errors.New("refresh token required")
	}
	return s.GenerateTokenPair(claims.ID, claims.Permission)
}

func (s *TockenService) ValidateToken(tokenString string) (*Claims, error) {
	claims, err := s.ParseToken(tokenString)
	if err != nil {
		return nil, err
	}
	if claims.TokenType != TokenTypeAccess {
		return nil, errors.New("access token required")
	}
	return claims, nil
}

func ClaimsFromCtx(c fiber.Ctx) (*Claims, bool) {
	val := c.Locals("authClaims")
	if val == nil {
		return nil, false
	}
	claims, ok := val.(*Claims)
	return claims, ok
}

func (s *TockenService) ParseToken(tokenString string) (*Claims, error) {
	claims := &Claims{}
	token, err := jwt.ParseWithClaims(tokenString, claims, func(t *jwt.Token) (interface{}, error) {
		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fiber.ErrUnauthorized
		}
		return s.secret, nil
	})
	if err != nil || !token.Valid {
		return nil, errors.New("invalid or expired token")
	}
	if s.cfg.Issuer != "" && claims.Issuer != "" && claims.Issuer != s.cfg.Issuer {
		return nil, errors.New("invalid token issuer")
	}

	return claims, nil
}

func (s *TockenService) GenerateToken(id string, permission uint, tokenType string, expiry time.Duration) (string, error) {

	claims := Claims{
		ID:           id,
		Impersonator: "",
		Permission:   permission,
		TokenType:    tokenType,
		RegisteredClaims: jwt.RegisteredClaims{
			Issuer:    s.cfg.Issuer,
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
		},
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	return token.SignedString(s.secret)
}

func (s *TockenService) ValidateAccessToken(tokenString string) (*Claims, error) {
	claims, err := s.ParseToken(tokenString)
	if err != nil {
		return nil, err
	}
	if claims.TokenType != TokenTypeAccess {
		return nil, errors.New("access token required")
	}
	return claims, nil
}

func (s *TockenService) GenerateSecureToken() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}