package auth

import (
	"errors"
	"strings"
	"time"

	"github.com/gofiber/fiber/v3"
	"github.com/golang-jwt/jwt/v5"
)

type Config struct {
	Secret             string
	Issuer             string
	AccessTokenExpiry  time.Duration
	RefreshTokenExpiry time.Duration
}

type Service struct {
	cfg           Config
	secret        []byte
	accessExpiry  time.Duration
	refreshExpiry time.Duration
}

type Claims struct {
	Username  string `json:"username"`
	TokenType string `json:"type"`
	jwt.RegisteredClaims
}

// Typescript: interface
type TokenPair struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
}

const (
	tokenTypeAccess  = "access"
	tokenTypeRefresh = "refresh"
)

func New(cfg Config) (*Service, error) {
	if cfg.Secret == "" {
		return nil, errors.New("jwt secret is required")
	}
	if cfg.AccessTokenExpiry <= 0 {
		return nil, errors.New("access token expiry must be positive")
	}
	if cfg.RefreshTokenExpiry <= 0 {
		return nil, errors.New("refresh token expiry must be positive")
	}

	return &Service{
		cfg:           cfg,
		secret:        []byte(cfg.Secret),
		accessExpiry:  cfg.AccessTokenExpiry,
		refreshExpiry: cfg.RefreshTokenExpiry,
	}, nil
}

func (s *Service) GenerateTokenPair(username string) (TokenPair, error) {
	access, err := s.generateToken(username, tokenTypeAccess, s.accessExpiry)
	if err != nil {
		return TokenPair{}, err
	}

	refresh, err := s.generateToken(username, tokenTypeRefresh, s.refreshExpiry)
	if err != nil {
		return TokenPair{}, err
	}

	return TokenPair{
		AccessToken:  access,
		RefreshToken: refresh,
	}, nil
}

// AccessExpiry returns the configured access token lifetime.
func (s *Service) AccessExpiry() time.Duration {
	return s.accessExpiry
}

// RefreshExpiry returns the configured refresh token lifetime.
func (s *Service) RefreshExpiry() time.Duration {
	return s.refreshExpiry
}

func (s *Service) Middleware() fiber.Handler {
	return func(c fiber.Ctx) error {
		tokenString := c.Get("Auth-Token")
		if tokenString == "" {
			return fiber.NewError(fiber.StatusUnauthorized, "missing token header")
		}

		claims, err := s.parseToken(tokenString)
		if err != nil {
			return fiber.NewError(fiber.StatusUnauthorized, err.Error())
		}
		if claims.TokenType != tokenTypeAccess {
			return fiber.NewError(fiber.StatusUnauthorized, "access token required")
		}

		c.Locals("authClaims", claims)
		return c.Next()
	}
}

func (s *Service) Refresh(refreshToken string) (TokenPair, error) {
	claims, err := s.parseToken(refreshToken)
	if err != nil {
		return TokenPair{}, err
	}
	if claims.TokenType != tokenTypeRefresh {
		return TokenPair{}, errors.New("refresh token required")
	}
	return s.GenerateTokenPair(claims.Username)
}

// ValidateAccessToken parses and validates an access token string, ensuring type=access.
func (s *Service) ValidateAccessToken(tokenString string) (*Claims, error) {
	claims, err := s.parseToken(tokenString)
	if err != nil {
		return nil, err
	}
	if claims.TokenType != tokenTypeAccess {
		return nil, errors.New("access token required")
	}
	return claims, nil
}

func (s *Service) parseToken(tokenString string) (*Claims, error) {
	claims := &Claims{}
	token, err := jwt.ParseWithClaims(tokenString, claims, func(t *jwt.Token) (interface{}, error) {
		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fiber.ErrUnauthorized
		}
		return s.secret, nil
	})
	if err != nil || !token.Valid {
		return nil, errors.New("invalid or expired token")
	}
	if s.cfg.Issuer != "" && claims.Issuer != "" && claims.Issuer != s.cfg.Issuer {
		return nil, errors.New("invalid token issuer")
	}

	return claims, nil
}

func (s *Service) generateToken(username, tokenType string, expiry time.Duration) (string, error) {
	claims := Claims{
		Username:  username,
		TokenType: tokenType,
		RegisteredClaims: jwt.RegisteredClaims{
			Issuer:    s.cfg.Issuer,
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
		},
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	return token.SignedString(s.secret)
}

func bearerToken(header string) (string, error) {
	if header == "" {
		return "", errors.New("missing Auth-Token header")
	}
	if !strings.HasPrefix(header, "Bearer ") {
		return "", errors.New("invalid Authorization header format")
	}

	token := strings.TrimSpace(strings.TrimPrefix(header, "Bearer "))
	if token == "" {
		return "", errors.New("empty bearer token")
	}
	return token, nil
}

func ClaimsFromCtx(c fiber.Ctx) (*Claims, bool) {
	val := c.Locals("authClaims")
	if val == nil {
		return nil, false
	}
	claims, ok := val.(*Claims)
	return claims, ok
}