import crypto from 'node:crypto'
import {
  getCustomerById,
  getCustomerByPhone,
  getCustomerByGoogleSub,
  getCustomerByAppleSub,
  createAnonymousCustomerV2,
  createCustomerWithIdentity,
  upgradeCustomerIdentity,
  stampAccountBelongsTo,
} from './customer.service.js'
import {
  getMitraByPhone,
  getMitraById,
  createMitra,
} from './mitra.service.js'
import {
  getCcUserByEmail,
  getCcUserById,
  incrementCcUserFailedLogin,
  resetCcUserFailedLogin,
} from './cc-user.service.js'
import { verifyGoogleIdToken, verifyAppleIdToken } from './social-identity.service.js'
import { verifyPassword } from './password.service.js'
import { issueTokens, refreshTokens as rotateRefresh, revokeSession } from './token.service.js'
import { getCcLoginLockoutConfig } from './config.service.js'
import { UserType } from '../constants.js'

const generateAnonymousDisplayName = () => {
  const n = crypto.randomInt(1000, 10000)
  return `Teman Anonim #${n}`
}

export class AuthError extends Error {
  constructor(message, code, statusCode) {
    super(message)
    this.code = code
    this.statusCode = statusCode
  }
}

// Phase 4 §2.1 — shared identity-resolution path used by phone/Google/Apple
// sign-ins. Three branches:
//
//   1. existing identity row + anon prefix points at a different row
//      → stamp `account_belongs_to` on the anon row and return the existing
//        row. The anon row stays intact so its prior chat_sessions /
//        customer_transactions FKs remain valid; reconciliation onto the
//        existing customer is replayable later via the breadcrumb.
//   2. existing identity row (no anon, or anon id == existing.id)
//      → return existing as-is.
//   3. no existing row + anon prefix
//      → upgrade the anon row in place (set identity fields, preserve
//        display_name etc. via COALESCE).
//   4. no existing row + no anon
//      → create a fresh identified customer with display_name=null (client
//        routes to the set-display-name screen).
//
// `identityFields` is the set of columns added by either upgrade or create
// (phone, google_sub+email, apple_sub+email). display_name=null is appended
// automatically for the create case.
const resolveCustomerForIdentity = async ({ existing, anonymousCustomerId, identityFields }) => {
  if (existing) {
    if (anonymousCustomerId && existing.id !== anonymousCustomerId) {
      await stampAccountBelongsTo(anonymousCustomerId, existing.id)
    }
    return existing
  }
  if (anonymousCustomerId) {
    return await upgradeCustomerIdentity(anonymousCustomerId, identityFields)
  }
  return await createCustomerWithIdentity({ ...identityFields, display_name: null })
}

// --- Anonymous ---

export const signInAnonymous = async ({ deviceInfo } = {}) => {
  const customer = await createAnonymousCustomerV2({
    display_name: generateAnonymousDisplayName(),
  })
  const tokens = await issueTokens({
    userType: UserType.CUSTOMER,
    userId: customer.id,
    deviceInfo,
  })
  return { tokens, profile: customer }
}

// --- Phone OTP — Customer (Phase 4 §2.1 merge breadcrumb) ---
export const completeCustomerPhoneSignIn = async ({ phone, anonymousCustomerId, deviceInfo }) => {
  const existing = await getCustomerByPhone(phone)
  const customer = await resolveCustomerForIdentity({
    existing,
    anonymousCustomerId,
    identityFields: { phone },
  })
  const tokens = await issueTokens({
    userType: UserType.CUSTOMER,
    userId: customer.id,
    deviceInfo,
  })
  return { tokens, profile: customer }
}

// --- Phone OTP — Mitra ---

export const completeMitraPhoneSignIn = async ({ phone, deviceInfo }) => {
  let mitra = await getMitraByPhone(phone)
  if (!mitra) {
    mitra = await createMitra({ phone, display_name: phone })
  }
  const tokens = await issueTokens({
    userType: UserType.MITRA,
    userId: mitra.id,
    deviceInfo,
  })
  return { tokens, profile: mitra }
}

// --- Google (customer only) — Phase 4 §2.1 merge breadcrumb ---
//
// We don't pull display_name from Google; the anon's display_name is
// preserved via upgradeCustomerIdentity's COALESCE.
export const signInWithGoogle = async ({ idToken, anonymousCustomerId, deviceInfo }) => {
  const google = await verifyGoogleIdToken(idToken)
  const existing = await getCustomerByGoogleSub(google.sub)
  const customer = await resolveCustomerForIdentity({
    existing,
    anonymousCustomerId,
    identityFields: { google_sub: google.sub, email: google.email },
  })
  const tokens = await issueTokens({
    userType: UserType.CUSTOMER,
    userId: customer.id,
    deviceInfo,
  })
  return { tokens, profile: customer }
}

// --- Apple (customer only) — Phase 4 §2.1 merge breadcrumb ---

export const signInWithApple = async ({ idToken, anonymousCustomerId, deviceInfo }) => {
  const apple = await verifyAppleIdToken(idToken)
  const existing = await getCustomerByAppleSub(apple.sub)
  const customer = await resolveCustomerForIdentity({
    existing,
    anonymousCustomerId,
    identityFields: { apple_sub: apple.sub, email: apple.email },
  })
  const tokens = await issueTokens({
    userType: UserType.CUSTOMER,
    userId: customer.id,
    deviceInfo,
  })
  return { tokens, profile: customer }
}

// --- Control center email/password ---

export const signInCcUser = async ({ email, password, deviceInfo }) => {
  const user = await getCcUserByEmail(email)
  // Constant-time response — same branch for "not found" vs "wrong password" OR lockout
  if (!user) {
    throw new AuthError('Invalid credentials', 'INVALID_CREDENTIALS', 401)
  }

  // Lockout check
  if (user.lockout_until && new Date(user.lockout_until) > new Date()) {
    throw new AuthError(
      `Account locked until ${user.lockout_until}. Try again later.`,
      'ACCOUNT_LOCKED', 423,
    )
  }

  const ok = await verifyPassword(password, user.password_hash)
  if (!ok) {
    const { max_attempts, lockout_minutes } = await getCcLoginLockoutConfig()
    await incrementCcUserFailedLogin(user.id, lockout_minutes, max_attempts)
    throw new AuthError('Invalid credentials', 'INVALID_CREDENTIALS', 401)
  }

  await resetCcUserFailedLogin(user.id)

  const tokens = await issueTokens({
    userType: UserType.CC_USER,
    userId: user.id,
    deviceInfo,
  })
  return {
    tokens,
    profile: {
      id: user.id,
      email: user.email,
      display_name: user.display_name,
      role: user.role,
    },
  }
}

// --- Refresh ---

export const refreshTokens = async ({ refreshToken, deviceInfo }) => {
  const result = await rotateRefresh({ refreshToken, deviceInfo })
  let profile = null
  if (result.user_type === UserType.CUSTOMER) {
    profile = await getCustomerById(result.user_id)
  } else if (result.user_type === UserType.MITRA) {
    profile = await getMitraById(result.user_id)
  } else if (result.user_type === UserType.CC_USER) {
    const ccUser = await getCcUserById(result.user_id)
    profile = ccUser ? {
      id: ccUser.id,
      email: ccUser.email,
      display_name: ccUser.display_name,
      role: ccUser.role,
    } : null
  }
  return { tokens: result, profile }
}

// --- Logout ---

export const logout = async ({ sessionId }) => {
  if (!sessionId) return
  await revokeSession(sessionId)
}