//! Logout and token revocation endpoints

use axum::{
    extract::{Request, State, Path},
    http::{StatusCode, HeaderMap},
    Json,
};
use uuid::Uuid;
use serde::Serialize;
use tracing::{info, warn};

use crate::auth::AuthenticatedUser;
use crate::AppState;

use super::auth::ErrorResponse;

/// Extract JWT token from Authorization header
fn extract_token_from_headers(headers: &HeaderMap) -> Result<String, (StatusCode, Json<ErrorResponse>)> {
    let auth_header = headers
        .get("Authorization")
        .and_then(|v| v.to_str().ok())
        .ok_or_else(|| {
            (
                StatusCode::UNAUTHORIZED,
                Json(ErrorResponse {
                    error: "Missing Authorization header".to_string(),
                }),
            )
        })?;

    let token = auth_header
        .strip_prefix("Bearer ")
        .ok_or_else(|| {
            (
                StatusCode::UNAUTHORIZED,
                Json(ErrorResponse {
                    error: "Invalid Authorization format".to_string(),
                }),
            )
        })?;

    Ok(token.to_string())
}

/// Logout response
#[derive(Debug, Serialize)]
pub struct LogoutResponse {
    pub message: String,
}

/// POST /api/auth/logout - Revoke current token (logout)
///
/// Adds the user's current JWT token to the blacklist, effectively logging them out.
/// The token will no longer be valid for any requests.
pub async fn logout(
    State(state): State<AppState>,
    user: AuthenticatedUser,
    request: Request,
) -> Result<Json<LogoutResponse>, (StatusCode, Json<ErrorResponse>)> {
    // Extract token from headers
    let token = extract_token_from_headers(request.headers())?;

    // Add token to blacklist
    state.token_blacklist.revoke(&token).await;

    info!("User {} logged out (token revoked)", user.username);

    Ok(Json(LogoutResponse {
        message: "Logged out successfully".to_string(),
    }))
}

/// POST /api/auth/revoke-token - Revoke own token (same as logout)
///
/// Alias for logout endpoint for consistency with revocation terminology.
pub async fn revoke_own_token(
    State(state): State<AppState>,
    user: AuthenticatedUser,
    request: Request,
) -> Result<Json<LogoutResponse>, (StatusCode, Json<ErrorResponse>)> {
    logout(State(state), user, request).await
}

/// Revoke user request
#[derive(Debug, serde::Deserialize)]
pub struct RevokeUserRequest {
    pub user_id: Uuid,
}

/// POST /api/auth/admin/revoke-user - Admin endpoint to revoke all tokens for a user
///
/// WARNING: This currently only revokes the admin's own token as a demonstration.
/// Full implementation would require:
/// 1. Session tracking table to store active JWT tokens
/// 2. Query to find all tokens for the target user
/// 3. Add all found tokens to blacklist
///
/// For MVP, we're implementing the foundation but not the full user tracking.
pub async fn revoke_user_tokens(
    State(state): State<AppState>,
    admin: AuthenticatedUser,
    Json(req): Json<RevokeUserRequest>,
) -> Result<Json<LogoutResponse>, (StatusCode, Json<ErrorResponse>)> {
    // Verify admin permission
    if !admin.is_admin() {
        return Err((
            StatusCode::FORBIDDEN,
            Json(ErrorResponse {
                error: "Admin access required".to_string(),
            }),
        ));
    }

    warn!(
        "Admin {} attempted to revoke tokens for user {} - NOT IMPLEMENTED (requires session tracking)",
        admin.username, req.user_id
    );

    // TODO: Implement session tracking
    // 1. Query active_sessions table for all tokens belonging to user_id
    // 2. Add each token to blacklist
    // 3. Delete session records from database

    Err((
        StatusCode::NOT_IMPLEMENTED,
        Json(ErrorResponse {
            error: "User token revocation not yet implemented - requires session tracking table".to_string(),
        }),
    ))
}

/// GET /api/auth/blacklist/stats - Get blacklist statistics (admin only)
///
/// Returns information about the current token blacklist for monitoring.
#[derive(Debug, Serialize)]
pub struct BlacklistStatsResponse {
    pub revoked_tokens_count: usize,
}

pub async fn get_blacklist_stats(
    State(state): State<AppState>,
    admin: AuthenticatedUser,
) -> Result<Json<BlacklistStatsResponse>, (StatusCode, Json<ErrorResponse>)> {
    if !admin.is_admin() {
        return Err((
            StatusCode::FORBIDDEN,
            Json(ErrorResponse {
                error: "Admin access required".to_string(),
            }),
        ));
    }

    let count = state.token_blacklist.len().await;

    Ok(Json(BlacklistStatsResponse {
        revoked_tokens_count: count,
    }))
}

/// POST /api/auth/blacklist/cleanup - Clean up expired tokens from blacklist (admin only)
///
/// Removes expired tokens from the blacklist to prevent memory buildup.
#[derive(Debug, Serialize)]
pub struct CleanupResponse {
    pub removed_count: usize,
    pub remaining_count: usize,
}

pub async fn cleanup_blacklist(
    State(state): State<AppState>,
    admin: AuthenticatedUser,
) -> Result<Json<CleanupResponse>, (StatusCode, Json<ErrorResponse>)> {
    if !admin.is_admin() {
        return Err((
            StatusCode::FORBIDDEN,
            Json(ErrorResponse {
                error: "Admin access required".to_string(),
            }),
        ));
    }

    let removed = state.token_blacklist.cleanup_expired(&state.jwt_config).await;
    let remaining = state.token_blacklist.len().await;

    info!("Admin {} cleaned up blacklist: {} tokens removed, {} remaining", admin.username, removed, remaining);

    Ok(Json(CleanupResponse {
        removed_count: removed,
        remaining_count: remaining,
    }))
}