package handlers

import (
	"log/slog"
	"net/http"

	"golang.org/x/crypto/bcrypt"

	"qbank/internal/auth"
	"qbank/internal/db"
)

type AuthHandler struct {
	auth   *auth.Manager
	repo   *db.Repo
	render *Renderer
}

func NewAuthHandler(a *auth.Manager, repo *db.Repo, r *Renderer) *AuthHandler {
	return &AuthHandler{auth: a, repo: repo, render: r}
}

func (h *AuthHandler) LoginGet(w http.ResponseWriter, r *http.Request) {
	h.render.Render(w, http.StatusOK, "login", map[string]any{
		"CSRFToken": h.auth.CSRFToken(r),
	})
}

func (h *AuthHandler) LoginPost(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, 4096)

	if !h.auth.CheckCSRF(r) {
		HTTPError(w, http.StatusForbidden)
		return
	}

	username := r.FormValue("username")
	password := r.FormValue("password")

	user, err := h.repo.GetUserByName(username)
	if err != nil || bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(password)) != nil {
		slog.Info("login failed", "username", username)
		h.render.Render(w, http.StatusUnauthorized, "login", map[string]any{
			"CSRFToken": h.auth.CSRFToken(r),
			"Error":     "Invalid username or password.",
		})
		return
	}

	h.auth.SetUser(r, user.ID, user.Name)
	http.Redirect(w, r, "/", http.StatusSeeOther)
}

func (h *AuthHandler) Logout(w http.ResponseWriter, r *http.Request) {
	if !h.auth.CheckCSRF(r) {
		HTTPError(w, http.StatusForbidden)
		return
	}
	if err := h.auth.ClearUser(r); err != nil {
		slog.Error("logout", "err", err)
	}
	http.Redirect(w, r, "/login", http.StatusSeeOther)
}