// server.js
require('dotenv').config();

const fs = require('fs');
const fsp = require('fs/promises');
const path = require('path');
const jsonServer = require('json-server');
const jwt = require('jsonwebtoken');
const bcrypt = require('bcrypt');

const scanPhoto = require('./scanner/scanPhoto.js');
const { WEB_ROOT, INDEX_PATH } = require('./config');

const SECRET_KEY = process.env.JWT_SECRET || '123456789';
const EXPIRES_IN = process.env.JWT_EXPIRES || '1h';
const PORT = process.env.SERVER_PORT || 4000;

const server = jsonServer.create();

// -----------------------------------------------------
// STATIC FILES
// -----------------------------------------------------
server.use(
  jsonServer.defaults({
    static: path.join(__dirname, '../public'),
  })
);

// -----------------------------------------------------
// CONFIG ENDPOINT (PUBBLICO)
// -----------------------------------------------------
server.get('/config', (req, res) => {
  res.json({
    baseUrl: process.env.BASE_URL,
    pathFull: process.env.PATH_FULL,
  });
});

// -----------------------------------------------------
// ROUTER DB
// -----------------------------------------------------
let router;
if (fs.existsSync('./api_v1/db.json')) {
  router = jsonServer.router('./api_v1/db.json');
} else {
  const initialData = fs.readFileSync('api_v1/initialDB.json', 'utf8');
  fs.writeFileSync('api_v1/db.json', initialData);
  router = jsonServer.router('./api_v1/db.json');
}

// -----------------------------------------------------
// USERS DB
// -----------------------------------------------------
const userdb = JSON.parse(fs.readFileSync('./api_v1/users.json', 'utf-8'));
server.use(jsonServer.bodyParser);

// -----------------------------------------------------
// JWT HELPERS
// -----------------------------------------------------
function createToken(payload) {
  return jwt.sign(payload, SECRET_KEY, { expiresIn: EXPIRES_IN });
}

const denylist = new Map();

function addToDenylist(token) {
  try {
    const decoded = jwt.decode(token);
    const exp = decoded?.exp || Math.floor(Date.now() / 1000) + 60;
    denylist.set(token, exp);
  } catch {
    denylist.set(token, Math.floor(Date.now() / 1000) + 60);
  }
}

function isRevoked(token) {
  const exp = denylist.get(token);
  if (!exp) return false;
  if (exp * 1000 < Date.now()) {
    denylist.delete(token);
    return false;
  }
  return true;
}

function verifyToken(token) {
  return jwt.verify(token, SECRET_KEY);
}

function isAuthenticated({ email, password }) {
  return (
    userdb.users.findIndex(
      (user) => user.email === email && bcrypt.compareSync(password, user.password)
    ) !== -1
  );
}

// -----------------------------------------------------
// RESET DB (utility interna usata da /initDB)
// -----------------------------------------------------
function resetDB() {
  const initialData = fs.readFileSync('api_v1/initialDB.json', 'utf8');
  fs.writeFileSync('api_v1/db.json', initialData);
  router.db.setState(JSON.parse(initialData));
  console.log('DB resettato');
}

// -----------------------------------------------------
// HOME
// -----------------------------------------------------
server.get('/', (req, res) => {
  res.sendFile(path.resolve('public/index.html'));
});

// -----------------------------------------------------
// LOGIN (PUBBLICO)
// -----------------------------------------------------
server.post('/auth/login', (req, res) => {
  const { email, password } = req.body;
  const user = userdb.users.find((u) => u.email === email);

  if (!user || !bcrypt.compareSync(password, user.password)) {
    return res.status(401).json({ status: 401, message: 'Incorrect email or password' });
  }

  const token = createToken({
    id: user.id,
    email: user.email,
    name: user.name,
  });

  res.status(200).json({
    token,
    name: user.name,
  });
});

// -----------------------------------------------------
// LOGOUT
// -----------------------------------------------------
server.post('/auth/logout', (req, res) => {
  const auth = req.headers.authorization || '';
  const [scheme, token] = auth.split(' ');
  if (scheme === 'Bearer' && token) {
    addToDenylist(token);
  }
  return res.status(204).end();
});

// -----------------------------------------------------
// JWT MIDDLEWARE (tutte le rotte tranne /auth/*)
// -----------------------------------------------------
server.use(/^(?!\/auth).*$/, (req, res, next) => {
  const auth = req.headers.authorization || '';
  const [scheme, token] = auth.split(' ');

  if (scheme !== 'Bearer' || !token) {
    return res.status(401).json({ status: 401, message: 'Bad authorization header' });
  }
  if (isRevoked(token)) {
    return res.status(401).json({ status: 401, message: 'Token revoked' });
  }

  try {
    const decoded = verifyToken(token);
    req.user = decoded;
    next();
  } catch (err) {
    return res
      .status(401)
      .json({ status: 401, message: 'Error: access_token is not valid' });
  }
});

// -----------------------------------------------------
// FILTRO AUTOMATICO PER USER (GET)
// - Non-Admin: forzo user=[<nome>, 'Common'] così vedono anche la Common
// - Admin: vede tutto senza forzature
// -----------------------------------------------------
server.use((req, res, next) => {
  if (req.method === 'GET' && req.user && req.user.name !== 'Admin') {
    const u = req.user.name;
    const q = req.query.user;
    const base = q ? (Array.isArray(q) ? q : [q]) : [];
    req.query.user = Array.from(new Set([...base, u, 'Common']));
  }
  next();
});

// -----------------------------------------------------
// SCAN FOTO
// - Admin: scansiona tutti gli utenti + Common
// - Non-Admin: scansiona solo la propria area (NO Common)
// -----------------------------------------------------
server.get('/scan', async (req, res) => {
  try {
    if (req.user && req.user.name === 'Admin') {
      await scanPhoto(undefined, 'Admin');
      return res.send({
        status: 'Scansione completata',
        user: 'Admin',
        scope: 'tutti gli utenti + Common',
      });
    }

    // Non-Admin → solo la sua area (niente Common)
    await scanPhoto(undefined, req.user.name);
    res.send({
      status: 'Scansione completata',
      user: req.user.name,
      scope: 'utente corrente',
    });
  } catch (err) {
    console.error('Errore scan:', err);
    res.status(500).json({ error: 'Errore durante lo scan', details: err.message });
  }
});

// -----------------------------------------------------
// FILE STATICI
// -----------------------------------------------------
server.get('/files', (req, res) => {
  const requested = req.query.file || '';
  const publicDir = path.resolve(path.join(__dirname, '../public'));
  const resolved = path.resolve(publicDir, requested);

  if (!resolved.startsWith(publicDir)) {
    return res.status(400).json({ error: 'Invalid path' });
  }
  if (!fs.existsSync(resolved) || fs.statSync(resolved).isDirectory()) {
    return res.status(404).json({ error: 'Not found' });
  }
  res.sendFile(resolved);
});

// -----------------------------------------------------
// RESET DB MANUALE + rimozione index.json
// -----------------------------------------------------
server.get('/initDB', async (req, res) => {
  try {
    resetDB();

    // <root>/public/photos/index.json  (coerente con indexStore.js)
    const absIndexPath = path.resolve(__dirname, '..', WEB_ROOT, INDEX_PATH);

    try {
      await fsp.unlink(absIndexPath);
      console.log('initDB: index.json rimosso ->', absIndexPath);
    } catch (err) {
      if (err && err.code === 'ENOENT') {
        console.log('initDB: index.json non trovato, niente da cancellare:', absIndexPath);
      } else {
        console.error('initDB: errore cancellando index.json:', err);
      }
    }

    res.json({ status: 'DB resettato', indexRemoved: true, indexPath: absIndexPath });
  } catch (err) {
    console.error('initDB: errore generale:', err);
    res.status(500).json({ status: 'errore', message: err.message });
  }
});

// -----------------------------------------------------
// UPSERT anti-duplicato per /photos (prima del router)
// Se id esiste -> aggiorna; altrimenti crea
// -----------------------------------------------------
server.post('/photos', (req, res, next) => {
  try {
    const id = req.body && req.body.id;
    if (!id) return next();

    const db = router.db; // lowdb instance
    const col = db.get('photos');
    const existing = col.find({ id }).value();

    if (existing) {
      col.find({ id }).assign(req.body).write();
      return res.status(200).json(req.body);
    }
    return next(); // non esiste: crea con il router
  } catch (e) {
    console.error('UPSERT /photos error:', e);
    return res.status(500).json({ error: 'upsert failed' });
  }
});

// -----------------------------------------------------
// ROUTER JSON-SERVER
// -----------------------------------------------------
server.use(router);

// -----------------------------------------------------
// START SERVER
// -----------------------------------------------------
server.listen(PORT, () => {
  console.log(`Auth API server running on port ${PORT} ...`);
});

// Pulizia denylist
setInterval(() => {
  const nowSec = Math.floor(Date.now() / 1000);
  for (const [tok, exp] of denylist.entries()) {
    if (exp < nowSec) denylist.delete(tok);
  }
}, 60 * 1000);