const jwt      = require('jsonwebtoken');
const db       = require('../db/db');
const registry = require('../permissions/registry');

/* ── Default values for role_permissions — sourced from central registry ── */
const PERM_DEFAULTS = registry.buildDefaultsMap();

function authMiddleware(req, res, next) {
  const header = req.headers.authorization;
  if (!header || !header.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Unauthorized' });
  }

  const token = header.slice(7);
  try {
    const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
    // Re-fetch role + token_version from DB so changes take effect immediately
    const fresh = db.prepare('SELECT role, token_version, is_banned FROM users WHERE id = ?').get(payload.id);
    if (!fresh) return res.status(401).json({ error: 'User not found' });
    if (fresh.is_banned) return res.status(403).json({ error: 'Аккаунт заблокирован' });
    // Invalidate tokens issued before password change / role change.
    // If DB has token_version set, token MUST carry matching tv.
    // (payload.tv === undefined means old token without version — also revoke)
    if (fresh.token_version != null && payload.tv !== fresh.token_version) {
      return res.status(401).json({ error: 'Token revoked — please log in again' });
    }
    req.user = { ...payload, role: fresh.role };
    next();
  } catch {
    res.status(401).json({ error: 'Token invalid or expired' });
  }
}

function requireRole(...roles) {
  return (req, res, next) => {
    if (!roles.includes(req.user?.role)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    next();
  };
}

/* ── Check permission; user override → role override → hardcoded default ── */
function requirePermission(key) {
  return (req, res, next) => {
    if (req.user?.role === 'admin') return next();
    const role = req.user?.role;
    const uid  = req.user?.id;
    if (!role) return res.status(401).json({ error: 'Unauthorized' });

    // 1. User-level override
    const userRow = db.prepare(
      'SELECT enabled FROM user_permissions WHERE user_id = ? AND permission = ?'
    ).get(uid, key);
    if (userRow !== undefined) {
      return userRow.enabled === 1 ? next() : res.status(403).json({ error: 'Permission denied' });
    }

    // 2. Role-level
    const roleRow = db.prepare(
      'SELECT enabled FROM role_permissions WHERE role = ? AND permission = ?'
    ).get(role, key);
    const enabled = roleRow !== undefined ? roleRow.enabled === 1 : (PERM_DEFAULTS[role]?.[key] ?? false);
    if (enabled) return next();
    return res.status(403).json({ error: 'Permission denied' });
  };
}

/* ── Parent link JWT auth (separate from user auth) ───────────────────── */
function parentAuth(req, res, next) {
  const header = req.headers.authorization;
  if (!header || !header.startsWith('Bearer '))
    return res.status(401).json({ error: 'Unauthorized' });

  const token = header.slice(7);
  try {
    const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
    if (payload.type !== 'parent')
      return res.status(401).json({ error: 'Invalid token type' });

    const link = db.prepare(
      'SELECT id, student_id, is_active, expires_at FROM parent_links WHERE id = ?'
    ).get(payload.linkId);
    if (!link || !link.is_active)
      return res.status(401).json({ error: 'Link revoked' });
    if (link.expires_at && new Date(link.expires_at) < new Date())
      return res.status(401).json({ error: 'Link expired' });

    req.parent = { linkId: link.id, studentId: link.student_id };
    next();
  } catch {
    res.status(401).json({ error: 'Token invalid or expired' });
  }
}

/* Alias: requireAuth = authMiddleware */
const requireAuth = authMiddleware;

/**
 * perm(key) — ergonomic alias for requirePermission(key).
 * Throws at module-load time if `key` is not in the registry,
 * so typos are caught at startup rather than at runtime.
 */
function perm(key) {
  if (!registry.isKnown(key)) {
    throw new Error(`[auth] Unknown permission key: "${key}". Add it to backend/src/permissions/registry.js`);
  }
  return requirePermission(key);
}

/* optionalAuth: попытаться установить req.user, но не блокировать при отсутствии токена */
function optionalAuth(req, res, next) {
  const header = req.headers.authorization || '';
  if (!header.startsWith('Bearer ')) return next();
  const token = header.slice(7);
  try {
    const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
    const fresh = db.prepare('SELECT role, token_version, is_banned FROM users WHERE id = ?').get(payload.id);
    if (fresh && !fresh.is_banned) {
      if (fresh.token_version == null || payload.tv === fresh.token_version) {
        req.user = { ...payload, role: fresh.role };
      }
    }
  } catch {}
  next();
}

module.exports = { authMiddleware, requireAuth, optionalAuth, requireRole, requirePermission, perm, parentAuth };