const express = require('express');
const { renewCSRFToken } = require('../../csrf-protection');
const { ValidationError, AuthenticationError } = require('../../errors');

module.exports = function({ authManager, asyncHandler, errorResponse, log }) {
  const router = express.Router();
/**
 * Auth TOTP routes factory
 * @param {Object} deps - Explicit dependencies
 * @param {Object} deps.authManager - Auth manager
 * @param {Function} deps.asyncHandler - Async route handler wrapper
 * @param {Function} deps.errorResponse - Error response helper
 * @param {Object} deps.log - Logger instance
 * @returns {express.Router}
 */

  // Get current TOTP config (public route)
  router.get('/totp/config', asyncHandler(async (req, res) => {
    res.json({
      success: true,
      config: {
        enabled: ctx.totpConfig.enabled,
        sessionDuration: ctx.totpConfig.sessionDuration,
        isSetUp: ctx.totpConfig.isSetUp
      }
    });
  }, 'totp-config-get'));

  // Generate new TOTP secret + QR code
  router.post('/totp/setup', asyncHandler(async (req, res) => {
    const { authenticator } = require('otplib');
    const QRCode = require('qrcode');

    // Accept user-provided secret or generate a new one
    let secret;
    if (req.body && req.body.secret) {
      secret = req.body.secret.replace(/\s/g, '').toUpperCase();
      // Normalize common Base32 confusions: 0→O, 1→L, 8→B
      secret = secret.replace(/0/g, 'O').replace(/1/g, 'L').replace(/8/g, 'B');
      if (!/^[A-Z2-7]{16,}$/.test(secret)) {
        throw new ValidationError('Invalid secret key format. Must be a Base32 string (letters A-Z and digits 2-7).', 'secret');
      }
    } else {
      secret = authenticator.generateSecret();
    }
    await ctx.credentialManager.store('totp.pending_secret', secret);

    const otpauth = authenticator.keyuri('user', 'DashCaddy', secret);
    const qrDataUrl = await QRCode.toDataURL(otpauth, {
      width: 256, margin: 2,
      color: { dark: '#ffffff', light: '#00000000' }
    });

    res.json({ success: true, qrCode: qrDataUrl, manualKey: secret, issuer: 'DashCaddy', imported: !!req.body?.secret });
  }, 'totp-setup'));

  // Verify first code to confirm setup, then activate TOTP
  router.post('/totp/verify-setup', asyncHandler(async (req, res) => {
    const { authenticator } = require('otplib');
    const { code } = req.body;

    if (!code || !/^\d{6}$/.test(code)) {
      throw new ValidationError('Invalid code format', 'code');
    }

    const pendingSecret = await ctx.credentialManager.retrieve('totp.pending_secret');
    if (!pendingSecret) {
      throw new ValidationError('No pending TOTP setup. Call /api/totp/setup first.');
    }

    authenticator.options = { window: 1 };
    if (!authenticator.verify({ token: code, secret: pendingSecret })) {
      throw new AuthenticationError('[DC-111] Invalid code. Please try again.');
    }

    // Promote pending secret to active
    await ctx.credentialManager.store('totp.secret', pendingSecret);
    await ctx.credentialManager.delete('totp.pending_secret');

    ctx.totpConfig.isSetUp = true;
    ctx.totpConfig.enabled = true;
    if (ctx.totpConfig.sessionDuration === 'never') {
      ctx.totpConfig.sessionDuration = '24h';
    }
    await ctx.saveTotpConfig();

    // Set session so user doesn't get locked out immediately
    ctx.session.create(req, ctx.totpConfig.sessionDuration);
    ctx.session.setCookie(res, ctx.totpConfig.sessionDuration);

    res.json({ success: true, message: 'TOTP enabled successfully', sessionDuration: ctx.totpConfig.sessionDuration });
  }, 'totp-verify-setup'));

  // Login: verify TOTP code and set session cookie
  router.post('/totp/verify', asyncHandler(async (req, res) => {
    const { authenticator } = require('otplib');
    const { code } = req.body;

    if (!code || !/^\d{6}$/.test(code)) {
      throw new ValidationError('Invalid code format', 'code');
    }

    if (!ctx.totpConfig.enabled || !ctx.totpConfig.isSetUp) {
      throw new ValidationError('TOTP is not enabled');
    }

    const secret = await ctx.credentialManager.retrieve('totp.secret');
    if (!secret) {
      throw new Error('TOTP secret not found');
    }

    authenticator.options = { window: 1 };
    if (!authenticator.verify({ token: code, secret })) {
      throw new AuthenticationError('[DC-111] Invalid code');
    }

    log.info('auth', 'TOTP verified, creating session', { ip: ctx.session.getClientIP(req), duration: ctx.totpConfig.sessionDuration });
    ctx.session.create(req, ctx.totpConfig.sessionDuration);
    ctx.session.setCookie(res, ctx.totpConfig.sessionDuration);

    // Rotate CSRF token for the new session
    const newCsrfToken = renewCSRFToken(res, req.secure || req.protocol === 'https');

    log.debug('auth', 'Session created', { sessions: ctx.session.ipSessions.size });
    res.json({ success: true, message: 'Authenticated successfully', sessionDuration: ctx.totpConfig.sessionDuration, csrfToken: newCsrfToken });
  }, 'totp-verify'));

  // Check session validity (used by Caddy forward_auth)
  router.get('/totp/check-session', asyncHandler(async (req, res) => {
    // Never cache session checks — stale cached 200s cause auth loops
    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
    res.setHeader('Pragma', 'no-cache');

    if (!ctx.totpConfig.enabled || ctx.totpConfig.sessionDuration === 'never') {
      return res.status(200).json({ authenticated: true });
    }

    const valid = ctx.session.isValid(req);
    log.debug('auth', 'Session check', { ip: ctx.session.getClientIP(req), valid, sessions: ctx.session.ipSessions.size });
    if (valid) {
      return res.status(200).json({ authenticated: true });
    }

    throw new AuthenticationError('Session expired or invalid');
  }, 'totp-check-session'));

  // Disable TOTP
  router.post('/totp/disable', asyncHandler(async (req, res) => {
    const { code } = req.body;

    // Always require a valid TOTP code when TOTP is active
    if (ctx.totpConfig.enabled && ctx.totpConfig.isSetUp) {
      if (!code || !/^\d{6}$/.test(code)) {
        throw new ValidationError('A valid TOTP code is required to disable TOTP', 'code');
      }
      const { authenticator } = require('otplib');
      const secret = await ctx.credentialManager.retrieve('totp.secret');
      if (secret) {
        authenticator.options = { window: 1 };
        if (!authenticator.verify({ token: code, secret })) {
          throw new AuthenticationError('[DC-111] Invalid code');
        }
      }
    }

    await ctx.credentialManager.delete('totp.secret');
    await ctx.credentialManager.delete('totp.pending_secret');

    ctx.totpConfig.enabled = false;
    ctx.totpConfig.isSetUp = false;
    ctx.totpConfig.sessionDuration = 'never';
    delete ctx.totpConfig.secret; // Remove backup
    await ctx.saveTotpConfig();

    ctx.session.clear(req);
    ctx.session.clearCookie(res);
    res.json({ success: true, message: 'TOTP disabled' });
  }, 'totp-disable'));

  // Update TOTP settings (session duration)
  router.post('/totp/config', asyncHandler(async (req, res) => {
    const { sessionDuration } = req.body;

    if (sessionDuration && !ctx.session.durations.hasOwnProperty(sessionDuration)) {
      throw new ValidationError(`Invalid session duration. Valid options: ${Object.keys(ctx.session.durations).join(', ')}`, 'sessionDuration');
    }

    if (sessionDuration) {
      ctx.totpConfig.sessionDuration = sessionDuration;
      if (sessionDuration === 'never') {
        ctx.totpConfig.enabled = false;
      }
    }

    await ctx.saveTotpConfig();
    res.json({
      success: true,
      config: { enabled: ctx.totpConfig.enabled, sessionDuration: ctx.totpConfig.sessionDuration, isSetUp: ctx.totpConfig.isSetUp }
    });
  }, 'totp-config'));

  return router;
};