const express = require('express');
const fs = require('fs');
const { CADDY, REGEX, LIMITS } = require('../constants');

module.exports = function(ctx) {
  const router = express.Router();

  // Get Caddyfile contents
  router.get('/caddyfile', ctx.asyncHandler(async (req, res) => {
    const content = await ctx.caddy.read();
    res.json({ success: true, content });
  }, 'caddyfile-get'));

  // Get current Caddy config (from admin API)
  router.get('/caddy/config', ctx.asyncHandler(async (req, res) => {
    const response = await ctx.fetchT(`${ctx.caddy.adminUrl}/config/`);
    const config = await response.json();
    res.json({ success: true, config });
  }, 'caddy-config'));

  // Reload Caddy configuration via admin API
  router.post('/caddy/reload', ctx.asyncHandler(async (req, res) => {
    const caddyfileContent = await ctx.caddy.read();

    const response = await ctx.fetchT(`${ctx.caddy.adminUrl}/load`, {
      method: 'POST',
      headers: { 'Content-Type': CADDY.CONTENT_TYPE },
      body: caddyfileContent,
    });

    if (!response.ok) {
      const errorText = await response.text();
      ctx.log.error('caddy', 'Caddy reload failed', { error: errorText });
      return ctx.errorResponse(res, 500, '[DC-303] Caddy reload failed. Check server logs for details.');
    }

    res.json({ success: true, message: 'Caddy configuration reloaded successfully' });
  }, 'caddy-reload'));

  // Get Certificate Authorities from Caddyfile
  router.get('/caddy/cas', ctx.asyncHandler(async (req, res) => {
    const content = await ctx.caddy.read();
    const cas = [];

    const pkiRegex = /pki\s*\{([^}]*(?:\{[^}]*\}[^}]*)*)\}/gs;
    let pkiMatch;
    while ((pkiMatch = pkiRegex.exec(content)) !== null) {
      const pkiBlock = pkiMatch[1];
      let caMatch;
      const caBlockRegex = /ca\s+(\S+)\s*\{([^}]*(?:\{[^}]*\}[^}]*)*)\}/gs;
      while ((caMatch = caBlockRegex.exec(pkiBlock)) !== null) {
        const caName = caMatch[1];
        const caBlock = caMatch[2];
        const ca = { id: caName, name: caName, root: {}, intermediate: {} };

        const nameMatch = /name\s+"([^"]+)"/.exec(caBlock);
        if (nameMatch) ca.name = nameMatch[1];

        const rootCnMatch = /root_cn\s+"([^"]+)"/.exec(caBlock);
        const intCnMatch = /intermediate_cn\s+"([^"]+)"/.exec(caBlock);
        if (rootCnMatch) ca.root_cn = rootCnMatch[1];
        if (intCnMatch) ca.intermediate_cn = intCnMatch[1];

        const rootMatch = /root\s*\{([^}]*)\}/s.exec(caBlock);
        if (rootMatch) {
          const rootBlock = rootMatch[1];
          const certMatch = /cert\s+(\S+)/.exec(rootBlock);
          const keyMatch = /key\s+(\S+)/.exec(rootBlock);
          if (certMatch) ca.root.cert = certMatch[1];
          if (keyMatch) ca.root.key = keyMatch[1];
        }

        const intMatch = /intermediate\s*\{([^}]*)\}/s.exec(caBlock);
        if (intMatch) {
          const intBlock = intMatch[1];
          const certMatch = /cert\s+(\S+)/.exec(intBlock);
          const keyMatch = /key\s+(\S+)/.exec(intBlock);
          if (certMatch) ca.intermediate.cert = certMatch[1];
          if (keyMatch) ca.intermediate.key = keyMatch[1];
        }

        cas.push(ca);
      }
    }

    const tlsGlobalRegex = /\{\s*acme_ca\s+(\S+)/g;
    let tlsMatch;
    while ((tlsMatch = tlsGlobalRegex.exec(content)) !== null) {
      cas.push({ name: 'acme', url: tlsMatch[1], type: 'acme' });
    }

    const siteBlocks = content.match(/[\w.-]+\s*\{[^}]*tls\s+[^}]*\}/gs) || [];
    const tlsInternalCAs = new Set();
    for (const block of siteBlocks) {
      const tlsInternalMatch = /tls\s+internal\s*\{[^}]*ca\s+(\S+)/s.exec(block);
      if (tlsInternalMatch) tlsInternalCAs.add(tlsInternalMatch[1]);
      if (/tls\s+internal(?:\s|$)/.test(block) && !/tls\s+internal\s*\{/.test(block)) {
        tlsInternalCAs.add('local');
      }
    }
    for (const caName of tlsInternalCAs) {
      if (!cas.find(c => c.name === caName)) {
        cas.push({ name: caName, type: 'internal', note: 'Referenced in tls directive' });
      }
    }
    if (cas.length === 0 && /tls\s+internal/.test(content)) {
      cas.push({ name: 'local', type: 'internal', note: 'Default Caddy internal CA' });
    }

    const caList = cas.map(ca => ({
      id: ca.id || ca.name,
      name: ca.name,
      displayName: ca.name !== (ca.id || ca.name) ? `${ca.name} (${ca.id || ca.name})` : ca.name,
    }));
    res.json({ status: 'success', data: { cas: caList } });
  }, 'caddy-get-cas'));

  // Remove a site from Caddyfile
  router.delete('/site/:domain', ctx.asyncHandler(async (req, res) => {
    const { domain } = req.params;
    if (!domain) return ctx.errorResponse(res, 400, 'Domain is required');

    const result = await ctx.caddy.modify((content) => {
      const escapedDomain = domain.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
      const siteBlockRegex = new RegExp(
        `\\n?${escapedDomain}\\s*\\{[^{}]*(?:\\{[^{}]*(?:\\{[^{}]*\\}[^{}]*)*\\}[^{}]*)*\\}\\s*`, 'g',
      );
      const modified = content.replace(siteBlockRegex, '\n');
      if (modified.length === content.length) return null;
      return modified.replace(/\n{3,}/g, '\n\n');
    });

    if (!result.success) {
      if (result.rolledBack) {
        return ctx.errorResponse(res, 500, `Removed "${domain}" but Caddy reload failed (rolled back): ${result.error}`);
      }
      return ctx.errorResponse(res, 404, `Site block for "${domain}" not found in Caddyfile`);
    }

    res.json({ success: true, message: `Site "${domain}" removed from Caddyfile and Caddy reloaded` });
  }, 'site-delete'));

  // Add a new site to Caddyfile and reload
  router.post('/site', ctx.asyncHandler(async (req, res) => {
    const { domain, upstream, config } = req.body;
    if (!domain || !upstream) return ctx.errorResponse(res, 400, 'Domain and upstream are required');
    if (!REGEX.DOMAIN.test(domain)) return ctx.errorResponse(res, 400, '[DC-301] Invalid domain format');

    const upstreamRegex = /^[a-z0-9.-]+:\d{1,5}$/i;
    if (!upstreamRegex.test(upstream)) return ctx.errorResponse(res, 400, 'Invalid upstream format. Use host:port');

    const content = await ctx.caddy.read();
    const escapedDomain = domain.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    const siteBlockRegex = new RegExp(`\\n?${escapedDomain}\\s*\\{`, 'g');
    if (siteBlockRegex.test(content)) {
      return ctx.errorResponse(res, 409, `[DC-302] Site block for "${domain}" already exists in Caddyfile`);
    }

    // Always generate structured config — never allow raw Caddy config injection
    const newSiteBlock = `\n${domain} {\n    reverse_proxy ${upstream}\n    tls internal\n}\n`;

    const result = await ctx.caddy.modify(c => c + newSiteBlock);
    if (!result.success) {
      return ctx.errorResponse(res, 500, `[DC-303] Site added to Caddyfile but reload failed: ${result.error}`,
        result.rolledBack ? { note: 'Caddyfile was rolled back to previous state' } : {});
    }

    ctx.ok(res, { message: `Site "${domain}" added to Caddyfile and Caddy reloaded successfully` });
  }, 'site-add'));

  // Add external service reverse proxy to Caddyfile
  router.post('/site/external', ctx.asyncHandler(async (req, res) => {
    const { subdomain, externalUrl, preserveHost, followRedirects, sslType, caddyfilePath, reloadCaddy: shouldReload, createDns, serviceName, logo } = req.body;

    if (!subdomain || !externalUrl) {
      return ctx.errorResponse(res, 400, 'Subdomain and externalUrl are required');
    }
    if (!REGEX.SUBDOMAIN.test(subdomain)) {
      return ctx.errorResponse(res, 400, '[DC-301] Invalid subdomain format');
    }

    try {
      ctx.validateURL(externalUrl);
    } catch (validationErr) {
      return ctx.errorResponse(res, 400, validationErr.message);
    }

    const domain = ctx.buildDomain(subdomain);
    let dnsWarning = null;

    try {
      if (createDns) {
        try {
          await ctx.dns.createRecord(subdomain, ctx.siteConfig.dnsServerIp);
          ctx.log.info('dns', 'DNS record created for external proxy', { domain, ip: ctx.siteConfig.dnsServerIp });
        } catch (dnsError) {
          dnsWarning = `DNS creation failed: ${dnsError.message}. You may need to create the DNS record manually.`;
          ctx.log.warn('dns', 'DNS creation failed for external proxy', { domain, error: dnsError.message });
        }
      }

      const sslConfig = sslType === 'letsencrypt' ? '' : 'tls internal';
      const hostHeader = preserveHost ? '\n        header_up Host {upstream_hostport}' : '';

      const urlObj = new URL(externalUrl);

      // Validate URL components are safe for Caddyfile syntax
      const unsafeCaddyChars = /[{}\n\r]/;
      if (unsafeCaddyChars.test(urlObj.host) || unsafeCaddyChars.test(urlObj.pathname)) {
        return ctx.errorResponse(res, 400, 'External URL contains characters not safe for Caddy configuration');
      }

      const baseUrl = `${urlObj.protocol}//${urlObj.host}`;
      const urlPath = urlObj.pathname.replace(/\/$/, '');

      let proxyConfig = '';
      if (urlPath && urlPath !== '') {
        proxyConfig = `\n${domain} {\n    ${sslConfig}\n\n    handle_path ${urlPath}/* {\n        reverse_proxy ${baseUrl} {\n            transport http {\n                tls\n                tls_server_name ${urlObj.host}\n            }\n        }\n    }\n\n    handle {\n        redir ${urlPath}/ permanent\n    }\n}\n`;
      } else {
        proxyConfig = `\n${domain} {\n    ${sslConfig}\n\n    reverse_proxy ${externalUrl} {${hostHeader}\n        transport http {\n            tls\n        }\n    }\n}\n`;
      }

      const caddyResult = await ctx.caddy.modify(c => {
        const escapedDomain = domain.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
        if (new RegExp(`\\n?${escapedDomain}\\s*\\{`, 'g').test(c)) return null;
        return c + proxyConfig;
      });

      if (!caddyResult.success && !caddyResult.rolledBack) {
        return ctx.errorResponse(res, 409, `[DC-302] Site block for "${domain}" already exists in Caddyfile`);
      }
      if (!caddyResult.success) {
        return ctx.errorResponse(res, 500, `[DC-303] External proxy added but Caddy reload failed (rolled back): ${caddyResult.error}`);
      }

      if (serviceName && logo) {
        try {
          await ctx.addServiceToConfig({
            id: subdomain, name: serviceName, logo,
            isExternal: true, externalUrl,
            deployedAt: new Date().toISOString(),
          });
          ctx.log.info('deploy', 'Service added to dashboard', { subdomain });
        } catch (serviceError) {
          ctx.log.warn('deploy', 'Failed to add service to dashboard', { subdomain, error: serviceError.message });
        }
      }

      const response = {
        success: true,
        message: `External service proxy for ${domain} -> ${externalUrl} created${shouldReload ? ' and Caddy reloaded' : ''}`,
      };
      if (dnsWarning) response.warning = dnsWarning;
      res.json(response);
    } catch (error) {
      ctx.errorResponse(res, 500, ctx.safeErrorMessage(error));
    }
  }, 'site-external'));

  return router;
};