const express = require('express');
const { renewCSRFToken } = require('../../csrf-protection');

module.exports = function(ctx) {
  const router = express.Router();

  // Get current TOTP config (public route)
  router.get('/totp/config', ctx.asyncHandler(async (req, res) => {
    res.json({
      success: true,
      config: {
        enabled: ctx.totpConfig.enabled,
        sessionDuration: ctx.totpConfig.sessionDuration,
        isSetUp: ctx.totpConfig.isSetUp
      }
    });
  }, 'totp-config-get'));

  // Generate new TOTP secret + QR code
  router.post('/totp/setup', ctx.asyncHandler(async (req, res) => {
    const { authenticator } = require('otplib');
    const QRCode = require('qrcode');

    // Accept user-provided secret or generate a new one
    let secret;
    if (req.body && req.body.secret) {
      secret = req.body.secret.replace(/\s/g, '').toUpperCase();
      if (!/^[A-Z2-7]{16,}$/.test(secret)) {
        return ctx.errorResponse(res, 400, 'Invalid secret key format. Must be a Base32 string (letters A-Z and digits 2-7).');
      }
    } else {
      secret = authenticator.generateSecret();
    }
    await ctx.credentialManager.store('totp.pending_secret', secret);

    const otpauth = authenticator.keyuri('user', 'DashCaddy', secret);
    const qrDataUrl = await QRCode.toDataURL(otpauth, {
      width: 256, margin: 2,
      color: { dark: '#ffffff', light: '#00000000' }
    });

    res.json({ success: true, qrCode: qrDataUrl, manualKey: secret, issuer: 'DashCaddy', imported: !!req.body?.secret });
  }, 'totp-setup'));

  // Verify first code to confirm setup, then activate TOTP
  router.post('/totp/verify-setup', ctx.asyncHandler(async (req, res) => {
    const { authenticator } = require('otplib');
    const { code } = req.body;

    if (!code || !/^\d{6}$/.test(code)) {
      return ctx.errorResponse(res, 400, 'Invalid code format');
    }

    const pendingSecret = await ctx.credentialManager.retrieve('totp.pending_secret');
    if (!pendingSecret) {
      return ctx.errorResponse(res, 400, 'No pending TOTP setup. Call /api/totp/setup first.');
    }

    authenticator.options = { window: 1 };
    if (!authenticator.verify({ token: code, secret: pendingSecret })) {
      return ctx.errorResponse(res, 401, '[DC-111] Invalid code. Please try again.');
    }

    // Promote pending secret to active
    await ctx.credentialManager.store('totp.secret', pendingSecret);
    await ctx.credentialManager.delete('totp.pending_secret');

    ctx.totpConfig.isSetUp = true;
    ctx.totpConfig.enabled = true;
    if (ctx.totpConfig.sessionDuration === 'never') {
      ctx.totpConfig.sessionDuration = '24h';
    }
    await ctx.saveTotpConfig();

    // Set session so user doesn't get locked out immediately
    ctx.session.create(req, ctx.totpConfig.sessionDuration);
    ctx.session.setCookie(res, ctx.totpConfig.sessionDuration);

    res.json({ success: true, message: 'TOTP enabled successfully', sessionDuration: ctx.totpConfig.sessionDuration });
  }, 'totp-verify-setup'));

  // Login: verify TOTP code and set session cookie
  router.post('/totp/verify', ctx.asyncHandler(async (req, res) => {
    const { authenticator } = require('otplib');
    const { code } = req.body;

    if (!code || !/^\d{6}$/.test(code)) {
      return ctx.errorResponse(res, 400, 'Invalid code format');
    }

    if (!ctx.totpConfig.enabled || !ctx.totpConfig.isSetUp) {
      return ctx.errorResponse(res, 400, 'TOTP is not enabled');
    }

    const secret = await ctx.credentialManager.retrieve('totp.secret');
    if (!secret) {
      return ctx.errorResponse(res, 500, 'TOTP secret not found');
    }

    authenticator.options = { window: 1 };
    if (!authenticator.verify({ token: code, secret })) {
      return ctx.errorResponse(res, 401, '[DC-111] Invalid code');
    }

    ctx.log.info('auth', 'TOTP verified, creating session', { ip: ctx.session.getClientIP(req), duration: ctx.totpConfig.sessionDuration });
    ctx.session.create(req, ctx.totpConfig.sessionDuration);
    ctx.session.setCookie(res, ctx.totpConfig.sessionDuration);

    // Rotate CSRF token for the new session
    const newCsrfToken = renewCSRFToken(res, req.secure || req.protocol === 'https');

    ctx.log.debug('auth', 'Session created', { sessions: ctx.session.ipSessions.size });
    res.json({ success: true, message: 'Authenticated successfully', sessionDuration: ctx.totpConfig.sessionDuration, csrfToken: newCsrfToken });
  }, 'totp-verify'));

  // Check session validity (used by Caddy forward_auth)
  router.get('/totp/check-session', ctx.asyncHandler(async (req, res) => {
    // Never cache session checks — stale cached 200s cause auth loops
    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
    res.setHeader('Pragma', 'no-cache');

    if (!ctx.totpConfig.enabled || ctx.totpConfig.sessionDuration === 'never') {
      return res.status(200).json({ authenticated: true });
    }

    const valid = ctx.session.isValid(req);
    ctx.log.debug('auth', 'Session check', { ip: ctx.session.getClientIP(req), valid, sessions: ctx.session.ipSessions.size });
    if (valid) {
      return res.status(200).json({ authenticated: true });
    }

    return ctx.errorResponse(res, 401, 'Session expired or invalid', { authenticated: false });
  }, 'totp-check-session'));

  // Disable TOTP
  router.post('/totp/disable', ctx.asyncHandler(async (req, res) => {
    const { code } = req.body;

    // Always require a valid TOTP code when TOTP is active
    if (ctx.totpConfig.enabled && ctx.totpConfig.isSetUp) {
      if (!code || !/^\d{6}$/.test(code)) {
        return ctx.errorResponse(res, 400, 'A valid TOTP code is required to disable TOTP');
      }
      const { authenticator } = require('otplib');
      const secret = await ctx.credentialManager.retrieve('totp.secret');
      if (secret) {
        authenticator.options = { window: 1 };
        if (!authenticator.verify({ token: code, secret })) {
          return ctx.errorResponse(res, 401, '[DC-111] Invalid code');
        }
      }
    }

    await ctx.credentialManager.delete('totp.secret');
    await ctx.credentialManager.delete('totp.pending_secret');

    ctx.totpConfig.enabled = false;
    ctx.totpConfig.isSetUp = false;
    ctx.totpConfig.sessionDuration = 'never';
    delete ctx.totpConfig.secret; // Remove backup
    await ctx.saveTotpConfig();

    ctx.session.clear(req);
    ctx.session.clearCookie(res);
    res.json({ success: true, message: 'TOTP disabled' });
  }, 'totp-disable'));

  // Update TOTP settings (session duration)
  router.post('/totp/config', ctx.asyncHandler(async (req, res) => {
    const { sessionDuration } = req.body;

    if (sessionDuration && !ctx.session.durations.hasOwnProperty(sessionDuration)) {
      return ctx.errorResponse(res, 400, 'Invalid session duration', {
        validOptions: Object.keys(ctx.session.durations)
      });
    }

    if (sessionDuration) {
      ctx.totpConfig.sessionDuration = sessionDuration;
      if (sessionDuration === 'never') {
        ctx.totpConfig.enabled = false;
      }
    }

    await ctx.saveTotpConfig();
    res.json({
      success: true,
      config: { enabled: ctx.totpConfig.enabled, sessionDuration: ctx.totpConfig.sessionDuration, isSetUp: ctx.totpConfig.isSetUp }
    });
  }, 'totp-config'));

  return router;
};