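package server

import (
	"encoding/json"
	"errors"
	"net/http"

	mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
)

// loginRequest is the JSON body accepted by the login endpoint.
type loginRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
	TOTPCode string `json:"totp_code"`
}

// loginResponse is the JSON body returned after a successful login.
type loginResponse struct {
	Token string `json:"token"`
}

// loginHandler returns a handler that decodes a loginRequest from the request
// body, passes the credentials to auth.Login, and replies with the issued
// token on success.
//
// Failure mapping:
//   - undecodable (or oversized) body           -> 400
//   - mcdslauth.ErrInvalidCredentials           -> 401
//   - mcdslauth.ErrForbidden                    -> 403
//   - any other error from auth.Login           -> 503
//
// The responses carry fixed, generic messages; the underlying error is never
// echoed to the client.
func loginHandler(auth *mcdslauth.Authenticator) http.HandlerFunc {
	// This endpoint is reachable before authentication, so the body size is
	// capped to keep an unauthenticated client from streaming an arbitrarily
	// large payload into the JSON decoder. A credential triple is tiny; 1 MiB
	// is a generous ceiling.
	const maxLoginBodyBytes = 1 << 20

	return func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodyBytes)

		var req loginRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			// Covers malformed JSON as well as a body that exceeds the cap.
			writeError(w, http.StatusBadRequest, "invalid request body")
			return
		}

		// The second return value of Login is not used by this handler.
		token, _, err := auth.Login(req.Username, req.Password, req.TOTPCode)
		if err != nil {
			switch {
			case errors.Is(err, mcdslauth.ErrInvalidCredentials):
				writeError(w, http.StatusUnauthorized, "invalid credentials")
			case errors.Is(err, mcdslauth.ErrForbidden):
				writeError(w, http.StatusForbidden, "access denied by login policy")
			default:
				// Anything else is reported as a backend outage rather than
				// as a credential failure.
				writeError(w, http.StatusServiceUnavailable, "authentication service unavailable")
			}
			return
		}

		writeJSON(w, http.StatusOK, loginResponse{Token: token})
	}
}

// logoutHandler returns a handler that takes the bearer token from the
// request (via extractBearerToken, defined elsewhere in the package) and asks
// auth to log it out.
//
// It replies 401 when no token is present, 500 when auth.Logout fails, and
// 204 with no body on success.
func logoutHandler(auth *mcdslauth.Authenticator) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		token := extractBearerToken(r)
		if token == "" {
			writeError(w, http.StatusUnauthorized, "authentication required")
			return
		}

		if err := auth.Logout(token); err != nil {
			writeError(w, http.StatusInternalServerError, "logout failed")
			return
		}

		w.WriteHeader(http.StatusNoContent)
	}
}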