package grpcserver

import (
	"context"

	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	mcias "git.wntrmute.dev/kyle/mcias/clients/go"
	pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
)

// authServer serves the AuthService RPCs (Login, Logout, TokenInfo). It holds
// a pointer to the owning GRPCServer, through which it reaches the
// authenticator (s.auth) and the configuration (s.cfg).
type authServer struct {
	pb.UnimplementedAuthServiceServer
	s *GRPCServer
}

// Login passes the username, password and TOTP code from the request to the
// server's authenticator and returns the issued token with its expiry.
//
// Any authenticator error is reported to the caller as codes.Unauthenticated
// with the fixed message "invalid credentials", so the response does not say
// which of the three inputs was rejected. The underlying error is discarded
// in this handler.
//
// NOTE(review): because every error takes this path, a failure inside
// auth.Login that is unrelated to the credentials is also reported as
// Unauthenticated, and nothing is recorded here. Confirm that the
// authenticator itself logs failed attempts; they are the signal that
// brute-force detection relies on.
func (as *authServer) Login(_ context.Context, req *pb.LoginRequest) (*pb.LoginResponse, error) {
	tok, expiry, loginErr := as.s.auth.Login(req.Username, req.Password, req.TotpCode)
	if loginErr != nil {
		// Fixed message: never echo the authenticator's error to the client.
		return nil, status.Error(codes.Unauthenticated, "invalid credentials")
	}

	resp := &pb.LoginResponse{
		Token:     tok,
		ExpiresAt: expiry,
	}
	return resp, nil
}

// Logout builds an MCIAS client bound to the caller's token and hands it to
// the authenticator's Logout. It always returns an empty LogoutResponse and a
// nil error.
//
// NOTE(review): this is best effort. If the client cannot be constructed the
// authenticator's Logout is never called, and whatever that call reports is
// not inspected here, yet the caller is still told the logout succeeded. A
// token the caller believes is revoked may therefore remain usable until it
// expires. Consider at least logging both failure paths so they can be
// detected.
func (as *authServer) Logout(ctx context.Context, _ *pb.LogoutRequest) (*pb.LogoutResponse, error) {
	bearer := extractToken(ctx)

	opts := mcias.Options{
		CACertPath: as.s.cfg.MCIAS.CACert,
		Token:      bearer,
	}
	client, err := mcias.New(as.s.cfg.MCIAS.ServerURL, opts)
	if err != nil {
		// Client construction failed: nothing is sent upstream, and success
		// is still reported to the caller.
		return &pb.LogoutResponse{}, nil
	}

	as.s.auth.Logout(client)
	return &pb.LogoutResponse{}, nil
}

// TokenInfo returns the username, roles and admin flag associated with the
// caller's token.
//
// The token info is normally taken from the context. When the context carries
// none, the token is extracted from the context and validated directly; a
// validation failure yields codes.Unauthenticated with the fixed message
// "invalid token".
func (as *authServer) TokenInfo(ctx context.Context, _ *pb.TokenInfoRequest) (*pb.TokenInfoResponse, error) {
	info := tokenInfoFromContext(ctx)
	if info == nil {
		// Not expected, since authInterceptor runs before this handler, but
		// validate here rather than dereference a nil value or answer
		// without an authenticated identity.
		validated, err := as.s.auth.ValidateToken(extractToken(ctx))
		if err != nil {
			return nil, status.Error(codes.Unauthenticated, "invalid token")
		}
		info = validated
	}

	resp := &pb.TokenInfoResponse{
		Username: info.Username,
		Roles:    info.Roles,
		IsAdmin:  info.IsAdmin,
	}
	return resp, nil
}