package app

import (
	"net/http"
	"strings"

	"github.com/yourorg/ntfywui/internal/store"
)

func (s *Server) handleUsersList(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path != "/users" {
		http.NotFound(w, r)
		return
	}
	admin, _ := s.currentAdmin(r)
	switch r.Method {
	case http.MethodGet:
		users, err := s.ntfy.ListUsers(s.ntfyCtx(r))
		if err != nil {
			s.renderer.Render(w, "error.html", PageData{
				Title: "Fehler",
				Admin: admin.Username,
				Role:  string(admin.Role),
				Error: err.Error(),
			})
			return
		}
		csrf, _ := s.csrfEnsure(w, r)
		flash := s.popFlash(w, r)
		s.renderer.Render(w, "users.html", PageData{
			Title: "Users",
			Admin: admin.Username,
			Role:  string(admin.Role),
			CSRF:  csrf,
			Flash: flash,
			Users: users,
		})
	case http.MethodPost:
		_ = r.ParseForm()
		action := r.Form.Get("action")
		switch action {
		case "create":
			if !roleAtLeast(admin.Role, store.RoleOperator) {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			username := cleanUser(r.Form.Get("username"))
			role := strings.TrimSpace(r.Form.Get("role"))
			tier := strings.TrimSpace(r.Form.Get("tier"))
			pass := r.Form.Get("password")
			if username == "" || pass == "" {
				s.setFlash(w, r, "Username und Passwort sind erforderlich")
				http.Redirect(w, r, s.abs("/users"), http.StatusFound)
				return
			}
			if err := s.ntfy.AddUser(s.ntfyCtx(r), username, role, tier, pass); err != nil {
				s.setFlash(w, r, "Fehler: "+err.Error())
				http.Redirect(w, r, s.abs("/users"), http.StatusFound)
				return
			}
			s.auditEvent(r, "ntfy_user_add", username, map[string]string{"role": role, "tier": tier})
			s.setFlash(w, r, "User erstellt: "+username)
			http.Redirect(w, r, s.abs("/users"), http.StatusFound)
		default:
			http.Error(w, "bad request", http.StatusBadRequest)
		}
	default:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	}
}

func (s *Server) handleUserDetail(w http.ResponseWriter, r *http.Request) {
	// /users/{name} or /users/{name}/action
	admin, _ := s.currentAdmin(r)
	p := strings.TrimPrefix(r.URL.Path, "/users/")
	if p == "" {
		http.NotFound(w, r)
		return
	}
	parts := strings.Split(strings.Trim(p, "/"), "/")
	username := parts[0]
	action := ""
	if len(parts) > 1 {
		action = parts[1]
	}
	switch r.Method {
	case http.MethodGet:
		users, err := s.ntfy.ListUsers(s.ntfyCtx(r))
		if err != nil {
			s.renderer.Render(w, "error.html", PageData{
				Title: "Fehler",
				Admin: admin.Username,
				Role:  string(admin.Role),
				Error: err.Error(),
			})
			return
		}
		var u any
		for _, x := range users {
			if x.Username == username {
				u = x
				break
			}
		}
		if u == nil {
			http.NotFound(w, r)
			return
		}
		toks, _ := s.ntfy.TokenList(s.ntfyCtx(r), username)
		csrf, _ := s.csrfEnsure(w, r)
		flash := s.popFlash(w, r)
		s.renderer.Render(w, "user.html", PageData{
			Title: "User: " + username,
			Admin: admin.Username,
			Role:  string(admin.Role),
			CSRF:  csrf,
			Flash: flash,
			User:  u,
			Tokens: toks,
		})
	case http.MethodPost:
		if !roleAtLeast(admin.Role, store.RoleOperator) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		_ = r.ParseForm()
		switch action {
		case "delete":
			if err := s.ntfy.DelUser(s.ntfyCtx(r), username); err != nil {
				s.setFlash(w, r, "Fehler: "+err.Error())
				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
				return
			}
			s.auditEvent(r, "ntfy_user_del", username, nil)
			s.setFlash(w, r, "User gelöscht: "+username)
			http.Redirect(w, r, s.abs("/users"), http.StatusFound)
		case "password":
			pass := r.Form.Get("password")
			if pass == "" {
				s.setFlash(w, r, "Passwort erforderlich")
				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
				return
			}
			if err := s.ntfy.ChangePass(s.ntfyCtx(r), username, pass); err != nil {
				s.setFlash(w, r, "Fehler: "+err.Error())
				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
				return
			}
			s.auditEvent(r, "ntfy_user_change_pass", username, nil)
			s.setFlash(w, r, "Passwort geändert")
			http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
		case "role":
			role := strings.TrimSpace(r.Form.Get("role"))
			if role == "" {
				s.setFlash(w, r, "Rolle erforderlich")
				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
				return
			}
			if err := s.ntfy.ChangeRole(s.ntfyCtx(r), username, role); err != nil {
				s.setFlash(w, r, "Fehler: "+err.Error())
				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
				return
			}
			s.auditEvent(r, "ntfy_user_change_role", username, map[string]string{"role": role})
			s.setFlash(w, r, "Rolle geändert")
			http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
		case "tier":
			tier := strings.TrimSpace(r.Form.Get("tier"))
			if tier == "" {
				tier = "none"
			}
			if err := s.ntfy.ChangeTier(s.ntfyCtx(r), username, tier); err != nil {
				s.setFlash(w, r, "Fehler: "+err.Error())
				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
				return
			}
			s.auditEvent(r, "ntfy_user_change_tier", username, map[string]string{"tier": tier})
			s.setFlash(w, r, "Tier geändert")
			http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
		default:
			http.Error(w, "bad request", http.StatusBadRequest)
		}
	default:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	}
}