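package app

import (
	"net/http"
	"strings"

	"github.com/yourorg/ntfywui/internal/store"
)

// handleTokens serves the token management page and processes token changes.
//
// GET lists the ntfy users and renders "tokens.html" together with a CSRF
// token and any pending flash message. POST requires at least the operator
// role and dispatches on the "action" form field: "add" creates a token for
// the given user, "remove" deletes one. Every POST outcome other than a
// rejected request ends in a redirect carrying a flash message. Any other
// HTTP method is answered with 405.
//
// NOTE(review): no CSRF validation is visible in the POST branch; the token
// issued by csrfEnsure on GET is presumably verified by middleware before
// this handler runs — confirm, since both actions change credentials.
func (s *Server) handleTokens(w http.ResponseWriter, r *http.Request) {
	// NOTE(review): the second return value of currentAdmin is discarded and
	// admin is dereferenced below. This assumes an earlier authentication
	// layer guarantees a valid admin; verify that an unauthenticated request
	// cannot reach this handler.
	admin, _ := s.currentAdmin(r)

	// flashRedirect stores a one-shot message and sends the browser to path.
	flashRedirect := func(msg, path string) {
		s.setFlash(w, r, msg)
		http.Redirect(w, r, s.abs(path), http.StatusFound)
	}

	switch r.Method {
	case http.MethodGet:
		users, err := s.ntfy.ListUsers(s.ntfyCtx(r))
		if err != nil {
			// NOTE(review): the raw backend error text is shown to the
			// user; confirm it cannot contain sensitive details.
			s.renderer.Render(w, "error.html", PageData{
				Title: "Fehler",
				Admin: admin.Username,
				Role:  string(admin.Role),
				Error: err.Error(),
			})
			return
		}

		// NOTE(review): the second return value of csrfEnsure is ignored;
		// if it reports a failure, the page may render without a usable
		// CSRF token — confirm.
		csrf, _ := s.csrfEnsure(w, r)
		flash := s.popFlash(w, r)
		s.renderer.Render(w, "tokens.html", PageData{
			Title: "Tokens",
			Admin: admin.Username,
			Role:  string(admin.Role),
			CSRF:  csrf,
			Flash: flash,
			Users: users,
		})

	case http.MethodPost:
		// Token changes are restricted to operators and above.
		if !roleAtLeast(admin.Role, store.RoleOperator) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}

		// Reject malformed bodies instead of acting on a partially parsed
		// form.
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}

		// r.Form merges URL query parameters with the request body, so
		// these fields (including the token on "remove") may also arrive
		// in the query string.
		action := r.Form.Get("action")
		username := cleanUser(r.Form.Get("username"))

		// NOTE(review): username is concatenated into the redirect path
		// below. This relies on cleanUser rejecting path-significant
		// characters such as "/", "?" and "#" — verify.
		userPage := "/users/" + username

		switch action {
		case "add":
			label := strings.TrimSpace(r.Form.Get("label"))
			expires := strings.TrimSpace(r.Form.Get("expires"))
			if username == "" {
				flashRedirect("Username erforderlich", "/tokens")
				return
			}

			tok, err := s.ntfy.TokenAdd(s.ntfyCtx(r), username, label, expires)
			if err != nil {
				flashRedirect("Fehler: "+err.Error(), "/tokens")
				return
			}

			// The audit record carries label and expiry only, never the
			// token value.
			s.auditEvent(r, "ntfy_token_add", username, map[string]string{"label": label, "expires": expires})

			// Show the token once.
			// NOTE(review): the secret travels through the flash
			// mechanism. How setFlash stores messages is not visible
			// here; if it is cookie-backed, confirm the cookie is
			// protected and cleared on first read so the token is not
			// retained or logged.
			flashRedirect("Token erstellt: "+tok, userPage)

		case "remove":
			token := strings.TrimSpace(r.Form.Get("token"))
			if username == "" || token == "" {
				flashRedirect("Username und Token erforderlich", "/tokens")
				return
			}

			if err := s.ntfy.TokenRemove(s.ntfyCtx(r), username, token); err != nil {
				flashRedirect("Fehler: "+err.Error(), userPage)
				return
			}

			// Only successful removals are audited; the token itself is
			// deliberately not recorded.
			s.auditEvent(r, "ntfy_token_remove", username, nil)
			flashRedirect("Token entfernt", userPage)

		default:
			http.Error(w, "bad request", http.StatusBadRequest)
		}

	default:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	}
}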