package auth

import (
	"context"
	"errors"
	"tercul/internal/domain"
	"tercul/internal/platform/auth"
	"tercul/internal/platform/log"
)

var (
	ErrUserNotFound    = errors.New("user not found")
	ErrContextRequired = errors.New("context is required")
)

// AuthQueries contains the query handlers for authentication.
type AuthQueries struct {
	userRepo   domain.UserRepository
	jwtManager auth.JWTManagement
}

// NewAuthQueries creates a new AuthQueries handler.
func NewAuthQueries(userRepo domain.UserRepository, jwtManager auth.JWTManagement) *AuthQueries {
	return &AuthQueries{
		userRepo:   userRepo,
		jwtManager: jwtManager,
	}
}

// GetUserFromContext extracts user from context
func (q *AuthQueries) GetUserFromContext(ctx context.Context) (*domain.User, error) {
	if ctx == nil {
		return nil, ErrContextRequired
	}
	log.LogDebug("Attempting to get user from context")

	claims, err := auth.RequireAuth(ctx)
	if err != nil {
		log.LogWarn("Failed to get user from context - authentication required", log.F("error", err))
		return nil, err
	}
	log.LogDebug("Claims found in context", log.F("user_id", claims.UserID))

	user, err := q.userRepo.GetByID(ctx, claims.UserID)
	if err != nil {
		log.LogWarn("Failed to get user from context - user not found", log.F("user_id", claims.UserID), log.F("error", err))
		return nil, ErrUserNotFound
	}

	if !user.Active {
		log.LogWarn("Failed to get user from context - user inactive", log.F("user_id", user.ID))
		return nil, ErrInvalidCredentials
	}

	log.LogDebug("User retrieved from context successfully", log.F("user_id", user.ID))
	return user, nil
}

// ValidateToken validates a JWT token and returns the user
func (q *AuthQueries) ValidateToken(ctx context.Context, tokenString string) (*domain.User, error) {
	if ctx == nil {
		return nil, ErrContextRequired
	}

	if tokenString == "" {
		log.LogWarn("Token validation failed - empty token")
		return nil, auth.ErrMissingToken
	}
	log.LogDebug("Attempting to validate token")

	claims, err := q.jwtManager.ValidateToken(tokenString)
	if err != nil {
		log.LogWarn("Token validation failed - invalid token", log.F("error", err))
		return nil, err
	}
	log.LogDebug("Token claims validated", log.F("user_id", claims.UserID))

	user, err := q.userRepo.GetByID(ctx, claims.UserID)
	if err != nil {
		log.LogWarn("Token validation failed - user not found", log.F("user_id", claims.UserID), log.F("error", err))
		return nil, ErrUserNotFound
	}

	if !user.Active {
		log.LogWarn("Token validation failed - user inactive", log.F("user_id", user.ID))
		return nil, ErrInvalidCredentials
	}

	log.LogInfo("Token validated successfully", log.F("user_id", user.ID))
	return user, nil
}