using System.Net.Mime;
using Iceshrimp.Backend.Controllers.Mastodon.Attributes;
using Iceshrimp.Backend.Controllers.Mastodon.Schemas;
using Iceshrimp.Backend.Core.Database;
using Iceshrimp.Backend.Core.Database.Tables;
using Iceshrimp.Backend.Core.Extensions;
using Iceshrimp.Backend.Core.Helpers;
using Iceshrimp.Backend.Core.Middleware;
using Iceshrimp.Backend.Core.Services;
using Microsoft.AspNetCore.Cors;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.EntityFrameworkCore;

namespace Iceshrimp.Backend.Controllers.Mastodon;

[MastodonApiController]
[EnableRateLimiting("sliding")]
[EnableCors("mastodon")]
[Produces(MediaTypeNames.Application.Json)]
public class AuthController(DatabaseContext db, MetaService meta) : ControllerBase
{
	[HttpGet("/api/v1/apps/verify_credentials")]
	[Authenticate]
	[ProducesResponseType(StatusCodes.Status200OK, Type = typeof(AuthSchemas.VerifyAppCredentialsResponse))]
	[ProducesResponseType(StatusCodes.Status401Unauthorized, Type = typeof(MastodonErrorResponse))]
	public async Task<IActionResult> VerifyAppCredentials()
	{
		var token = HttpContext.GetOauthToken();
		if (token == null) throw GracefulException.Unauthorized("The access token is invalid");

		var res = new AuthSchemas.VerifyAppCredentialsResponse
		{
			App = token.App, VapidKey = await meta.Get(MetaEntity.VapidPublicKey)
		};

		return Ok(res);
	}

	[HttpPost("/api/v1/apps")]
	[EnableRateLimiting("strict")]
	[ConsumesHybrid]
	[ProducesResponseType(StatusCodes.Status200OK, Type = typeof(AuthSchemas.RegisterAppResponse))]
	[ProducesResponseType(StatusCodes.Status400BadRequest, Type = typeof(MastodonErrorResponse))]
	public async Task<IActionResult> RegisterApp([FromHybrid] AuthSchemas.RegisterAppRequest request)
	{
		if (request.RedirectUris.Count == 0)
			throw GracefulException.BadRequest("Invalid redirect_uris parameter");

		if (request.RedirectUris.Any(p => !MastodonOauthHelpers.ValidateRedirectUri(p)))
			throw GracefulException.BadRequest("redirect_uris parameter contains invalid protocols");

		if (!MastodonOauthHelpers.ValidateScopes(request.Scopes))
			throw GracefulException.BadRequest("Invalid scopes parameter");

		if (request.Website != null)
			try
			{
				var uri = new Uri(request.Website);
				if (!uri.IsAbsoluteUri || uri.Scheme is not "http" and not "https") throw new Exception();
			}
			catch
			{
				throw GracefulException.BadRequest("Invalid website URL");
			}

		var app = new OauthApp
		{
			Id           = IdHelpers.GenerateSlowflakeId(),
			ClientId     = CryptographyHelpers.GenerateRandomString(32),
			ClientSecret = CryptographyHelpers.GenerateRandomString(32),
			CreatedAt    = DateTime.UtcNow,
			Name         = request.ClientName,
			Website      = request.Website,
			Scopes       = request.Scopes,
			RedirectUris = request.RedirectUris
		};

		await db.AddAsync(app);
		await db.SaveChangesAsync();

		var res = new AuthSchemas.RegisterAppResponse
		{
			App = app, VapidKey = await meta.Get(MetaEntity.VapidPublicKey)
		};

		return Ok(res);
	}

	[HttpPost("/oauth/token")]
	[ConsumesHybrid]
	[ProducesResponseType(StatusCodes.Status200OK, Type = typeof(AuthSchemas.OauthTokenResponse))]
	[ProducesResponseType(StatusCodes.Status400BadRequest, Type = typeof(MastodonErrorResponse))]
	public async Task<IActionResult> GetOauthToken([FromHybrid] AuthSchemas.OauthTokenRequest request)
	{
		//TODO: app-level access (grant_type = "client_credentials")
		if (request.GrantType != "authorization_code")
			throw GracefulException.BadRequest("Invalid grant_type");
		var token = await db.OauthTokens.FirstOrDefaultAsync(p => p.Code == request.Code &&
		                                                          p.App.ClientId == request.ClientId &&
		                                                          p.App.ClientSecret == request.ClientSecret);
		if (token == null)
			throw GracefulException
				.Unauthorized("Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.");

		if (token.Active)
			throw GracefulException
				.BadRequest("The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.");

		if (MastodonOauthHelpers.ExpandScopes(request.Scopes ?? [])
		                        .Except(MastodonOauthHelpers.ExpandScopes(token.Scopes))
		                        .Any())
			throw GracefulException.BadRequest("The requested scope is invalid, unknown, or malformed.");

		token.Scopes = request.Scopes ?? token.Scopes;
		token.Active = true;
		await db.SaveChangesAsync();

		var res = new AuthSchemas.OauthTokenResponse
		{
			CreatedAt   = token.CreatedAt,
			Scopes      = token.Scopes,
			AccessToken = token.Token
		};

		return Ok(res);
	}

	[HttpPost("/oauth/revoke")]
	[ConsumesHybrid]
	[ProducesResponseType(StatusCodes.Status200OK, Type = typeof(object))]
	[ProducesResponseType(StatusCodes.Status400BadRequest, Type = typeof(MastodonErrorResponse))]
	[ProducesResponseType(StatusCodes.Status403Forbidden, Type = typeof(MastodonErrorResponse))]
	public async Task<IActionResult> RevokeOauthToken([FromHybrid] AuthSchemas.OauthTokenRevocationRequest request)
	{
		var token = await db.OauthTokens.FirstOrDefaultAsync(p => p.Token == request.Token &&
		                                                          p.App.ClientId == request.ClientId &&
		                                                          p.App.ClientSecret == request.ClientSecret);
		if (token == null)
			throw GracefulException.Forbidden("You are not authorized to revoke this token");

		db.Remove(token);
		await db.SaveChangesAsync();

		return Ok(new object());
	}
}