package testenv

import (
	"context"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"testing"
	"time"
)

// Session is a registered device session ready to drive the
// authenticated edge surface.
type Session struct {
	Email           string
	DeviceSessionID string
	Public          ed25519.PublicKey
	Private         ed25519.PrivateKey
}

var sessionLoginCodeRE = regexp.MustCompile(`(?m)\b(\d{6})\b`)

// RegisterSession runs send-email-code → confirm-email-code through
// the gateway public REST surface and returns a fresh Session. It
// uses mailpit to capture the verification code and includes the
// platform's mailpit reset to avoid stale messages between calls.
func RegisterSession(t *testing.T, plat *Platform, email string) *Session {
	t.Helper()
	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
	defer cancel()

	if err := plat.Mailpit.DeleteAll(ctx); err != nil {
		t.Fatalf("clear mailpit: %v", err)
	}

	pub, priv, err := GenerateSessionKeyPair()
	if err != nil {
		t.Fatalf("generate session keypair: %v", err)
	}
	public := NewPublicRESTClient(plat.Gateway.HTTPURL)

	send, _, err := public.SendEmailCode(ctx, email, "en-US")
	if err != nil {
		t.Fatalf("send-email-code: %v", err)
	}
	if send.ChallengeID == "" {
		t.Fatalf("send-email-code returned empty challenge_id")
	}

	msg, err := plat.Mailpit.WaitForMessage(ctx, "to:"+email, 30*time.Second)
	if err != nil {
		t.Fatalf("wait for mail: %v", err)
	}
	body, err := plat.Mailpit.MessageBody(ctx, msg.ID)
	if err != nil {
		t.Fatalf("fetch mail body: %v", err)
	}
	m := sessionLoginCodeRE.FindStringSubmatch(body)
	if m == nil {
		t.Fatalf("no 6-digit code in mail body:\n%s", body)
	}
	code := m[1]

	// Pass a non-UTC IANA zone so every integration scenario that
	// enrols a pilot exercises the time.LoadLocation path. UTC works
	// even when the backend image lacks tzdata (Go's no-data fallback
	// covers it), so a regression that drops the embedded tzdata
	// import would otherwise slip past unnoticed.
	confirm, _, err := public.ConfirmEmailCode(ctx, send.ChallengeID, code, EncodePublicKey(pub), "Europe/Berlin")
	if err != nil {
		t.Fatalf("confirm-email-code: %v", err)
	}
	if confirm.DeviceSessionID == "" {
		t.Fatalf("confirm-email-code returned empty device_session_id")
	}

	return &Session{
		Email:           email,
		DeviceSessionID: confirm.DeviceSessionID,
		Public:          pub,
		Private:         priv,
	}
}

// DialAuthenticated returns a SignedGatewayClient bound to s.
func (s *Session) DialAuthenticated(ctx context.Context, plat *Platform) (*SignedGatewayClient, error) {
	if s == nil {
		return nil, fmt.Errorf("nil session")
	}
	return DialGateway(ctx, plat.Gateway.GRPCAddr, s.DeviceSessionID, s.Private, plat.Gateway.ResponseSignerPublic)
}

// PromoteToPaid applies a permanent paid entitlement to the user
// behind sess via the backend admin surface, so subsequent lobby
// commands gated by `EntitlementProvider.IsPaid` (notably
// `POST /api/v1/user/lobby/games`) succeed. Helper for integration
// scenarios that create games end-to-end; the default
// `RegisterSession` leaves the user on the free tier.
func PromoteToPaid(t *testing.T, ctx context.Context, admin *BackendAdminClient, plat *Platform, sess *Session) {
	t.Helper()
	if sess == nil {
		t.Fatalf("PromoteToPaid: nil session")
	}
	userID, err := sess.LookupUserID(ctx, plat)
	if err != nil {
		t.Fatalf("PromoteToPaid: lookup user_id: %v", err)
	}
	body := map[string]any{
		"tier":   "permanent",
		"source": "integration_test",
		"actor":  map[string]any{"type": "admin", "id": "integration"},
	}
	raw, resp, err := admin.Do(ctx, http.MethodPost, "/api/v1/admin/users/"+userID+"/entitlements", body)
	if err != nil {
		t.Fatalf("PromoteToPaid: %v", err)
	}
	if resp.StatusCode/100 != 2 {
		t.Fatalf("PromoteToPaid: status=%d body=%s", resp.StatusCode, string(raw))
	}
}

// LookupUserID resolves the user_id for s via backend's internal
// session lookup. Returns an empty string if the session is unknown.
func (s *Session) LookupUserID(ctx context.Context, plat *Platform) (string, error) {
	if s == nil || s.DeviceSessionID == "" {
		return "", fmt.Errorf("nil or empty session")
	}
	internal := NewBackendInternalClient(plat.Backend.HTTPURL)
	raw, resp, err := internal.Do(ctx, http.MethodGet, "/api/v1/internal/sessions/"+s.DeviceSessionID, nil)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("session lookup: status %d body=%s", resp.StatusCode, string(raw))
	}
	var body struct {
		UserID string `json:"user_id"`
	}
	if err := json.Unmarshal(raw, &body); err != nil {
		return "", fmt.Errorf("decode session: %w", err)
	}
	return body.UserID, nil
}