package testenv

import (
	"context"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"testing"
	"time"
)

// Session is a registered device session ready to drive the
// authenticated gRPC surface.
type Session struct {
	Email           string
	DeviceSessionID string
	Public          ed25519.PublicKey
	Private         ed25519.PrivateKey
}

var sessionLoginCodeRE = regexp.MustCompile(`(?m)\b(\d{6})\b`)

// RegisterSession runs send-email-code → confirm-email-code through
// the gateway public REST surface and returns a fresh Session. It
// uses mailpit to capture the verification code and includes the
// platform's mailpit reset to avoid stale messages between calls.
func RegisterSession(t *testing.T, plat *Platform, email string) *Session {
	t.Helper()
	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
	defer cancel()

	if err := plat.Mailpit.DeleteAll(ctx); err != nil {
		t.Fatalf("clear mailpit: %v", err)
	}

	pub, priv, err := GenerateSessionKeyPair()
	if err != nil {
		t.Fatalf("generate session keypair: %v", err)
	}
	public := NewPublicRESTClient(plat.Gateway.HTTPURL)

	send, _, err := public.SendEmailCode(ctx, email, "en-US")
	if err != nil {
		t.Fatalf("send-email-code: %v", err)
	}
	if send.ChallengeID == "" {
		t.Fatalf("send-email-code returned empty challenge_id")
	}

	msg, err := plat.Mailpit.WaitForMessage(ctx, "to:"+email, 30*time.Second)
	if err != nil {
		t.Fatalf("wait for mail: %v", err)
	}
	body, err := plat.Mailpit.MessageBody(ctx, msg.ID)
	if err != nil {
		t.Fatalf("fetch mail body: %v", err)
	}
	m := sessionLoginCodeRE.FindStringSubmatch(body)
	if m == nil {
		t.Fatalf("no 6-digit code in mail body:\n%s", body)
	}
	code := m[1]

	confirm, _, err := public.ConfirmEmailCode(ctx, send.ChallengeID, code, EncodePublicKey(pub), "UTC")
	if err != nil {
		t.Fatalf("confirm-email-code: %v", err)
	}
	if confirm.DeviceSessionID == "" {
		t.Fatalf("confirm-email-code returned empty device_session_id")
	}

	return &Session{
		Email:           email,
		DeviceSessionID: confirm.DeviceSessionID,
		Public:          pub,
		Private:         priv,
	}
}

// DialAuthenticated returns a SignedGatewayClient bound to s.
func (s *Session) DialAuthenticated(ctx context.Context, plat *Platform) (*SignedGatewayClient, error) {
	if s == nil {
		return nil, fmt.Errorf("nil session")
	}
	return DialGateway(ctx, plat.Gateway.GRPCAddr, s.DeviceSessionID, s.Private, plat.Gateway.ResponseSignerPublic)
}

// LookupUserID resolves the user_id for s via backend's internal
// session lookup. Returns an empty string if the session is unknown.
func (s *Session) LookupUserID(ctx context.Context, plat *Platform) (string, error) {
	if s == nil || s.DeviceSessionID == "" {
		return "", fmt.Errorf("nil or empty session")
	}
	internal := NewBackendInternalClient(plat.Backend.HTTPURL)
	raw, resp, err := internal.Do(ctx, http.MethodGet, "/api/v1/internal/sessions/"+s.DeviceSessionID, nil)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("session lookup: status %d body=%s", resp.StatusCode, string(raw))
	}
	var body struct {
		UserID string `json:"user_id"`
	}
	if err := json.Unmarshal(raw, &body); err != nil {
		return "", fmt.Errorf("decode session: %w", err)
	}
	return body.UserID, nil
}