import { Hono } from 'hono';
import jwt from 'jsonwebtoken';
import pool from '../db.js';
import type { AuthUser, JwtPayload, PermissionLevel } from './types.js';
import { FULL_ACCESS_ROLES, DEPT_ACCESS_ROLES } from './types.js';

const app = new Hono();

const EXTERNAL_API_BASE = process.env.EXTERNAL_API_BASE || 'https://beta.lnh2e.com';
const JWT_SECRET = process.env.JWT_SECRET || 'ln-bi-default-secret';

/** GET /api/auth/exchange?jumpToken=xxx — 一步完成：换取用户信息 + 签发 JWT */
app.get('/exchange', async (c) => {
  const jumpToken = c.req.query('jumpToken');
  if (!jumpToken) return c.json({ error: 'Missing jumpToken' }, 400);

  try {
    const res = await fetch(
      `${EXTERNAL_API_BASE}/api/lingniu-manager-v1/v1/auth/issueTokenByJump?jumpToken=${encodeURIComponent(jumpToken)}`
    );
    const data = await res.json() as {
      code: number;
      data: {
        userInfo: {
          id: string;
          userName: string;
          loginName: string;
          depCode: string;
          orgId: string;
          roles: { roleName: string; id: string }[];
        };
        token: string;
      } | null;
      message: string;
    };

    if (data.code !== 0 || !data.data?.userInfo) {
      return c.json({ error: 'Token exchange failed', message: data.message }, 401);
    }

    const userInfo = data.data.userInfo;
    const roleNames = userInfo.roles.map(r => r.roleName);

    // 确定权限级别
    let permissionLevel: PermissionLevel = 'personal';
    if (roleNames.some(r => FULL_ACCESS_ROLES.includes(r))) {
      permissionLevel = 'full';
    } else if (roleNames.some(r => DEPT_ACCESS_ROLES.includes(r))) {
      permissionLevel = 'department';
    }

    // 查询 depCode 对应的部门名称
    let depName = '';
    if (userInfo.depCode) {
      const [rows] = await pool.execute(
        'SELECT dep_name FROM tab_department WHERE dep_code = ? AND is_deleted = 0 LIMIT 1',
        [userInfo.depCode]
      ) as [{ dep_name: string }[], unknown];
      depName = rows[0]?.dep_name || '';
    }

    const payload: JwtPayload = {
      userId: userInfo.id,
      userName: userInfo.userName,
      loginName: userInfo.loginName,
      depCode: userInfo.depCode,
      depName,
      permissionLevel,
      roles: roleNames,
    };

    const token = jwt.sign(payload, JWT_SECRET, { expiresIn: '8h' });
    const authUser: AuthUser = { ...payload };

    return c.json({ token, user: authUser });
  } catch (e: unknown) {
    console.error('auth exchange error:', e);
    return c.json({ error: 'Authentication failed' }, 500);
  }
});

/** GET /api/auth/me — 查看当前用户信息（调试用） */
app.get('/me', async (c) => {
  const authHeader = c.req.header('Authorization');
  if (!authHeader?.startsWith('Bearer ')) {
    return c.json({ error: 'No token' }, 401);
  }
  try {
    const payload = jwt.verify(authHeader.slice(7), JWT_SECRET) as JwtPayload;
    return c.json(payload);
  } catch {
    return c.json({ error: 'Invalid token' }, 401);
  }
});

export default app;