// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/resend_verification.go
package auth

import (
	"context"
	"crypto/rand"
	"fmt"
	"html"
	"time"

	"github.com/awnumar/memguard"
	"go.uber.org/zap"

	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
	dom_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/domain/user"
	uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
)

type ResendVerificationRequestDTO struct {
	Email string `json:"email"`
}

type ResendVerificationResponseDTO struct {
	Message string `json:"message"`
}

type ResendVerificationService interface {
	Execute(ctx context.Context, req *ResendVerificationRequestDTO) (*ResendVerificationResponseDTO, error)
}

type resendVerificationServiceImpl struct {
	config           *config.Config
	logger           *zap.Logger
	userGetByEmailUC uc_user.UserGetByEmailUseCase
	userUpdateUC     uc_user.UserUpdateUseCase
	emailer          mailgun.Emailer
}

func NewResendVerificationService(
	config *config.Config,
	logger *zap.Logger,
	userGetByEmailUC uc_user.UserGetByEmailUseCase,
	userUpdateUC uc_user.UserUpdateUseCase,
	emailer mailgun.Emailer,
) ResendVerificationService {
	return &resendVerificationServiceImpl{
		config:           config,
		logger:           logger.Named("ResendVerificationService"),
		userGetByEmailUC: userGetByEmailUC,
		userUpdateUC:     userUpdateUC,
		emailer:          emailer,
	}
}

func (s *resendVerificationServiceImpl) Execute(ctx context.Context, req *ResendVerificationRequestDTO) (*ResendVerificationResponseDTO, error) {
	// Validate request
	if err := s.validateResendVerificationRequest(req); err != nil {
		return nil, err // Returns RFC 9457 ProblemDetail
	}

	// Create SAGA for resend verification workflow
	saga := transaction.NewSaga("resend-verification", s.logger)

	s.logger.Info("starting resend verification")

	// Step 1: Get user by email (read-only, no compensation)
	user, err := s.userGetByEmailUC.Execute(ctx, req.Email)
	if err != nil || user == nil {
		s.logger.Warn("User not found for resend verification", zap.String("email", validation.MaskEmail(req.Email)))
		// Don't reveal if user exists or not for security
		return &ResendVerificationResponseDTO{
			Message: "If the email exists and is unverified, a new verification code has been sent.",
		}, nil
	}

	// Step 2: Check if email is already verified
	if user.SecurityData != nil && user.SecurityData.WasEmailVerified {
		s.logger.Info("Email already verified", zap.String("email", validation.MaskEmail(req.Email)))
		// Don't reveal that email is already verified for security
		return &ResendVerificationResponseDTO{
			Message: "If the email exists and is unverified, a new verification code has been sent.",
		}, nil
	}

	// Step 3: Backup old verification data for compensation
	var oldCode string
	var oldCodeExpiry time.Time
	if user.SecurityData != nil {
		oldCode = user.SecurityData.Code
		oldCodeExpiry = user.SecurityData.CodeExpiry
	}

	// Step 4: Generate new verification code
	verificationCode := s.generateVerificationCode()
	verificationExpiry := time.Now().Add(24 * time.Hour)

	// Step 5: Update user with new code
	if user.SecurityData == nil {
		user.SecurityData = &dom_user.UserSecurityData{}
	}
	user.SecurityData.Code = verificationCode
	user.SecurityData.CodeType = dom_user.UserCodeTypeEmailVerification
	user.SecurityData.CodeExpiry = verificationExpiry
	user.ModifiedAt = time.Now()

	// Step 6: Save updated user FIRST (compensate: restore old code if email fails)
	// CRITICAL: Save new code before sending email to enable rollback if email fails
	if err := s.userUpdateUC.Execute(ctx, user); err != nil {
		s.logger.Error("Failed to update user with new verification code", zap.Error(err))
		return nil, httperror.NewInternalServerError("Failed to update verification code. Please try again later.")
	}

	// Register compensation: restore old verification code if email fails
	userCaptured := user
	oldCodeCaptured := oldCode
	oldCodeExpiryCaptured := oldCodeExpiry
	saga.AddCompensation(func(ctx context.Context) error {
		s.logger.Info("compensating: restoring old verification code due to email failure",
			zap.String("email", validation.MaskEmail(userCaptured.Email)))
		userCaptured.SecurityData.Code = oldCodeCaptured
		userCaptured.SecurityData.CodeExpiry = oldCodeExpiryCaptured
		userCaptured.ModifiedAt = time.Now()
		return s.userUpdateUC.Execute(ctx, userCaptured)
	})

	// Step 7: Send verification email - MUST succeed or rollback
	if err := s.sendVerificationEmail(ctx, user.Email, user.FirstName, verificationCode); err != nil {
		s.logger.Error("Failed to send verification email",
			zap.String("email", validation.MaskEmail(user.Email)),
			zap.Error(err))

		// Trigger compensation: Restore old verification code
		saga.Rollback(ctx)
		return nil, httperror.NewInternalServerError("Failed to send verification email. Please try again later.")
	}

	s.logger.Info("Verification code resent successfully",
		zap.String("email", validation.MaskEmail(req.Email)),
		zap.String("user_id", user.ID.String()))

	return &ResendVerificationResponseDTO{
		Message: "If the email exists and is unverified, a new verification code has been sent.",
	}, nil
}

func (s *resendVerificationServiceImpl) generateVerificationCode() string {
	// Generate random 8-digit code for increased entropy
	// 8 digits = 90,000,000 combinations vs 6 digits = 900,000
	b := make([]byte, 4)
	rand.Read(b)
	defer memguard.WipeBytes(b) // SECURITY: Wipe random bytes after use
	code := int(b[0])<<24 | int(b[1])<<16 | int(b[2])<<8 | int(b[3])
	code = (code % 90000000) + 10000000
	return fmt.Sprintf("%d", code)
}

func (s *resendVerificationServiceImpl) sendVerificationEmail(ctx context.Context, email, firstName, code string) error {
	subject := "Verify Your MapleFile Account"
	sender := s.emailer.GetSenderEmail()

	// Escape user input to prevent HTML injection
	safeFirstName := html.EscapeString(firstName)

	htmlContent := fmt.Sprintf(`
		<html>
			<body>
				<h2>Welcome to MapleFile, %s!</h2>
				<p>You requested a new verification code. Please verify your email address by entering this code:</p>
				<h1 style="color: #4CAF50; font-size: 32px; letter-spacing: 5px;">%s</h1>
				<p>This code will expire in 24 hours.</p>
				<p>If you didn't request this code, please ignore this email.</p>
			</body>
		</html>
	`, safeFirstName, code)

	return s.emailer.Send(ctx, sender, subject, email, htmlContent)
}

// validateResendVerificationRequest validates the resend verification request.
// Returns RFC 9457 ProblemDetail error with field-specific errors.
func (s *resendVerificationServiceImpl) validateResendVerificationRequest(req *ResendVerificationRequestDTO) error {
	errors := make(map[string]string)

	// Validate email using shared validation utility
	if errMsg := validation.ValidateEmail(req.Email); errMsg != "" {
		errors["email"] = errMsg
	}

	// If there are validation errors, return RFC 9457 error
	if len(errors) > 0 {
		return httperror.NewValidationError(errors)
	}

	return nil
}