use axum::{
    extract::{Form, State},
    http::StatusCode,
    response::IntoResponse,
    routing::post,
    Router,
};
use chrono::Utc;
use sqlx::sqlite::SqlitePool;

use crate::error::InternalError;

use super::{
    extract::IdentityToken,
    repo::{logins::Provider as _, tokens::Provider as _},
};

pub fn router() -> Router<SqlitePool> {
    Router::new()
        .route("/login", post(on_login))
        .route("/logout", post(on_logout))
}

#[derive(serde::Deserialize)]
struct Login {
    name: String,
    password: String,
}

async fn on_login(
    State(db): State<SqlitePool>,
    identity: IdentityToken,
    Form(form): Form<Login>,
) -> Result<impl IntoResponse, InternalError> {
    let now = Utc::now();

    if identity.token().is_some() {
        return Ok((StatusCode::BAD_REQUEST, identity, "already logged in"));
    }

    let mut tx = db.begin().await?;

    // Spelling the following in the more conventional form,
    //     if let Some(…) = create().await? {}
    //     else if let Some(…) = validate().await? {}
    //     else {}
    // pushes the specifics of whether the returned error types are Send or not
    // (they aren't) into the type of this function's generated Futures, which
    // in turn makes this function unusable as an Axum handler.
    let login = tx.logins().create(&form.name, &form.password).await?;
    let login = if login.is_some() {
        login
    } else {
        tx.logins().authenticate(&form.name, &form.password).await?
    };

    // If `login` is Some, then we have an identity and can issue an identity
    // token. If `login` is None, then neither creating a new login nor authenticating
    // an existing one succeeded, and we must reject the attempt.
    //
    // These properties will be transferred to `token`, as well.
    let token = if let Some(login) = login {
        Some(tx.tokens().issue(&login.id, now).await?)
    } else {
        None
    };

    tx.commit().await?;

    let resp = if let Some(token) = token {
        let identity = identity.set(&token);
        (StatusCode::OK, identity, "logged in")
    } else {
        (
            StatusCode::UNAUTHORIZED,
            identity,
            "invalid name or password",
        )
    };

    Ok(resp)
}

async fn on_logout(
    State(db): State<SqlitePool>,
    identity: IdentityToken,
) -> Result<impl IntoResponse, InternalError> {
    if let Some(token) = identity.token() {
        let mut tx = db.begin().await?;
        tx.tokens().revoke(token).await?;
        tx.commit().await?;
    }

    let identity = identity.clear();

    Ok((StatusCode::OK, identity, "logged out"))
}