use axum::{
    extract::{Form, State},
    http::StatusCode,
    response::{IntoResponse, Redirect, Response},
    routing::post,
    Router,
};
use sqlx::sqlite::SqlitePool;

use crate::{clock::RequestedAt, error::InternalError};

use super::{
    extract::IdentityToken,
    repo::{logins::Provider as _, tokens::Provider as _},
};

pub fn router() -> Router<SqlitePool> {
    Router::new()
        .route("/login", post(on_login))
        .route("/logout", post(on_logout))
}

#[derive(serde::Deserialize)]
struct Login {
    name: String,
    password: String,
}

async fn on_login(
    State(db): State<SqlitePool>,
    RequestedAt(now): RequestedAt,
    identity: IdentityToken,
    Form(form): Form<Login>,
) -> Result<impl IntoResponse, InternalError> {
    let mut tx = db.begin().await?;

    // Spelling the following in the more conventional form,
    //     if let Some(…) = create().await? {}
    //     else if let Some(…) = validate().await? {}
    //     else {}
    // pushes the specifics of whether the returned error types are Send or not
    // (they aren't) into the type of this function's generated Futures, which
    // in turn makes this function unusable as an Axum handler.
    let login = tx.logins().create(&form.name, &form.password).await?;
    let login = if login.is_some() {
        login
    } else {
        tx.logins().authenticate(&form.name, &form.password).await?
    };

    // If `login` is Some, then we have an identity and can issue an identity
    // token. If `login` is None, then neither creating a new login nor authenticating
    // an existing one succeeded, and we must reject the attempt.
    //
    // These properties will be transferred to `token`, as well.
    let token = if let Some(login) = login {
        Some(tx.tokens().issue(&login.id, now).await?)
    } else {
        None
    };

    tx.commit().await?;

    let resp = if let Some(token) = token {
        let identity = identity.set(&token);
        (identity, LoginResponse::Successful)
    } else {
        (identity, LoginResponse::Rejected)
    };

    Ok(resp)
}

enum LoginResponse {
    Rejected,
    Successful,
}

impl IntoResponse for LoginResponse {
    fn into_response(self) -> Response {
        match self {
            Self::Rejected => {
                (StatusCode::UNAUTHORIZED, "invalid name or password").into_response()
            }
            Self::Successful => Redirect::to("/").into_response(),
        }
    }
}

async fn on_logout(
    State(db): State<SqlitePool>,
    identity: IdentityToken,
) -> Result<impl IntoResponse, InternalError> {
    if let Some(token) = identity.token() {
        let mut tx = db.begin().await?;
        tx.tokens().revoke(token).await?;
        tx.commit().await?;
    }

    let identity = identity.clear();

    Ok((identity, Redirect::to("/")))
}