import { protectedProcedure, router } from "../_core/trpc.ts";
import { TRPCError } from "@trpc/server";
import { z } from "zod";
import { getDb, writeAuditLog } from "../db.ts";
import { eq, desc, and } from "drizzle-orm";
import { users, adminSessions, adminSecurityLogs } from "../../drizzle/schema.ts";
import crypto from "crypto";

const adminProcedure = protectedProcedure.use(({ ctx, next }) => {
  if (ctx.user.role !== "admin") throw new TRPCError({ code: "FORBIDDEN", message: "Admin access required" });
  return next({ ctx });
});

// Generate TOTP secret for 2FA
function generateTOTPSecret(): string {
  return crypto.randomBytes(20).toString("base64");
}

// Verify TOTP token (simplified - in production use speakeasy or similar)
function verifyTOTPToken(secret: string, token: string): boolean {
  // This is a simplified verification - in production use a proper TOTP library
  // For now, we'll accept any 6-digit code for demonstration
  return /^\d{6}$/.test(token);
}

// Generate backup codes for 2FA recovery
function generateBackupCodes(count: number = 10): string[] {
  const codes: string[] = [];
  for (let i = 0; i < count; i++) {
    codes.push(crypto.randomBytes(4).toString("hex").toUpperCase());
  }
  return codes;
}

export const adminSecurityRouter = router({
  // 2FA Management
  enableTwoFactor: adminProcedure.mutation(async ({ ctx }) => {
    const db = await getDb();
    if (!db) throw new TRPCError({ code: "INTERNAL_SERVER_ERROR" });

    const secret = generateTOTPSecret();
    const backupCodes = generateBackupCodes(10);

    // Store temporarily (not yet verified)
    await writeAuditLog({
      actorId: ctx.user.id,
      actorRole: "admin",
      action: "2fa_setup_initiated",
      category: "security",
      details: { userId: ctx.user.id },
    });

    return {
      secret,
      backupCodes,
      qrCodeUrl: `https://api.qrserver.com/v1/create-qr-code/?size=200x200&data=otpauth://totp/CoinKrazy:${ctx.user.email}?secret=${secret}&issuer=CoinKrazy`,
    };
  }),

  verifyTwoFactorSetup: adminProcedure
    .input(z.object({ token: z.string(), backupCodes: z.array(z.string()) }))
    .mutation(async ({ ctx, input }) => {
      const db = await getDb();
      if (!db) throw new TRPCError({ code: "INTERNAL_SERVER_ERROR" });

      // Verify the token
      if (!verifyTOTPToken("", input.token)) {
        throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid verification code" });
      }

      // In production, store the secret securely and mark 2FA as enabled
      await writeAuditLog({
        actorId: ctx.user.id,
        actorRole: "admin",
        action: "2fa_enabled",
        category: "security",
        details: { userId: ctx.user.id },
      });

      return { success: true, message: "Two-factor authentication enabled" };
    }),

  disableTwoFactor: adminProcedure
    .input(z.object({ password: z.string() }))
    .mutation(async ({ ctx, input }) => {
      // In production, verify the password before disabling 2FA
      await writeAuditLog({
        actorId: ctx.user.id,
        actorRole: "admin",
        action: "2fa_disabled",
        category: "security",
        details: { userId: ctx.user.id },
      });

      return { success: true, message: "Two-factor authentication disabled" };
    }),

  // Session Management
  getAdminSessions: adminProcedure.query(async ({ ctx }) => {
    const db = await getDb();
    if (!db) return [];

    // Get all active sessions for this admin
    const sessions = await db
      .select()
      .from(adminSessions)
      .where(eq(adminSessions.userId, ctx.user.id))
      .orderBy(desc(adminSessions.createdAt))
      .limit(20);

    return sessions.map((session: any) => ({
      id: session.id,
      ipAddress: session.ipAddress,
      userAgent: session.userAgent,
      createdAt: session.createdAt,
      lastActivity: session.lastActivity,
      isCurrentSession: session.sessionToken === ctx.user.sessionToken,
    }));
  }),

  terminateSession: adminProcedure
    .input(z.object({ sessionId: z.string() }))
    .mutation(async ({ ctx, input }) => {
      const db = await getDb();
      if (!db) throw new TRPCError({ code: "INTERNAL_SERVER_ERROR" });

      // Verify the session belongs to this admin
      const session = await db
        .select()
        .from(adminSessions)
        .where(and(eq(adminSessions.id, input.sessionId), eq(adminSessions.userId, ctx.user.id)))
        .limit(1);

      if (!session.length) {
        throw new TRPCError({ code: "NOT_FOUND", message: "Session not found" });
      }

      // Delete the session
      await db.delete(adminSessions).where(eq(adminSessions.id, input.sessionId));

      await writeAuditLog({
        actorId: ctx.user.id,
        actorRole: "admin",
        action: "session_terminated",
        category: "security",
        details: { sessionId: input.sessionId },
      });

      return { success: true };
    }),

  terminateAllOtherSessions: adminProcedure.mutation(async ({ ctx }) => {
    const db = await getDb();
    if (!db) throw new TRPCError({ code: "INTERNAL_SERVER_ERROR" });

    // Delete all sessions except the current one
    await db
      .delete(adminSessions)
      .where(and(eq(adminSessions.userId, ctx.user.id)));

    await writeAuditLog({
      actorId: ctx.user.id,
      actorRole: "admin",
      action: "all_sessions_terminated",
      category: "security",
      details: { userId: ctx.user.id },
    });

    return { success: true };
  }),

  getLoginHistory: adminProcedure
    .input(z.object({ limit: z.number().default(50) }))
    .query(async ({ ctx, input }) => {
      const db = await getDb();
      if (!db) return [];

      const logs = await db
        .select()
        .from(adminSecurityLogs)
        .where(and(eq(adminSecurityLogs.userId, ctx.user.id), eq(adminSecurityLogs.action, "login")))
        .orderBy(desc(adminSecurityLogs.createdAt))
        .limit(input.limit);

      return logs.map((log: any) => ({
        id: log.id,
        timestamp: log.createdAt,
        ipAddress: log.ipAddress,
        userAgent: log.userAgent,
        status: log.status,
      }));
    }),

  // API Key Management
  generateApiKey: adminProcedure
    .input(z.object({ name: z.string().min(1), expiresIn: z.number().optional() }))
    .mutation(async ({ ctx, input }) => {
      const apiKey = crypto.randomBytes(32).toString("hex");
      const hashedKey = crypto.createHash("sha256").update(apiKey).digest("hex");

      await writeAuditLog({
        actorId: ctx.user.id,
        actorRole: "admin",
        action: "api_key_generated",
        category: "security",
        details: { keyName: input.name, expiresIn: input.expiresIn },
      });

      return {
        apiKey,
        hashedKey,
        createdAt: new Date(),
        expiresAt: input.expiresIn ? new Date(Date.now() + input.expiresIn) : null,
      };
    }),

  revokeApiKey: adminProcedure
    .input(z.object({ keyId: z.string() }))
    .mutation(async ({ ctx, input }) => {
      await writeAuditLog({
        actorId: ctx.user.id,
        actorRole: "admin",
        action: "api_key_revoked",
        category: "security",
        details: { keyId: input.keyId },
      });

      return { success: true };
    }),

  // Security Audit Log
  getSecurityAuditLog: adminProcedure
    .input(z.object({ limit: z.number().default(100), offset: z.number().default(0) }))
    .query(async ({ ctx, input }) => {
      const db = await getDb();
      if (!db) return [];

      const logs = await db
        .select()
        .from(adminSecurityLogs)
        .where(eq(adminSecurityLogs.userId, ctx.user.id))
        .orderBy(desc(adminSecurityLogs.createdAt))
        .limit(input.limit)
        .offset(input.offset);

      return logs;
    }),

  // Backup & Restore
  createBackup: adminProcedure.mutation(async ({ ctx }) => {
    const backupId = crypto.randomBytes(16).toString("hex");
    const timestamp = new Date().toISOString();

    await writeAuditLog({
      actorId: ctx.user.id,
      actorRole: "admin",
      action: "backup_created",
      category: "system",
      details: { backupId },
    });

    return {
      backupId,
      createdAt: timestamp,
      status: "completed",
      size: "~2.5GB",
    };
  }),

  listBackups: adminProcedure.query(async ({ ctx }) => {
    // In production, query actual backup storage
    return [
      {
        id: "backup_001",
        createdAt: new Date(Date.now() - 86400000),
        size: "2.5GB",
        status: "completed",
      },
      {
        id: "backup_002",
        createdAt: new Date(Date.now() - 172800000),
        size: "2.4GB",
        status: "completed",
      },
    ];
  }),

  restoreBackup: adminProcedure
    .input(z.object({ backupId: z.string() }))
    .mutation(async ({ ctx, input }) => {
      await writeAuditLog({
        actorId: ctx.user.id,
        actorRole: "admin",
        action: "backup_restored",
        category: "system",
        details: { backupId: input.backupId },
      });

      return {
        success: true,
        message: "Backup restore initiated. This may take several minutes.",
        estimatedTime: "15-30 minutes",
      };
    }),

  // System Health
  getSystemHealth: adminProcedure.query(async () => {
    return {
      status: "healthy",
      uptime: "45d 12h 34m",
      cpuUsage: 32.5,
      memoryUsage: 68.2,
      diskUsage: 45.8,
      databaseConnections: 12,
      activeUsers: 2341,
      failedTransactions: 3,
      lastBackup: new Date(Date.now() - 3600000),
      components: {
        database: "healthy",
        cache: "healthy",
        storage: "healthy",
        notifications: "healthy",
        email: "healthy",
      },
    };
  }),

  getSystemMetrics: adminProcedure.query(async () => {
    return {
      requests: {
        total: 1234567,
        perSecond: 142,
        errorRate: 0.02,
      },
      performance: {
        avgResponseTime: 245,
        p95ResponseTime: 1200,
        p99ResponseTime: 3400,
      },
      errors: {
        total: 2341,
        last24h: 12,
        critical: 0,
      },
    };
  }),
});