import prisma from '$lib/server/prisma.js';
import auth from '$lib/server/auth.js';
import { fail, redirect } from '@sveltejs/kit';
import type { Actions } from './$types';
import { maxAge, refreshTokenMaxAge, secure } from '$lib/server/utils';
import { validateLogin } from '$lib/validations';

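/**
 * Login form action.
 *
 * Validates the submitted form, looks the user up by email, verifies the
 * password hash, enforces email verification for non-admin accounts, and then
 * establishes a session: a fresh server-side session id (hashed in the DB),
 * a signed JWT access token carrying that id, and a refresh token (hashed in
 * the DB). Both tokens are set as HttpOnly cookies before redirecting by role.
 *
 * Responses:
 *  - 400: the form failed validation (field errors returned alongside the data)
 *  - 401: unknown email, wrong password, or unverified non-admin account
 *  - 500: the user lookup threw
 *  - 303: success; admins go to /admin/product, everyone else to /product
 *
 * "Unknown email" and "wrong password" deliberately share one status code and
 * one message so the response does not reveal which emails are registered.
 */
export const actions: Actions = {
  default: async ({ request, cookies }) => {
    const formData = Object.fromEntries((await request.formData()).entries());
    const validation = validateLogin(formData);

    if (!validation.success) {
      // Echo the submitted values so the form can be re-populated.
      return fail(400, {
        data: formData,
        errors: validation.errors
      });
    }

    // `success` was checked above; the `!` mirrors the validator's return
    // type, which does not narrow `data` on its own.
    const { email, password } = validation.data!;

    // Single generic failure for both "no such user" and "wrong password":
    // same status, same text, so the two cases are indistinguishable to the
    // client.
    const invalidCredentials = () =>
      fail(401, {
        data: { email },
        errors: { _errors: ['Invalid Email or Password'] }
      });

    let user;
    try {
      user = await prisma.user.findUnique({ where: { email } });
    } catch (e) {
      // Details go to the server log only; the client gets a generic message.
      console.error('Login DB error:', e);
      return fail(500, {
        data: { email },
        errors: { _errors: ['An unexpected error occurred. Please try again later.'] }
      });
    }

    if (!user) {
      // NOTE(review): this path returns before auth.compare runs, so its
      // response time still differs from the wrong-password path. Closing
      // that gap needs a compare against a fixed reference hash — TODO.
      return invalidCredentials();
    }

    const isValidPassword = await auth.compare(password.toString(), user.password);
    if (!isValidPassword) {
      return invalidCredentials();
    }

    const isAdmin = await auth.isAdmin(user);

    // Normal users must have verified their email before they can log in;
    // admins are exempt from this check.
    if (!isAdmin && !user.isVerified) {
      return fail(401, {
        data: { email },
        errors: { _errors: ['Account not verified. Please check your email for verification link.'] }
      });
    }

    // --- STEP 1: Generate a new sessionId and hash it in DB ---
    // Only the hash is stored; the raw id lives in the JWT below. Saving
    // overwrites any previous session, so a login invalidates older tokens.
    const sessionId = await auth.generateSessionId();
    await auth.saveSessionToken(user.id, sessionId);

    // --- STEP 2: Sign JWT (access token) embedding the sessionId ---
    const token = auth.sign(user, sessionId);

    // --- STEP 3: Generate a refresh token and hash it in DB ---
    const refreshToken = await auth.generateRefreshToken(user);

    // --- STEP 4: Set secure cookies ---
    // HttpOnly keeps both tokens out of reach of page scripts; `secure` comes
    // from server utils so local HTTP development still works. SameSite is
    // spelled out rather than relying on the framework default.
    cookies.set('token', token, {
      httpOnly: true,
      secure,
      sameSite: 'lax',
      path: '/',
      maxAge
    });

    // The refresh token is a session cookie unless "remember me" was ticked,
    // in which case it persists for refreshTokenMaxAge. An unchecked checkbox
    // is simply absent from the form data, so a plain truthiness test is
    // enough. NOTE(review): path '/' sends this token on every request; if
    // refresh happens at a single endpoint, scoping `path` to it would limit
    // exposure — confirm the refresh route before narrowing.
    cookies.set('refreshToken', refreshToken, {
      httpOnly: true,
      secure,
      sameSite: 'lax',
      path: '/',
      maxAge: formData.rememberMe ? refreshTokenMaxAge : undefined
    });

    // --- STEP 5: Redirect based on role ---
    throw redirect(303, isAdmin ? '/admin/product' : '/product');
  }
};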
