// purchasing a single document within a product
import { json, error } from '@sveltejs/kit';
import type { RequestHandler } from '@sveltejs/kit';
import prisma from '$lib/server/prisma';
import { API_CLIENT_ID, KEY, SECRET, SERVICE_ID } from '$env/static/private';
import { createHmac } from 'node:crypto';

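/**
 * Parses a client-supplied identifier into a positive integer.
 *
 * @param value - raw value from the request body (string or number expected)
 * @returns the integer id, or `null` when the value is not a positive integer
 */
function parseId(value: unknown): number | null {
  const parsed = typeof value === 'string' || typeof value === 'number' ? Number(value) : NaN;
  return Number.isInteger(parsed) && parsed > 0 ? parsed : null;
}

/**
 * Initiates the purchase of a single document belonging to a product.
 *
 * Request body (JSON): `{ productId, documentId, amount }`. The document must belong
 * to the product, and `amount` must equal the server-computed price — the client value
 * is only accepted as a confirmation, never as the authoritative amount.
 *
 * Responses: 401 without a session user; 400 on missing/invalid fields or an amount
 * mismatch; 404 when the document or product does not exist; 200 with the PENDING
 * payment id plus the provider `paymentDetails` (including the HMAC `secureHash`).
 */
export const POST: RequestHandler = async ({ locals: { user }, request, url: { origin } }) => {
  if (!user) return error(401, 'Unauthorized');

  const body = await request.json().catch(() => ({}));
  const { productId, documentId, amount } = body || {};
  if (!productId || !documentId || !amount) return error(400, 'Missing required fields');

  // Reject non-numeric ids up front instead of passing `NaN` into the Prisma query.
  const productIdNum = parseId(productId);
  const documentIdNum = parseId(documentId);
  if (productIdNum === null || documentIdNum === null) {
    return error(400, 'Invalid product or document id');
  }

  // Verify the document belongs to the product.
  const doc = await prisma.productDocument.findUnique({ where: { id: documentIdNum } });
  if (!doc || doc.productId !== productIdNum) return error(404, 'Document not found for product');

  // Fetch the product to compute the authoritative amount.
  const product = await prisma.product.findUnique({
    where: { id: productIdNum },
    select: { id: true, price: true, digitalCopyPrice: true }
  });
  if (!product) return error(404, 'Product not found');

  // Authoritative amount, by priority:
  //   product.digitalCopyPrice -> doc.purchasePrice -> fallback of 50% of product.price.
  // `purchasePrice` is not part of the document type visible here; the loose read is kept
  // from the original — confirm the column exists on the model.
  const expectedAmount = Number(
    product.digitalCopyPrice ?? (doc as any).purchasePrice ?? Math.round((product.price ?? 0) * 0.5)
  );

  // The client-sent amount must match exactly; otherwise the request is treated as tampered.
  const clientAmount = Number(amount);
  if (Number.isNaN(clientAmount) || clientAmount <= 0) return error(400, 'Invalid amount');
  if (clientAmount !== expectedAmount) return error(400, 'Invalid amount for document purchase');

  // Bill reference built from server-side ids only (not the raw request strings).
  const billRefNumber = `DOC-${Date.now()}-${user.id}-${doc.id}`;

  // Create the payment record in PENDING state, using the validated server-side values.
  const payment = await prisma.payment.create({
    data: {
      userId: user.id,
      amount: expectedAmount,
      provider: 'PESAFLOW',
      status: 'PENDING',
      providerRef: billRefNumber,
      rawPayload: { type: 'DOCUMENT_PURCHASE', productId: product.id, documentId: doc.id } as any
    }
  });

  // locals.user's declared type does not expose these profile fields from here; keep the
  // loose read in one place rather than scattering `as any` through the payload.
  type Profile = {
    idNumber?: string | null;
    name?: string | null;
    email?: string | null;
    phoneNumber?: string | null;
  };
  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- see note above
  const profile: Profile = user as any;

  // PesaFlow paymentDetails (same shape the checkout flow uses).
  const paymentDetails = {
    apiClientID: API_CLIENT_ID,
    amountExpected: expectedAmount,
    serviceID: SERVICE_ID,
    clientIDNumber: profile.idNumber || '0',
    currency: 'KES',
    billRefNumber,
    billDesc: `Document: ${doc.originalName}`,
    clientName: profile.name || profile.email
  };

  // The shared SECRET is part of the hashed string only. It is deliberately NOT placed in
  // the object that is returned to the browser: sending the HMAC input secret alongside the
  // hash would let anyone holding the response re-sign arbitrary payment details. If the
  // provider's hosted form genuinely requires a `secret` field to be posted by the browser,
  // reintroduce it explicitly rather than via the spread below.
  const dataString = [
    paymentDetails.apiClientID,
    paymentDetails.amountExpected,
    paymentDetails.serviceID,
    paymentDetails.clientIDNumber,
    paymentDetails.currency,
    paymentDetails.billRefNumber,
    paymentDetails.billDesc,
    paymentDetails.clientName,
    SECRET
  ].join('');

  const secureHash = createHmac('sha256', KEY).update(dataString).digest('base64');

  return json({
    paymentId: payment.id,
    paymentDetails: {
      ...paymentDetails,
      secureHash,
      callBackURLOnSuccess: `${origin}/api/document/confirm?ref=${encodeURIComponent(billRefNumber)}`,
      callBackURLOnFail: `${origin}/product/${product.id}`,
      notificationURL: `${origin}/api/document/notification`,
      clientEmail: profile.email,
      clientMSISDN: profile.phoneNumber || '0700000000',
      pictureURL: `${origin}/kLawLogo.png`
    }
  });
};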