<?php

declare(strict_types=1);

namespace Tests\Unit\Services;

use App\Enums\MfaMethod;
use App\Models\MfaBackupCode;
use App\Models\MfaEmailCode;
use App\Models\TrustedDevice;
use App\Models\User;
use App\Services\MfaService;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Queue;
use PragmaRX\Google2FA\Google2FA;
use Tests\TestCase;

class MfaServiceTest extends TestCase
{
    use RefreshDatabase;

    private MfaService $mfaService;
    private Google2FA $google2fa;
    private User $user;

    protected function setUp(): void
    {
        parent::setUp();

        Queue::fake();
        $this->google2fa = new Google2FA();
        $this->mfaService = app(MfaService::class);
        $this->user = User::factory()->create();
    }

    public function test_setup_totp_generates_secret_and_qr_url(): void
    {
        $result = $this->mfaService->setupTotp($this->user);

        $this->assertArrayHasKey('secret', $result);
        $this->assertArrayHasKey('qr_code_url', $result);
        $this->assertArrayHasKey('provisioning_uri', $result);
        $this->assertNotEmpty($result['secret']);
        $this->assertStringContainsString('otpauth://totp/', $result['qr_code_url']);

        $this->user->refresh();
        $this->assertNotNull($this->user->mfa_secret);
        $this->assertEquals(MfaMethod::TOTP->value, $this->user->mfa_method);
        $this->assertNull($this->user->mfa_confirmed_at);
    }

    public function test_confirm_totp_enables_mfa_and_generates_backup_codes(): void
    {
        $setupResult = $this->mfaService->setupTotp($this->user);
        $secret = $setupResult['secret'];
        $validCode = $this->google2fa->getCurrentOtp($secret);

        $backupCodes = $this->mfaService->confirmTotp($this->user, $validCode);

        $this->assertCount(10, $backupCodes);
        $this->user->refresh();
        $this->assertTrue($this->user->mfa_enabled);
        $this->assertNotNull($this->user->mfa_confirmed_at);
        $this->assertDatabaseCount('mfa_backup_codes', 10);
    }

    public function test_confirm_totp_with_invalid_code_fails(): void
    {
        $this->mfaService->setupTotp($this->user);

        $this->expectException(\DomainException::class);
        $this->expectExceptionMessage('Ongeldige verificatiecode.');

        $this->mfaService->confirmTotp($this->user, '000000');
    }

    public function test_setup_email_sends_verification_code(): void
    {
        $this->mfaService->setupEmail($this->user);

        $this->user->refresh();
        $this->assertEquals(MfaMethod::EMAIL->value, $this->user->mfa_method);
        $this->assertNull($this->user->mfa_confirmed_at);
        $this->assertDatabaseCount('mfa_email_codes', 1);
    }

    public function test_confirm_email_enables_mfa(): void
    {
        // Create a valid email code manually
        $code = '123456';
        MfaEmailCode::create([
            'user_id' => $this->user->id,
            'code' => $code,
            'expires_at' => now()->addMinutes(10),
        ]);

        $this->user->update([
            'mfa_method' => MfaMethod::EMAIL->value,
        ]);

        $backupCodes = $this->mfaService->confirmEmail($this->user, $code);

        $this->assertCount(10, $backupCodes);
        $this->user->refresh();
        $this->assertTrue($this->user->mfa_enabled);
        $this->assertNotNull($this->user->mfa_confirmed_at);
    }

    public function test_confirm_email_with_expired_code_fails(): void
    {
        MfaEmailCode::create([
            'user_id' => $this->user->id,
            'code' => '123456',
            'expires_at' => now()->subMinute(),
        ]);

        $this->user->update(['mfa_method' => MfaMethod::EMAIL->value]);

        $this->expectException(\DomainException::class);
        $this->expectExceptionMessage('Ongeldige of verlopen code.');

        $this->mfaService->confirmEmail($this->user, '123456');
    }

    public function test_email_code_rate_limited(): void
    {
        $this->mfaService->sendEmailCode($this->user);

        $this->expectException(\DomainException::class);
        $this->expectExceptionMessage('Wacht even voordat je een nieuwe code aanvraagt.');

        $this->mfaService->sendEmailCode($this->user);
    }

    public function test_generate_backup_codes_creates_10_hashed_codes(): void
    {
        $codes = $this->mfaService->generateBackupCodes($this->user);

        $this->assertCount(10, $codes);
        $this->assertDatabaseCount('mfa_backup_codes', 10);

        // Verify codes are hashed (not stored plain)
        $stored = MfaBackupCode::where('user_id', $this->user->id)->first();
        $this->assertNotEquals($codes[0], $stored->code_hash);
        $this->assertTrue(Hash::check($codes[0], $stored->code_hash));
    }

    public function test_verify_backup_code_marks_as_used(): void
    {
        // Setup MFA with backup codes
        $setupResult = $this->mfaService->setupTotp($this->user);
        $validCode = $this->google2fa->getCurrentOtp($setupResult['secret']);
        $backupCodes = $this->mfaService->confirmTotp($this->user, $validCode);

        // Create MFA session and verify with backup code
        $session = $this->mfaService->createMfaSession($this->user, '127.0.0.1');
        $this->mfaService->verifyMfaCode(
            $session['mfa_session_token'],
            $backupCodes[0],
            MfaMethod::BACKUP_CODE,
            '127.0.0.1',
        );

        $this->assertDatabaseHas('mfa_backup_codes', [
            'user_id' => $this->user->id,
            'used' => true,
        ]);

        // Verify 9 unused remain
        $remaining = MfaBackupCode::where('user_id', $this->user->id)
            ->where('used', false)->count();
        $this->assertEquals(9, $remaining);
    }

    public function test_verify_backup_code_invalid_fails(): void
    {
        $this->mfaService->generateBackupCodes($this->user);
        $this->user->update([
            'mfa_enabled' => true,
            'mfa_method' => MfaMethod::TOTP->value,
            'mfa_confirmed_at' => now(),
        ]);

        $session = $this->mfaService->createMfaSession($this->user, '127.0.0.1');

        $this->expectException(\DomainException::class);
        $this->expectExceptionMessage('Ongeldige backup code.');

        $this->mfaService->verifyMfaCode(
            $session['mfa_session_token'],
            'INVALID-CODE',
            MfaMethod::BACKUP_CODE,
            '127.0.0.1',
        );
    }

    public function test_trust_device_creates_record(): void
    {
        $device = $this->mfaService->trustDevice(
            $this->user,
            'test-fingerprint',
            '192.168.1.1',
            'Chrome on macOS',
        );

        $this->assertDatabaseHas('trusted_devices', [
            'user_id' => $this->user->id,
            'device_name' => 'Chrome on macOS',
            'ip_address' => '192.168.1.1',
        ]);
        $this->assertNotNull($device->trusted_until);
    }

    public function test_is_device_trusted_returns_true_within_expiry(): void
    {
        $this->mfaService->trustDevice($this->user, 'test-fingerprint', '192.168.1.1');

        $this->assertTrue($this->mfaService->isDeviceTrusted($this->user, 'test-fingerprint'));
    }

    public function test_is_device_trusted_returns_false_after_expiry(): void
    {
        $this->mfaService->trustDevice($this->user, 'test-fingerprint', '192.168.1.1');

        // Manually expire the device
        TrustedDevice::where('user_id', $this->user->id)
            ->update(['trusted_until' => now()->subDay()]);

        $this->assertFalse($this->mfaService->isDeviceTrusted($this->user, 'test-fingerprint'));
    }

    public function test_revoke_device_deletes_record(): void
    {
        $device = $this->mfaService->trustDevice($this->user, 'test-fingerprint', '192.168.1.1');

        $this->mfaService->revokeDevice($this->user, $device->id);

        $this->assertDatabaseMissing('trusted_devices', ['id' => $device->id]);
    }

    public function test_disable_clears_all_mfa_data(): void
    {
        // Setup full MFA
        $setupResult = $this->mfaService->setupTotp($this->user);
        $validCode = $this->google2fa->getCurrentOtp($setupResult['secret']);
        $this->mfaService->confirmTotp($this->user, $validCode);
        $this->mfaService->trustDevice($this->user, 'test-fingerprint', '192.168.1.1');

        $this->mfaService->disable($this->user);

        $this->user->refresh();
        $this->assertFalse($this->user->mfa_enabled);
        $this->assertNull($this->user->mfa_method);
        $this->assertNull($this->user->mfa_secret);
        $this->assertNull($this->user->mfa_confirmed_at);
        $this->assertDatabaseCount('mfa_backup_codes', 0);
        $this->assertDatabaseCount('trusted_devices', 0);
    }

    public function test_admin_reset_disables_mfa_with_audit(): void
    {
        $admin = User::factory()->create();
        $setupResult = $this->mfaService->setupTotp($this->user);
        $validCode = $this->google2fa->getCurrentOtp($setupResult['secret']);
        $this->mfaService->confirmTotp($this->user, $validCode);

        $this->mfaService->adminReset($admin, $this->user);

        $this->user->refresh();
        $this->assertFalse($this->user->mfa_enabled);

        $this->assertDatabaseHas('activity_log', [
            'description' => 'mfa.admin_reset',
            'causer_id' => $admin->id,
            'subject_id' => $this->user->id,
        ]);
    }

    public function test_mfa_required_for_super_admin(): void
    {
        $this->seed(RoleSeeder::class);
        $this->user->assignRole('super_admin');

        $this->assertTrue($this->mfaService->isMfaRequired($this->user));
    }

    public function test_mfa_not_required_for_volunteer(): void
    {
        $this->seed(RoleSeeder::class);
        // User with no special roles — just a basic user
        $this->assertFalse($this->mfaService->isMfaRequired($this->user));
    }

    public function test_mfa_session_expires(): void
    {
        $this->user->update([
            'mfa_enabled' => true,
            'mfa_method' => MfaMethod::TOTP->value,
            'mfa_confirmed_at' => now(),
        ]);

        $session = $this->mfaService->createMfaSession($this->user, '127.0.0.1');

        // Manually expire the session
        Cache::forget('mfa_session:' . $session['mfa_session_token']);

        $this->expectException(\DomainException::class);
        $this->expectExceptionMessage('MFA-sessie verlopen. Log opnieuw in.');

        $this->mfaService->verifyMfaCode(
            $session['mfa_session_token'],
            '123456',
            MfaMethod::TOTP,
            '127.0.0.1',
        );
    }

    public function test_mfa_session_ip_check(): void
    {
        $this->user->update([
            'mfa_enabled' => true,
            'mfa_method' => MfaMethod::TOTP->value,
            'mfa_confirmed_at' => now(),
        ]);

        $session = $this->mfaService->createMfaSession($this->user, '127.0.0.1');

        $this->expectException(\DomainException::class);
        $this->expectExceptionMessage('IP-adres gewijzigd. Log opnieuw in.');

        $this->mfaService->verifyMfaCode(
            $session['mfa_session_token'],
            '123456',
            MfaMethod::TOTP,
            '10.0.0.1', // Different IP
        );
    }
}