<?php

declare(strict_types=1);

namespace App\Http\Controllers\Api\V1;

use App\Enums\EmailTemplateType;
use App\Http\Controllers\Controller;
use App\Models\User;
use App\Services\EmailService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Password;
use Illuminate\Validation\Rules\Password as PasswordRule;

final class PasswordResetController extends Controller
{
    public function __construct(
        private readonly EmailService $emailService,
    ) {}

    public function sendResetLink(Request $request): JsonResponse
    {
        $request->validate([
            'email' => ['required', 'email'],
            'app' => ['required', 'in:app,portal,admin'],
        ]);

        $frontendUrls = [
            'admin' => config('app.frontend_admin_url'),
            'app' => config('app.frontend_app_url'),
            'portal' => config('app.frontend_portal_url'),
        ];

        $frontendUrl = $frontendUrls[$request->input('app')];

        Password::sendResetLink(
            ['email' => strtolower($request->email)],
            function (User $user, string $token) use ($frontendUrl) {
                $organisation = $user->organisations()->first();

                $this->emailService->send(
                    type: EmailTemplateType::PASSWORD_RESET,
                    recipientEmail: $user->email,
                    recipientName: $user->first_name . ' ' . $user->last_name,
                    actionUrl: $frontendUrl . '/reset-password?token=' . $token . '&email=' . urlencode($user->email),
                    organisation: $organisation,
                    userId: $user->id,
                );
            }
        );

        // Always return success (don't leak whether email exists)
        return $this->success(
            message: 'Als dit e-mailadres bij ons bekend is, ontvang je een link om je wachtwoord te herstellen.'
        );
    }

    public function resetPassword(Request $request): JsonResponse
    {
        $request->validate([
            'token' => ['required'],
            'email' => ['required', 'email'],
            'password' => ['required', 'confirmed', PasswordRule::min(8)->mixedCase()->numbers()],
        ]);

        $status = Password::reset(
            $request->only('email', 'password', 'password_confirmation', 'token'),
            function (User $user, string $password) {
                $user->forceFill(['password' => Hash::make($password)])->save();

                // Revoke all existing tokens (force re-login everywhere)
                $user->tokens()->delete();

                activity()
                    ->causedBy($user)
                    ->performedOn($user)
                    ->log('user.password_reset');
            }
        );

        if ($status === Password::PASSWORD_RESET) {
            return $this->success(message: 'Je wachtwoord is succesvol gewijzigd. Je kunt nu inloggen.');
        }

        return $this->error(__($status), 422);
    }
}