import 'server-only';
import { NextRequest, NextResponse } from 'next/server';
import { getAuth } from 'firebase-admin/auth';
import { getFirebaseAdmin } from '@/lib/firebase-admin';
import { trackActivity } from './activity-tracker';

/**
 * Identity of an authenticated caller, as established from a Firebase ID
 * token that firebase-admin has verified.
 */
export interface AuthResult {
    /** Firebase Auth user id — the `uid` of the decoded token. */
    uid: string;
    /**
     * `email` claim of the decoded token, when present. It is copied as-is
     * without consulting `email_verified`, so callers must not treat it as a
     * verified address for authorization decisions.
     */
    email?: string;
}

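/**
 * Firebase ID token verification middleware.
 * Extracts the token from an `Authorization: Bearer <idToken>` header,
 * verifies it with firebase-admin's `verifyIdToken`, and returns the uid.
 *
 * `verifyIdToken` is called without `checkRevoked`, so a token that has been
 * revoked server-side stays accepted until its own expiry; routes that need
 * immediate revocation must call `verifyIdToken(idToken, true)` at the cost
 * of an extra lookup per request. The returned `email` is copied from the
 * token without checking `email_verified`.
 *
 * @param req - Incoming request whose `Authorization` header is inspected.
 * @returns AuthResult on success, or a 401 NextResponse on failure.
 */
export async function verifyAuth(req: NextRequest): Promise<AuthResult | NextResponse> {
    const unauthorized = () => NextResponse.json({ error: 'Unauthorized' }, { status: 401 });

    const authHeader = req.headers.get('Authorization');
    if (!authHeader?.startsWith('Bearer ')) {
        return unauthorized();
    }

    // Take everything after the scheme instead of splitting on the literal
    // 'Bearer ', which re-scans the whole header and truncates a credential
    // that happens to contain that substring.
    const idToken = authHeader.slice('Bearer '.length);
    if (!idToken) {
        return unauthorized();
    }

    try {
        getFirebaseAdmin();
        const decoded = await getAuth().verifyIdToken(idToken);
        // Not awaited so activity tracking cannot delay the request.
        // NOTE(review): if trackActivity returns a promise, a rejection here
        // is unhandled — confirm against activity-tracker.
        trackActivity(decoded.uid);
        return { uid: decoded.uid, email: decoded.email };
    } catch (error) {
        // Server-side log only; the token itself is never logged and the client
        // receives a generic message that does not reveal the failure cause.
        console.error('Token verification failed:', error);
        return NextResponse.json({ error: 'Invalid or expired token' }, { status: 401 });
    }
}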

/**
 * Verifies a Firebase ID token passed as a query parameter
 * (`?token=<idToken>`), for callers that cannot set headers such as the
 * PWA Share Target.
 *
 * A token carried in the URL may be recorded in server, proxy and browser
 * history logs, so the header-based verifyAuth should be preferred wherever
 * the client can set headers.
 *
 * @param token - Raw `token` query value, or null when absent.
 * @returns AuthResult on success, or a 401 NextResponse on failure.
 */
export async function verifyAuthFromParam(token: string | null): Promise<AuthResult | NextResponse> {
    if (token == null || token === '') {
        return NextResponse.json({ error: 'Unauthorized: token parameter required' }, { status: 401 });
    }

    try {
        getFirebaseAdmin();
        const { uid, email } = await getAuth().verifyIdToken(token);
        // Not awaited: activity tracking must not block the response.
        trackActivity(uid);
        return { uid, email };
    } catch (error) {
        // The token is never logged; the client gets a generic message.
        console.error('Token verification failed:', error);
        return NextResponse.json({ error: 'Invalid or expired token' }, { status: 401 });
    }
}

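/**
 * Firebase ID token verification + member-or-higher role check middleware.
 * Returns 403 Forbidden for `guest`, for a missing `users/{uid}` document or
 * `role` field, and for any role value that is not on the allow-list.
 *
 * The role is read from Firestore `users/{uid}.role`; this is only a
 * meaningful authorization check if clients cannot write that field.
 * NOTE(review): confirm the Firestore security rules deny client writes to `role`.
 *
 * @param req - Incoming request; authenticated via verifyAuth first.
 * @returns AuthResult when the caller holds an allowed role, else a 401/403 NextResponse.
 */
export async function verifyMember(req: NextRequest): Promise<AuthResult | NextResponse> {
    const authResult = await verifyAuth(req);
    if (authResult instanceof NextResponse) return authResult;

    // Look up the caller's role in Firestore
    const { getFirestore } = await import('firebase-admin/firestore');
    const db = getFirestore();
    const userDoc = await db.collection('users').doc(authResult.uid).get();
    const role: unknown = userDoc.data()?.role;

    // Allow-list rather than the previous deny-list (`role !== 'guest'`): an
    // unexpected or malformed role value now fails closed with 403 instead of
    // being treated as a member. Extend this list when a new role is introduced.
    const memberRoles: readonly string[] = ['member', 'reviewer', 'admin'];
    if (typeof role !== 'string' || !memberRoles.includes(role)) {
        return NextResponse.json(
            { error: 'Forbidden: Member access required' },
            { status: 403 }
        );
    }

    return authResult;
}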

/**
 * Firebase ID token verification + admin role check middleware.
 * Any caller whose Firestore `users/{uid}.role` is not exactly `'admin'`
 * (including a missing document or field) receives 403 Forbidden.
 *
 * NOTE(review): this is only a meaningful check if clients cannot write the
 * `role` field themselves — confirm the Firestore security rules.
 *
 * @param req - Incoming request; authenticated via verifyAuth first.
 * @returns AuthResult for admins, else a 401/403 NextResponse.
 */
export async function verifyAdmin(req: NextRequest): Promise<AuthResult | NextResponse> {
    const principal = await verifyAuth(req);
    if (principal instanceof NextResponse) return principal;

    const { getFirestore } = await import('firebase-admin/firestore');
    const snapshot = await getFirestore().collection('users').doc(principal.uid).get();
    // Strict equality: undefined, empty and every other role fail closed.
    const isAdmin = snapshot.data()?.role === 'admin';

    if (!isAdmin) {
        return NextResponse.json(
            { error: 'Forbidden: Admin access required' },
            { status: 403 }
        );
    }

    return principal;
}

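/**
 * Query-parameter token verification + member-or-higher role check.
 * Returns 403 Forbidden for `guest`, for a missing `users/{uid}` document or
 * `role` field, and for any role value that is not on the allow-list.
 *
 * The role is read from Firestore `users/{uid}.role`; this is only a
 * meaningful authorization check if clients cannot write that field.
 * NOTE(review): confirm the Firestore security rules deny client writes to `role`.
 *
 * @param token - Raw `token` query value, or null when absent.
 * @returns AuthResult when the caller holds an allowed role, else a 401/403 NextResponse.
 */
export async function verifyMemberFromParam(token: string | null): Promise<AuthResult | NextResponse> {
    const authResult = await verifyAuthFromParam(token);
    if (authResult instanceof NextResponse) return authResult;

    const { getFirestore } = await import('firebase-admin/firestore');
    const db = getFirestore();
    const userDoc = await db.collection('users').doc(authResult.uid).get();
    const role: unknown = userDoc.data()?.role;

    // Allow-list rather than the previous deny-list (`role !== 'guest'`): an
    // unexpected or malformed role value now fails closed with 403 instead of
    // being treated as a member. Extend this list when a new role is introduced.
    const memberRoles: readonly string[] = ['member', 'reviewer', 'admin'];
    if (typeof role !== 'string' || !memberRoles.includes(role)) {
        return NextResponse.json(
            { error: 'Forbidden: Member access required' },
            { status: 403 }
        );
    }

    return authResult;
}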

/**
 * Firebase ID token verification + reviewer/admin role check middleware.
 * `member` and `guest` roles, as well as a missing `users/{uid}` document,
 * field or any unlisted role value, receive 403 Forbidden.
 *
 * NOTE(review): the check relies on clients being unable to write
 * `users/{uid}.role` — confirm the Firestore security rules.
 *
 * @param req - Incoming request; authenticated via verifyAuth first.
 * @returns AuthResult for reviewers and admins, else a 401/403 NextResponse.
 */
export async function verifyReviewer(req: NextRequest): Promise<AuthResult | NextResponse> {
    const principal = await verifyAuth(req);
    if (principal instanceof NextResponse) return principal;

    const { getFirestore } = await import('firebase-admin/firestore');
    const snapshot = await getFirestore().collection('users').doc(principal.uid).get();
    const role = snapshot.data()?.role;

    // Allow-list membership: undefined, empty and unknown roles all fail closed.
    const reviewerRoles = new Set(['reviewer', 'admin']);
    if (!reviewerRoles.has(role)) {
        return NextResponse.json(
            { error: 'Forbidden: Reviewer access required' },
            { status: 403 }
        );
    }

    return principal;
}
