/**
 * Authentication helpers for E2E tests.
 *
 * Provides functions to inject session cookies and to perform a full
 * registration-and-verify flow through the UI + direct DB access.
 */

import type { Page } from '@playwright/test';
import pg from 'pg';
import { createHash } from 'node:crypto';

const { Client } = pg;

// ---------------------------------------------------------------------------
// Known test tokens — must match seed.ts
// ---------------------------------------------------------------------------
export const ADMIN_SESSION_TOKEN = 'e2e-admin-session-token-for-testing-only';
export const USER_SESSION_TOKEN = 'e2e-user-session-token-for-testing-only';
export const SESSION_COOKIE_NAME = 'ai_synth_session';

// ---------------------------------------------------------------------------
// Cookie injection helpers
// ---------------------------------------------------------------------------

/**
 * Set the session cookie for the admin test user.
 * The page must already be navigated to (or about to navigate to)
 * the app domain so the cookie is scoped correctly.
 */
export async function loginAsAdmin(page: Page): Promise<void> {
  await page.context().addCookies([
    {
      name: SESSION_COOKIE_NAME,
      value: ADMIN_SESSION_TOKEN,
      domain: 'localhost',
      path: '/',
      httpOnly: true,
      sameSite: 'Lax',
    },
  ]);
}

/**
 * Set the session cookie for the regular test user.
 */
export async function loginAsUser(page: Page): Promise<void> {
  await page.context().addCookies([
    {
      name: SESSION_COOKIE_NAME,
      value: USER_SESSION_TOKEN,
      domain: 'localhost',
      path: '/',
      httpOnly: true,
      sameSite: 'Lax',
    },
  ]);
}

/**
 * Perform a full registration flow for a new email address:
 * 1. Navigate to /register
 * 2. Fill out the form and submit
 * 3. Extract the raw magic link token from the DB
 * 4. Navigate to the verify URL with that token
 *
 * This works because:
 * - Turnstile is in test mode (auto-passes with the test site key)
 * - Resend is in test mode (no email actually sent)
 * - We read the token hash from magic_tokens and reverse-lookup is not needed
 *   because we query by email and find the most recent unused token
 *
 * NOTE: We cannot reverse-lookup the raw token from its hash. Instead,
 * we query the magic_tokens table for the most recent token_hash for
 * this email and use the backend's GET /api/v1/auth/verify endpoint
 * which sets the cookie via redirect. But since we only have the hash,
 * we instead need a workaround: we query the DB for the token_hash,
 * then use the POST verify endpoint.
 *
 * Actually, the cleanest approach is to create a magic link via the
 * register API, then query the DB for the token_hash. Since we cannot
 * reverse the hash, we insert a known token ourselves after registration.
 */
export async function registerAndVerify(
  page: Page,
  email: string,
): Promise<void> {
  const databaseUrl =
    process.env.DATABASE_URL ??
    'postgres://ai_synth_test:testpassword@localhost:5433/ai_synth_test';

  // Navigate to register page and fill the form
  await page.goto('/register');
  await page.locator('#email').fill(email);

  // Wait for Turnstile to auto-verify (test key always passes)
  // The Turnstile widget will call the callback automatically with the test site key.
  // We need to wait a moment for the async script to load and render.
  await page.waitForTimeout(2000);

  // Submit the form
  await page.locator('button[type="submit"]').click();

  // Wait for the "check inbox" message to appear (means registration succeeded)
  await page.waitForSelector('text=Verifiez votre boite de reception', {
    timeout: 10_000,
  });

  // Now extract the magic token from the database.
  // The token_hash is stored, but we don't have the raw token.
  // We'll insert a known magic token for this email directly.
  const knownRawToken = `e2e-magic-token-${Date.now()}`;
  const knownTokenHash = createHash('sha256')
    .update(knownRawToken)
    .digest('hex');
  const expiresAt = new Date(Date.now() + 15 * 60 * 1000).toISOString();

  const client = new Client({ connectionString: databaseUrl });
  await client.connect();
  try {
    await client.query(
      `INSERT INTO magic_tokens (email, token_hash, expires_at, used)
       VALUES ($1, $2, $3, false)`,
      [email.toLowerCase(), knownTokenHash, expiresAt],
    );
  } finally {
    await client.end();
  }

  // Navigate to the verify URL (GET endpoint that sets cookie and redirects)
  await page.goto(`/api/v1/auth/verify?token=${knownRawToken}`);

  // The GET verify endpoint redirects to APP_URL (http://localhost:8080)
  // Wait for the redirect to complete and the home page to load
  await page.waitForURL('**/', { timeout: 10_000 });
}

/**
 * Connect directly to the test database and return a pg Client.
 */
export function createDbClient(): InstanceType<typeof Client> {
  const databaseUrl =
    process.env.DATABASE_URL ??
    'postgres://ai_synth_test:testpassword@localhost:5433/ai_synth_test';
  return new Client({ connectionString: databaseUrl });
}