import { useRuntimeConfig } from "#app";
import type { FetchResponse } from "ofetch";
import { workpulseApiRaw } from "~/utils/workpulse-api-fetch";
import { normalizeWorkpulseApiBase } from "~/utils/workpulse-api-base";
import { readWorkpulseAccessToken } from "~/utils/workpulse-session-user";
import { useAuth } from "./useAuth";

type ApiEnvelope<T> = {
  ok: boolean;
  data?: T;
  error?: { code?: string; message?: string };
};

export type AdminUserRow = {
  id: number;
  email: string;
  name: string;
  role: string;
  isActive: boolean;
  createdAt?: string | null;
  permissions?: Partial<import("~/utils/workpulse-permissions").WorkpulsePermissions>;
  divisionAccessAll?: boolean;
  visibleDivisionCodes?: string[];
};

function apiBase(): string {
  return normalizeWorkpulseApiBase(String(useRuntimeConfig().public.workpulseApiBase || ""));
}

function bearerHeaders(): { Authorization: string } | undefined {
  const { accessToken } = useAuth();
  const t = accessToken.value || readWorkpulseAccessToken();
  if (!t) return undefined;
  return { Authorization: `Bearer ${t}` };
}

async function parseEnvelope<T>(raw: FetchResponse<unknown>): Promise<{
  ok: boolean;
  status: number;
  data?: T;
  message?: string;
}> {
  const status = raw.status;
  let body = raw._data as ApiEnvelope<T> | string | undefined;
  if (typeof body === "string") {
    try {
      body = JSON.parse(body) as ApiEnvelope<T>;
    } catch {
      body = undefined;
    }
  }
  if (!body) return { ok: false, status, message: `HTTP ${status}` };
  if (!body.ok) {
    return {
      ok: false,
      status,
      message: body.error?.message || body.error?.code || `HTTP ${status}`
    };
  }
  return { ok: true, status, data: body.data as T };
}

export function useWorkpulseAdminUsers() {
  const listUsers = async (params: { limit?: number; offset?: number; q?: string } = {}) => {
    const b = apiBase();
    if (!b) return { ok: false as const, status: 0, message: "API belum dikonfigurasi." };
    const qs = new URLSearchParams();
    if (params.limit != null) qs.set("limit", String(params.limit));
    if (params.offset != null) qs.set("offset", String(params.offset));
    if (params.q?.trim()) qs.set("q", params.q.trim());
    const q = qs.toString();
    const url = `${b}/api/v1/admin/users${q ? `?${q}` : ""}`;
    const raw = await workpulseApiRaw(url, {
      headers: bearerHeaders(),
      credentials: "include",
      ignoreResponseError: true
    });
    return parseEnvelope<{ users: AdminUserRow[]; total: number }>(raw);
  };

  const createUser = async (body: {
    email: string;
    password: string;
    name: string;
    role: string;
    permissions?: Partial<import("~/utils/workpulse-permissions").WorkpulsePermissions>;
    divisionAccessAll?: boolean;
    visibleDivisionCodes?: string[];
  }) => {
    const b = apiBase();
    if (!b) return { ok: false as const, status: 0, message: "API belum dikonfigurasi." };
    const raw = await workpulseApiRaw(`${b}/api/v1/admin/users`, {
      method: "POST",
      headers: bearerHeaders(),
      credentials: "include",
      body,
      ignoreResponseError: true
    });
    return parseEnvelope<AdminUserRow>(raw);
  };

  const patchUser = async (
    id: number,
    body: {
      name?: string;
      role?: string;
      isActive?: boolean;
      permissions?: Partial<import("~/utils/workpulse-permissions").WorkpulsePermissions>;
      divisionAccessAll?: boolean;
      visibleDivisionCodes?: string[];
    }
  ) => {
    const b = apiBase();
    if (!b) return { ok: false as const, status: 0, message: "API belum dikonfigurasi." };
    const raw = await workpulseApiRaw(`${b}/api/v1/admin/users/${id}`, {
      method: "PATCH",
      headers: bearerHeaders(),
      credentials: "include",
      body,
      ignoreResponseError: true
    });
    return parseEnvelope<AdminUserRow>(raw);
  };

  const resetUserPassword = async (id: number, newPassword: string) => {
    const b = apiBase();
    if (!b) return { ok: false as const, status: 0, message: "API belum dikonfigurasi." };
    const raw = await workpulseApiRaw(`${b}/api/v1/admin/users/${id}/password`, {
      method: "POST",
      headers: bearerHeaders(),
      credentials: "include",
      body: { newPassword },
      ignoreResponseError: true
    });
    return parseEnvelope<{ ok?: boolean }>(raw);
  };

  const getUser = async (id: number) => {
    const b = apiBase();
    if (!b) return { ok: false as const, status: 0, message: "API belum dikonfigurasi." };
    const raw = await workpulseApiRaw(`${b}/api/v1/admin/users/${id}`, {
      method: "GET",
      headers: bearerHeaders(),
      credentials: "include",
      ignoreResponseError: true
    });
    return parseEnvelope<AdminUserRow>(raw);
  };

  return { listUsers, createUser, patchUser, resetUserPassword, getUser };
}