const { getSessionUser, COOKIE_NAME, publicUser } = require('../services/authService');
const { getDb, getSetting } = require('../db/database');
const { standardizeError } = require('./errorFormatter');

function getSingleModeUser() {
  if (getSetting('auth_mode') !== 'single') return null;
  const userId = getSetting('default_user_id');
  if (!userId) return null;
  // Single-user mode: validate only that the configured user exists,
  // is active, and has role 'user'. Sessions are not relevant here —
  // single-user mode bypasses session auth entirely.
  const row = getDb().prepare(`
    SELECT id, username, display_name, role, must_change_password, first_login,
           active, is_default_admin
    FROM users
    WHERE id = ? AND role = 'user' AND active = 1
  `).get(userId);
  return row ? publicUser(row) : null;
}

function requireAuth(req, res, next) {
  // Single-user mode: bypass session entirely, auto-attach the default user
  const singleUser = getSingleModeUser();
  if (singleUser) {
    req.user = singleUser;
    req.singleUserMode = true;
    return next();
  }

  const user = getSessionUser(req.cookies?.[COOKIE_NAME]);
  if (!user) return res.status(401).json(standardizeError('Not authenticated', 'AUTH_ERROR'));
  req.user = user;
  next();
}

function requireUser(req, res, next) {
  if (req.user?.is_default_admin) {
    return res.status(403).json(standardizeError('Default admin account does not have tracker access', 'FORBIDDEN'));
  }
  if (!['user', 'admin'].includes(req.user?.role)) {
    return res.status(403).json(standardizeError('Access denied: user account required', 'FORBIDDEN'));
  }
  next();
}

function requireAdmin(req, res, next) {
  // In single-user mode the auto-attached user is never admin,
  // so admin routes naturally stay protected by session.
  if (req.user?.role !== 'admin') {
    return res.status(403).json(standardizeError('Access denied: admin account required', 'FORBIDDEN'));
  }
  next();
}

module.exports = { requireAuth, requireUser, requireAdmin };