/**
 * Synology SSO Access Token 검증 및 로그인 처리
 * POST /api/auth/synology/verify
 */
import { queryOne, execute, insertReturning } from '~/server/utils/db'
import { createSession, setSessionCookie } from '~/server/utils/session'
import { getClientIp } from '~/server/utils/ip'

export default defineEventHandler(async (event) => {
  const body = await readBody(event)
  const { accessToken } = body
  const ip = getClientIp(event)
  
  if (!accessToken) {
    throw createError({
      statusCode: 400,
      message: 'Access token이 없습니다.'
    })
  }
  
  const config = useRuntimeConfig()
  
  console.log('[Synology SSO] Access Token:', accessToken)
  
  try {
    // SSOAccessToken.cgi로 사용자 정보 조회
    const tokenInfoUrl = `${config.synologyServerUrl}/webman/sso/SSOAccessToken.cgi?action=exchange&access_token=${accessToken}&app_id=${config.synologyClientId}`
    
    console.log('[Synology SSO] Requesting:', tokenInfoUrl)
    
    let tokenResponse = await $fetch<any>(tokenInfoUrl)
    
    // 문자열로 온 경우 JSON 파싱
    if (typeof tokenResponse === 'string') {
      tokenResponse = JSON.parse(tokenResponse)
    }
    
    console.log('[Synology SSO] Response:', JSON.stringify(tokenResponse, null, 2))
    
    if (!tokenResponse.success) {
      throw createError({
        statusCode: 401,
        message: 'Synology 토큰 검증에 실패했습니다.'
      })
    }
    
    const synologyUsername = tokenResponse.data?.user_name
    
    if (!synologyUsername) {
      throw createError({
        statusCode: 401,
        message: 'Synology 사용자명을 가져올 수 없습니다.'
      })
    }
    
    console.log('[Synology SSO] Username:', synologyUsername)
    
    // username@osolit.net 으로 매칭
    const synologyEmail = `${synologyUsername}@osolit.net`
    
    const employee = await queryOne<any>(`
      SELECT employee_id, employee_name, is_active, password_hash,
             synology_id, synology_email, employee_email
      FROM wr_employee_info 
      WHERE synology_id = $1 
         OR employee_email = $2
    `, [synologyUsername, synologyEmail])
    
    if (!employee) {
      throw createError({
        statusCode: 404,
        message: `Synology 계정 "${synologyUsername}"과 연결된 사용자를 찾을 수 없습니다. (${synologyEmail}) 관리자에게 문의하세요.`
      })
    }
    
    if (!employee.is_active) {
      throw createError({
        statusCode: 403,
        message: '비활성화된 계정입니다.'
      })
    }
    
    // Synology ID 업데이트
    await execute(`
      UPDATE wr_employee_info 
      SET synology_id = $1, synology_linked_at = NOW()
      WHERE employee_id = $2
    `, [synologyUsername, employee.employee_id])
    
    // 로그인 이력 기록
    const loginHistory = await insertReturning(`
      INSERT INTO wr_login_history (employee_id, login_type, login_ip, login_at, login_email)
      VALUES ($1, 'SYNOLOGY', $2, NOW(), $3)
      RETURNING history_id
    `, [employee.employee_id, ip, synologyEmail])
    
    // 세션 생성
    const userAgent = getHeader(event, 'user-agent') || null
    const sessionId = await createSession(
      employee.employee_id,
      loginHistory.history_id,
      ip,
      userAgent
    )
    setSessionCookie(event, sessionId)
    
    return {
      success: true,
      needPasswordSet: !employee.password_hash
    }
    
  } catch (error: any) {
    console.error('[Synology SSO] Error:', error)
    if (error.statusCode) {
      throw error
    }
    throw createError({
      statusCode: 500,
      message: 'Synology 로그인 처리 중 오류가 발생했습니다.'
    })
  }
})