namespace IOL.BookmarkThing.Server.Api.Internal.Account;

public class CreateSessionRoute : RouteBaseInternalAsync.WithRequest<CreateSessionRequest>.WithActionResult
{
	private readonly AppDbContext _context;

	public CreateSessionRoute(AppDbContext context) {
		_context = context;
	}

	[AllowAnonymous]
	[ApiVersionNeutral]
	[ApiExplorerSettings(IgnoreApi = true)]
	[HttpPost("~/v{version:apiVersion}/account/create-session")]
	public override async Task<ActionResult> HandleAsync(CreateSessionRequest payload, CancellationToken cancellationToken = default) {
		var user = _context.Users.SingleOrDefault(u => u.Username == payload.Username);
		if (user == default || !user.VerifyPassword(payload.Password)) {
			return BadRequest(new ErrorResult("Invalid username or password"));
		}

		var claims = user.DefaultClaims();
		var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
		var principal = new ClaimsPrincipal(identity);
		var authenticationProperties = new AuthenticationProperties {
				AllowRefresh = true,
				IssuedUtc = DateTimeOffset.UtcNow,
		};

		if (payload.Persist) {
			authenticationProperties.ExpiresUtc = DateTimeOffset.UtcNow.AddYears(100);
			authenticationProperties.IsPersistent = true;
		}

		await HttpContext.SignInAsync(principal, authenticationProperties);
		// Return new LoggedInInternalUser here, because it is not materialised in AppControllerBase yet.
		return Ok(new LoggedInInternalUser {
				Id = user.Id,
				Username = user.Username
		});
	}
}