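using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using SIGCM.Application.DTOs;
using SIGCM.Domain.Entities;
using SIGCM.Domain.Interfaces;

namespace SIGCM.API.Controllers;

/// <summary>
/// Admin-only CRUD endpoints for application users.
/// The class-level <see cref="AuthorizeAttribute"/> requires every caller to be an
/// authenticated principal in the "Admin" role. Read endpoints project the entity to a
/// public view so the stored password hash is never serialized.
/// </summary>
[ApiController]
[Route("api/[controller]")]
[Authorize(Roles = "Admin")]
public class UsersController : ControllerBase
{
    private readonly IUserRepository _repository;

    public UsersController(IUserRepository repository)
    {
        _repository = repository;
    }

    /// <summary>Returns every user without sensitive fields (200).</summary>
    [HttpGet]
    public async Task<IActionResult> GetAll()
    {
        var users = await _repository.GetAllAsync();
        // Project before serializing so PasswordHash never leaves the server.
        var sanitized = users.Select(ToPublicView);
        return Ok(sanitized);
    }

    /// <summary>Returns one user without sensitive fields (200), or 404 when the id is unknown.</summary>
    [HttpGet("{id}")]
    public async Task<IActionResult> GetById(int id)
    {
        var user = await _repository.GetByIdAsync(id);
        if (user == null) return NotFound();
        return Ok(ToPublicView(user));
    }

    /// <summary>
    /// Creates a user. The plaintext password in <paramref name="dto"/> is hashed with
    /// BCrypt before the entity is persisted; the response exposes only id and username.
    /// Returns 400 when the username is already taken.
    /// </summary>
    [HttpPost]
    public async Task<IActionResult> Create(CreateUserDto dto)
    {
        // Check-then-insert is racy under concurrent requests: two creates with the same
        // username can both pass this lookup. A unique index on Username in the store is
        // the authoritative guard; this check only gives a friendly error for the common case.
        var existing = await _repository.GetByUsernameAsync(dto.Username);
        if (existing != null) return BadRequest("El nombre de usuario ya existe.");

        var passwordHash = BCrypt.Net.BCrypt.HashPassword(dto.Password);
        var user = new User
        {
            Username = dto.Username,
            PasswordHash = passwordHash,
            Role = dto.Role,
            Email = dto.Email,
            CreatedAt = DateTime.UtcNow
        };

        var id = await _repository.CreateAsync(user);
        return CreatedAtAction(nameof(GetById), new { id }, new { id, user.Username });
    }

    /// <summary>
    /// Updates username, role and email of an existing user; the password is re-hashed
    /// only when a non-empty one is supplied. Returns 404 for an unknown id and 400 when
    /// the new username collides with another account or the caller tries to change
    /// their own role.
    /// </summary>
    [HttpPut("{id}")]
    public async Task<IActionResult> Update(int id, UpdateUserDto dto)
    {
        var user = await _repository.GetByIdAsync(id);
        if (user == null) return NotFound();

        // A rename must respect the same uniqueness rule Create enforces; without this an
        // update could silently produce two accounts with the same username.
        if (!string.Equals(user.Username, dto.Username, StringComparison.Ordinal))
        {
            var clash = await _repository.GetByUsernameAsync(dto.Username);
            if (clash != null && clash.Id != user.Id) return BadRequest("El nombre de usuario ya existe.");
        }

        // Lockout guard: an admin who moves their own account out of the Admin role loses
        // access to this controller, and the last admin could lock everyone out.
        if (user.Role != dto.Role && IsCurrentUser(user))
        {
            return BadRequest("No puedes cambiar tu propio rol.");
        }

        user.Username = dto.Username;
        user.Role = dto.Role;
        user.Email = dto.Email;
        if (!string.IsNullOrEmpty(dto.Password))
        {
            user.PasswordHash = BCrypt.Net.BCrypt.HashPassword(dto.Password);
        }

        await _repository.UpdateAsync(user);
        return NoContent();
    }

    /// <summary>
    /// Deletes a user (204). Returns 404 when the id is unknown and 400 when the caller
    /// attempts to delete their own account.
    /// </summary>
    [HttpDelete("{id}")]
    public async Task<IActionResult> Delete(int id)
    {
        var user = await _repository.GetByIdAsync(id);
        if (user == null) return NotFound();

        // Lockout guard: never let an admin remove the account they are signed in with.
        if (IsCurrentUser(user)) return BadRequest("No puedes eliminar tu propia cuenta.");

        await _repository.DeleteAsync(id);
        return NoContent();
    }

    // Public projection shared by the read endpoints: every field except PasswordHash.
    private static object ToPublicView(User u) => new { u.Id, u.Username, u.Role, u.Email, u.CreatedAt };

    /// <summary>
    /// True when <paramref name="target"/> is the account of the calling principal.
    /// Matches the NameIdentifier claim against the user id, then the identity name
    /// against the username.
    /// NOTE(review): which claims the token issuer sets is not visible from this file —
    /// confirm against the authentication setup. If neither claim is present this returns
    /// false, so the lockout guards built on it degrade to a no-op rather than blocking admins.
    /// </summary>
    private bool IsCurrentUser(User target)
    {
        // Qualified through HttpContext to avoid confusion with the User entity type.
        var principal = HttpContext.User;

        var idClaim = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (idClaim != null && string.Equals(idClaim, target.Id.ToString(), StringComparison.Ordinal))
        {
            return true;
        }

        var name = principal.Identity?.Name;
        return name != null && string.Equals(name, target.Username, StringComparison.Ordinal);
    }
}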