using System.Globalization;
using Npgsql;

namespace Azaion.E2E.Helpers;

/// <summary>
/// Thin wrapper around <see cref="NpgsqlConnection"/> for tests that must inspect
/// or seed rows directly. Used by AZ-536 (password hash format) and AZ-537
/// (lockout state, audit_events) acceptance tests.
/// </summary>
public sealed class DbHelper
{
    private readonly string _connectionString;

    public DbHelper(string connectionString) => _connectionString = connectionString;

    public async Task<string?> GetPasswordHash(string email, CancellationToken ct = default)
    {
        await using var conn = await OpenAsync(ct);
        await using var cmd = new NpgsqlCommand(
            "SELECT password_hash FROM public.users WHERE email = @e", conn);
        cmd.Parameters.AddWithValue("e", email);
        var raw = await cmd.ExecuteScalarAsync(ct);
        return raw == null || raw is DBNull ? null : (string)raw;
    }

    public async Task<(int FailedLoginCount, DateTime? LockoutUntil)> GetLockoutState(string email, CancellationToken ct = default)
    {
        await using var conn = await OpenAsync(ct);
        await using var cmd = new NpgsqlCommand(
            "SELECT failed_login_count, lockout_until FROM public.users WHERE email = @e", conn);
        cmd.Parameters.AddWithValue("e", email);
        await using var rd = await cmd.ExecuteReaderAsync(ct);
        if (!await rd.ReadAsync(ct))
            throw new InvalidOperationException($"User {email} not found.");
        var failed = rd.GetInt32(0);
        DateTime? lockout = rd.IsDBNull(1) ? null : DateTime.SpecifyKind(rd.GetDateTime(1), DateTimeKind.Utc);
        return (failed, lockout);
    }

    public async Task<int> CountAuditEvents(string eventType, string email, CancellationToken ct = default)
    {
        await using var conn = await OpenAsync(ct);
        await using var cmd = new NpgsqlCommand(
            "SELECT COUNT(*) FROM public.audit_events WHERE event_type = @t AND email = @e", conn);
        cmd.Parameters.AddWithValue("t", eventType);
        cmd.Parameters.AddWithValue("e", email);
        var raw = await cmd.ExecuteScalarAsync(ct);
        return Convert.ToInt32(raw, CultureInfo.InvariantCulture);
    }

    /// <summary>
    /// Inject a user with a known legacy SHA-384 hash so the lazy-migration path can be
    /// exercised end-to-end without going through the Argon2id-using registration API.
    /// </summary>
    public async Task SeedLegacyShaUser(Guid id, string email, string sha384HashBase64, string role = "ResourceUploader", CancellationToken ct = default)
    {
        await using var conn = await OpenAsync(ct);
        await using var cmd = new NpgsqlCommand(@"
            INSERT INTO public.users (id, email, password_hash, role, created_at, is_enabled, failed_login_count)
            VALUES (@id, @email, @hash, @role, now(), true, 0)
            ON CONFLICT (email) DO UPDATE
            SET password_hash      = excluded.password_hash,
                failed_login_count = 0,
                lockout_until      = NULL,
                is_enabled         = true", conn);
        cmd.Parameters.AddWithValue("id",    id);
        cmd.Parameters.AddWithValue("email", email);
        cmd.Parameters.AddWithValue("hash",  sha384HashBase64);
        cmd.Parameters.AddWithValue("role",  role);
        await cmd.ExecuteNonQueryAsync(ct);
    }

    public async Task DeleteUser(string email, CancellationToken ct = default)
    {
        await using var conn = await OpenAsync(ct);
        await using var cmd = new NpgsqlCommand(
            "DELETE FROM public.users WHERE email = @e", conn);
        cmd.Parameters.AddWithValue("e", email);
        await cmd.ExecuteNonQueryAsync(ct);
    }

    public async Task DeleteAuditEventsFor(string email, CancellationToken ct = default)
    {
        await using var conn = await OpenAsync(ct);
        await using var cmd = new NpgsqlCommand(
            "DELETE FROM public.audit_events WHERE email = @e", conn);
        cmd.Parameters.AddWithValue("e", email);
        await cmd.ExecuteNonQueryAsync(ct);
    }

    /// <summary>
    /// Force-set a lockout deadline so tests don't have to actually trip the threshold
    /// 10 times to check expiry behavior (AZ-537 AC-5).
    /// </summary>
    public async Task SetLockoutUntil(string email, DateTime? lockoutUntilUtc, int failedCount, CancellationToken ct = default)
    {
        await using var conn = await OpenAsync(ct);
        await using var cmd = new NpgsqlCommand(@"
            UPDATE public.users
               SET lockout_until      = @until,
                   failed_login_count = @count
             WHERE email = @e", conn);
        cmd.Parameters.AddWithValue("until",
            (object?)(lockoutUntilUtc?.ToUniversalTime()) ?? DBNull.Value);
        cmd.Parameters.AddWithValue("count", failedCount);
        cmd.Parameters.AddWithValue("e",     email);
        await cmd.ExecuteNonQueryAsync(ct);
    }

    private async Task<NpgsqlConnection> OpenAsync(CancellationToken ct)
    {
        var conn = new NpgsqlConnection(_connectionString);
        await conn.OpenAsync(ct);
        return conn;
    }
}