using Azaion.Common.Database;
using Azaion.Common.Entities;
using LinqToDB;
using Microsoft.AspNetCore.Http;

namespace Azaion.Services;

public interface IAuditLog
{
    Task RecordLoginFailed (string email, CancellationToken ct = default);
    Task RecordLoginLockout(string email, CancellationToken ct = default);
    Task RecordLoginSuccess(string email, CancellationToken ct = default);

    // AZ-556 — per-category internal forensics. Wire response is uniformly
    // `InvalidCredentials`; these recorders keep SecOps's audit trail honest.
    Task RecordLoginFailedUnknownEmail(string email, CancellationToken ct = default);
    Task RecordLoginFailedDisabled    (string email, CancellationToken ct = default);

    // AZ-534 — MFA lifecycle + login auth-event audit.
    Task RecordMfaEnroll       (string email, CancellationToken ct = default);
    Task RecordMfaConfirm      (string email, CancellationToken ct = default);
    Task RecordMfaDisable      (string email, CancellationToken ct = default);
    Task RecordMfaLoginSuccess (string email, CancellationToken ct = default);
    Task RecordMfaLoginFailed  (string email, CancellationToken ct = default);
    Task RecordMfaRecoveryUsed (string email, CancellationToken ct = default);

    /// <summary>
    /// Count of failure-audit rows for the given email within the last
    /// <paramref name="windowSeconds"/> that feed the per-account sliding-window rate
    /// limit. Includes BOTH password (<c>login_failed</c>) and TOTP
    /// (<c>mfa_login_failed</c>) failures (AZ-537 AC-2 + AZ-557 AC-3). Disabled-account
    /// and unknown-email rejections are intentionally excluded — they don't reflect an
    /// account-credential attack that the lockout/rate-limit policy should escalate.
    /// </summary>
    Task<int> CountRecentFailedLogins(string email, int windowSeconds, CancellationToken ct = default);
}

public class AuditLog(IDbFactory dbFactory, IHttpContextAccessor httpContextAccessor) : IAuditLog
{
    public Task RecordLoginFailed (string email, CancellationToken ct = default)
        => Insert(AuditEventTypes.LoginFailed,  email, ct);

    public Task RecordLoginLockout(string email, CancellationToken ct = default)
        => Insert(AuditEventTypes.LoginLockout, email, ct);

    public Task RecordLoginSuccess(string email, CancellationToken ct = default)
        => Insert(AuditEventTypes.LoginSuccess, email, ct);

    public Task RecordLoginFailedUnknownEmail(string email, CancellationToken ct = default)
        => Insert(AuditEventTypes.LoginFailedUnknownEmail, email, ct);

    public Task RecordLoginFailedDisabled(string email, CancellationToken ct = default)
        => Insert(AuditEventTypes.LoginFailedDisabled, email, ct);

    public Task RecordMfaEnroll       (string email, CancellationToken ct = default)
        => Insert(AuditEventTypes.MfaEnroll,        email, ct);
    public Task RecordMfaConfirm      (string email, CancellationToken ct = default)
        => Insert(AuditEventTypes.MfaConfirm,       email, ct);
    public Task RecordMfaDisable      (string email, CancellationToken ct = default)
        => Insert(AuditEventTypes.MfaDisable,       email, ct);
    public Task RecordMfaLoginSuccess (string email, CancellationToken ct = default)
        => Insert(AuditEventTypes.MfaLoginSuccess,  email, ct);
    public Task RecordMfaLoginFailed  (string email, CancellationToken ct = default)
        => Insert(AuditEventTypes.MfaLoginFailed,   email, ct);
    public Task RecordMfaRecoveryUsed (string email, CancellationToken ct = default)
        => Insert(AuditEventTypes.MfaRecoveryUsed,  email, ct);

    public async Task<int> CountRecentFailedLogins(string email, int windowSeconds, CancellationToken ct = default)
    {
        var cutoff = DateTime.UtcNow.AddSeconds(-windowSeconds);
        var normalised = email.ToLowerInvariant();
        // AZ-557 — MFA failures feed the same per-account sliding-window count as
        // password failures so an attacker who got past factor 1 can't brute-force
        // factor 2 from rotating IPs without tripping the per-account throttle.
        return await dbFactory.Run(async db =>
            await db.AuditEvents
                .Where(e => (e.EventType == AuditEventTypes.LoginFailed
                             || e.EventType == AuditEventTypes.MfaLoginFailed)
                            && e.Email == normalised
                            && e.OccurredAt >= cutoff)
                .CountAsync(token: ct));
    }

    private async Task Insert(string eventType, string email, CancellationToken ct)
    {
        var ip = httpContextAccessor.HttpContext?.Connection.RemoteIpAddress?.ToString();
        var normalised = email.ToLowerInvariant();
        await dbFactory.RunAdmin(async db =>
        {
            await db.InsertAsync(new AuditEvent
            {
                EventType  = eventType,
                OccurredAt = DateTime.UtcNow,
                Email      = normalised,
                Ip         = ip
            }, token: ct);
        });
    }
}