local config = require('pending.config')

local TOKEN_URL = 'https://oauth2.googleapis.com/token'
local AUTH_URL = 'https://accounts.google.com/o/oauth2/v2/auth'

local BUNDLED_CLIENT_ID = 'PLACEHOLDER'
local BUNDLED_CLIENT_SECRET = 'PLACEHOLDER'

---@class pending.OAuthCredentials
---@field client_id string
---@field client_secret string

---@class pending.OAuthTokens
---@field access_token string
---@field refresh_token string
---@field expires_in? integer
---@field obtained_at? integer

---@class pending.OAuthClient
---@field name string
---@field scope string
---@field port integer
---@field config_key string
local OAuthClient = {}
OAuthClient.__index = OAuthClient

---@class pending.oauth
local M = {}

---@param str string
---@return string
function M.url_encode(str)
  return (
    str:gsub('([^%w%-%.%_%~])', function(c)
      return string.format('%%%02X', string.byte(c))
    end)
  )
end

---@param path string
---@return table?
function M.load_json_file(path)
  local f = io.open(path, 'r')
  if not f then
    return nil
  end
  local content = f:read('*a')
  f:close()
  if content == '' then
    return nil
  end
  local ok, decoded = pcall(vim.json.decode, content)
  if not ok then
    return nil
  end
  return decoded
end

---@param path string
---@param data table
---@return boolean
function M.save_json_file(path, data)
  local dir = vim.fn.fnamemodify(path, ':h')
  if vim.fn.isdirectory(dir) == 0 then
    vim.fn.mkdir(dir, 'p')
  end
  local f = io.open(path, 'w')
  if not f then
    return false
  end
  f:write(vim.json.encode(data))
  f:close()
  vim.fn.setfperm(path, 'rw-------')
  return true
end

---@param method string
---@param url string
---@param headers? string[]
---@param body? string
---@return table? result
---@return string? err
function M.curl_request(method, url, headers, body)
  local args = { 'curl', '-s', '-X', method }
  for _, h in ipairs(headers or {}) do
    table.insert(args, '-H')
    table.insert(args, h)
  end
  if body then
    table.insert(args, '-d')
    table.insert(args, body)
  end
  table.insert(args, url)
  local result = vim.system(args, { text = true }):wait()
  if result.code ~= 0 then
    return nil, 'curl failed: ' .. (result.stderr or '')
  end
  if not result.stdout or result.stdout == '' then
    return {}, nil
  end
  local ok, decoded = pcall(vim.json.decode, result.stdout)
  if not ok then
    return nil, 'failed to parse response: ' .. result.stdout
  end
  if decoded.error then
    return nil, 'API error: ' .. (decoded.error.message or vim.json.encode(decoded.error))
  end
  return decoded, nil
end

---@param access_token string
---@return string[]
function M.auth_headers(access_token)
  return {
    'Authorization: Bearer ' .. access_token,
    'Content-Type: application/json',
  }
end

---@param backend_name string
---@return nil
function M.health(backend_name)
  if vim.fn.executable('curl') == 1 then
    vim.health.ok('curl found (required for ' .. backend_name .. ' sync)')
  else
    vim.health.warn('curl not found (needed for ' .. backend_name .. ' sync)')
  end
  if vim.fn.executable('openssl') == 1 then
    vim.health.ok('openssl found (required for ' .. backend_name .. ' OAuth PKCE)')
  else
    vim.health.warn('openssl not found (needed for ' .. backend_name .. ' OAuth)')
  end
end

---@return string
function OAuthClient:token_path()
  return vim.fn.stdpath('data') .. '/pending/' .. self.name .. '_tokens.json'
end

---@return pending.OAuthCredentials
function OAuthClient:resolve_credentials()
  local cfg = config.get()
  local backend_cfg = (cfg.sync and cfg.sync[self.config_key]) or {}

  if backend_cfg.client_id and backend_cfg.client_secret then
    return {
      client_id = backend_cfg.client_id,
      client_secret = backend_cfg.client_secret,
    }
  end

  local cred_path = backend_cfg.credentials_path
    or (vim.fn.stdpath('data') .. '/pending/' .. self.name .. '_credentials.json')
  local creds = M.load_json_file(cred_path)
  if creds then
    if creds.installed then
      creds = creds.installed
    end
    if creds.client_id and creds.client_secret then
      return creds --[[@as pending.OAuthCredentials]]
    end
  end

  return {
    client_id = BUNDLED_CLIENT_ID,
    client_secret = BUNDLED_CLIENT_SECRET,
  }
end

---@return pending.OAuthTokens?
function OAuthClient:load_tokens()
  return M.load_json_file(self:token_path()) --[[@as pending.OAuthTokens?]]
end

---@param tokens pending.OAuthTokens
---@return boolean
function OAuthClient:save_tokens(tokens)
  return M.save_json_file(self:token_path(), tokens)
end

---@param creds pending.OAuthCredentials
---@param tokens pending.OAuthTokens
---@return pending.OAuthTokens?
function OAuthClient:refresh_access_token(creds, tokens)
  local body = 'client_id='
    .. M.url_encode(creds.client_id)
    .. '&client_secret='
    .. M.url_encode(creds.client_secret)
    .. '&grant_type=refresh_token'
    .. '&refresh_token='
    .. M.url_encode(tokens.refresh_token)
  local result = vim
    .system({
      'curl',
      '-s',
      '-X',
      'POST',
      '-H',
      'Content-Type: application/x-www-form-urlencoded',
      '-d',
      body,
      TOKEN_URL,
    }, { text = true })
    :wait()
  if result.code ~= 0 then
    return nil
  end
  local ok, decoded = pcall(vim.json.decode, result.stdout or '')
  if not ok or not decoded.access_token then
    return nil
  end
  tokens.access_token = decoded.access_token --[[@as string]]
  tokens.expires_in = decoded.expires_in --[[@as integer?]]
  tokens.obtained_at = os.time()
  self:save_tokens(tokens)
  return tokens
end

---@return string?
function OAuthClient:get_access_token()
  local creds = self:resolve_credentials()
  local tokens = self:load_tokens()
  if not tokens or not tokens.refresh_token then
    self:auth()
    tokens = self:load_tokens()
    if not tokens then
      return nil
    end
  end
  local now = os.time()
  local obtained = tokens.obtained_at or 0
  local expires = tokens.expires_in or 3600
  if now - obtained > expires - 60 then
    tokens = self:refresh_access_token(creds, tokens)
    if not tokens then
      vim.notify('pending.nvim: Failed to refresh access token.', vim.log.levels.ERROR)
      return nil
    end
  end
  return tokens.access_token
end

---@return nil
function OAuthClient:auth()
  local creds = self:resolve_credentials()
  local port = self.port

  local verifier_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~'
  local verifier = {}
  math.randomseed(os.time())
  for _ = 1, 64 do
    local idx = math.random(1, #verifier_chars)
    table.insert(verifier, verifier_chars:sub(idx, idx))
  end
  local code_verifier = table.concat(verifier)

  local sha_pipe = vim
    .system({
      'sh',
      '-c',
      'printf "%s" "'
        .. code_verifier
        .. '" | openssl dgst -sha256 -binary | openssl base64 -A | tr "+/" "-_" | tr -d "="',
    }, { text = true })
    :wait()
  local code_challenge = sha_pipe.stdout or ''

  local auth_url = AUTH_URL
    .. '?client_id='
    .. M.url_encode(creds.client_id)
    .. '&redirect_uri='
    .. M.url_encode('http://127.0.0.1:' .. port)
    .. '&response_type=code'
    .. '&scope='
    .. M.url_encode(self.scope)
    .. '&access_type=offline'
    .. '&prompt=consent'
    .. '&code_challenge='
    .. M.url_encode(code_challenge)
    .. '&code_challenge_method=S256'

  vim.ui.open(auth_url)
  vim.notify('pending.nvim: Opening browser for Google authorization...')

  local server = vim.uv.new_tcp()
  server:bind('127.0.0.1', port)
  server:listen(1, function(err)
    if err then
      return
    end
    local conn = vim.uv.new_tcp()
    server:accept(conn)
    conn:read_start(function(read_err, data)
      if read_err or not data then
        return
      end
      local code = data:match('[?&]code=([^&%s]+)')
      local response_body = code
          and '<html><body><h1>Authorization successful</h1><p>You can close this tab.</p></body></html>'
        or '<html><body><h1>Authorization failed</h1></body></html>'
      local http_response = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n'
        .. response_body
      conn:write(http_response, function()
        conn:shutdown(function()
          conn:close()
        end)
      end)
      server:close()
      if code then
        vim.schedule(function()
          self:_exchange_code(creds, code, code_verifier, port)
        end)
      end
    end)
  end)
end

---@param creds pending.OAuthCredentials
---@param code string
---@param code_verifier string
---@param port integer
---@return nil
function OAuthClient:_exchange_code(creds, code, code_verifier, port)
  local body = 'client_id='
    .. M.url_encode(creds.client_id)
    .. '&client_secret='
    .. M.url_encode(creds.client_secret)
    .. '&code='
    .. M.url_encode(code)
    .. '&code_verifier='
    .. M.url_encode(code_verifier)
    .. '&grant_type=authorization_code'
    .. '&redirect_uri='
    .. M.url_encode('http://127.0.0.1:' .. port)

  local result = vim
    .system({
      'curl',
      '-s',
      '-X',
      'POST',
      '-H',
      'Content-Type: application/x-www-form-urlencoded',
      '-d',
      body,
      TOKEN_URL,
    }, { text = true })
    :wait()

  if result.code ~= 0 then
    vim.notify('pending.nvim: Token exchange failed.', vim.log.levels.ERROR)
    return
  end

  local ok, decoded = pcall(vim.json.decode, result.stdout or '')
  if not ok or not decoded.access_token then
    vim.notify('pending.nvim: Invalid token response.', vim.log.levels.ERROR)
    return
  end

  decoded.obtained_at = os.time()
  self:save_tokens(decoded)
  vim.notify('pending.nvim: ' .. self.name .. ' authorized successfully.')
end

---@param opts { name: string, scope: string, port: integer, config_key: string }
---@return pending.OAuthClient
function M.new(opts)
  return setmetatable({
    name = opts.name,
    scope = opts.scope,
    port = opts.port,
    config_key = opts.config_key,
  }, OAuthClient)
end

M._BUNDLED_CLIENT_ID = BUNDLED_CLIENT_ID
M._BUNDLED_CLIENT_SECRET = BUNDLED_CLIENT_SECRET

return M