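// Package auth declares the user, device and session records together with
// the command and result types used for login, token refresh, owner
// bootstrap, user creation and revocation.
package auth

import (
	"encoding/json"
	"time"
)

// DeviceTrustStatus is the trust state recorded on a Device.
type DeviceTrustStatus string

// Values of DeviceTrustStatus. The type is a plain string, so a value that
// comes from storage or input can hold any text; compare against these
// constants instead of assuming the set is closed.
const (
	DeviceTrustStatusPending DeviceTrustStatus = "pending"
	DeviceTrustStatusTrusted DeviceTrustStatus = "trusted"
	DeviceTrustStatusRevoked DeviceTrustStatus = "revoked"
)

// User is an account record.
//
// PasswordHash carries the tag json:"-", so encoding/json neither emits it
// nor fills it from input; every other field is serialised under a
// snake_case key. The tag only covers encoding/json: formatting a User with
// %+v or handing it to a structured logger still prints the hash.
type User struct {
	ID           string    `json:"id"`
	Email        string    `json:"email"`
	PasswordHash string    `json:"-"`
	MFAEnabled   bool      `json:"mfa_enabled"`
	PlatformRole string    `json:"platform_role"`
	CreatedAt    time.Time `json:"created_at"`
	UpdatedAt    time.Time `json:"updated_at"`
}

// Device is a client device linked to a user through UserID.
//
// The struct has no JSON tags, so encoding/json uses the Go field names as
// keys ("ID", "UserID", "Fingerprint", ...) and emits every field, including
// Fingerprint and RevokedReason. AuthResult contains a Device, so this is the
// shape that result serialises.
//
// NOTE(review): the keys differ from the snake_case keys of User. Adding tags
// would change the wire format, so confirm with API consumers before doing so.
type Device struct {
	ID            string
	UserID        string
	Fingerprint   string
	Label         string
	TrustStatus   DeviceTrustStatus
	TrustedAt     *time.Time
	LastSeenAt    *time.Time
	RevokedAt     *time.Time
	RevokedReason *string
	CreatedAt     time.Time
	UpdatedAt     time.Time
}

// AuthSession is a session record tying a user (UserID) to a device
// (DeviceID).
//
// RefreshTokenHash is the only tagged field: json:"-" keeps it out of
// encoding/json output and input. All other fields are serialised under
// their Go names, as with Device. The tag does not affect %+v or loggers.
//
// NOTE(review): judging by the name, the field stores a hash of the refresh
// token and not the token itself; confirm in the code that writes it.
type AuthSession struct {
	ID               string
	UserID           string
	DeviceID         string
	RefreshTokenHash string `json:"-"`
	RefreshExpiresAt time.Time
	LastSeenAt       *time.Time
	LastRotatedAt    *time.Time
	RevokedAt        *time.Time
	RevokedReason    *string
	CreatedAt        time.Time
	UpdatedAt        time.Time
}

// LoginCommand is the JSON-decodable input for a login.
//
// Password is carried in plaintext, so the struct should not be logged or
// serialised as a whole.
//
// NOTE(review): when the command is decoded from a request body, every field
// is a client claim, DeviceFingerprint and TrustDevice included. Presumably
// the service decides what trust a device actually receives; confirm in the
// login handler.
type LoginCommand struct {
	Email             string `json:"email"`
	Password          string `json:"password"`
	DeviceFingerprint string `json:"device_fingerprint"`
	DeviceLabel       string `json:"device_label"`
	TrustDevice       bool   `json:"trust_device"`
}

// RefreshCommand is the JSON-decodable input for a token refresh. It holds
// the refresh token as presented by the caller, so it should be kept out of
// logs like any other credential.
type RefreshCommand struct {
	RefreshToken string `json:"refresh_token"`
}

// BootstrapOwnerCommand is the JSON-decodable input for creating the owner
// account of an installation.
//
// ActivationPayload is a json.RawMessage, so the payload is kept as its raw
// encoded bytes instead of being decoded into a Go value. Password is carried
// in plaintext.
//
// NOTE(review): presumably ActivationSignature is verified over those exact
// bytes. If so, verification has to run on ActivationPayload as received and
// before it is unmarshalled, never on a re-marshalled copy, because
// re-encoding can change the byte sequence. Confirm against the verifier.
type BootstrapOwnerCommand struct {
	Email               string          `json:"email"`
	Password            string          `json:"password"`
	ActivationPayload   json.RawMessage `json:"activation_payload"`
	ActivationSignature string          `json:"activation_signature"`
}

// CreateUserCommand is the input for creating a user on behalf of an actor.
//
// ActorUserID and PlatformRole both have JSON tags, so a request body decoded
// straight into this struct can set them. Password is carried in plaintext.
//
// NOTE(review): confirm that the caller fills ActorUserID from the
// authenticated principal and checks that actor's right to assign
// PlatformRole, instead of accepting either value from the body.
type CreateUserCommand struct {
	ActorUserID  string `json:"actor_user_id"`
	Email        string `json:"email"`
	Password     string `json:"password"`
	PlatformRole string `json:"platform_role"`
}

// RevokeAuthSessionCommand is the input for revoking one auth session.
//
// NOTE(review): UserID is JSON-decodable. Confirm that the handler takes it
// from the authenticated principal and that the session identified by
// AuthSessionID is checked to belong to that user.
type RevokeAuthSessionCommand struct {
	UserID        string `json:"user_id"`
	AuthSessionID string `json:"auth_session_id"`
	Reason        string `json:"reason"`
}

// RevokeDeviceCommand is the input for revoking one device.
//
// NOTE(review): UserID is JSON-decodable. Confirm that the handler takes it
// from the authenticated principal and that the device identified by DeviceID
// is checked to belong to that user.
type RevokeDeviceCommand struct {
	UserID   string `json:"user_id"`
	DeviceID string `json:"device_id"`
	Reason   string `json:"reason"`
}

// TokenPair holds an access token and a refresh token with their expiry
// times. Both token strings are emitted by encoding/json, so any value of
// this type that is logged or cached exposes them.
type TokenPair struct {
	AccessToken           string    `json:"access_token"`
	AccessTokenExpiresAt  time.Time `json:"access_token_expires_at"`
	RefreshToken          string    `json:"refresh_token"`
	RefreshTokenExpiresAt time.Time `json:"refresh_token_expires_at"`
}

// AuthResult groups the user, device, session and tokens produced by an
// authentication step. Serialised as JSON it contains the tokens from
// TokenPair and every untagged field of Device and AuthSession; the two
// hash fields tagged json:"-" (User.PasswordHash and
// AuthSession.RefreshTokenHash) are left out.
type AuthResult struct {
	User        User        `json:"user"`
	Device      Device      `json:"device"`
	AuthSession AuthSession `json:"auth_session"`
	Tokens      TokenPair   `json:"tokens"`
}

// InstallationStatus describes the bootstrap and authority state of an
// installation.
//
// Bootstrapped, AuthorityState, AuthorityMode, StrictAuthority and
// InsecureBootstrapAllowed are always emitted. InstallID,
// BootstrappedOwnerEmail, BootstrappedAt and RootFingerprint use omitempty
// and are dropped when empty or nil.
//
// NOTE(review): BootstrappedOwnerEmail and InsecureBootstrapAllowed reveal an
// account identifier and a security setting. If this status is served before
// authentication, confirm that exposing them is intended.
type InstallationStatus struct {
	Bootstrapped             bool       `json:"bootstrapped"`
	AuthorityState           string     `json:"authority_state"`
	InstallID                string     `json:"install_id,omitempty"`
	BootstrappedOwnerEmail   string     `json:"bootstrapped_owner_email,omitempty"`
	BootstrappedAt           *time.Time `json:"bootstrapped_at,omitempty"`
	AuthorityMode            string     `json:"authority_mode"`
	StrictAuthority          bool       `json:"strict_authority"`
	RootFingerprint          string     `json:"root_fingerprint,omitempty"`
	InsecureBootstrapAllowed bool       `json:"insecure_bootstrap_allowed"`
}

// BootstrapOwnerResult is returned after the owner bootstrap: the resulting
// installation status, the created user and that user's platform role.
type BootstrapOwnerResult struct {
	Installation InstallationStatus `json:"installation"`
	User         User               `json:"user"`
	PlatformRole string             `json:"platform_role"`
}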