const jwt = require('jsonwebtoken');

// Allow models to be injected for testing
let models = null;
try {
  models = require('../models');
} catch (error) {
  // Models will be injected during testing
}

// Function to set models (used in testing)
function setModels(testModels) {
  models = testModels;
}

async function authenticateToken(req, res, next) {
  const authHeader = req.headers['authorization'];
  
  if (!authHeader) {
    return res.status(401).json({
      success: false,
      message: 'Access token required'
    });
  }

  // Check for proper Bearer token format
  if (!authHeader.startsWith('Bearer ')) {
    return res.status(401).json({
      success: false,
      message: 'Invalid token format'
    });
  }

  const token = authHeader.split(' ')[1];
  
  if (!token) {
    return res.status(401).json({
      success: false,
      message: 'Access token required'
    });
  }

  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    
    // Log what's in the token for debugging
    console.log('🔍 JWT Token decoded:', {
      userId: decoded.userId,
      username: decoded.username,
      role: decoded.role,
      tenantId: decoded.tenantId,
      provider: decoded.provider
    });
    
    // For older tokens without tenantId, we need to look up the user's tenant
    let tenantId = decoded.tenantId;
    
    const user = await models.User.findByPk(decoded.userId, {
      attributes: ['id', 'username', 'email', 'role', 'is_active', 'tenant_id'],
      include: [{
        model: models.Tenant,
        as: 'tenant',
        attributes: ['slug', 'name']
      }]
    });

    if (!user || !user.is_active) {
      return res.status(401).json({
        success: false,
        message: 'Invalid or inactive user'
      });
    }

    // Set user context with expected properties for compatibility
    req.user = {
      id: user.id,
      userId: user.id, // For backward compatibility
      username: user.username,
      email: user.email,
      role: user.role,
      is_active: user.is_active,
      tenant_id: user.tenant_id,
      tenant: user.tenant
    };
    
    // Set tenant context - prefer JWT tenantId, fallback to user's tenant
    if (tenantId) {
      req.tenantId = tenantId;
      console.log('✅ Tenant context from JWT:', tenantId);
    } else if (user.tenant && user.tenant.slug) {
      req.tenantId = user.tenant.slug;
      console.log('✅ Tenant context from user record:', user.tenant.slug);
    } else {
      console.log('⚠️ No tenant context available');
    }
    
    next();
  } catch (error) {
    // Only log unexpected errors, not common JWT validation failures
    if (process.env.NODE_ENV !== 'test' || error.name === 'TypeError') {
      console.error('Token verification error:', error);
    }
    
    // Handle specific JWT errors
    if (error.name === 'TokenExpiredError') {
      return res.status(401).json({
        success: false,
        message: 'Token expired'
      });
    }
    
    return res.status(401).json({
      success: false,
      message: 'Invalid token'
    });
  }
}

function requireRole(roles) {
  return (req, res, next) => {
    if (!req.user) {
      return res.status(401).json({
        success: false,
        message: 'Authentication required'
      });
    }

    const userRoles = Array.isArray(roles) ? roles : [roles];
    if (!userRoles.includes(req.user.role)) {
      return res.status(403).json({
        success: false,
        message: 'Insufficient permissions'
      });
    }

    next();
  };
}

module.exports = {
  authenticateToken,
  requireRole,
  setModels
};