import { BadRequestException, Injectable, Inject } from '@nestjs/common';
import type {
  ClientRegistrationDto,
  IOAuthStore,
  OAuthClient,
} from '../stores/oauth-store.interface';
import { randomBytes } from 'crypto';
import type { OAuthModuleOptions } from '../providers/oauth-provider.interface';

@Injectable()
export class ClientService {
  constructor(
    @Inject('IOAuthStore') private readonly store: IOAuthStore,
    @Inject('OAUTH_MODULE_OPTIONS')
    private readonly options: OAuthModuleOptions,
  ) {}

  /**
   * Register a client application.
   * Always creates a new client record. client_name is not treated as unique.
   *
   * Note: Left open for future enhancements (e.g., software statements,
   * URL-based Client ID Metadata Documents) via preRegistrationChecks().
   */
  async registerClient(
    registrationDto: ClientRegistrationDto,
  ): Promise<OAuthClient> {
    // Validate required fields
    if (
      !registrationDto.redirect_uris ||
      !Array.isArray(registrationDto.redirect_uris)
    ) {
      throw new BadRequestException(
        'redirect_uris is required and must be an array',
      );
    }

    // Validate token_endpoint_auth_method if provided
    const supportedAuthMethods = [
      'client_secret_basic',
      'client_secret_post',
      'none',
    ];
    if (
      registrationDto.token_endpoint_auth_method &&
      !supportedAuthMethods.includes(registrationDto.token_endpoint_auth_method)
    ) {
      throw new BadRequestException(
        `Unsupported token_endpoint_auth_method. Supported methods: ${supportedAuthMethods.join(', ')}`,
      );
    }

    // Default values for new clients
    const defaultClientValues = {
      grant_types: ['authorization_code', 'refresh_token'],
      response_types: ['code'],
      token_endpoint_auth_method:
        registrationDto.token_endpoint_auth_method || 'none',
    };

    // Future-proofing: hook for software statements / metadata URL validations
    await this.preRegistrationChecks(registrationDto);

    const now = new Date();

    // Create new client - merge defaults with registration data
    const client_id = this.store.generateClientId(
      registrationDto as OAuthClient,
    );

    // Only generate client_secret for methods that require it
    const authMethod = registrationDto.token_endpoint_auth_method || 'none';
    const client_secret =
      authMethod !== 'none' ? randomBytes(32).toString('hex') : undefined;

    const newClient: OAuthClient = {
      ...defaultClientValues,
      ...registrationDto,
      client_id,
      client_secret,
      created_at: now,
      updated_at: now,
    };
    const client = await this.store.storeClient(newClient);
    const filteredClient = Object.fromEntries(
      Object.entries(client).filter(([, value]) => value !== null),
    ) as OAuthClient;

    return filteredClient;
  }

  /**
   * Hook for future registration policies (e.g., software statements per RFC 7591/7592,
   * or URL-based Client Registration using Client ID Metadata Documents).
   * Currently a no-op to keep behavior: always create a new client.
   */

  protected async preRegistrationChecks(
    _dto: ClientRegistrationDto,
  ): Promise<void> {
    // Intentionally left blank. Implement validations/attestations in the future.
  }

  async getClient(clientId: string): Promise<OAuthClient | null> {
    const client = await this.store.getClient(clientId);
    if (!client) {
      return null;
    }

    // Remove null fields from the client object
    const filteredClient = Object.fromEntries(
      Object.entries(client).filter(([, value]) => value !== null),
    ) as OAuthClient;

    return filteredClient;
  }

  async validateRedirectUri(
    clientId: string,
    redirectUri: string,
  ): Promise<boolean> {
    const client = await this.getClient(clientId);
    return client ? client.redirect_uris.includes(redirectUri) : false;
  }
}