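import { verifyMagicAuthCode } from '@/lib/auth/workosAuth';
import { supabaseServiceRole } from '@/lib/supabase';
import type { APIRoute } from 'astro';
import { SignJWT } from 'jose';

const SUPABASE_JWT_SECRET = import.meta.env.SUPABASE_JWT_SECRET;

/**
 * Lifetime of the minted session JWT, as a jose duration string.
 *
 * NOTE(review): '100y' makes the bearer token effectively non-expiring, so a
 * leaked token stays usable for as long as the signing secret is unchanged.
 * The value is kept unchanged here because no refresh path is visible in this
 * route; shorten it once clients can renew a session.
 */
const SESSION_TOKEN_TTL = '100y';

/** Headers shared by every JSON response this route emits. */
const JSON_HEADERS = { 'Content-Type': 'application/json' };

/**
 * Serialises `body` as JSON and wraps it in a Response with `status`.
 *
 * @param body - any JSON-serialisable value
 * @param status - HTTP status code
 */
function jsonResponse(body: unknown, status: number): Response {
  return new Response(JSON.stringify(body), { status, headers: JSON_HEADERS });
}

/**
 * Narrows a parsed request body to `{ email, code }` with both fields present
 * as non-empty strings. A type guard rather than a truthiness check so that a
 * non-string value (e.g. an object where `email` is expected) is rejected with
 * 400 instead of throwing later in `email.toLowerCase()` and surfacing as 500.
 *
 * @param body - the untrusted result of `request.json()`
 */
function isCredentialPair(body: unknown): body is { email: string; code: string } {
  if (typeof body !== 'object' || body === null) return false;
  // Indexing is safe after the object check above; values are still unknown.
  const record = body as Record<string, unknown>;
  const { email, code } = record;
  return (
    typeof email === 'string' && email.length > 0 && typeof code === 'string' && code.length > 0
  );
}

/**
 * Returns the `profiles` row for a WorkOS user, inserting it on first login.
 *
 * If the insert fails (presumably a unique-key conflict when a concurrent
 * request created the row first — verify against the table constraints), the
 * row is re-read by `workos_user_id` before giving up.
 *
 * @param db - the service-role Supabase client (already null-checked by caller)
 * @param workosUserId - id returned by verifyMagicAuthCode
 * @param email - the verified email; stored lower-cased
 * @returns the row selected with `id`, or null when none exists after both attempts
 */
async function findOrCreateProfile(
  db: NonNullable<typeof supabaseServiceRole>,
  workosUserId: string,
  email: string,
) {
  const selectByWorkosId = () =>
    db.from('profiles').select('id').eq('workos_user_id', workosUserId).single();

  const { data: existing } = await selectByWorkosId();
  if (existing) return existing;

  const { data: created, error } = await db
    .from('profiles')
    .insert({ workos_user_id: workosUserId, email: email.toLowerCase() })
    .select('id')
    .single();
  if (!error) return created ?? null;

  // Insert failed: re-read in case another request won the race.
  const { data: raced } = await selectByWorkosId();
  return raced ?? null;
}

/**
 * POST handler: exchanges a magic-auth code for a Supabase-compatible session JWT.
 *
 * Flow: validate body → check service configuration → verify the code with
 * WorkOS → find or create the profile row → sign an HS256 JWT with the
 * Supabase JWT secret (`role`/`aud` = 'authenticated', `sub` = profile id).
 *
 * Responses are always JSON `{ success, message, ... }`:
 *   400 — missing/non-string fields, or the code did not verify
 *   500 — missing secret or service client, profile creation failure, or an
 *         unexpected exception (logged server-side, not echoed to the client)
 */
export const POST: APIRoute = async ({ request }) => {
  try {
    const body: unknown = await request.json();
    if (!isCredentialPair(body)) {
      return jsonResponse({ success: false, message: 'Email and code are required' }, 400);
    }
    const { email, code } = body;

    if (!SUPABASE_JWT_SECRET || !supabaseServiceRole) {
      return jsonResponse({ success: false, message: 'Service misconfigured' }, 500);
    }

    const result = await verifyMagicAuthCode(email, code);
    if (!result.success || !result.userId) {
      // `||` is deliberate: an empty error string should still fall back.
      return jsonResponse(
        { success: false, message: result.error || 'Invalid or expired code' },
        400,
      );
    }

    const profile = await findOrCreateProfile(supabaseServiceRole, result.userId, email);
    if (!profile) {
      return jsonResponse({ success: false, message: 'Failed to create profile' }, 500);
    }

    // The secret is shared with Supabase, so this token is accepted by its
    // PostgREST layer as an 'authenticated' user whose uid is the profile id.
    const secret = new TextEncoder().encode(SUPABASE_JWT_SECRET);
    const sessionToken = await new SignJWT({
      sub: profile.id,
      role: 'authenticated',
      aud: 'authenticated',
      workos_user_id: result.userId,
    })
      .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
      .setIssuedAt()
      .setExpirationTime(SESSION_TOKEN_TTL)
      .sign(secret);

    return jsonResponse(
      {
        success: true,
        message: 'Email verified successfully',
        sessionToken,
        userId: result.userId,
        profileId: profile.id,
      },
      200,
    );
  } catch (err: unknown) {
    // Log for operators; the client only sees a generic message.
    console.error('verify-code: unhandled error', err);
    return jsonResponse({ success: false, message: 'Internal server error' }, 500);
  }
};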