"use strict";

const express = require("express"),
  config = require("config"),
  { sendVerifyMail, sendPasswordChangedMail } = require("../lib/mail"),
  crypto = require("crypto");

const router = express.Router();

let userDB;

require("../db/users.js").then(function(db) {
  userDB = db;
});

router.get("/", function(req, res/*, next*/) {
  console.log("/users/");
  return getSessionUser(req).then((user) => {
    return res.status(200).send(user);
  }).catch((error) => {
    console.log("User not logged in: " + error);
    return res.status(200).send({});
  });
});

router.put("/password", function(req, res) {
  console.log("/users/password");

  const changes = {
    currentPassword: req.query.c || req.body.c,
    newPassword: req.query.n || req.body.n
  };

  if (!changes.currentPassword || !changes.newPassword) {
    return res.status(400).send("Missing current password and/or new password.");
  }

  if (changes.currentPassword == changes.newPassword) {
    return res.status(400).send("Attempt to set new password to current password.");
  }

  return getSessionUser(req).then(function(user) {
    return userDB.sequelize.query("SELECT id FROM users " +
      "WHERE uid=:username AND password=:password", {
      replacements: {
        username: user.username,
        password: crypto.createHash('sha256').update(changes.currentPassword).digest('base64')
      },
      type: userDB.Sequelize.QueryTypes.SELECT,
      raw: true
    }).then(function(users) {
      if (users.length != 1) {
        return null;
      }
      return user;
    });
  }).then(function(user) {
    if (!user) {
      console.log("Invalid password");
      /* Invalid password */
      res.status(401).send("Invalid password");
      return null;
    }

    return userDB.sequelize.query("UPDATE users SET password=:password WHERE uid=:username", {
      replacements: {
        username: user.username,
        password: crypto.createHash('sha256').update(changes.newPassword).digest('base64')
      }
    }).then(function() {
      console.log("Password changed for user " + user.username + " to '" + changes.newPassword + "'.");
      
      res.status(200).send(user);
      user.id = req.session.userId;
      return sendPasswordChangedMail(userDB, req, user);
    });
  });
});

router.get("/csrf", (req, res) => {
  console.log("/users/csrf");
  res.json({ csrfToken: req.csrfToken() });
});

router.post("/create", function(req, res) {
  console.log("/users/create");

  const user = {
    uid: req.query.m || req.body.m,
    displayName: req.query.n || req.body.n || "",
    password: req.query.p || req.body.p || "",
    mail: req.query.m || req.body.m,
    notes: req.query.w || req.body.w || ""
  };

  if (!user.uid || !user.password || !user.displayName || !user.notes) {
    return res.status(400).send("Missing email address, password, name, and/or who you know.");
  }

  user.password = crypto.createHash('sha256')
    .update(user.password).digest('base64');
  user.md5 = crypto.createHash('md5')
    .update(data).digest('base64');

  return userDB.sequelize.query("SELECT * FROM users WHERE uid=:uid", {
    replacements: user,
    type: userDB.Sequelize.QueryTypes.SELECT,
    raw: true
  }).then(function(results) {
    if (results.length != 0) {
      return res.status(400).send("Email address already used.");
    }

    let re = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
    if (!re.exec(user.mail)) {
      console.log("Invalid email address: " + user.mail);
      throw "Invalid email address.";
    }
  }).then(function() {
    return userDB.sequelize.query("INSERT INTO users " + 
      "(uid,displayName,password,mail,memberSince,authenticated,notes,md5) " +
      "VALUES(:uid,:displayName,:password,:mail,CURRENT_TIMESTAMP,0,:notes,:md5)", {
      replacements: user
    }).spread(function(results, metadata) {
      req.session.userId = metadata.lastID;
    }).then(function() {
      return getSessionUser(req).then(function(user) {
        res.status(200).send(user);
        user.id = req.session.userId;
        return sendVerifyMail(userDB, req, user);
      });
    }).catch(function(error) {
      console.log("Error creating account: ", error);
      return res.status(401).send(error);
    });
  });
});

const getSessionUser = function(req) {
  return Promise.resolve().then(function() {
    if (!req.session || !req.session.userId) {
      throw "Unauthorized. You must be logged in.";
    }

    let query = "SELECT " +
        "uid AS username,displayName,mailVerified,authenticated,memberSince AS name,mail " +
        "FROM users WHERE id=:id";
    return userDB.sequelize.query(query, {
      replacements: {
        id: req.session.userId
      },
      type: userDB.Sequelize.QueryTypes.SELECT,
      raw: true
    }).then(function(results) {
      if (results.length != 1) {
        throw "Invalid account.";
      }

      let user = results[0];

      if (!user.mailVerified) {
        user.restriction = user.restriction || "Email address not verified.";
        return user;
      }

      if (!user.authenticated) {
        user.restriction = user.restriction || "Accout not authorized.";
        return user;
      }

      return user;
    });
  }).then(function(user) {
    /* Strip out any fields that shouldn't be there. The allowed fields are: */
    let allowed = [
      "maintainer", "username", "displayName", "mailVerified", "authenticated", "name", "mail", "restriction"
    ];
    for (let field in user) {
      if (allowed.indexOf(field) == -1) {
        delete user[field];
      }
    }
    return user;
  });
}

router.post("/login", function(req, res) {
  console.log("/users/login");

  let { email, password } = req.body;

  console.log("Login attempt");

  if (!email || !password) {
    return res.status(400).send({
      message: `Missing email and/or password`
    });
  }

  console.log("Looking up user in DB.");
   
  let query = "SELECT " +
      "id,mailVerified,authenticated," +
      "uid AS username," +
      "displayName AS name,mail " +
      "FROM users WHERE uid=:username AND password=:password";
  return userDB.sequelize.query(query, {
    replacements: {
      username: email,
      password: crypto.createHash('sha256').update(password).digest('base64')
    },
    type: userDB.Sequelize.QueryTypes.SELECT
  })
  .then(function(users) {
    if (users.length != 1) {
      return null;
    }
    let user = users[0];
    req.session.userId = user.id;
    return user;
  })
  .then(function(user) {
    if (!user) {
      console.log(email + " not found (or invalid password.)");
      req.session.userId = null;
      return res.status(401).send({ 
        message: `Invalid login credentials`
      });      
    }

    let message = "Logged in as " + user.displayName + " (" + user.id + ")";
    if (!user.mailVerified) {
      console.log(message + ", who is not verified email.");
    } else if (!user.authenticated) {
      console.log(message + ", who is not authenticated.");
    } else {
      console.log(message);
    }

    return getSessionUser(req).then(function(user) {
      return res.status(200).send(user);
    });
  })
  .catch(function(error) {
    console.log(error);
    return res.status(403).send(error);
  });
});

router.get("/logout", function(req, res) {
  console.log("/users/logout");

  if (req.session && req.session.userId) {
    req.session.userId = null;
  }
  res.status(200).send({});
});

module.exports = router;