using System.Security.Claims;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Components.Server;
using Microsoft.AspNetCore.Http;
using ScadaLink.Security;
namespace ScadaLink.CentralUI.Auth;
/// <summary>
/// Reads the JWT from an HTTP-only cookie and creates a ClaimsPrincipal for Blazor Server.
/// This bridges cookie-based auth (set by the login endpoint) with Blazor's auth state.
/// </summary>
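public class CookieAuthenticationStateProvider : ServerAuthenticationStateProvider
{
    /// <summary>
    /// Name of the request cookie the JWT is read from.
    /// </summary>
    /// <remarks>
    /// The cookie's attributes (HttpOnly, Secure, SameSite, lifetime) are decided where the
    /// cookie is issued, not in this class; this class only reads the value.
    /// </remarks>
    public const string AuthCookieName = "ScadaLink.Auth";

    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly JwtTokenService _jwtTokenService;

    /// <summary>
    /// Creates the provider with the services it needs to read and validate the auth cookie.
    /// </summary>
    /// <param name="httpContextAccessor">Gives access to the current request, and through it the cookies.</param>
    /// <param name="jwtTokenService">Validates the token and evaluates the idle timeout.</param>
    public CookieAuthenticationStateProvider(
        IHttpContextAccessor httpContextAccessor,
        JwtTokenService jwtTokenService)
    {
        _httpContextAccessor = httpContextAccessor;
        _jwtTokenService = jwtTokenService;
    }

    /// <summary>
    /// Builds the authentication state from the JWT stored in the <see cref="AuthCookieName"/> cookie.
    /// </summary>
    /// <returns>
    /// The principal produced by <c>JwtTokenService.ValidateToken</c> when the cookie is present,
    /// the token validates and the idle timeout has not elapsed; otherwise an unauthenticated
    /// principal. Every failure path yields the same anonymous state (fail closed), so callers
    /// cannot tell a missing cookie from a rejected token.
    /// </returns>
    /// <remarks>
    /// NOTE(review): in Blazor Server the <see cref="HttpContext"/> belongs to the HTTP request that
    /// started the circuit. Calls made later over the long-lived connection may see no context, or
    /// the original one, so token expiry and the idle timeout are not necessarily re-evaluated for
    /// the life of the circuit. If sessions must end while a circuit is open, consider periodic
    /// revalidation (for example <c>RevalidatingServerAuthenticationStateProvider</c>) - confirm
    /// against how this provider is registered and used.
    /// </remarks>
    public override Task<AuthenticationState> GetAuthenticationStateAsync()
    {
        var httpContext = _httpContextAccessor.HttpContext;
        if (httpContext is null)
        {
            // No request to read a cookie from: treat as not signed in.
            return AnonymousState();
        }

        var token = httpContext.Request.Cookies[AuthCookieName];
        if (string.IsNullOrEmpty(token))
        {
            return AnonymousState();
        }

        // The raw token is a bearer credential; it is passed to the validator only and never logged here.
        // NOTE(review): this relies on ValidateToken returning null for a bad token and on it checking
        // signature and lifetime - confirm in JwtTokenService. An exception thrown there is not caught here.
        var principal = _jwtTokenService.ValidateToken(token);
        if (principal is null)
        {
            return AnonymousState();
        }

        // A token that is still valid is rejected anyway once the idle timeout has elapsed.
        if (_jwtTokenService.IsIdleTimedOut(principal))
        {
            return AnonymousState();
        }

        return Task.FromResult(new AuthenticationState(principal));
    }

    /// <summary>
    /// Returns a completed task holding an unauthenticated state. A <see cref="ClaimsIdentity"/>
    /// created without an authentication type reports <c>IsAuthenticated == false</c>.
    /// </summary>
    private static Task<AuthenticationState> AnonymousState()
    {
        return Task.FromResult(new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity())));
    }
}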