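import { NextRequest, NextResponse } from 'next/server'
import { validateSession, hasPermission } from '@/lib/auth'
import connectToDatabase from '@/lib/mongodb'
import { Role } from '@/lib/models'
import { sanitizeObject } from '@/lib/input-validation'
import { createAuditLog, getClientIP } from '@/lib/audit'

/** Validated fields accepted by POST /api/roles. */
interface RoleInput {
  name: string
  description: string
  permissions: string[]
}

/** Result of validating a request body: either a RoleInput or the 400 message to return. */
type RoleInputResult = { ok: true; value: RoleInput } | { ok: false; error: string }

/**
 * Narrow a (sanitized) request body into a RoleInput.
 *
 * The body is caller-controlled, so each field is checked by runtime type before
 * it reaches a query or a document. In particular `name` must be a non-empty
 * string: it is later used verbatim in `Role.findOne({ name })`, and a JSON
 * object in its place would be handed to the driver as a query expression
 * rather than a value. `description` defaults to '' and `permissions` to [],
 * matching the previous `||` fallbacks, but a present value of the wrong type
 * is now rejected instead of being passed to the model.
 *
 * @param body - the value returned by sanitizeObject(); treated as unknown.
 * @returns `{ ok: true, value }` on success, `{ ok: false, error }` with a
 *   client-facing message otherwise.
 */
function parseRoleInput(body: unknown): RoleInputResult {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return { ok: false, error: 'Request body must be a JSON object' }
  }
  const { name, description, permissions } = body as Record<string, unknown>

  if (typeof name !== 'string' || name.trim() === '') {
    return { ok: false, error: 'Role name is required' }
  }

  let descriptionValue = ''
  if (description !== undefined && description !== null) {
    if (typeof description !== 'string') {
      return { ok: false, error: 'Role description must be a string' }
    }
    descriptionValue = description
  }

  const permissionValues: string[] = []
  if (permissions !== undefined && permissions !== null) {
    if (!Array.isArray(permissions)) {
      return { ok: false, error: 'Permissions must be an array of strings' }
    }
    for (const entry of permissions) {
      if (typeof entry !== 'string') {
        return { ok: false, error: 'Permissions must be an array of strings' }
      }
      permissionValues.push(entry)
    }
  }

  return {
    ok: true,
    value: {
      // Trimmed so that ' admin' and 'admin' cannot coexist as distinct roles.
      name: name.trim(),
      description: descriptionValue,
      permissions: permissionValues,
    },
  }
}

/**
 * GET /api/roles — list all roles, sorted by name.
 *
 * Requires a valid session (401 otherwise) holding the `roles:view`
 * permission (403 otherwise). Any other failure is logged server-side and
 * reported as a generic 500 so no internals leak to the client.
 */
export async function GET(request: NextRequest) {
  try {
    const session = await validateSession(request)
    if (!session) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    if (!hasPermission(session, 'roles:view')) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }

    await connectToDatabase()
    const roles = await Role.find().sort({ name: 1 }).lean()

    return NextResponse.json({ success: true, data: roles })
  } catch (error) {
    console.error('Fetch roles error:', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
}

/**
 * POST /api/roles — create a new role.
 *
 * Requires a valid session (401) with the `roles:create` permission (403).
 * The JSON body is sanitized and then type-checked by parseRoleInput; a
 * body that is not valid JSON, or whose fields have the wrong type, yields a
 * 400 rather than surfacing as a 500. A duplicate name yields 409. On success
 * an audit record is written and the created role is returned with 201.
 */
export async function POST(request: NextRequest) {
  const clientIP = getClientIP(request)
  try {
    const session = await validateSession(request)
    if (!session) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    if (!hasPermission(session, 'roles:create')) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }

    // request.json() rejects on a malformed body; that is a client error, not a
    // server fault. JSON can never decode to undefined, so it is a safe sentinel.
    const raw = await request.json().catch(() => undefined)
    if (raw === undefined) {
      return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
    }

    const parsed = parseRoleInput(sanitizeObject(raw))
    if (!parsed.ok) {
      return NextResponse.json({ error: parsed.error }, { status: 400 })
    }
    const { name, description, permissions } = parsed.value

    await connectToDatabase()

    const existing = await Role.findOne({ name })
    if (existing) {
      return NextResponse.json({ error: 'Role name already exists' }, { status: 409 })
    }

    const role = new Role({
      name,
      description,
      permissions,
      isDefault: false,
    })
    await role.save()

    await createAuditLog({
      action: 'role_created',
      entityType: 'role',
      entityId: role._id.toString(),
      entityName: role.name,
      userId: session._id,
      userName: session.username,
      userEmail: session.email,
      newValues: { name, description, permissions },
      clientIP,
      status: 'success',
      statusCode: 201,
    })

    return NextResponse.json({ success: true, data: role }, { status: 201 })
  } catch (error) {
    console.error('Create role error:', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
}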