import { Request, Response } from 'express';
import * as stressfreiEmailService from '../services/stressfreiEmail.service.js';
import { logChange } from '../services/audit.service.js';
import { ApiResponse, AuthRequest } from '../types/index.js';
import { canAccessCustomer, canAccessStressfreiEmail } from '../utils/accessControl.js';
import { ApiError } from '../utils/apiError.js';

// Pentest 71.3 (INFO): `parseInt(...)` ohne NaN-Check gab bei
// `/stressfrei-emails/abc/...` einen generischen 500 zurück.
//
// Pentest 77.3 (LOW): `Number.isInteger(parseInt(...))` ließ Floats
// und Exponential-Notation durch – `4.0`, `4.5`, `4e1` werden alle
// zu `4` geparst und treffen die echte ID 4. Fix: erst gegen
// `/^\d+$/` validieren, dann erst parsen.
function requireIdParam(req: AuthRequest, res: Response, paramName: string): number | null {
  const raw = req.params[paramName];
  if (typeof raw !== 'string' || !/^\d+$/.test(raw)) {
    res.status(400).json({ success: false, error: `Ungültige ID: ${raw}` } as ApiResponse);
    return null;
  }
  const parsed = Number.parseInt(raw, 10);
  if (!Number.isInteger(parsed) || parsed < 1) {
    res.status(400).json({ success: false, error: `Ungültige ID: ${raw}` } as ApiResponse);
    return null;
  }
  return parsed;
}

export async function getEmailsByCustomer(req: AuthRequest, res: Response): Promise<void> {
  try {
    const customerId = requireIdParam(req, res, 'customerId');
    if (customerId === null) return;
    // requireCustomerAccess in der Route greift nicht ausreichend:
    // Portal-User haben `customers:read` (für eigene Daten) und werden
    // dort short-circuited, ohne Owner-Vergleich. Pentest 2026-05-24
    // (MEDIUM 31.2) – IDOR auf fremde IMAP-Konten. Hier daher der
    // explizite Per-Customer-Check analog zum POST-Handler.
    if (!(await canAccessCustomer(req, res, customerId))) return;
    const includeInactive = req.query.includeInactive === 'true';
    const emails = await stressfreiEmailService.getEmailsByCustomerId(customerId, includeInactive);
    res.json({ success: true, data: emails } as ApiResponse);
  } catch (error) {
    res.status(500).json({
      success: false,
      error: 'Fehler beim Laden der Stressfrei-Wechseln Adressen',
    } as ApiResponse);
  }
}

export async function getEmail(req: AuthRequest, res: Response): Promise<void> {
  try {
    const emailId = requireIdParam(req, res, 'id');
    if (emailId === null) return;
    if (!(await canAccessStressfreiEmail(req, res, emailId))) return;

    const email = await stressfreiEmailService.getEmailById(emailId);
    if (!email) {
      res.status(404).json({
        success: false,
        error: 'Stressfrei-Wechseln Adresse nicht gefunden',
      } as ApiResponse);
      return;
    }

    // Sensibles Feld emailPasswordEncrypted nie an Portal-Kunden geben
    const sanitized: any = { ...email };
    if (req.user?.isCustomerPortal) {
      delete sanitized.emailPasswordEncrypted;
    }
    res.json({ success: true, data: sanitized } as ApiResponse);
  } catch (error) {
    res.status(500).json({
      success: false,
      error: 'Fehler beim Laden der Stressfrei-Wechseln Adresse',
    } as ApiResponse);
  }
}

export async function createEmail(req: Request, res: Response): Promise<void> {
  try {
    const customerId = requireIdParam(req, res, 'customerId');
    if (customerId === null) return;
    const email = await stressfreiEmailService.createEmail({
      ...req.body,
      customerId,
    });
    await logChange({
      req, action: 'CREATE', resourceType: 'StressfreiEmail',
      resourceId: email.id.toString(),
      label: `Stressfrei-Wechseln Adresse angelegt für Kunde #${customerId}`,
      customerId,
    });
    res.status(201).json({ success: true, data: email } as ApiResponse);
  } catch (error) {
    const status = error instanceof ApiError ? error.statusCode : 400;
    res.status(status).json({
      success: false,
      error: error instanceof Error ? error.message : 'Fehler beim Erstellen der Stressfrei-Wechseln Adresse',
    } as ApiResponse);
  }
}

export async function updateEmail(req: AuthRequest, res: Response): Promise<void> {
  try {
    const emailId = requireIdParam(req, res, 'id');
    if (emailId === null) return;
    if (!(await canAccessStressfreiEmail(req, res, emailId))) return;
    const email = await stressfreiEmailService.updateEmail(emailId, req.body);
    await logChange({
      req, action: 'UPDATE', resourceType: 'StressfreiEmail',
      resourceId: email.id.toString(),
      label: `Stressfrei-Wechseln Adresse aktualisiert`,
    });
    res.json({ success: true, data: email } as ApiResponse);
  } catch (error) {
    const status = error instanceof ApiError ? error.statusCode : 400;
    res.status(status).json({
      success: false,
      error: error instanceof Error ? error.message : 'Fehler beim Aktualisieren der Stressfrei-Wechseln Adresse',
    } as ApiResponse);
  }
}

export async function deleteEmail(req: AuthRequest, res: Response): Promise<void> {
  try {
    const emailId = requireIdParam(req, res, 'id');
    if (emailId === null) return;
    if (!(await canAccessStressfreiEmail(req, res, emailId))) return;
    await stressfreiEmailService.deleteEmail(emailId);
    await logChange({
      req, action: 'DELETE', resourceType: 'StressfreiEmail',
      resourceId: emailId.toString(),
      label: `Stressfrei-Wechseln Adresse gelöscht`,
    });
    res.json({ success: true, message: 'Stressfrei-Wechseln Adresse gelöscht' } as ApiResponse);
  } catch (error) {
    res.status(400).json({
      success: false,
      error: error instanceof Error ? error.message : 'Fehler beim Löschen der Stressfrei-Wechseln Adresse',
    } as ApiResponse);
  }
}

export async function syncForwarding(req: AuthRequest, res: Response): Promise<void> {
  try {
    const emailId = requireIdParam(req, res, 'id');
    if (emailId === null) return;
    if (!(await canAccessStressfreiEmail(req, res, emailId))) return;

    const result = await stressfreiEmailService.syncForwardingForEmail(emailId);
    if (!result.success) {
      res.status(400).json({ success: false, error: result.error } as ApiResponse);
      return;
    }

    const labelParts = [`Weiterleitungen: ${(result.forwardTargets || []).join(', ')}`];
    if (result.passwordReset) labelParts.push('Mailbox-Passwort am Provider neu gesetzt');

    await logChange({
      req,
      action: 'UPDATE',
      resourceType: 'StressfreiEmail',
      resourceId: emailId.toString(),
      label: `Stressfrei-Sync: ${labelParts.join(' | ')}`,
    });

    res.json({
      success: true,
      data: {
        forwardTargets: result.forwardTargets,
        customerEmail: result.customerEmail,
        passwordReset: result.passwordReset,
      },
      message: 'Weiterleitungen aktualisiert',
    } as ApiResponse);
  } catch (error) {
    res.status(500).json({
      success: false,
      error: error instanceof Error ? error.message : 'Fehler beim Synchronisieren der Weiterleitungen',
    } as ApiResponse);
  }
}

/**
 * Zusätzliche Weiterleitungs-E-Mails der StressfreiEmail neu setzen.
 * Body: `{ emails: string[] }`. Liste ersetzt komplett, Provider wird
 * unmittelbar nachgezogen.
 */
export async function updateAdditionalForwards(req: AuthRequest, res: Response): Promise<void> {
  try {
    const emailId = requireIdParam(req, res, 'id');
    if (emailId === null) return;
    if (!(await canAccessStressfreiEmail(req, res, emailId))) return;

    const body = req.body ?? {};
    if (!Array.isArray(body.emails)) {
      res.status(400).json({ success: false, error: '`emails` muss ein Array sein.' } as ApiResponse);
      return;
    }
    if (body.emails.length > 20) {
      res.status(400).json({ success: false, error: 'Maximal 20 zusätzliche Weiterleitungen erlaubt.' } as ApiResponse);
      return;
    }

    const result = await stressfreiEmailService.setAdditionalForwards(emailId, body.emails);
    if (!result.success) {
      res.status(400).json({ success: false, error: result.error } as ApiResponse);
      return;
    }

    await logChange({
      req,
      action: 'UPDATE',
      resourceType: 'StressfreiEmail',
      resourceId: emailId.toString(),
      label: `Zusatz-Weiterleitungen aktualisiert (${(result.forwardTargets || []).length} Ziele aktiv)`,
    });

    res.json({
      success: true,
      data: { forwardTargets: result.forwardTargets },
      message: 'Weiterleitungen aktualisiert',
    } as ApiResponse);
  } catch (error) {
    const status = error instanceof ApiError ? error.statusCode : 500;
    res.status(status).json({
      success: false,
      error: error instanceof Error ? error.message : 'Fehler beim Aktualisieren der Weiterleitungen',
    } as ApiResponse);
  }
}

export async function resetPassword(req: AuthRequest, res: Response): Promise<void> {
  try {
    const emailId = requireIdParam(req, res, 'id');
    if (emailId === null) return;
    if (!(await canAccessStressfreiEmail(req, res, emailId))) return;
    const result = await stressfreiEmailService.resetMailboxPassword(emailId);
    if (!result.success) {
      res.status(400).json({
        success: false,
        error: result.error,
      } as ApiResponse);
      return;
    }
    res.json({
      success: true,
      data: { password: result.password },
      message: 'Passwort wurde zurückgesetzt',
    } as ApiResponse);
  } catch (error) {
    res.status(500).json({
      success: false,
      error: error instanceof Error ? error.message : 'Fehler beim Zurücksetzen des Passworts',
    } as ApiResponse);
  }
}