import { NextResponse } from "next/server"
import { prisma } from "@/server/db"
import { getSession } from "@/server/session"
import { cnpjMatches } from "@/server/cnpj"
import { verifyDomain, viewDomains } from "@/server/smtp2go"

type DomainVerifyResult = {
  dkim_verified?: boolean
  dkim_selector?: string
  dkim_expected?: string
  rpath_verified?: boolean
  rpath_selector?: string
  rpath_expected?: string
}

async function ensureClientSubaccountAccess(subaccountId: string) {
  const session = await getSession()
  const user = session.user
  if (!user) {
    return { error: "UNAUTHORIZED", status: 401 as const }
  }
  if (user.role === "ADMIN" || user.role === "SUPPORT") {
    return { error: "FORBIDDEN", status: 403 as const }
  }
  const cnpj = user.cnpj?.trim()
  if (!cnpj) {
    return { error: "FORBIDDEN_NO_CNPJ", status: 403 as const }
  }
  if (!subaccountId) {
    return { error: "MISSING_SUBACCOUNT_ID", status: 400 as const }
  }

  const meta = await prisma.subaccountMeta.findUnique({
    where: { subaccountId },
    select: { cnpj: true },
  })
  if (!meta || !cnpjMatches(meta.cnpj, cnpj)) {
    return { error: "FORBIDDEN_SUBACCOUNT", status: 403 as const }
  }
  return { ok: true as const }
}

export async function GET(req: Request) {
  const url = new URL(req.url)
  const subaccountId = String(url.searchParams.get("subaccountId") ?? "").trim()

  const access = await ensureClientSubaccountAccess(subaccountId)
  if (!("ok" in access)) {
    return NextResponse.json({ error: access.error }, { status: access.status })
  }

  const meta = await prisma.subaccountMeta.findUnique({
    where: { subaccountId },
    select: { domain: true },
  })
  let domain = meta?.domain?.trim()
  if (!domain) {
    try {
      const view = (await viewDomains({ subaccount_id: subaccountId })) as {
        domains?: Array<{ domain?: { fulldomain?: string } }>
      }
      const fetched = String(view?.domains?.[0]?.domain?.fulldomain ?? "").trim()
      if (fetched) {
        domain = fetched
        await prisma.subaccountMeta.upsert({
          where: { subaccountId },
          update: { domain },
          create: { subaccountId, domain },
        })
      }
    } catch {
      // ignore and keep fallback below
    }
  }
  if (!domain) {
    return NextResponse.json({ error: "MISSING_DOMAIN" }, { status: 404 })
  }

  try {
    const res = (await verifyDomain({ domain, subaccount_id: subaccountId })) as {
      domains?: Array<{
        domain?: {
          dkim_verified?: boolean
          dkim_selector?: string
          dkim_expected?: string
          rpath_verified?: boolean
          rpath_selector?: string
          rpath_expected?: string
        }
      }>
    }
    const entry = res?.domains?.[0]?.domain ?? {}
    const payload: DomainVerifyResult = {
      dkim_verified: Boolean(entry?.dkim_verified),
      dkim_selector: entry?.dkim_selector,
      dkim_expected: entry?.dkim_expected,
      rpath_verified: Boolean(entry?.rpath_verified),
      rpath_selector: entry?.rpath_selector,
      rpath_expected: entry?.rpath_expected,
    }
    await prisma.subaccountMeta.update({
      where: { subaccountId },
      data: {
        dkimVerified: payload.dkim_verified ?? null,
        rpathVerified: payload.rpath_verified ?? null,
        dkimSelector: payload.dkim_selector ?? null,
        rpathSelector: payload.rpath_selector ?? null,
        domainCheckedAt: new Date(),
      },
    })
    return NextResponse.json({ domain, ...payload })
  } catch (e: unknown) {
    const msg = e instanceof Error ? e.message : String(e ?? "Erro ao verificar dominio")
    return NextResponse.json({ error: msg }, { status: 502 })
  }
}