pub mod auth;
pub mod error;
pub mod handlers;
pub mod models;

use axum::{
    Router,
    extract::DefaultBodyLimit,
    http::{HeaderValue, header},
    routing::{delete, get, post},
};
use std::{collections::HashMap, env, path::PathBuf, sync::Arc, time::Duration};
use tokio::sync::{Mutex, RwLock};
use tower_http::{
    compression::CompressionLayer,
    cors::{AllowOrigin, CorsLayer},
    services::ServeDir,
};
use tracing::{error, info, warn};

use crate::handlers::contact::RATE_LIMIT_WINDOW_MS;
use crate::models::{ImageDim, PostInfo};

pub struct CachedPost {
    pub info: PostInfo,
    pub body: String,
}

pub struct AppState {
    pub admin_token: String,
    pub data_dir: PathBuf,
    pub cookie_secure: bool,
    pub post_lock: Mutex<()>,
    pub posts_cache: RwLock<Vec<CachedPost>>,
    pub image_dims_cache: RwLock<HashMap<String, ImageDim>>,
    pub contact_rate_limit: Mutex<HashMap<String, Vec<i64>>>,
}

#[tokio::main]
async fn main() {
    tracing_subscriber::fmt::init();
    dotenvy::dotenv().ok();

    let port = env::var("PORT").unwrap_or_else(|_| "3000".to_string());
    let admin_token = env::var("ADMIN_TOKEN")
        .ok()
        .filter(|t| !t.trim().is_empty())
        .expect("ADMIN_TOKEN must be set to a non-empty value");
    if admin_token.len() < 16 {
        warn!(
            "ADMIN_TOKEN is shorter than 16 characters. Use a long random string in production."
        );
    }
    let data_dir_str = env::var("DATA_DIR").unwrap_or_else(|_| "../data".to_string());
    let data_dir = PathBuf::from(data_dir_str);
    let cookie_secure = env::var("COOKIE_SECURE")
        .map(|v| v != "false" && v != "0")
        .unwrap_or(true);

    info!("Initializing backend with data dir: {:?}", data_dir);

    let posts_dir = data_dir.join("posts");
    let uploads_dir = data_dir.join("uploads");
    if let Err(e) = tokio::fs::create_dir_all(&posts_dir).await {
        error!("Failed to create posts directory: {}", e);
    }
    if let Err(e) = tokio::fs::create_dir_all(&uploads_dir).await {
        error!("Failed to create uploads directory: {}", e);
    }

    let state = Arc::new(AppState {
        admin_token,
        data_dir,
        cookie_secure,
        post_lock: Mutex::new(()),
        posts_cache: RwLock::new(Vec::new()),
        image_dims_cache: RwLock::new(HashMap::new()),
        contact_rate_limit: Mutex::new(HashMap::new()),
    });

    handlers::posts::rebuild_posts_cache(&state).await;
    info!("Posts cache primed with {} entries", state.posts_cache.read().await.len());

    spawn_rate_limit_reaper(state.clone());

    // CORS — locked down by default. Set FRONTEND_ORIGIN to the public URL of
    // the frontend if you ever expose the backend directly to browsers.
    // Normal deployments hit the backend through the Astro proxy, which is
    // server-to-server and not subject to CORS.
    let cors = match env::var("FRONTEND_ORIGIN").ok().filter(|s| !s.is_empty()) {
        Some(origin) => {
            let value = HeaderValue::from_str(&origin)
                .expect("FRONTEND_ORIGIN must be a valid origin URL");
            CorsLayer::new()
                .allow_origin(AllowOrigin::exact(value))
                .allow_methods([
                    axum::http::Method::GET,
                    axum::http::Method::POST,
                    axum::http::Method::DELETE,
                    axum::http::Method::OPTIONS,
                ])
                .allow_headers([header::AUTHORIZATION, header::CONTENT_TYPE])
                .allow_credentials(true)
        }
        None => CorsLayer::new(),
    };

    // JSON routes get a tight 1 MB cap; the upload route keeps 50 MB.
    const JSON_BODY_LIMIT: usize = 1024 * 1024;
    const UPLOAD_BODY_LIMIT: usize = 50 * 1024 * 1024;

    let app = Router::new()
        .route("/api/auth/login", post(handlers::auth::login))
        .route("/api/auth/logout", post(handlers::auth::logout))
        .route("/api/auth/me", get(handlers::auth::me))
        .route(
            "/api/config",
            get(handlers::config::get_config).post(handlers::config::update_config),
        )
        .route(
            "/api/posts",
            get(handlers::posts::list_posts).post(handlers::posts::create_post),
        )
        .route(
            "/api/posts/{slug}",
            get(handlers::posts::get_post).delete(handlers::posts::delete_post),
        )
        .route("/api/uploads", get(handlers::upload::list_uploads))
        .route(
            "/api/uploads/{filename}",
            delete(handlers::upload::delete_upload),
        )
        .route(
            "/api/upload",
            post(handlers::upload::upload_file)
                .layer(DefaultBodyLimit::max(UPLOAD_BODY_LIMIT)),
        )
        .route("/api/contact", post(handlers::contact::submit_contact))
        .route("/api/messages", get(handlers::contact::list_messages))
        .route(
            "/api/messages/{id}",
            delete(handlers::contact::delete_message),
        )
        .route("/healthz", get(|| async { "ok" }))
        .nest_service("/uploads", ServeDir::new(uploads_dir))
        .layer(DefaultBodyLimit::max(JSON_BODY_LIMIT))
        .layer(CompressionLayer::new().br(true).gzip(true))
        .layer(cors)
        .with_state(state);

    let addr = format!("0.0.0.0:{}", port);
    info!("Starting server on {}", addr);
    let listener = tokio::net::TcpListener::bind(&addr).await.unwrap();
    axum::serve(listener, app).await.unwrap();
}

/// Periodically prunes expired entries from the contact rate-limit map so it
/// can't grow unbounded across the lifetime of the process.
fn spawn_rate_limit_reaper(state: Arc<AppState>) {
    tokio::spawn(async move {
        let mut ticker = tokio::time::interval(Duration::from_secs(300));
        ticker.tick().await;
        loop {
            ticker.tick().await;
            let now_ms = chrono::Utc::now().timestamp_millis();
            let mut map = state.contact_rate_limit.lock().await;
            map.retain(|_, times| {
                times.retain(|t| now_ms - *t < RATE_LIMIT_WINDOW_MS);
                !times.is_empty()
            });
        }
    });
}