<?php declare(strict_types=1);
/*
 * This file is part of the SplendidBear Websites' projects.
 *
 * Copyright (c) 2026 @ www.splendidbear.org
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace App\Controller;

use App\Entity\User;
use App\Form\ForgotPasswordFormType;
use App\Form\RegistrationFormType;
use App\Form\ResetPasswordFormType;
use App\Repository\UserRepository;
use App\Service\Email\SendActivationEmailService;
use App\Service\Email\SendPasswordResetEmailService;
use App\Service\Email\SendUserActivationNotificationService;
use App\Service\Email\SendUserRegistrationNotificationService;
use DateTime;
use Doctrine\ORM\EntityManagerInterface;
use LogicException;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Attribute\AsController;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;

/**
 * Class SecurityController
 *
 * @package  App\Controller
 * @author   Lang <https://www.splendidbear.org>
 * @category Class
 * @license  https://www.gnu.org/licenses/lgpl-3.0.en.html GNU Lesser General Public License
 * @link     www.splendidbear.org
 * @since    2026. 04. 11.
 */
#[AsController]
class SecurityController extends AbstractController
{
    public function __construct(
        private readonly EntityManagerInterface                  $em,
        private readonly RequestStack                            $requestStack,
        private readonly UserRepository                          $userRepository,
        private readonly UserPasswordHasherInterface             $passwordHasher,
        private readonly AuthenticationUtils                     $authenticationUtils,
        private readonly SendActivationEmailService              $activationEmail,
        private readonly SendPasswordResetEmailService           $passwordResetEmail,
        private readonly SendUserActivationNotificationService   $activationNotificationEmail,
        private readonly SendUserRegistrationNotificationService $registrationNotificationEmail,
    ) {
    }

    #[Route('/login', name: 'MineSeekerBundle_login')]
    public function login(): Response
    {
        if ($this->getUser()) {
            return $this->redirectToRoute('MineSeekerBundle_homepage');
        }

        return $this->render('Security/login.html.twig', [
            'last_username' => $this->authenticationUtils->getLastUsername(),
            'error'         => $this->authenticationUtils->getLastAuthenticationError(),
        ]);
    }

    #[Route('/logout', name: 'MineSeekerBundle_logout', methods: ['POST'])]
    public function logout(): never
    {
        throw new LogicException('This action is intercepted by the security firewall.');
    }

    #[Route('/register', name: 'MineSeekerBundle_register')]
    public function register(): Response
    {
        if ($this->getUser()) {
            return $this->redirectToRoute('MineSeekerBundle_homepage');
        }

        $user = new User();
        $form = $this->createForm(RegistrationFormType::class, $user);
        $form->handleRequest($this->requestStack->getCurrentRequest());

        if ($form->isSubmitted() && $form->isValid()) {
            $token = bin2hex(random_bytes(32));

            $user->isVerified = false;
            $user->verificationToken = $token;
            $user->password = $this->passwordHasher->hashPassword($user, $form->get('plainPassword')->getData());

            $this->em->persist($user);
            $this->em->flush();

            $activationUrl = $this->generateUrl(
                'MineSeekerBundle_activate',
                ['token' => $token],
                UrlGeneratorInterface::ABSOLUTE_URL,
            );

            /** Ensure HTTPS scheme in production */
            if ($this->getParameter('kernel.environment') === 'prod') {
                $activationUrl = str_replace('http://', 'https://', $activationUrl);
            }

            $this->activationEmail->send($user, $activationUrl);
            $this->registrationNotificationEmail->send($user, new DateTime());

            $this->addFlash('verify_email', $user->email);

            return $this->redirectToRoute('MineSeekerBundle_register');
        }

        return $this->render('Security/register.html.twig', ['form' => $form]);
    }

    #[Route('/forgot-password', name: 'MineSeekerBundle_forgot_password')]
    public function forgotPassword(): Response
    {
        if ($this->getUser()) {
            return $this->redirectToRoute('MineSeekerBundle_homepage');
        }

        $form = $this->createForm(ForgotPasswordFormType::class);
        $form->handleRequest($this->requestStack->getCurrentRequest());

        if ($form->isSubmitted() && $form->isValid()) {
            $email = $form->get('email')->getData();
            $user = $this->userRepository->findOneByEmail($email);

            if ($user && $user->isVerified) {
                $token = bin2hex(random_bytes(32));
                $user->resetToken = $token;
                $user->resetTokenExpiresAt = new DateTime('+1 hour');
                $this->em->flush();

                $resetUrl = $this->generateUrl(
                    'MineSeekerBundle_reset_password',
                    ['token' => $token],
                    UrlGeneratorInterface::ABSOLUTE_URL,
                );

                /** Ensure HTTPS scheme in production */
                if ($this->getParameter('kernel.environment') === 'prod') {
                    $resetUrl = str_replace('http://', 'https://', $resetUrl);
                }

                $this->passwordResetEmail->send($email, $user->getUsername(), $resetUrl);
            }

            $this->addFlash('reset_sent', $email);

            return $this->redirectToRoute('MineSeekerBundle_forgot_password');
        }

        return $this->render('Security/forgot_password.html.twig', ['form' => $form]);
    }

    #[Route('/reset-password/{token}', name: 'MineSeekerBundle_reset_password')]
    public function resetPassword(string $token): Response
    {
        $user = $this->userRepository->findOneByResetToken($token);

        if (!$user || $user->resetTokenExpiresAt < new DateTime()) {
            $this->addFlash('error', 'This password reset link is invalid or has expired.');
            return $this->redirectToRoute('MineSeekerBundle_forgot_password');
        }

        $form = $this->createForm(ResetPasswordFormType::class);
        $form->handleRequest($this->requestStack->getCurrentRequest());

        if ($form->isSubmitted() && $form->isValid()) {
            $user->password = $this->passwordHasher->hashPassword($user, $form->get('plainPassword')->getData());
            $user->resetToken = null;
            $user->resetTokenExpiresAt = null;

            $this->em->flush();

            $this->addFlash('success', 'Your password has been reset. You can now sign in.');

            return $this->redirectToRoute('MineSeekerBundle_login');
        }

        return $this->render('Security/reset_password.html.twig', ['form' => $form]);
    }

    #[Route('/activate/{token}', name: 'MineSeekerBundle_activate')]
    public function activate(string $token): Response
    {
        $user = $this->em->getRepository(User::class)->findOneBy(['verificationToken' => $token]);

        if (!$user) {
            $this->addFlash('error', 'This activation link is invalid or has already been used.');
            return $this->redirectToRoute('MineSeekerBundle_login');
        }

        $user->isVerified = true;
        $user->verificationToken = null;
        $this->em->flush();

        $this->activationNotificationEmail->send($user, new DateTime());

        $this->addFlash('success', 'Your account is now active. Welcome, ' . $user->getUsername() . '!');

        return $this->redirectToRoute('MineSeekerBundle_login');
    }
}