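import { getDb } from '../../utils/db.js'
import { requireAuth } from '../../utils/authHelpers.js'
import { hashPassword } from '../../utils/password.js'

/** Roles an admin may assign. Anything outside this list is rejected with 400. */
const ROLES = Object.freeze(['admin', 'leader', 'member'])

/**
 * Validates the optional `role` field of the request body.
 * @param {unknown} raw - value of `body.role`; `undefined` means "not supplied"
 * @returns {string|undefined} the role to store, or undefined when no change was requested
 * @throws 400 when a value was supplied but is not one of ROLES (non-strings included,
 *   since `includes` never matches them)
 */
function parseRole(raw) {
  if (raw === undefined) return undefined
  if (!raw || !ROLES.includes(raw)) {
    throw createError({ statusCode: 400, message: 'role must be admin, leader, or member' })
  }
  return raw
}

/**
 * Validates the optional `identifier` field (local accounts only).
 * @param {unknown} raw - value of `body.identifier`; `undefined` means "not supplied"
 * @returns {string|undefined} the trimmed identifier, or undefined when no change was requested
 * @throws 400 when supplied but empty/whitespace-only or not a string
 */
function parseIdentifier(raw) {
  if (raw === undefined) return undefined
  // Fix: the previous code called raw?.trim() directly, so a non-string value
  // (number, object, array) crashed with a 500 instead of a clean 400.
  const identifier = typeof raw === 'string' ? raw.trim() : ''
  if (!identifier) {
    throw createError({ statusCode: 400, message: 'identifier cannot be empty' })
  }
  return identifier
}

/**
 * Validates the optional `password` field (local accounts only).
 * An empty string is treated the same as "not supplied" (what a blank form field sends),
 * so it does NOT clear the password.
 * @param {unknown} raw - value of `body.password`
 * @returns {string|undefined} the plaintext password to hash, or undefined for no change
 * @throws 400 when supplied but not a string
 */
function parsePassword(raw) {
  if (raw === undefined || raw === '') return undefined
  if (typeof raw !== 'string') {
    throw createError({ statusCode: 400, message: 'password cannot be empty' })
  }
  // NOTE(review): no length/strength policy is enforced here beyond "non-empty";
  // if one exists elsewhere (e.g. in hashPassword or the signup route) it is not visible
  // from this file — confirm, or add one here.
  return raw
}

/**
 * PATCH-style admin endpoint: updates a user's role and, for local accounts,
 * identifier and/or password. Only fields present in the body are changed.
 *
 * Route param: `id` (required). Body: `{ role?, identifier?, password? }`.
 * Returns the user's public columns (`id`, `identifier`, `role`, `auth_provider`).
 *
 * @throws 400 missing id, or an invalid field value
 * @throws 404 no such user (before or after the update)
 * @throws 409 identifier already taken by another user
 */
export default defineEventHandler(async (event) => {
  // Admin-only. Nothing below re-checks authorization, so this relies on
  // requireAuth throwing for non-admins — TODO confirm it throws rather than
  // returning a status.
  requireAuth(event, { role: 'admin' })

  const id = event.context.params?.id
  if (!id) throw createError({ statusCode: 400, message: 'id required' })

  const body = await readBody(event)
  const { run, get } = await getDb()

  const user = await get(
    'SELECT id, identifier, role, auth_provider, password_hash FROM users WHERE id = ?',
    [id],
  )
  if (!user) throw createError({ statusCode: 404, message: 'User not found' })

  // The SET clause is assembled only from fixed column strings; every
  // request-derived value goes through a bind parameter, so the dynamic SQL
  // below cannot be steered by the caller.
  const updates = []
  const params = []

  const role = parseRole(body?.role)
  if (role !== undefined) {
    // NOTE(review): nothing prevents an admin from demoting themselves or the
    // last remaining admin; decide whether that should be refused here.
    updates.push('role = ?')
    params.push(role)
  }

  // identifier/password are credential fields owned by this app only for
  // local accounts. For other providers they are silently ignored (not
  // rejected), so a caller sending them gets a 200 with no change.
  if (user.auth_provider === 'local') {
    const identifier = parseIdentifier(body?.identifier)
    if (identifier !== undefined) {
      // Check-then-write is racy under concurrent requests; the real guarantee
      // has to be a UNIQUE constraint on users.identifier — TODO confirm the
      // schema has one, and that `run` surfaces its violation as an error.
      const existing = await get(
        'SELECT id FROM users WHERE identifier = ? AND id != ?',
        [identifier, id],
      )
      if (existing) {
        throw createError({ statusCode: 409, message: 'Identifier already in use' })
      }
      updates.push('identifier = ?')
      params.push(identifier)
    }

    const password = parsePassword(body?.password)
    if (password !== undefined) {
      // The hash is bound directly, which assumes hashPassword is synchronous;
      // if it returns a Promise this would store "[object Promise]" — TODO confirm.
      updates.push('password_hash = ?')
      params.push(hashPassword(password))
      // NOTE(review): an admin-forced password change does not revoke the
      // target user's existing sessions here; if sessions are server-side,
      // consider invalidating them on password (and role) change.
    }
  }

  // No-op request: echo the current public columns without touching the DB.
  if (updates.length === 0) {
    return {
      id: user.id,
      identifier: user.identifier,
      role: user.role,
      auth_provider: user.auth_provider ?? 'local',
    }
  }

  params.push(id)
  await run(`UPDATE users SET ${updates.join(', ')} WHERE id = ?`, params)

  const updated = await get(
    'SELECT id, identifier, role, auth_provider FROM users WHERE id = ?',
    [id],
  )
  // The row could disappear between the UPDATE and this SELECT (concurrent delete);
  // the previous code would have returned null/undefined here.
  if (!updated) throw createError({ statusCode: 404, message: 'User not found' })
  // Same `auth_provider` default as the no-op branch, so both paths agree.
  return { ...updated, auth_provider: updated.auth_provider ?? 'local' }
})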