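import { getDb, withTransaction } from '../../utils/db.js';
import { requireAuth } from '../../utils/authHelpers.js';
import { hashPassword } from '../../utils/password.js';
import { buildUpdateQuery } from '../../utils/queryBuilder.js';

// Roles an admin may assign; any other value is rejected with 400.
const ROLES = ['admin', 'leader', 'member'];

/**
 * Validate the optional `role` field of the request body.
 * @param {unknown} role - raw body value (caller already checked it is not undefined)
 * @returns {string} one of ROLES
 * @throws 400 when the value is not a known role (covers empty, null and non-string values,
 *   since none of those are members of ROLES)
 */
function validateRole(role) {
  if (!ROLES.includes(role)) {
    throw createError({ statusCode: 400, message: 'role must be admin, leader, or member' });
  }
  return role;
}

/**
 * Validate the optional `identifier` field for a local-auth user.
 * @param {unknown} raw - raw body value (caller already checked it is not undefined)
 * @returns {string} trimmed identifier, guaranteed non-empty
 * @throws 400 when the value is not a string or is blank after trimming
 */
function validateIdentifier(raw) {
  // A non-string body value (number, object, null) previously reached `.trim()`
  // and surfaced as an uncaught TypeError (500); treat it as a validation failure.
  const identifier = typeof raw === 'string' ? raw.trim() : '';
  if (!identifier) {
    throw createError({ statusCode: 400, message: 'identifier cannot be empty' });
  }
  return identifier;
}

/**
 * Validate the optional `password` field for a local-auth user.
 * @param {unknown} raw - raw body value (caller already excluded undefined and '')
 * @returns {string} the plaintext password to be hashed
 * @throws 400 when the value is not a string
 */
function validatePassword(raw) {
  if (typeof raw !== 'string') {
    throw createError({ statusCode: 400, message: 'password cannot be empty' });
  }
  return raw;
}

/**
 * Shape a users row into the response object; never includes password_hash.
 * @param {{id: unknown, identifier: unknown, role: unknown, auth_provider?: unknown}} row
 * @returns {{id: unknown, identifier: unknown, role: unknown, auth_provider: unknown}}
 */
function toPublicUser(row) {
  return {
    id: row.id,
    identifier: row.identifier,
    role: row.role,
    // A null/undefined provider is reported as 'local', for both the no-op and the updated path.
    auth_provider: row.auth_provider ?? 'local',
  };
}

/**
 * PATCH /users/:id (admin only): update role, and for local accounts identifier
 * and/or password. Fields absent from the body are left unchanged.
 *
 * Responds 400 on missing id or invalid field values, 404 when the user does
 * not exist, 409 when the identifier is already taken by another user, and
 * otherwise returns the public shape of the (possibly unchanged) user.
 */
export default defineEventHandler(async (event) => {
  requireAuth(event, { role: 'admin' });
  const id = event.context.params?.id;
  if (!id) throw createError({ statusCode: 400, message: 'id required' });
  const body = await readBody(event);
  const db = await getDb();

  return withTransaction(db, async ({ run, get }) => {
    // password_hash is not needed by this handler, so it is not selected.
    const user = await get(
      'SELECT id, identifier, role, auth_provider FROM users WHERE id = ?',
      [id],
    );
    if (!user) throw createError({ statusCode: 404, message: 'User not found' });

    const updates = {};
    if (body?.role !== undefined) {
      updates.role = validateRole(body.role);
    }

    // identifier and password are only editable for local accounts; for other
    // providers those body fields are ignored without error.
    if (user.auth_provider === 'local') {
      if (body?.identifier !== undefined) {
        const identifier = validateIdentifier(body.identifier);
        // NOTE(review): this check runs inside the transaction, but a unique
        // constraint on users.identifier is the authoritative guard — confirm it exists.
        const existing = await get(
          'SELECT id FROM users WHERE identifier = ? AND id != ?',
          [identifier, id],
        );
        if (existing) {
          throw createError({ statusCode: 409, message: 'Identifier already in use' });
        }
        updates.identifier = identifier;
      }
      // An empty password string means "leave unchanged", not "set to empty".
      if (body?.password !== undefined && body.password !== '') {
        // hashPassword is used synchronously here as in the original; if it
        // returns a Promise this must be awaited — TODO confirm its signature.
        updates.password_hash = hashPassword(validatePassword(body.password));
      }
    }

    if (Object.keys(updates).length === 0) {
      return toPublicUser(user);
    }

    const { query, params } = buildUpdateQuery('users', null, updates);
    if (query) {
      await run(query, [...params, id]);
    }
    const updated = await get(
      'SELECT id, identifier, role, auth_provider FROM users WHERE id = ?',
      [id],
    );
    // Defensive: the row was just read in this transaction, so this should not trigger.
    if (!updated) throw createError({ statusCode: 404, message: 'User not found' });
    return toPublicUser(updated);
  });
});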