import { NextRequest, NextResponse } from "next/server";
import { auth, getAuthSession } from "@/lib/auth";
import { db } from "@/lib/db";
import { serverSettings } from "@/lib/db/schema";
import { checkRateLimit, getClientIp } from "@/lib/security/rateLimit";
import { z } from "zod";

const UpdateSettingsSchema = z.object({
  minecraftPath: z.string().optional(),
  serverJar: z.string().optional(),
  serverVersion: z.string().optional(),
  serverType: z.enum(["vanilla", "paper", "spigot", "bukkit", "fabric", "forge", "bedrock"]).optional(),
  maxRam: z.number().min(512).max(32768).optional(),
  minRam: z.number().min(256).max(32768).optional(),
  rconEnabled: z.boolean().optional(),
  rconPort: z.number().min(1).max(65535).optional(),
  rconPassword: z.string().min(8).optional(),
  javaArgs: z.string().max(1000).optional(),
  autoStart: z.boolean().optional(),
  restartOnCrash: z.boolean().optional(),
  backupEnabled: z.boolean().optional(),
  backupSchedule: z.string().optional(),
  bluemapEnabled: z.boolean().optional(),
  bluemapUrl: z.string().url().optional().or(z.literal("")),
});

export async function GET(req: NextRequest) {
  const session = await getAuthSession(req.headers);
  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });

  const settings = await db.select().from(serverSettings).get();
  // Never return RCON password
  if (settings) {
    const { rconPassword: _, ...safe } = settings;
    return NextResponse.json({ settings: safe });
  }
  return NextResponse.json({ settings: null });
}

export async function PATCH(req: NextRequest) {
  const session = await getAuthSession(req.headers);
  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  if (session.user.role !== "superadmin") {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

  const ip = getClientIp(req);
  const { allowed } = checkRateLimit(ip);
  if (!allowed) return NextResponse.json({ error: "Too many requests" }, { status: 429 });

  let body: z.infer<typeof UpdateSettingsSchema>;
  try {
    body = UpdateSettingsSchema.parse(await req.json());
  } catch {
    return NextResponse.json({ error: "Invalid request" }, { status: 400 });
  }

  const existing = await db.select().from(serverSettings).get();
  if (existing) {
    await db.update(serverSettings).set({ ...body, updatedAt: Date.now() });
  } else {
    await db.insert(serverSettings).values({ id: 1, ...body, updatedAt: Date.now() });
  }

  return NextResponse.json({ success: true });
}