@page "/user-audit"
@attribute [Authorize]
@inject IUserSessionService Session
@inject ISessionManager SessionMgr
@inject IUserAccessAuditService AuditSvc
@inject IGraphUserDirectoryService GraphSvc
@inject UserAccessCsvExportService CsvExport
@inject UserAccessHtmlExportService HtmlExport
@inject WebExportService WebExport
@inject IAuditService Audit
@inject TranslationSource T
@rendermode InteractiveServer

<h1 class="page-title">@T["tab.userAccessAudit"]</h1>
<p class="page-subtitle">@T["audit.subtitle"]</p>

@if (!Session.HasProfile) { <NoProfilePrompt /> return; }

<div class="card">
    <div class="form-group">
        <div class="flex-row">
            <label class="form-label" style="margin:0">@T["audit.lbl.users"]</label>
            <div class="spacer"></div>
            <label style="font-weight:normal"><input type="checkbox" @bind="_includeGuests" /> @T["directory.chk.guests"]</label>
            <button class="btn btn-secondary btn-sm" @onclick="LoadUsers" disabled="@_loadingUsers">
                @(_loadingUsers ? string.Format(T["audit.btn.loading"], _loadCount) : T["audit.btn.loadUsers"])
            </button>
        </div>

        @if (_directoryUsers.Count > 0)
        {
            <div class="flex-row mt-8">
                <input class="form-input" style="width:260px" @bind="_userFilter" @bind:event="oninput" placeholder="@T["audit.ph.filterUsers"]" />
                <span class="text-muted">@string.Format(T["audit.lbl.selectedCount"], _selectedEmails.Count)</span>
                <div class="spacer"></div>
                <button class="btn btn-link btn-sm" @onclick="SelectAllFiltered">@string.Format(T["audit.btn.selectAll"], FilteredUsers.Count())</button>
                <button class="btn btn-link btn-sm" @onclick="ClearSelection">@T["settings.logo.clear"]</button>
            </div>
            <div class="user-select-list">
                @foreach (var u in FilteredUsers.Take(500))
                {
                    var email = u.Mail ?? u.UserPrincipalName;
                    <label class="user-select-row">
                        <input type="checkbox" checked="@_selectedEmails.Contains(email)"
                               @onchange="e => ToggleUser(email, (bool)e.Value!)" />
                        <span class="user-select-name">@u.DisplayName</span>
                        <span class="text-muted">@email</span>
                        @if (u.UserType == "Guest") { <span class="chip chip-yellow">@T["common.guest"]</span> }
                    </label>
                }
            </div>
            @if (FilteredUsers.Count() > 500) { <div class="text-muted mt-8">@T["audit.msg.showFirst500Filter"]</div> }
        }

        <label class="form-label mt-8">@T["audit.lbl.additionalEmails"]</label>
        <textarea class="form-textarea" @bind="_users" placeholder="alice@contoso.com&#10;bob@contoso.com" rows="2"></textarea>
    </div>
    <SitePicker Profile="Session.CurrentProfile!" @bind-SelectedSites="_sites" />
    <div class="form-row">
        <div class="form-group" style="display:flex;align-items:center;gap:16px;padding-top:20px">
            <label><input type="checkbox" @bind="_includeInherited" /> @T["audit.chk.includeInherited"]</label>
            <label><input type="checkbox" @bind="_scanFolders" /> @T["chk.scan.folders"]</label>
            <label><input type="checkbox" @bind="_includeSubsites" /> @T["chk.include.subsites"]</label>
        </div>
    </div>
    <div class="flex-row mt-8">
        <button class="btn btn-primary" @onclick="RunAudit" disabled="@_running">
            @(_running ? T["audit.btn.auditing"] : T["audit.btn.auditUsers"])
        </button>
        @if (_running) { <button class="btn btn-secondary" @onclick="Cancel">@T["btn.cancel"]</button> }
    </div>
    <ProgressPanel IsRunning="_running" StatusMessage="@_status" Current="_current" Total="_total" />
</div>

@if (!string.IsNullOrEmpty(_error)) { <div class="alert alert-error">@_error</div> }

@if (_results.Count > 0)
{
    <div class="card">
        <div class="flex-row">
            <div class="card-title">@T["audit.results.title"] <span class="count-badge">@_results.Count</span></div>
            <div class="spacer"></div>
            <button class="btn btn-secondary btn-sm" @onclick="ExportCsv">@T["audit.btn.exportCsv"]</button>
            <button class="btn btn-secondary btn-sm" @onclick="ExportHtml">@T["audit.btn.exportHtml"]</button>
        </div>
        <div class="data-table-wrap">
            <table class="data-table">
                <thead><tr><th>@T["report.col.user"]</th><th>@T["report.col.site"]</th><th>@T["report.col.object"]</th><th>@T["audit.col.permission"]</th><th>@T["report.col.access_type"]</th><th>@T["report.col.granted_through"]</th></tr></thead>
                <tbody>
                    @foreach (var r in _results.Take(500))
                    {
                        <tr>
                            <td>@r.UserDisplayName</td>
                            <td>@r.SiteTitle</td>
                            <td>@r.ObjectTitle <span class="text-muted">(@r.ObjectType)</span></td>
                            <td>@r.PermissionLevel @if (r.IsHighPrivilege) { <span class="chip chip-red">@T["audit.chip.high"]</span> }</td>
                            <td>@r.AccessType</td>
                            <td>@r.GrantedThrough</td>
                        </tr>
                    }
                </tbody>
            </table>
        </div>
        @if (_results.Count > 500) { <div class="text-muted mt-8">@T["audit.msg.showFirst500Export"]</div> }
    </div>
}

@code {
    private string _users = string.Empty;
    private bool _includeGuests, _loadingUsers;
    private int _loadCount;
    private string _userFilter = string.Empty;
    private List<GraphDirectoryUser> _directoryUsers = new();
    private readonly HashSet<string> _selectedEmails = new(StringComparer.OrdinalIgnoreCase);
    private List<SiteInfo> _sites = new();

    private IEnumerable<GraphDirectoryUser> FilteredUsers => string.IsNullOrWhiteSpace(_userFilter)
        ? _directoryUsers
        : _directoryUsers.Where(u => u.DisplayName.Contains(_userFilter, StringComparison.OrdinalIgnoreCase)
            || u.UserPrincipalName.Contains(_userFilter, StringComparison.OrdinalIgnoreCase)
            || (u.Mail?.Contains(_userFilter, StringComparison.OrdinalIgnoreCase) ?? false));

    private async Task LoadUsers()
    {
        _error = string.Empty; _loadingUsers = true; _loadCount = 0;
        var progress = new Progress<int>(c => { _loadCount = c; InvokeAsync(StateHasChanged); });
        try
        {
            _directoryUsers = (await GraphSvc.GetUsersAsync(Session.CurrentProfile!, _includeGuests, progress)).ToList();
        }
        catch (Exception ex) { _error = ex.Message; }
        finally { _loadingUsers = false; await InvokeAsync(StateHasChanged); }
    }

    private void ToggleUser(string email, bool selected)
    {
        if (selected) _selectedEmails.Add(email); else _selectedEmails.Remove(email);
    }

    private void SelectAllFiltered()
    {
        foreach (var u in FilteredUsers) _selectedEmails.Add(u.Mail ?? u.UserPrincipalName);
    }

    private void ClearSelection() => _selectedEmails.Clear();
    private bool _includeInherited, _includeSubsites, _scanFolders = true;
    private bool _running; private string _status = string.Empty, _error = string.Empty;
    private int _current, _total;
    private List<UserAccessEntry> _results = new();
    private CancellationTokenSource? _cts;

    private async Task RunAudit()
    {
        _error = string.Empty; _results.Clear(); _running = true;
        _cts = new CancellationTokenSource();
        var userList = _selectedEmails
            .Concat(_users.Split('\n', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries))
            .Distinct(StringComparer.OrdinalIgnoreCase).ToList();
        if (!userList.Any()) { _error = T["audit.err.noUsersOrEmail"]; _running = false; return; }
        var siteList = _sites.ToList();
        if (!siteList.Any()) siteList.Add(new SiteInfo(Session.CurrentProfile!.TenantUrl, Session.CurrentProfile.Name));
        var progress = new Progress<OperationProgress>(p => { _status = p.Message; _current = p.Current; _total = p.Total; InvokeAsync(StateHasChanged); });
        try
        {
            var opts = new ScanOptions(_includeInherited, _scanFolders, 1, _includeSubsites);
            _results = (await AuditSvc.AuditUsersAsync(SessionMgr, Session.CurrentProfile!, userList, siteList, opts, progress, _cts.Token)).ToList();
            _status = string.Format(T["audit.status.found"], _results.Count);
            await Audit.LogAsync("UserAccessAudit", Session.CurrentProfile?.Name ?? "", siteList.Select(s => s.Url),
                $"{_results.Count} entries for {userList.Count} user(s)");
        }
        catch (OperationCanceledException) { _status = T["audit.status.cancelled"]; }
        catch (Exception ex) { _error = ex.Message; }
        finally { _running = false; await InvokeAsync(StateHasChanged); }
    }

    private void Cancel() => _cts?.Cancel();
    private async Task ExportCsv() { await WebExport.DownloadCsvAsync(CsvExport.BuildCsv(_results.FirstOrDefault()?.UserDisplayName ?? "Users", _results.FirstOrDefault()?.UserLogin ?? "", _results), $"user_audit_{DateTime.Now:yyyyMMdd_HHmmss}.csv"); }
    private async Task ExportHtml() { await WebExport.DownloadHtmlAsync(HtmlExport.BuildHtml(_results, branding: Session.CurrentBranding), $"user_audit_{DateTime.Now:yyyyMMdd_HHmmss}.html"); }
}