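const express = require("express");
const { User } = require("../models");
const {
  authenticate,
  authorizeAdmin,
  authorizeManager,
} = require("../middleware/auth");

const router = express.Router();

// Roles this router is willing to assign. The create route already reasons in
// terms of exactly these three, so anything else is rejected up front instead
// of being handed to the model layer.
const KNOWN_ROLES = ["user", "manager", "admin"];

/**
 * Whether `actor` (the authenticated caller, i.e. `req.user`) may modify or
 * delete `target` (a User row).
 *
 * This mirrors the rule the create route already enforces: an admin may act on
 * anyone, a manager may never touch an admin account. Without this check the
 * password-reset and delete routes below would let a manager reset an admin's
 * password (taking over that account) or delete the admin outright, which is
 * a straightforward privilege escalation past the "managers cannot create
 * admins" rule.
 *
 * @param {{ role: string }} actor
 * @param {{ role: string }} target
 * @returns {boolean}
 */
function canActOn(actor, target) {
  if (actor.role === "admin") return true;
  return target.role !== "admin";
}

/**
 * Minimal shape check for a password coming off the request body: it must be
 * a non-empty string. Anything stronger (length, complexity) belongs to the
 * model or a shared validator, not this router.
 *
 * @param {unknown} password
 * @returns {boolean}
 */
function isValidPassword(password) {
  return typeof password === "string" && password.length > 0;
}

// GET / — list users (admin and manager).
// Only id/username/role are selected, so the password column never leaves the
// database through this route.
router.get("/", authenticate, authorizeManager, async (req, res) => {
  try {
    const users = await User.findAll({
      attributes: ["id", "username", "role"],
    });
    res.json(users);
  } catch (error) {
    // Deliberately opaque: never echo ORM/driver errors to the client.
    res.status(500).json({ message: "Server error" });
  }
});

// POST / — create a user (admin and manager).
// Body: { username, password, role? } — role defaults to "user".
// Managers may only create "user" or "manager" accounts; admins may create any
// known role.
router.post("/", authenticate, authorizeManager, async (req, res) => {
  try {
    const { username, password, role } = req.body;
    const userRole = role || "user";

    if (typeof username !== "string" || username.length === 0) {
      return res.status(400).json({ message: "Username is required" });
    }
    if (!isValidPassword(password)) {
      return res.status(400).json({ message: "Password is required" });
    }

    // Managers cannot create admins
    if (userRole === "admin" && req.user.role !== "admin") {
      return res
        .status(403)
        .json({ message: "Managers cannot create admin users" });
    }

    // Managers can only create users or managers
    if (
      req.user.role === "manager" &&
      !["user", "manager"].includes(userRole)
    ) {
      return res
        .status(403)
        .json({ message: "Managers can only create users or managers" });
    }

    // Reached only by callers allowed to pick freely (admins): still restrict
    // them to roles this application actually knows about.
    if (!KNOWN_ROLES.includes(userRole)) {
      return res.status(400).json({ message: "Invalid role" });
    }

    // NOTE(review): this file never hashes `password`; it assumes the User
    // model does so in a create/save hook. Confirm in ../models before relying
    // on it.
    const user = await User.create({
      username,
      password,
      role: userRole,
    });

    res
      .status(201)
      .json({ id: user.id, username: user.username, role: user.role });
  } catch (error) {
    if (error.name === "SequelizeUniqueConstraintError") {
      return res.status(400).json({ message: "Username already exists" });
    }
    res.status(500).json({ message: "Server error" });
  }
});

// PUT /:id/password — reset a user's password (admin and manager).
// Body: { password }. A manager may not reset an admin's password.
router.put(
  "/:id/password",
  authenticate,
  authorizeManager,
  async (req, res) => {
    try {
      const { password } = req.body;
      if (!isValidPassword(password)) {
        return res.status(400).json({ message: "Password is required" });
      }

      const user = await User.findByPk(req.params.id);
      if (!user) {
        return res.status(404).json({ message: "User not found" });
      }

      // Same rule as creation: managers cannot act on admin accounts.
      if (!canActOn(req.user, user)) {
        return res
          .status(403)
          .json({ message: "Managers cannot modify admin users" });
      }

      // NOTE(review): assumes the model hashes on save (see POST /).
      user.password = password;
      await user.save();

      res.json({ message: "Password updated" });
    } catch (error) {
      res.status(500).json({ message: "Server error" });
    }
  }
);

// DELETE /:id — delete a user (admin and manager).
// A manager may not delete an admin account.
router.delete("/:id", authenticate, authorizeManager, async (req, res) => {
  try {
    const user = await User.findByPk(req.params.id);
    if (!user) {
      return res.status(404).json({ message: "User not found" });
    }

    // Same rule as creation: managers cannot act on admin accounts.
    if (!canActOn(req.user, user)) {
      return res
        .status(403)
        .json({ message: "Managers cannot delete admin users" });
    }

    await user.destroy();
    res.json({ message: "User deleted" });
  } catch (error) {
    res.status(500).json({ message: "Server error" });
  }
});

module.exports = router;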