using CMSMicroservice.Domain.Events;
using Microsoft.Extensions.Configuration;
using System.Security.Cryptography;
using System.Text;
namespace CMSMicroservice.Application.OtpTokenCQ.Commands.VerifyOtpToken;
public class VerifyOtpTokenCommandHandler : IRequestHandler<VerifyOtpTokenCommand, VerifyOtpTokenResponseDto>
{
    private readonly IApplicationDbContext _context;
    private readonly IConfiguration _cfg;

    public VerifyOtpTokenCommandHandler(IApplicationDbContext context, IConfiguration cfg)
    {
        _context = context;
        _cfg = cfg;
    }

    const int MaxAttempts = 5;              // محدودیت تلاش    
    public async Task<VerifyOtpTokenResponseDto> Handle(VerifyOtpTokenCommand request, CancellationToken cancellationToken)
    {
        var mobile = request.Mobile.NormalizeIranMobile();
        var purpose = request.Purpose?.ToLowerInvariant() ?? "signup";
        var now = DateTime.Now;


        var otp = await _context.OtpTokens
            .Where(o => o.Mobile == mobile && o.Purpose == purpose && !o.IsUsed && o.ExpiresAt > now)
            .OrderByDescending(o => o.Created)
            .FirstOrDefaultAsync(cancellationToken);

        if (otp is null) return new VerifyOtpTokenResponseDto() { Success = false, Message = "کد پیدا نشد یا منقضی شده است." };

        if (otp.Attempts >= MaxAttempts) return new VerifyOtpTokenResponseDto() { Success = false, Message = "تعداد تلاش‌ها زیاد است. دوباره کد بگیرید." };

        otp.Attempts++;

        if (!VerifyHash(request.Code, otp.CodeHash))
        {
            await _context.SaveChangesAsync(cancellationToken);
            return new VerifyOtpTokenResponseDto() { Success = false, Message = "کد نادرست است." };
        }

        // موفق
        otp.IsUsed = true;

        // کاربر را بساز/به‌روزرسانی کن
        var user = await _context.Users.FirstOrDefaultAsync(u => u.Mobile == mobile, cancellationToken);
        if (user is null)
        {
            user = new User
            {
                Mobile = mobile,
                ReferralCode = UtilExtensions.Generate(digits: 10, firstDigitNonZero: true),
                IsMobileVerified = true,
                MobileVerifiedAt = now,
                IsRulesAccepted = true,
                RulesAcceptedAt = now,
            };
            await _context.Users.AddAsync(user, cancellationToken);
            user.AddDomainEvent(new CreateNewUserEvent(user));
            await _context.SaveChangesAsync(cancellationToken);
        }
        else
        {
            user.IsMobileVerified = true;
            user.MobileVerifiedAt ??= now;

            _context.Users.Update(user);
            user.AddDomainEvent(new UpdateUserEvent(user));
            await _context.SaveChangesAsync(cancellationToken);
        }

        return new VerifyOtpTokenResponseDto()
        {
            Success = true,
            Message = "اعتبارسنجی موفق.",
            UserId = user.Id,
            RemainingAttempts = MaxAttempts,
            RemainingSeconds = (otp.ExpiresAt - now).Seconds
        };
    }

    private string Hash(string code)
    {
        // HMAC با secret اپ (نیازی به ذخیره salt جدا نیست)
        var secret = _cfg["Otp:Secret"] ?? throw new InvalidOperationException("Otp:Secret not set");
        using var h = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        var hash = h.ComputeHash(Encoding.UTF8.GetBytes(code));
        return Convert.ToHexString(hash);
    }
    private bool VerifyHash(string code, string hexHash) => Hash(code).Equals(hexHash, StringComparison.OrdinalIgnoreCase);

}