#!/usr/bin/env bash
set -euo pipefail

# Directory that contains this script; libenv.sh is expected to sit next to it.
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# shellcheck source=/dev/null
source "$SCRIPT_DIR/libenv.sh"

# Main env file, resolved by libenv.sh; every command below reads it, and
# `regenerate` writes the new password hash back into it.
ENV_FILE=$(limristem_mail_resolve_main_env_file)

usage() {
  # Print the command summary to stdout (one line per printf argument).
  printf '%s\n' \
    'Usage: manage-api-credentials.sh <command>' \
    '' \
    'Commands:' \
    '  show [--json]        Show current API admin username and endpoint info' \
    '  regenerate [--json]  Generate a new API admin password, update env, restart API'
}

ensure_env() {
  # Abort with status 1 unless ENV_FILE exists, then load it through libenv.sh.
  # Globals: ENV_FILE (read)
  [[ -f "$ENV_FILE" ]] || {
    echo "Error: $ENV_FILE not found" >&2
    exit 1
  }
  limristem_mail_load_env_file "$ENV_FILE"
}

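show_credentials() {
  # Print the API admin username, the endpoint URL and the hostname.
  # Arguments: $1 - "--json" for a single-line JSON object, anything else for text
  # Globals:   LIMRISTEM_MAIL_* (read, after ensure_env has loaded the env file)
  # Outputs:   report on stdout
  ensure_env
  local api_user=${LIMRISTEM_MAIL_API_ADMIN_USER:-admin}
  local api_bind=${LIMRISTEM_MAIL_API_BIND:-127.0.0.1}
  local api_port=${LIMRISTEM_MAIL_API_PORT:-8080}
  # Fall back to the FQDN, then to "localhost", when the env file sets no hostname.
  local hostname=${LIMRISTEM_MAIL_HOSTNAME:-$(hostname -f 2>/dev/null || echo localhost)}
  local enable_nginx=${LIMRISTEM_MAIL_ENABLE_NGINX:-no}

  # With nginx in front the API is reached over TLS on the public hostname,
  # otherwise directly on the bind address/port.
  local endpoint
  if [[ "$enable_nginx" == "yes" ]]; then
    endpoint="https://${hostname}/"
  else
    endpoint="http://${api_bind}:${api_port}/"
  fi

  if [[ "${1:-}" == "--json" ]]; then
    # Escape backslashes and double quotes so env values containing them
    # cannot break the JSON structure (control characters are not handled).
    local j_user=${api_user//\\/\\\\} j_endpoint=${endpoint//\\/\\\\} j_host=${hostname//\\/\\\\}
    j_user=${j_user//\"/\\\"}
    j_endpoint=${j_endpoint//\"/\\\"}
    j_host=${j_host//\"/\\\"}
    printf '{"api_admin_user":"%s","api_endpoint":"%s","hostname":"%s"}\n' \
      "$j_user" "$j_endpoint" "$j_host"
  else
    printf '%s\n' "API admin user: $api_user"
    printf '%s\n' "API endpoint  : $endpoint"
    printf '%s\n' "Hostname      : $hostname"
  fi
}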

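regenerate_credentials() {
  # Rotate the API admin password: draw a random password, store only its
  # argon2id hash in the env file, ask systemd to restart the service, and
  # print the clear-text password once (text or JSON on stdout).
  # Arguments: $1 - "--json" for JSON output, anything else for text
  # Globals:   ENV_FILE (read), LIMRISTEM_MAIL_* (read after ensure_env)
  # Exits:     1 when the env file or the Python venv is missing, or when the
  #            password or its hash could not be produced
  ensure_env
  local base_dir=${LIMRISTEM_MAIL_BASE_DIR:-/opt/limristem-mail}
  local venv="$base_dir/.venv"

  if [[ ! -x "$venv/bin/python" ]]; then
    echo "Error: Python venv not found at $venv" >&2
    exit 1
  fi

  # 24 symbols drawn from a 65-symbol alphabet (about 144 bits). The alphabet
  # has no JSON- or shell-special characters, so the value is printed verbatim.
  local -r pass_len=24
  local new_pass
  new_pass=$(head -c "$pass_len" <(tr -dc 'A-Za-z0-9@_+' < /dev/urandom); echo)
  # The trailing `echo` masks a failing `head`; without this check an empty
  # password would be hashed and installed as the admin credential.
  if (( ${#new_pass} != pass_len )); then
    echo "Error: could not generate a random password" >&2
    exit 1
  fi

  # The password is handed to Python via the environment rather than argv,
  # so it is not part of the visible command line.
  local new_hash
  new_hash=$(
    LIMRISTEM_MAIL_API_ADMIN_PASS="$new_pass" "$venv/bin/python" - <<'PY'
from os import environ
from passlib.context import CryptContext
context = CryptContext(schemes=["argon2"], default="argon2", argon2__type="ID")
print(context.hash(environ["LIMRISTEM_MAIL_API_ADMIN_PASS"]))
PY
  )
  if [[ -z "$new_hash" ]]; then
    echo "Error: password hashing produced no output" >&2
    exit 1
  fi

  limristem_mail_upsert_env_value "$ENV_FILE" LIMRISTEM_MAIL_API_ADMIN_PASS_HASH "$new_hash"

  # Best effort, but not silent: until the service restarts it keeps using the
  # previous hash, so the operator must learn that the new password is not live.
  if ! systemctl restart --no-block limristem-mail 2>/dev/null; then
    echo "Warning: could not restart limristem-mail; the new password takes effect only after the service is restarted" >&2
  fi

  local api_user=${LIMRISTEM_MAIL_API_ADMIN_USER:-admin}
  # Fall back to the FQDN, then to "localhost", when the env file sets no hostname.
  local hostname=${LIMRISTEM_MAIL_HOSTNAME:-$(hostname -f 2>/dev/null || echo localhost)}
  local enable_nginx=${LIMRISTEM_MAIL_ENABLE_NGINX:-no}
  local api_bind=${LIMRISTEM_MAIL_API_BIND:-127.0.0.1}
  local api_port=${LIMRISTEM_MAIL_API_PORT:-8080}

  # With nginx in front the API is reached over TLS on the public hostname,
  # otherwise directly on the bind address/port.
  local endpoint
  if [[ "$enable_nginx" == "yes" ]]; then
    endpoint="https://${hostname}/"
  else
    endpoint="http://${api_bind}:${api_port}/"
  fi

  if [[ "${1:-}" == "--json" ]]; then
    # Escape backslashes and double quotes in env-derived values so they cannot
    # break the JSON structure; new_pass needs none (see alphabet above).
    local j_user=${api_user//\\/\\\\} j_endpoint=${endpoint//\\/\\\\} j_host=${hostname//\\/\\\\}
    j_user=${j_user//\"/\\\"}
    j_endpoint=${j_endpoint//\"/\\\"}
    j_host=${j_host//\"/\\\"}
    printf '{"api_admin_user":"%s","api_admin_pass":"%s","api_endpoint":"%s","hostname":"%s"}\n' \
      "$j_user" "$new_pass" "$j_endpoint" "$j_host"
  else
    printf '%s\n' "API admin user    : $api_user"
    printf '%s\n' "API admin password: $new_pass"
    printf '%s\n' "API endpoint      : $endpoint"
    printf '%s\n' ""
    printf '%s\n' "Conserva questa password: nel file env viene salvato solo l'hash."
  fi
}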

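# Entry point: $1 selects the command, optional $2 is the output flag.
cmd=${1:-}
opt=${2:-}
# Only --json is a valid flag. Refuse anything else up front instead of
# silently treating it as text mode, because for `regenerate` a mistyped flag
# would still rotate the admin password.
if [[ ( "$cmd" == "show" || "$cmd" == "regenerate" ) && -n "$opt" && "$opt" != "--json" ]]; then
  printf 'Error: unknown option %s\n' "$opt" >&2
  usage
  exit 1
fi
case "$cmd" in
  show)        show_credentials "$opt" ;;
  regenerate)  regenerate_credentials "$opt" ;;
  -h|--help)   usage ;;
  *)           usage; exit 1 ;;
esac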
