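using System;
using System.Linq;
using System.Security.Principal;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using FakeNTLMServer.Common;
using FakeNTLMServer.Model;

namespace FakeNTLMServer.Controllers;

/// <summary>
/// Authentication endpoints of the fake NTLM server. The GET actions only read the
/// principal already established by the authentication middleware; the POST action
/// validates explicit username/password credentials through <see cref="NtlmHelper"/>.
/// </summary>
[ApiController]
[Route("[controller]")]
public class AuthController : ControllerBase
{
    /// <summary>
    /// Returns the caller's identity as the authentication middleware established it.
    /// </summary>
    /// <returns>200 with name, authentication type, authenticated flag and the claims.</returns>
    [Authorize]
    [HttpGet("me")]
    public IActionResult GetMe()
    {
        var identity = User.Identity;
        return Ok(new
        {
            identity?.Name,
            identity?.AuthenticationType,
            identity?.IsAuthenticated,
            Claims = User.Claims.Select(claim => new { claim.Type, claim.Value }),
        });
    }

    /// <summary>
    /// NTLM/Negotiate login endpoint.
    /// Triggers the NTLM handshake and returns authenticated user info.
    /// </summary>
    /// <returns>
    /// 200 with the identity and claims; 401 when the principal is missing or not
    /// authenticated. With <see cref="AuthorizeAttribute"/> on the action the 401 branch is
    /// defensive — the middleware is expected to reject unauthenticated callers earlier.
    /// </returns>
    [Authorize]
    [HttpGet("login")]
    public IActionResult Login()
    {
        var identity = User.Identity;
        if (identity is null || !identity.IsAuthenticated)
        {
            return Unauthorized(new { Message = "NTLM authentication failed." });
        }

        return Ok(new
        {
            Message = "NTLM authentication successful.",
            identity.Name,
            identity.AuthenticationType,
            identity.IsAuthenticated,
            Claims = User.Claims.Select(claim => new { claim.Type, claim.Value }),
        });
    }

    /// <summary>
    /// Validates Windows credentials (username/password) using the Win32 LogonUser API.
    /// Works on local Kestrel without IIS or Negotiate middleware.
    /// </summary>
    /// <param name="request">
    /// Body carrying <c>Username</c>, <c>Password</c> and an optional <c>Domain</c>. A domain
    /// embedded in the username (<c>DOMAIN\user</c> or <c>user@domain</c>) takes precedence
    /// over <c>Domain</c>; when neither is given the local machine (<c>"."</c>) is used.
    /// </param>
    /// <returns>
    /// 400 when the body or the username is missing, 401 when the credentials are rejected,
    /// otherwise 200 with the logged-on identity and its claims.
    /// </returns>
    [AllowAnonymous]
    [HttpPost("login")]
    public IActionResult LoginWithCredentials([FromBody] Login request)
    {
        // Anonymous endpoint that takes a password from the request body: reject a missing
        // body or username before calling into the OS logon API. The original code would
        // throw NullReferenceException on a null Username (Contains on null).
        if (request is null || string.IsNullOrWhiteSpace(request.Username))
        {
            return BadRequest(new { Message = "Username is required." });
        }

        var (username, domain) = SplitDomain(request.Username, request.Domain ?? ".");

        // Only a generic failure message is returned so the response does not reveal
        // whether the account exists. NOTE(review): throttling and logging of failed
        // attempts are not visible here — confirm the host applies them to this route.
        if (!NtlmHelper.ValidateCredentials(username, domain, request.Password, out var token))
        {
            return Unauthorized(new { Message = "Invalid username or password." });
        }

        using (token)
        {
            // WindowsIdentity is itself IDisposable (it holds its own copy of the logon
            // token), so release it together with the SafeHandle obtained from the helper.
            // All values placed in the response are materialized before disposal.
            using var windowsIdentity = new WindowsIdentity(token.DangerousGetHandle());
            var claims = windowsIdentity.Claims.Select(c => new { c.Type, c.Value }).ToList();
            return Ok(new
            {
                Message = "Authentication successful.",
                Name = windowsIdentity.Name,
                AuthenticationType = windowsIdentity.AuthenticationType,
                IsAuthenticated = windowsIdentity.IsAuthenticated,
                Claims = claims,
            });
        }
    }

    /// <summary>
    /// Lightweight authenticated probe: only the principal's name and authentication type.
    /// </summary>
    [Authorize]
    [HttpGet("status")]
    public IActionResult Status() => Ok(new { User.Identity?.Name, User.Identity?.AuthenticationType });

    /// <summary>
    /// Separates an inline domain from <paramref name="username"/>:
    /// <c>DOMAIN\user</c> yields (user, DOMAIN) and <c>user@domain</c> yields (user, domain).
    /// Any other form is returned unchanged with <paramref name="defaultDomain"/>.
    /// NOTE(review): the UPN form is split into user + domain rather than passed through
    /// whole; confirm this matches what <see cref="NtlmHelper"/> expects.
    /// </summary>
    private static (string Username, string Domain) SplitDomain(string username, string defaultDomain)
    {
        if (username.Contains('\\'))
        {
            var parts = username.Split('\\', 2);
            return (parts[1], parts[0]);
        }

        if (username.Contains('@'))
        {
            var parts = username.Split('@', 2);
            return (parts[0], parts[1]);
        }

        return (username, defaultDomain);
    }
}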