import NextAuth from 'next-auth';
import Credentials from 'next-auth/providers/credentials';
import { prisma } from '@repo/db';
import type { SessionUser } from '@repo/api';
import { env } from '../env';
import { authConfig } from './auth.config';

/**
 * ============================================================================
 *  Auth.js v5 — PLACEHOLDER configuration for the scaffold phase.
 * ============================================================================
 *
 *  The Credentials provider below accepts ANY email that exists in the User
 *  table (seeded by `pnpm db:seed`). NO PASSWORD CHECK is performed. This is
 *  deliberately minimal — just enough to populate the tRPC context with a real
 *  Auth.js session — and MUST be replaced with real authentication before any
 *  non-dev deployment.
 *
 *  Auto sign-in
 *  ------------
 *  See `resolveUser()` below. When AUTH_DEV_AUTOLOGIN=true, server-side code
 *  that has no session falls back to the seeded admin user. This is a back
 *  door and is gated by an explicit env flag whose default in .env.example is
 *  FALSE.
 *
 *      !!! NEVER set AUTH_DEV_AUTOLOGIN=true in production. !!!
 *
 *  In production with AUTH_DEV_AUTOLOGIN unset/false, requests without a
 *  signed Auth.js session resolve to user=null, and protectedProcedure throws
 *  401.
 * ============================================================================
 */

export const { handlers, auth, signIn, signOut } = NextAuth({
  ...authConfig,
  secret: env.AUTH_SECRET,
  providers: [
    Credentials({
      name: 'Email (placeholder)',
      credentials: {
        email: { label: 'Email', type: 'email' },
      },
      async authorize(credentials) {
        const email = credentials?.email;
        if (typeof email !== 'string' || !email) return null;
        const user = await prisma.user.findFirst({ where: { email } });
        if (!user) return null;
        // NO password verification — placeholder only.
        return {
          id: user.id,
          email: user.email,
          name: user.email,
          // eslint-disable-next-line @typescript-eslint/no-explicit-any
          role: user.role as any,
          // eslint-disable-next-line @typescript-eslint/no-explicit-any
          tenantId: user.tenantId as any,
        };
      },
    }),
  ],
});

/**
 * Resolve the current user for server-side code (RSC, route handlers, tRPC).
 * Single chokepoint that combines the real Auth.js session with the dev-only
 * auto-login fallback. Application code MUST use this and not call `auth()`
 * directly when it expects to honour AUTH_DEV_AUTOLOGIN.
 */
export async function resolveUser(): Promise<SessionUser | null> {
  const session = await auth();
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  const u = session?.user as any;
  if (u?.id && u?.tenantId) {
    return { id: u.id, email: u.email, role: u.role, tenantId: u.tenantId };
  }

  if (env.AUTH_DEV_AUTOLOGIN) {
    // Dev back door. Production guards: env flag default is false; this branch
    // is also a no-op if the seed user doesn't exist.
    const admin = await prisma.user.findFirst({ where: { email: 'admin@demo.local' } });
    if (admin) {
      return {
        id: admin.id,
        email: admin.email,
        // eslint-disable-next-line @typescript-eslint/no-explicit-any
        role: admin.role as any,
        tenantId: admin.tenantId,
      };
    }
  }

  return null;
}