package models

import (
	"database/sql"
	"fmt"

	"simple_portal/database"

	"golang.org/x/crypto/bcrypt"
)

// Admin represents an administrator account.
type Admin struct {
	ID       int    `json:"id"`
	Username string `json:"username"`
	Password string `json:"-"` // Never expose password hash in JSON
}

// GetAdminByUsername returns an admin by username. Returns nil if not found.
func GetAdminByUsername(username string) (*Admin, error) {
	var a Admin
	err := database.DB.QueryRow(
		"SELECT id, username, password FROM admins WHERE username = ?",
		username,
	).Scan(&a.ID, &a.Username, &a.Password)
	if err == sql.ErrNoRows {
		return nil, nil
	}
	if err != nil {
		return nil, fmt.Errorf("failed to get admin by username: %w", err)
	}
	return &a, nil
}

// CreateAdmin inserts a new admin with a bcrypt-hashed password.
func CreateAdmin(username, hashedPassword string) error {
	_, err := database.DB.Exec(
		"INSERT INTO admins (username, password) VALUES (?, ?)",
		username, hashedPassword,
	)
	if err != nil {
		return fmt.Errorf("failed to create admin: %w", err)
	}
	return nil
}

// VerifyPassword checks if the given plain-text password matches the stored bcrypt hash.
// Returns (matched, admin, error).
func VerifyPassword(username, password string) (bool, *Admin, error) {
	admin, err := GetAdminByUsername(username)
	if err != nil {
		return false, nil, err
	}
	if admin == nil {
		return false, nil, nil
	}

	err = bcrypt.CompareHashAndPassword([]byte(admin.Password), []byte(password))
	if err != nil {
		return false, nil, nil
	}
	return true, admin, nil
}

// ChangePassword updates the password hash for an admin by ID.
func ChangePassword(adminID int, newHashedPassword string) error {
	_, err := database.DB.Exec(
		"UPDATE admins SET password = ? WHERE id = ?",
		newHashedPassword, adminID,
	)
	if err != nil {
		return fmt.Errorf("failed to change password: %w", err)
	}
	return nil
}