import { serve } from "https://deno.land/std@0.168.0/http/server.ts"
import { AwsClient } from 'https://esm.sh/aws4fetch@1.0.17'
import { trySignR2Url } from "../_shared/r2_signer.ts";

const corsHeaders = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
}

serve(async (req) => {
  if (req.method === 'OPTIONS') return new Response('ok', { headers: corsHeaders })

  try {
    // 1. AUTH CHECK
    const authHeader = req.headers.get('Authorization')
    if (!authHeader) {
      return new Response(JSON.stringify({ code: 401, message: 'Missing authorization header' }), {
        status: 401,
        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
      })
    }

    // Extract user ID from JWT without full validation
    // The JWT is already validated by Supabase's edge runtime
    let userId: string
    try {
      const token = authHeader.replace('Bearer ', '')
      const payload = JSON.parse(atob(token.split('.')[1]))
      userId = payload.sub
      if (!userId) throw new Error('No user ID in token')
      console.log('Authenticated user:', userId)
    } catch (e) {
      console.error('Failed to parse JWT:', e)
      return new Response(JSON.stringify({ code: 401, message: 'Invalid JWT' }), {
        status: 401,
        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
      })
    }

    // 2. CONFIGURATION
    const R2_BUCKET_IMAGES = 'sojorn-media'
    const R2_BUCKET_VIDEOS = 'sojorn-videos'
    const ACCOUNT_ID = (Deno.env.get('R2_ACCOUNT_ID') ?? '').trim()
    const ACCESS_KEY = (Deno.env.get('R2_ACCESS_KEY') ?? '').trim()
    const SECRET_KEY = (Deno.env.get('R2_SECRET_KEY') ?? '').trim()
    if (!ACCOUNT_ID || !ACCESS_KEY || !SECRET_KEY) throw new Error('Missing R2 Secrets')

    // 3. PARSE MULTIPART FORM DATA
    const contentType = req.headers.get('content-type') || ''

    if (!contentType.includes('multipart/form-data')) {
      throw new Error('Request must be multipart/form-data')
    }

    const formData = await req.formData()
    const mediaFile = formData.get('media') as File
    const fileName = formData.get('fileName') as string
    const mediaType = formData.get('type') as string

    if (!mediaFile) {
      throw new Error('No media file provided')
    }

    if (!mediaType || (mediaType !== 'image' && mediaType !== 'video')) {
      throw new Error('Invalid or missing type parameter. Must be "image" or "video"')
    }

    // Extract and sanitize extension from filename
    let extension = mediaType === 'image' ? 'jpg' : 'mp4'
    if (fileName) {
      const parts = fileName.split('.')
      if (parts.length > 1) {
        const ext = parts[parts.length - 1].toLowerCase()
        // Only allow safe extensions
        if (mediaType === 'image' && ['jpg', 'jpeg', 'png', 'gif', 'webp'].includes(ext)) {
          extension = ext
        } else if (mediaType === 'video' && ['mp4', 'mov', 'webm'].includes(ext)) {
          extension = ext
        }
      }
    }

    const safeFileName = `${crypto.randomUUID()}.${extension}`
    const mediaContentType = mediaFile.type || (mediaType === 'image' ? 'image/jpeg' : 'video/mp4')

    console.log(`Direct upload: type=${mediaType}, fileName=${fileName}, contentType=${mediaContentType}, size=${mediaFile.size}`)

    // 4. INIT R2 CLIENT
    const r2 = new AwsClient({
      accessKeyId: ACCESS_KEY,
      secretAccessKey: SECRET_KEY,
      region: 'auto',
      service: 's3',
    })

    // 5. UPLOAD DIRECTLY TO R2 FROM EDGE FUNCTION
    const bucket = mediaType === 'image' ? R2_BUCKET_IMAGES : R2_BUCKET_VIDEOS
    const url = `https://${ACCOUNT_ID}.r2.cloudflarestorage.com/${bucket}/${safeFileName}`
    const mediaBytes = await mediaFile.arrayBuffer()

    const uploadResponse = await r2.fetch(url, {
      method: 'PUT',
      body: mediaBytes,
      headers: {
        'Content-Type': mediaContentType,
        'Content-Length': mediaBytes.byteLength.toString(),
      },
    })

    if (!uploadResponse.ok) {
      const errorText = await uploadResponse.text()
      console.error('R2 upload failed:', errorText)
      throw new Error(`R2 upload failed: ${uploadResponse.status} ${errorText}`)
    }

    console.log('Successfully uploaded to R2:', safeFileName)

    // 6. RETURN SUCCESS RESPONSE
    // Always return a signed URL to avoid public bucket access.
    const signedUrl = await trySignR2Url(safeFileName, bucket)
    if (!signedUrl) {
      throw new Error('Failed to generate signed URL')
    }

    return new Response(
      JSON.stringify({
        publicUrl: signedUrl,
        signedUrl,
        signed_url: signedUrl,
        fileKey: safeFileName,
        fileName: safeFileName,
        fileSize: mediaFile.size,
        contentType: mediaContentType,
        type: mediaType,
      }),
      {
        headers: {
          ...corsHeaders,
          'Content-Type': 'application/json',
        }
      }
    )

  } catch (error: unknown) {
    const errorMessage = error instanceof Error ? error.message : 'Unknown error'
    console.error('Upload function error:', errorMessage)
    return new Response(
      JSON.stringify({
        error: errorMessage,
        hint: 'Make sure you are logged in and R2 credentials are configured.'
      }),
      {
        status: 400,
        headers: {
          ...corsHeaders,
          'Content-Type': 'application/json'
        }
      }
    )
  }
})