import { auth } from "@/lib/auth";
import { db } from "@/lib/db";
import { usuariosApp } from "@/lib/schema";
import { createClient } from "@supabase/supabase-js";

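/**
 * Builds a Supabase client that authenticates with the service-role key.
 *
 * The service-role key is a privileged server secret (it is what makes the
 * `auth.admin` calls below possible), so this client must only ever be
 * created server-side and never exposed to a response. Session persistence
 * and token refresh are switched off because a fresh client is built per
 * request and discarded afterwards.
 *
 * @returns a Supabase client with admin privileges.
 * @throws Error when either environment variable is unset or empty. The
 *   message names the missing variable (never its value) so a misconfigured
 *   deployment fails with a clear cause instead of a generic "key required"
 *   error from the client library.
 */
function getAdminClient() {
  const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
  const serviceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;

  // Fail fast and explicitly rather than passing `undefined` through a
  // non-null assertion; the key itself is deliberately not echoed.
  if (!url) {
    throw new Error("NEXT_PUBLIC_SUPABASE_URL is not set");
  }
  if (!serviceRoleKey) {
    throw new Error("SUPABASE_SERVICE_ROLE_KEY is not set");
  }

  return createClient(url, serviceRoleKey, {
    auth: { autoRefreshToken: false, persistSession: false },
  });
}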

/**
 * GET — list every application user, oldest first.
 *
 * Admin-only: a missing session or a session whose user is not an admin is
 * answered with 403 before any database access happens.
 *
 * @returns the `usuarios_app` rows ordered by `createdAt`, as JSON.
 */
export async function GET() {
  const session = await auth();
  const isAdmin = session?.user.role === "admin";
  if (!isAdmin) {
    return Response.json({ error: "Forbidden" }, { status: 403 });
  }

  const usuarios = await db
    .select()
    .from(usuariosApp)
    .orderBy(usuariosApp.createdAt);

  return Response.json(usuarios);
}

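/** Roles the application recognises; anything else in the body is rejected. */
const VALID_ROLES = ["admin", "inquilino"] as const;
type Rol = (typeof VALID_ROLES)[number];

/** Narrows an untrusted body value to a known role. */
function isRol(value: unknown): value is Rol {
  return typeof value === "string" && (VALID_ROLES as readonly string[]).includes(value);
}

/**
 * Best-effort removal of an auth user whose `usuarios_app` row could not be
 * written, so the address can be invited again instead of being left as an
 * orphaned account. Failures are logged, never thrown, so the caller can
 * surface the original insert error.
 */
async function rollbackInvite(client: ReturnType<typeof getAdminClient>, authUid: string): Promise<void> {
  try {
    const { error } = await client.auth.admin.deleteUser(authUid);
    if (error) {
      console.error("usuarios_app insert failed and auth user cleanup failed:", error.message);
    }
  } catch (cleanupError: unknown) {
    console.error("usuarios_app insert failed and auth user cleanup threw:", cleanupError);
  }
}

/**
 * POST — invite a new application user.
 *
 * Admin-only. Reads an untrusted JSON body `{ email, nombre, rol?, permisos? }`,
 * invites the address through Supabase Auth (which sends the magic-link
 * e-mail) and then records the user in `usuarios_app`. If the insert fails
 * after the invite succeeded, the freshly created auth user is removed again
 * so the two stores do not drift apart.
 *
 * @param req - incoming request; its body is validated field by field here.
 * @returns 201 with the inserted row; 400 on a malformed body, missing
 *   `email`/`nombre`, unknown `rol`, or an invite failure; 403 when the
 *   caller is not an admin.
 */
export async function POST(req: Request) {
  const session = await auth();
  if (!session || session.user.role !== "admin") {
    return Response.json({ error: "Forbidden" }, { status: 403 });
  }

  // req.json() throws on malformed JSON; report that as a client error
  // instead of letting it surface as a 500.
  let body: unknown;
  try {
    body = await req.json();
  } catch {
    return Response.json({ error: "Cuerpo de la petición inválido" }, { status: 400 });
  }
  if (typeof body !== "object" || body === null) {
    return Response.json({ error: "Cuerpo de la petición inválido" }, { status: 400 });
  }
  const { email, nombre, rol, permisos } = body as Record<string, unknown>;

  // Both identifiers must be non-empty strings; a number or object in either
  // field would otherwise reach the auth provider and the database.
  if (typeof email !== "string" || email.length === 0 || typeof nombre !== "string" || nombre.length === 0) {
    return Response.json({ error: "Email y nombre son requeridos" }, { status: 400 });
  }
  // A falsy rol means "use the default"; a truthy one must be a known role.
  if (rol && !isRol(rol)) {
    return Response.json({ error: "Rol inválido" }, { status: 400 });
  }
  const rolFinal: Rol = isRol(rol) ? rol : "inquilino";

  const supabaseAdmin = getAdminClient();

  // Create the Supabase Auth user with an invite (sends the magic-link e-mail).
  const { data: authData, error: authError } = await supabaseAdmin.auth.admin.inviteUserByEmail(email, {
    data: { name: nombre },
    redirectTo: `${process.env.NEXT_PUBLIC_SITE_URL || 'http://localhost:3000'}/auth/callback?next=/dashboard`,
  });

  if (authError) {
    return Response.json({ error: authError.message }, { status: 400 });
  }

  // Insert into usuarios_app; on failure undo the invite so no orphaned
  // auth user is left behind, then rethrow the original error.
  // NOTE(review): permisos is stored as whatever array the client sent —
  // element validation depends on the column's schema, which is not visible here.
  let newUser;
  try {
    [newUser] = await db.insert(usuariosApp).values({
      authUid: authData.user.id,
      email,
      nombre,
      rol: rolFinal,
      permisos: Array.isArray(permisos) ? permisos : null,
    }).returning();
  } catch (insertError: unknown) {
    await rollbackInvite(supabaseAdmin, authData.user.id);
    throw insertError;
  }

  return Response.json(newUser, { status: 201 });
}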
