import { createFileRoute } from "@tanstack/react-router";
import { createHmac, timingSafeEqual } from "crypto";
import { z } from "zod";

function verifyHmac(secret: string, message: string, signatureHex: string): boolean {
  const expected = createHmac("sha256", secret).update(message).digest("hex");
  const a = Buffer.from(signatureHex);
  const b = Buffer.from(expected);
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

const reportSchema = z.object({
  events: z.array(
    z.object({
      subscription_id: z.string().uuid().nullable().optional(),
      mac_address: z.string(),
      ip_address: z.string().optional().nullable(),
      bytes_in: z.number().int().nonnegative().optional().default(0),
      bytes_out: z.number().int().nonnegative().optional().default(0),
      started_at: z.string().optional().nullable(),
      ended_at: z.string().optional().nullable(),
    }),
  ),
});

export const Route = createFileRoute("/api/public/agent/report")({
  server: {
    handlers: {
      POST: async ({ request }) => {
        const routerId = request.headers.get("x-router-id");
        const ts = request.headers.get("x-timestamp");
        const sig = request.headers.get("x-signature");
        if (!routerId || !ts || !sig)
          return new Response("Missing auth headers", { status: 401 });

        const tsNum = Number(ts);
        if (!Number.isFinite(tsNum) || Math.abs(Date.now() / 1000 - tsNum) > 300) {
          return new Response("Timestamp out of range", { status: 401 });
        }

        const rawBody = await request.text();
        const { supabaseAdmin } = await import("@/integrations/supabase/client.server");
        const { data: router } = await supabaseAdmin
          .from("routers")
          .select("id, agent_secret")
          .eq("id", routerId)
          .maybeSingle();
        if (!router?.agent_secret) return new Response("Unknown router", { status: 401 });
        if (!verifyHmac(router.agent_secret, `${routerId}:${ts}:${rawBody}`, sig)) {
          return new Response("Invalid signature", { status: 401 });
        }

        let parsed;
        try {
          parsed = reportSchema.parse(JSON.parse(rawBody));
        } catch (e) {
          return new Response("Invalid body", { status: 400 });
        }

        if (parsed.events.length > 0) {
          const rows = parsed.events.map((e) => ({
            router_id: routerId,
            subscription_id: e.subscription_id ?? null,
            mac_address: e.mac_address,
            ip_address: e.ip_address ?? null,
            bytes_in: e.bytes_in ?? 0,
            bytes_out: e.bytes_out ?? 0,
            started_at: e.started_at ?? new Date().toISOString(),
            ended_at: e.ended_at ?? null,
          }));
          await supabaseAdmin.from("mac_sessions").insert(rows);
        }

        await supabaseAdmin
          .from("routers")
          .update({ is_online: true, last_seen_at: new Date().toISOString() })
          .eq("id", routerId);

        return new Response(JSON.stringify({ ok: true }), {
          status: 200,
          headers: { "content-type": "application/json" },
        });
      },
    },
  },
});
