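package server

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// HandleAdminSettings serves the admin settings endpoint.
//
//	GET  /api/v1/admin/settings              list all settings
//	POST /api/v1/admin/settings {key,value}  set one allowlisted setting
//
// Responses are JSON objects with "error" set to 0 on success and 1 on
// failure. Only keys in the allowlist below can be written; an empty value
// is stored as "0".
//
// NOTE(review): this handler does no authorization check of its own. It
// presumably sits behind admin-only middleware; confirm at the route
// registration, because the allowlisted keys read like privilege-affecting
// toggles (judging by their names only).
func (s *Server) HandleAdminSettings(w http.ResponseWriter, r *http.Request) {
	// Upper bound for a POST body. The payload is a single {key,value} pair,
	// so anything larger is rejected instead of being buffered by the decoder.
	const maxBody = 64 << 10

	if s.store == nil {
		writeJSON(w, http.StatusInternalServerError, `{"error":1,"message":"store not ready"}`)
		return
	}

	switch r.Method {
	case http.MethodGet:
		settings, err := s.store.ListSettings()
		if err != nil {
			writeJSON(w, http.StatusInternalServerError, `{"error":1,"message":"list settings failed"}`)
			return
		}
		// A marshal failure must not be reported as 200 with an empty body.
		b, err := json.Marshal(map[string]any{"error": 0, "settings": settings})
		if err != nil {
			writeJSON(w, http.StatusInternalServerError, `{"error":1,"message":"list settings failed"}`)
			return
		}
		writeJSON(w, http.StatusOK, string(b))
		return
	case http.MethodPost:
		// handled below
	default:
		writeJSON(w, http.StatusMethodNotAllowed, `{"error":1,"message":"method not allowed"}`)
		return
	}

	var req struct {
		Key   string `json:"key"`
		Value string `json:"value"`
	}
	// An oversized body makes Decode fail, which is answered with 400 below.
	r.Body = http.MaxBytesReader(w, r.Body, maxBody)
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Key == "" {
		writeJSON(w, http.StatusBadRequest, `{"error":1,"message":"bad request"}`)
		return
	}

	// Allowlist: no other key can be written through this endpoint.
	switch req.Key {
	case "advanced_impersonate", "advanced_force_network", "advanced_cross_tenant":
	default:
		writeJSON(w, http.StatusBadRequest, `{"error":1,"message":"invalid key"}`)
		return
	}

	// NOTE(review): the value is stored exactly as sent. The "0" default
	// suggests these are 0/1 flags; if so, reject anything else here so an
	// unexpected string cannot be read back as "enabled". Confirm against the
	// code that reads these settings.
	if req.Value == "" {
		req.Value = "0"
	}
	if err := s.store.SetSetting(req.Key, req.Value); err != nil {
		writeJSON(w, http.StatusInternalServerError, `{"error":1,"message":"set failed"}`)
		return
	}

	// The audit record is best-effort and written after the change is stored.
	// NOTE(review): when GetAccessContext returns nil, or AddAuditLog fails,
	// the change stays in place with no audit trail. For settings this
	// sensitive, consider refusing the write without an access context and
	// surfacing audit failures.
	// r.RemoteAddr is the direct peer; behind a reverse proxy that is the
	// proxy's address, not the client's.
	if ac := GetAccessContext(r); ac != nil {
		_ = s.store.AddAuditLog(ac.Kind, fmt.Sprintf("%d", ac.UserID), "setting_change", "setting", req.Key, req.Value, r.RemoteAddr)
	}
	writeJSON(w, http.StatusOK, `{"error":0,"message":"ok"}`)
}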