chat/internal/handlers/api.go

package handlers

import (
	"database/sql"
	"encoding/json"
	"net/http"
	"strconv"
	"strings"

	"git.eeqj.de/sneak/chat/internal/db"
	"github.com/go-chi/chi"
)

const maxNickLen = 32

// authUser extracts the user from the Authorization header (Bearer token).
func (s *Handlers) authUser(r *http.Request) (int64, string, error) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return 0, "", sql.ErrNoRows
	}

	token := strings.TrimPrefix(auth, "Bearer ")

	return s.params.Database.LookupUserByToken(r.Context(), token)
}

func (s *Handlers) requireAuth(w http.ResponseWriter, r *http.Request) (int64, string, bool) {
	uid, nick, err := s.authUser(r)
	if err != nil {
		s.respondJSON(w, r, map[string]string{"error": "unauthorized"}, http.StatusUnauthorized)

		return 0, "", false
	}

	return uid, nick, true
}

// HandleCreateSession creates a new user session and returns the auth token.
func (s *Handlers) HandleCreateSession() http.HandlerFunc {
	type request struct {
		Nick string `json:"nick"`
	}

	type response struct {
		ID    int64  `json:"id"`
		Nick  string `json:"nick"`
		Token string `json:"token"`
	}

	return func(w http.ResponseWriter, r *http.Request) {
		var req request

		err := json.NewDecoder(r.Body).Decode(&req)
		if err != nil {
			s.respondJSON(w, r, map[string]string{"error": "invalid request"}, http.StatusBadRequest)

			return
		}

		req.Nick = strings.TrimSpace(req.Nick)

		if req.Nick == "" || len(req.Nick) > maxNickLen {
			s.respondJSON(w, r, map[string]string{"error": "nick must be 1-32 characters"}, http.StatusBadRequest)

			return
		}

		id, token, err := s.params.Database.CreateSimpleUser(r.Context(), req.Nick)
		if err != nil {
			if strings.Contains(err.Error(), "UNIQUE") {
				s.respondJSON(w, r, map[string]string{"error": "nick already taken"}, http.StatusConflict)

				return
			}

			s.log.Error("create user failed", "error", err)
			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

			return
		}

		s.respondJSON(w, r, &response{ID: id, Nick: req.Nick, Token: token}, http.StatusCreated)
	}
}

// HandleState returns the current user's info and joined channels.
func (s *Handlers) HandleState() http.HandlerFunc {
	type response struct {
		ID       int64            `json:"id"`
		Nick     string           `json:"nick"`
		Channels []db.ChannelInfo `json:"channels"`
	}

	return func(w http.ResponseWriter, r *http.Request) {
		uid, nick, ok := s.requireAuth(w, r)
		if !ok {
			return
		}

		channels, err := s.params.Database.ListChannels(r.Context(), uid)
		if err != nil {
			s.log.Error("list channels failed", "error", err)
			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

			return
		}

		s.respondJSON(w, r, &response{ID: uid, Nick: nick, Channels: channels}, http.StatusOK)
	}
}

// HandleListAllChannels returns all channels on the server.
func (s *Handlers) HandleListAllChannels() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		_, _, ok := s.requireAuth(w, r)
		if !ok {
			return
		}

		channels, err := s.params.Database.ListAllChannels(r.Context())
		if err != nil {
			s.log.Error("list all channels failed", "error", err)
			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

			return
		}

		s.respondJSON(w, r, channels, http.StatusOK)
	}
}

// HandleChannelMembers returns members of a channel.
func (s *Handlers) HandleChannelMembers() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		_, _, ok := s.requireAuth(w, r)
		if !ok {
			return
		}

		name := "#" + chi.URLParam(r, "channel")

		chID, err := s.lookupChannelID(r, name)
		if err != nil {
			s.respondJSON(w, r, map[string]string{"error": "channel not found"}, http.StatusNotFound)

			return
		}

		members, err := s.params.Database.ChannelMembers(r.Context(), chID)
		if err != nil {
			s.log.Error("channel members failed", "error", err)
			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

			return
		}

		s.respondJSON(w, r, members, http.StatusOK)
	}
}

// HandleGetMessages returns all new messages (channel + DM) for the user via long-polling.
// This is the single unified message stream — replaces separate channel/DM/poll endpoints.
func (s *Handlers) HandleGetMessages() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		uid, _, ok := s.requireAuth(w, r)
		if !ok {
			return
		}

		afterID, _ := strconv.ParseInt(r.URL.Query().Get("after"), 10, 64)
		limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))

		msgs, err := s.params.Database.PollMessages(r.Context(), uid, afterID, limit)
		if err != nil {
			s.log.Error("get messages failed", "error", err)
			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

			return
		}

		s.respondJSON(w, r, msgs, http.StatusOK)
	}
}

// HandleSendCommand handles all C2S commands via POST /messages.
// The "command" field dispatches to the appropriate logic.
func (s *Handlers) HandleSendCommand() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		uid, nick, ok := s.requireAuth(w, r)
		if !ok {
			return
		}

		cmd, err := s.decodeSendCommand(r)
		if err != nil {
			s.respondJSON(w, r, map[string]string{"error": "invalid request"}, http.StatusBadRequest)

			return
		}

		switch cmd.Command {
		case "PRIVMSG", "NOTICE":
			s.handlePrivmsgCommand(w, r, uid, cmd)
		case "JOIN":
			s.handleJoinCommand(w, r, uid, cmd)
		case "PART":
			s.handlePartCommand(w, r, uid, cmd)
		case "NICK":
			s.handleNickCommand(w, r, uid, cmd)
		case "TOPIC":
			s.handleTopicCommand(w, r, cmd)
		case "PING":
			s.respondJSON(w, r, map[string]string{"command": "PONG", "from": s.params.Config.ServerName}, http.StatusOK)
		default:
			_ = nick // suppress unused warning

			s.respondJSON(w, r, map[string]string{"error": "unknown command: " + cmd.Command}, http.StatusBadRequest)
		}
	}
}

type sendCommand struct {
	Command string   `json:"command"`
	To      string   `json:"to"`
	Params  []string `json:"params,omitempty"`
	Body    any      `json:"body,omitempty"`
}

func (s *Handlers) decodeSendCommand(r *http.Request) (*sendCommand, error) {
	var cmd sendCommand

	err := json.NewDecoder(r.Body).Decode(&cmd)
	if err != nil {
		return nil, err
	}

	cmd.Command = strings.ToUpper(strings.TrimSpace(cmd.Command))
	cmd.To = strings.TrimSpace(cmd.To)

	return &cmd, nil
}

func bodyLines(body any) []string {
	switch v := body.(type) {
	case []any:
		lines := make([]string, 0, len(v))

		for _, item := range v {
			if str, ok := item.(string); ok {
				lines = append(lines, str)
			}
		}

		return lines
	case []string:
		return v
	default:
		return nil
	}
}

func (s *Handlers) handlePrivmsgCommand(
	w http.ResponseWriter, r *http.Request, uid int64, cmd *sendCommand,
) {
	if cmd.To == "" {
		s.respondJSON(w, r, map[string]string{"error": "to field required"}, http.StatusBadRequest)

		return
	}

	lines := bodyLines(cmd.Body)
	if len(lines) == 0 {
		s.respondJSON(w, r, map[string]string{"error": "body required"}, http.StatusBadRequest)

		return
	}

	content := strings.Join(lines, "\n")

	if strings.HasPrefix(cmd.To, "#") {
		s.sendChannelMessage(w, r, uid, cmd.To, content)
	} else {
		s.sendDirectMessage(w, r, uid, cmd.To, content)
	}
}

func (s *Handlers) sendChannelMessage(
	w http.ResponseWriter, r *http.Request, uid int64, channel, content string,
) {
	chID, err := s.lookupChannelID(r, channel)
	if err != nil {
		s.respondJSON(w, r, map[string]string{"error": "channel not found"}, http.StatusNotFound)

		return
	}

	msgID, err := s.params.Database.SendMessage(r.Context(), chID, uid, content)
	if err != nil {
		s.log.Error("send message failed", "error", err)
		s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

		return
	}

	s.respondJSON(w, r, map[string]any{"id": msgID, "status": "sent"}, http.StatusCreated)
}

func (s *Handlers) sendDirectMessage(
	w http.ResponseWriter, r *http.Request, uid int64, toNick, content string,
) {
	targetID, err := s.params.Database.LookupUserByNick(r.Context(), toNick)
	if err != nil {
		s.respondJSON(w, r, map[string]string{"error": "user not found"}, http.StatusNotFound)

		return
	}

	msgID, err := s.params.Database.SendDM(r.Context(), uid, targetID, content)
	if err != nil {
		s.log.Error("send dm failed", "error", err)
		s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

		return
	}

	s.respondJSON(w, r, map[string]any{"id": msgID, "status": "sent"}, http.StatusCreated)
}

func (s *Handlers) handleJoinCommand(
	w http.ResponseWriter, r *http.Request, uid int64, cmd *sendCommand,
) {
	if cmd.To == "" {
		s.respondJSON(w, r, map[string]string{"error": "to field required"}, http.StatusBadRequest)

		return
	}

	channel := cmd.To
	if !strings.HasPrefix(channel, "#") {
		channel = "#" + channel
	}

	chID, err := s.params.Database.GetOrCreateChannel(r.Context(), channel)
	if err != nil {
		s.log.Error("get/create channel failed", "error", err)
		s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

		return
	}

	err = s.params.Database.JoinChannel(r.Context(), chID, uid)
	if err != nil {
		s.log.Error("join channel failed", "error", err)
		s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

		return
	}

	s.respondJSON(w, r, map[string]string{"status": "joined", "channel": channel}, http.StatusOK)
}

func (s *Handlers) handlePartCommand(
	w http.ResponseWriter, r *http.Request, uid int64, cmd *sendCommand,
) {
	if cmd.To == "" {
		s.respondJSON(w, r, map[string]string{"error": "to field required"}, http.StatusBadRequest)

		return
	}

	channel := cmd.To
	if !strings.HasPrefix(channel, "#") {
		channel = "#" + channel
	}

	chID, err := s.lookupChannelID(r, channel)
	if err != nil {
		s.respondJSON(w, r, map[string]string{"error": "channel not found"}, http.StatusNotFound)

		return
	}

	err = s.params.Database.PartChannel(r.Context(), chID, uid)
	if err != nil {
		s.log.Error("part channel failed", "error", err)
		s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

		return
	}

	s.respondJSON(w, r, map[string]string{"status": "parted", "channel": channel}, http.StatusOK)
}

func (s *Handlers) handleNickCommand(
	w http.ResponseWriter, r *http.Request, uid int64, cmd *sendCommand,
) {
	lines := bodyLines(cmd.Body)
	if len(lines) == 0 {
		s.respondJSON(w, r, map[string]string{"error": "body required (new nick)"}, http.StatusBadRequest)

		return
	}

	newNick := strings.TrimSpace(lines[0])
	if newNick == "" || len(newNick) > maxNickLen {
		s.respondJSON(w, r, map[string]string{"error": "nick must be 1-32 characters"}, http.StatusBadRequest)

		return
	}

	err := s.params.Database.ChangeNick(r.Context(), uid, newNick)
	if err != nil {
		if strings.Contains(err.Error(), "UNIQUE") {
			s.respondJSON(w, r, map[string]string{"error": "nick already in use"}, http.StatusConflict)

			return
		}

		s.log.Error("change nick failed", "error", err)
		s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

		return
	}

	s.respondJSON(w, r, map[string]string{"status": "ok", "nick": newNick}, http.StatusOK)
}

func (s *Handlers) handleTopicCommand(
	w http.ResponseWriter, r *http.Request, cmd *sendCommand,
) {
	if cmd.To == "" {
		s.respondJSON(w, r, map[string]string{"error": "to field required"}, http.StatusBadRequest)

		return
	}

	lines := bodyLines(cmd.Body)
	if len(lines) == 0 {
		s.respondJSON(w, r, map[string]string{"error": "body required (topic text)"}, http.StatusBadRequest)

		return
	}

	topic := strings.Join(lines, " ")

	channel := cmd.To
	if !strings.HasPrefix(channel, "#") {
		channel = "#" + channel
	}

	err := s.params.Database.SetTopic(r.Context(), channel, 0, topic)
	if err != nil {
		s.log.Error("set topic failed", "error", err)
		s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

		return
	}

	s.respondJSON(w, r, map[string]string{"status": "ok", "topic": topic}, http.StatusOK)
}

// HandleGetHistory returns message history for a specific target (channel or DM).
func (s *Handlers) HandleGetHistory() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		uid, _, ok := s.requireAuth(w, r)
		if !ok {
			return
		}

		target := r.URL.Query().Get("target")
		if target == "" {
			s.respondJSON(w, r, map[string]string{"error": "target required"}, http.StatusBadRequest)

			return
		}

		beforeID, _ := strconv.ParseInt(r.URL.Query().Get("before"), 10, 64)

		limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
		if limit <= 0 {
			limit = defaultHistoryLimit
		}

		if strings.HasPrefix(target, "#") {
			s.handleChannelHistory(w, r, target, beforeID, limit)
		} else {
			s.handleDMHistory(w, r, uid, target, beforeID, limit)
		}
	}
}

const defaultHistoryLimit = 50

func (s *Handlers) handleChannelHistory(
	w http.ResponseWriter, r *http.Request,
	target string, beforeID int64, limit int,
) {
	chID, err := s.lookupChannelID(r, target)
	if err != nil {
		s.respondJSON(w, r, map[string]string{"error": "channel not found"}, http.StatusNotFound)

		return
	}

	msgs, err := s.params.Database.GetMessagesBefore(r.Context(), chID, beforeID, limit)
	if err != nil {
		s.log.Error("get history failed", "error", err)
		s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

		return
	}

	s.respondJSON(w, r, msgs, http.StatusOK)
}

func (s *Handlers) handleDMHistory(
	w http.ResponseWriter, r *http.Request,
	uid int64, target string, beforeID int64, limit int,
) {
	targetID, err := s.params.Database.LookupUserByNick(r.Context(), target)
	if err != nil {
		s.respondJSON(w, r, map[string]string{"error": "user not found"}, http.StatusNotFound)

		return
	}

	msgs, err := s.params.Database.GetDMsBefore(r.Context(), uid, targetID, beforeID, limit)
	if err != nil {
		s.log.Error("get dm history failed", "error", err)
		s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)

		return
	}

	s.respondJSON(w, r, msgs, http.StatusOK)
}

// lookupChannelID queries the channel ID by name using a parameterized query.
func (s *Handlers) lookupChannelID(r *http.Request, name string) (int64, error) {
	var chID int64

	//nolint:gosec // query uses parameterized placeholder (?), not string interpolation
	err := s.params.Database.GetDB().QueryRowContext(r.Context(),
		"SELECT id FROM channels WHERE name = ?", name).Scan(&chID)

	return chID, err
}

// HandleServerInfo returns server metadata (MOTD, name).
func (s *Handlers) HandleServerInfo() http.HandlerFunc {
	type response struct {
		Name string `json:"name"`
		MOTD string `json:"motd"`
	}

	return func(w http.ResponseWriter, r *http.Request) {
		s.respondJSON(w, r, &response{
			Name: s.params.Config.ServerName,
			MOTD: s.params.Config.MOTD,
		}, http.StatusOK)
	}
}