import { BASE_URL } from 'src/config/erpnext'

// Token is optional — in production, nginx injects it server-side.
// Only needed for local dev (VITE_ERP_TOKEN in .env).
const SERVICE_TOKEN = import.meta.env.VITE_ERP_TOKEN || ''

// Reconnexion auto sur session Authentik expirée, anti-boucle (1 reload / 20 s max).
let _lastReload = 0
function _reauth (status) {
  const now = Date.now()
  if (now - _lastReload > 20000) {
    _lastReload = now
    window.location.reload()
  }
  return new Response('{}', { status: status || 401 })
}

export async function authFetch (url, opts = {}) {
  opts.headers = SERVICE_TOKEN
    ? { ...opts.headers, Authorization: 'token ' + SERVICE_TOKEN }
    : { ...opts.headers }

  let res
  try {
    res = await fetch(url, opts)
  } catch (e) {
    // Coupure réseau transitoire (ex: backend qui redémarre) → 1 retry court avant d'abandonner
    await new Promise(r => setTimeout(r, 800))
    res = await fetch(url, opts)
  }

  // Détection « session Authentik expirée » (la cause du "il faut recharger") :
  //  - 401/403 explicites
  //  - réponse redirigée vers l'IdP (auth.targo.ca / /if/flow/)
  //  - page HTML de login renvoyée à la place du JSON attendu sur un /api/
  const ct = (res.headers && res.headers.get && res.headers.get('content-type')) || ''
  const redirectedToIdp = res.redirected && /auth\.targo\.ca|\/if\/flow\//.test(res.url || '')
  const htmlForApi = res.status === 200 && ct.includes('text/html') && /\/api\//.test(String(url))
  if (res.status === 401 || res.status === 403 || redirectedToIdp || htmlForApi) {
    return _reauth(res.status)
  }
  return res
}

export async function getLoggedUser () {
  // First try nginx whoami endpoint (returns Authentik email header)
  try {
    const res = await fetch(BASE_URL + '/auth/whoami')
    if (res.ok) {
      const data = await res.json()
      if (data.email && data.email !== '') return data.email
    }
  } catch {}
  // Fallback: ask ERPNext (returns API token owner, usually "Administrator")
  try {
    const headers = SERVICE_TOKEN ? { Authorization: 'token ' + SERVICE_TOKEN } : {}
    const res = await fetch(BASE_URL + '/api/method/frappe.auth.get_logged_user', { headers })
    if (res.ok) {
      const data = await res.json()
      return data.message || 'authenticated'
    }
  } catch {}
  return 'authenticated'
}

export async function logout () {
  window.location.href = 'https://auth.targo.ca/if/flow/default-invalidation-flow/'
}