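use std::sync::Arc;

use axum::{
    Router, middleware,
    routing::{get, post},
};

use crate::{
    AppState,
    cookie::validation::{validate_admin, validate_token},
    handlers::{
        auth::{
            check_admin_exists, create_user, delete_user, get_current_user, get_user_by_id,
            get_users, login, logout, setup_initial_admin, update_user,
        },
        ticket::{create_ticket, delete_ticket, edit_ticket, get_ticket_by_id, get_tickets},
    },
};

/// Creates the complete router with all API endpoints.
///
/// The router is organized in layers for proper middleware application. Uses [`AppState`]
/// (shared through an `Arc`) as the context for every route and every auth middleware.
///
/// ## Route Layers (from most to least restricted):
///
/// ### Admin-Only Routes (requires admin privilege + valid token)
/// - `GET /api/tickets/{id}` - Get specific ticket details (via `get_ticket_by_id`)
/// - `DELETE /api/tickets/{id}` - Delete a ticket (via `delete_ticket`)
/// - `PATCH /api/tickets/{id}` - Update ticket status (via `edit_ticket`)
/// - `POST /api/register` - Create a new user (via `create_user`)
/// - `GET /api/users` - List all users (via `get_users`)
/// - `GET /api/users/{id}` - Get user details (via `get_user_by_id`)
/// - `DELETE /api/users/{id}` - Delete a user (via `delete_user`)
/// - `PATCH /api/users/{id}` - Update user details (via `update_user`)
///
/// ### Protected Routes (requires valid token)
/// - `GET /api/tickets` - List all tickets (via `get_tickets`)
/// - `POST /api/tickets/create` - Create a new ticket (via `create_ticket`)
/// - `GET /api/logout` - Logout user (via `logout`)
/// - `GET /api/users/current` - Get current authenticated user (via `get_current_user`)
///
/// ### Public Routes (no authentication required)
/// - `POST /api/login` - User login (via `login`)
/// - `GET /api/check-admin` - Check if admin exists (via `check_admin_exists`)
/// - `POST /api/setup-admin` - Create initial admin account (via `setup_initial_admin`)
///
/// # Middleware Stack
/// - Admin routes have `validate_admin` middleware
/// - Protected routes have `validate_token` middleware
/// - Public routes have no authentication requirements
///
/// Because `admin_routes` is merged into `protected_routes` *before* `validate_token` is
/// layered on, the token check is the outer layer for admin routes and runs first; an
/// unauthenticated request never reaches `validate_admin`. Public routes are added to the
/// outermost router, after both layers, so neither middleware touches them.
///
/// # Security notes (review)
/// - `/api/users/current` and `/api/tickets/create` share a prefix with the admin-only
///   `/api/users/{id}` and `/api/tickets/{id}` routes. Keeping them out of the admin
///   layer relies on axum's matcher preferring a static segment over a `{param}` capture;
///   an integration test that hits both paths as a non-admin user is the cheap way to
///   pin that assumption.
/// - `POST /api/setup-admin` is public. Nothing in this router stops a second caller
///   from creating "the" initial admin; `setup_initial_admin` must refuse once an admin
///   exists, and should do so atomically (a check-then-insert across two requests can
///   race) — confirm against the handler.
/// - `GET /api/logout` changes session state on a GET, which a cross-origin page can
///   trigger (e.g. via an `<img>` tag) to force a logout. Moving it to `POST` is the
///   usual fix but is an API change for clients, so it is noted here rather than made.
/// - `GET /api/check-admin` intentionally discloses whether setup has completed; it
///   should return nothing beyond that boolean.
pub fn create_router(state: Arc<AppState>) -> Router {
    // Admin-only routes. `.layer()` applies to the routes registered above it on this
    // builder, so `validate_admin` wraps exactly these handlers.
    let admin_routes = Router::new()
        .route(
            "/api/tickets/{id}",
            get(get_ticket_by_id)
                .delete(delete_ticket)
                .patch(edit_ticket),
        )
        .route("/api/register", post(create_user))
        .route("/api/users", get(get_users))
        .route(
            "/api/users/{id}",
            get(get_user_by_id).delete(delete_user).patch(update_user),
        )
        .layer(middleware::from_fn_with_state(
            Arc::clone(&state),
            validate_admin,
        ));

    // Authenticated routes. Merging the admin router first and layering `validate_token`
    // afterwards is what makes the token check the outer (first-running) middleware for
    // admin routes as well as for these.
    let protected_routes = Router::new()
        .merge(admin_routes)
        .route("/api/tickets", get(get_tickets))
        .route("/api/tickets/create", post(create_ticket))
        .route("/api/logout", get(logout))
        .route("/api/users/current", get(get_current_user))
        .layer(middleware::from_fn_with_state(
            Arc::clone(&state),
            validate_token,
        ));

    // Public routes live on the outermost router, added after both auth layers, so
    // they are reachable without any cookie or token.
    Router::new()
        .merge(protected_routes)
        .route("/api/login", post(login))
        .route("/api/check-admin", get(check_admin_exists))
        .route("/api/setup-admin", post(setup_initial_admin))
        .with_state(state)
}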