const express = require('express');
const router = express.Router();
const db = require('../db');
const crypto = require('crypto');

// Helper to generate fake salt for user privacy
function generateFakeSalt(username) {
    return crypto.createHmac('sha256', 'SERVER_SECRET_KEY') // In prod, use env var
        .update(username)
        .digest('hex');
}

router.post('/register', async (req, res) => {
    const { username, salt, encryptedMK, hak, publicKey, signingKey, encryptedPrivateKeys } = req.body;
    try {
        const result = await db.query(
            `INSERT INTO users (username, client_salt, encrypted_master_key, hashed_auth_key, public_identity_key, public_signing_key, encrypted_private_keys)
             VALUES ($1, $2, $3, $4, $5, $6, $7) RETURNING id`,
            [username, salt, encryptedMK, hak, publicKey, signingKey, encryptedPrivateKeys]
        );
        res.json({ success: true, userId: result.rows[0].id });
    } catch (err) {
        console.error(err);
        if (err.code === '23505') { // Unique violation
            res.status(400).json({ error: 'Username taken' });
        } else {
            res.status(500).json({ error: 'Server error' });
        }
    }
});

router.post('/login/salt', async (req, res) => {
    const { username } = req.body;
    try {
        const result = await db.query('SELECT client_salt FROM users WHERE username = $1', [username]);
        if (result.rows.length > 0) {
            res.json({ salt: result.rows[0].client_salt });
        } else {
            // Return fake salt to prevent enumeration
            res.json({ salt: generateFakeSalt(username) });
        }
    } catch (err) {
        console.error(err);
        res.status(500).json({ error: 'Server error' });
    }
});

router.post('/login/verify', async (req, res) => {
    const { username, dak } = req.body;

    try {
        const result = await db.query(
            'SELECT hashed_auth_key, encrypted_master_key, encrypted_private_keys FROM users WHERE username = $1',
            [username]
        );

        if (result.rows.length === 0) {
            return res.status(401).json({ error: 'Invalid credentials' });
        }

        const user = result.rows[0];
        const hashedDAK = crypto.createHash('sha256').update(dak).digest('hex');

        if (hashedDAK === user.hashed_auth_key) {
            res.json({
                success: true,
                userId: user.id,
                encryptedMK: user.encrypted_master_key,
                encryptedPrivateKeys: user.encrypted_private_keys
            });
        } else {
            res.status(401).json({ error: 'Invalid credentials' });
        }
    } catch (err) {
        console.error(err);
        res.status(500).json({ error: 'Server error' });
    }
});

module.exports = router;