import type { PlanKey } from "./plans";

const SANDBOX_BASE = "https://api-m.sandbox.paypal.com";
const base = () => process.env.PAYPAL_API_BASE ?? SANDBOX_BASE;
const appUrl = () => process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000";

// Loudly warn (but don't throw — never break deploys) if PayPal is pointed at the
// sandbox while running in production. The sandbox default is fine for dev.
if (process.env.NODE_ENV === "production" && base().includes("sandbox.paypal.com")) {
  console.warn(
    "[paypal] WARNING: running against the PayPal SANDBOX in production. " +
      "Set PAYPAL_API_BASE=https://api-m.paypal.com for live billing."
  );
}

function creds(): { id: string; secret: string } {
  const id = process.env.PAYPAL_CLIENT_ID;
  const secret = process.env.PAYPAL_CLIENT_SECRET;
  if (!id || !secret) throw new Error("PayPal credentials are not set");
  return { id, secret };
}

export function isPaypalConfigured(): boolean {
  return !!(process.env.PAYPAL_CLIENT_ID && process.env.PAYPAL_CLIENT_SECRET);
}

async function accessToken(): Promise<string> {
  const { id, secret } = creds();
  const res = await fetch(`${base()}/v1/oauth2/token`, {
    method: "POST",
    headers: {
      Authorization: `Basic ${Buffer.from(`${id}:${secret}`).toString("base64")}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: "grant_type=client_credentials",
  });
  if (!res.ok) throw new Error(`PayPal token error ${res.status}`);
  const data = (await res.json()) as { access_token: string };
  return data.access_token;
}

export interface PaypalCustom {
  subjectId: string;
  subjectType: "user" | "organization";
  plan: PlanKey;
}

/** Create a PayPal subscription; returns the subscription id + approval URL. */
export async function createPaypalSubscription(args: {
  planId: string;
  custom: PaypalCustom;
}): Promise<{ id: string; approveUrl: string }> {
  const token = await accessToken();
  const res = await fetch(`${base()}/v1/billing/subscriptions`, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${token}`,
      "Content-Type": "application/json",
      Prefer: "return=representation",
    },
    body: JSON.stringify({
      plan_id: args.planId,
      custom_id: JSON.stringify(args.custom),
      application_context: {
        brand_name: "PodcastYes",
        user_action: "SUBSCRIBE_NOW",
        shipping_preference: "NO_SHIPPING",
        return_url: `${appUrl()}/billing?status=success&provider=paypal`,
        cancel_url: `${appUrl()}/billing?status=cancel`,
      },
    }),
  });
  if (!res.ok) throw new Error(`PayPal create subscription ${res.status}: ${await res.text()}`);
  const data = (await res.json()) as { id: string; links: { rel: string; href: string }[] };
  const approveUrl = data.links.find((l) => l.rel === "approve")?.href;
  if (!approveUrl) throw new Error("PayPal did not return an approval URL");
  return { id: data.id, approveUrl };
}

export async function getPaypalSubscription(id: string): Promise<Record<string, unknown>> {
  const token = await accessToken();
  const res = await fetch(`${base()}/v1/billing/subscriptions/${id}`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`PayPal get subscription ${res.status}`);
  return res.json();
}

export async function cancelPaypalSubscription(id: string, reason = "Customer requested"): Promise<void> {
  const token = await accessToken();
  const res = await fetch(`${base()}/v1/billing/subscriptions/${id}/cancel`, {
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify({ reason }),
  });
  if (!res.ok && res.status !== 204) {
    throw new Error(`PayPal cancel subscription ${res.status}: ${await res.text()}`);
  }
}

/** Verify a PayPal webhook signature against PAYPAL_WEBHOOK_ID. */
export async function verifyPaypalWebhook(
  headers: Record<string, string | undefined>,
  rawBody: string
): Promise<boolean> {
  const webhookId = process.env.PAYPAL_WEBHOOK_ID;
  if (!webhookId) return false;
  const token = await accessToken();
  const res = await fetch(`${base()}/v1/notifications/verify-webhook-signature`, {
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify({
      auth_algo: headers["paypal-auth-algo"],
      cert_url: headers["paypal-cert-url"],
      transmission_id: headers["paypal-transmission-id"],
      transmission_sig: headers["paypal-transmission-sig"],
      transmission_time: headers["paypal-transmission-time"],
      webhook_id: webhookId,
      webhook_event: JSON.parse(rawBody),
    }),
  });
  if (!res.ok) return false;
  const data = (await res.json()) as { verification_status: string };
  return data.verification_status === "SUCCESS";
}