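import { NextRequest, NextResponse } from 'next/server'
import { getDb } from '@/lib/db'
import { initDatabase } from '@/lib/db-schema'
import { getCurrentUser } from '@/lib/auth'
import { hasPermission } from '@/lib/permissions'
import { hashPassword } from '@/lib/auth'

/**
 * Upper bound on any string taken from the request body before it reaches the
 * database. NOTE(review): chosen defensively; confirm against the column
 * definitions in `@/lib/db-schema` and tighten if they are narrower.
 */
const MAX_FIELD_LENGTH = 255

/** Fallback role when the caller does not supply one (same default as before). */
const DEFAULT_ROLE = 'viewer'

/**
 * Narrow an untrusted JSON value to a non-empty string of bounded length.
 *
 * `request.json()` can hand back objects, arrays or numbers for any field, and
 * passing those straight to a prepared statement either throws (surfacing as a
 * 500) or stores something the caller never intended. Returns `null` when the
 * value is not an acceptable string.
 */
function asBoundedString(value: unknown): string | null {
  if (typeof value !== 'string') return null
  if (value.length === 0 || value.length > MAX_FIELD_LENGTH) return null
  return value
}

/**
 * GET /users — list every account for callers holding `users:read`.
 *
 * Deliberately never selects `password_hash`. `is_online` is derived in SQL:
 * an account counts as online when `last_active_at` is within the last five
 * minutes. Both sides of that comparison are shifted by +8 hours, which matches
 * how POST below writes `created_at`/`updated_at` — the two must stay in step.
 *
 * Responses: 200 `{ users }`, 401 when unauthenticated, 403 when the caller
 * lacks `users:read`, 500 with a generic message on any other failure (the
 * underlying error is logged server-side, not echoed to the client).
 */
export async function GET() {
  try {
    initDatabase()
    const user = await getCurrentUser()
    if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
    if (!hasPermission(user, 'users:read')) {
      return NextResponse.json({ error: '权限不足' }, { status: 403 })
    }

    const db = getDb()
    const users = db
      .prepare(
        `SELECT id, username, display_name, email, role, is_active, created_at, updated_at, last_login_at,
                CASE WHEN last_active_at IS NOT NULL
                          AND datetime(last_active_at, '+5 minutes') > datetime('now', '+8 hours')
                     THEN 1 ELSE 0 END AS is_online
         FROM users ORDER BY id`
      )
      .all()
    return NextResponse.json({ users })
  } catch (e: unknown) {
    // Do not leak driver/SQL error text to the client; keep it in the server log.
    console.error('GET /users failed:', e)
    return NextResponse.json({ error: '查询失败' }, { status: 500 })
  }
}

/**
 * POST /users — create an account for callers holding `users:write`.
 *
 * Body: `{ username, password, display_name, email?, role? }`. The first three
 * are required non-empty strings; `email` and `role` are optional strings.
 * The password is hashed with `hashPassword` before it is stored; the plaintext
 * is never written or returned.
 *
 * Responses: 201 `{ user }` (without `password_hash`), 400 on a malformed body,
 * a missing/invalid field or a duplicate username, 401/403 as in GET, 500 with a
 * generic message otherwise.
 *
 * NOTE(review): `role` is caller-controlled and stored verbatim, and it is what
 * `hasPermission` later consults. Anyone with `users:write` can therefore mint
 * an account with any role string, including ones more privileged than their
 * own. Only 'viewer' is visible from this file, so the allow-list is not
 * guessed here — TODO: validate `role` against the set `@/lib/permissions`
 * understands and decide whether a caller may assign roles above their own.
 */
export async function POST(request: NextRequest) {
  try {
    initDatabase()
    const user = await getCurrentUser()
    if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
    if (!hasPermission(user, 'users:write')) {
      return NextResponse.json({ error: '权限不足' }, { status: 403 })
    }

    // Malformed JSON is a client error, not a server failure.
    let body: unknown
    try {
      body = await request.json()
    } catch {
      return NextResponse.json({ error: '请求体不是有效的 JSON' }, { status: 400 })
    }
    if (typeof body !== 'object' || body === null || Array.isArray(body)) {
      return NextResponse.json({ error: '用户名、密码和显示名称为必填项' }, { status: 400 })
    }
    // Key-by-key narrowing below; the cast only gives us indexable access.
    const { username, password, display_name, email, role } = body as Record<string, unknown>

    const usernameValue = asBoundedString(username)
    const displayNameValue = asBoundedString(display_name)
    // The password is only hashed, never stored, so it is not length-capped here;
    // an empty password is still rejected as before.
    if (usernameValue === null || displayNameValue === null || typeof password !== 'string' || password.length === 0) {
      return NextResponse.json({ error: '用户名、密码和显示名称为必填项' }, { status: 400 })
    }

    // Absent/empty email is stored as NULL (as before); any other non-string is rejected.
    let emailValue: string | null = null
    if (email !== undefined && email !== null && email !== '') {
      emailValue = asBoundedString(email)
      if (emailValue === null) {
        return NextResponse.json({ error: '邮箱格式不正确' }, { status: 400 })
      }
    }

    // Absent/empty role falls back to the default; see the NOTE(review) in the docblock.
    let roleValue = DEFAULT_ROLE
    if (role !== undefined && role !== null && role !== '') {
      const candidate = asBoundedString(role)
      if (candidate === null) {
        return NextResponse.json({ error: '角色格式不正确' }, { status: 400 })
      }
      roleValue = candidate
    }

    const db = getDb()
    const existing = db.prepare('SELECT id FROM users WHERE username = ?').get(usernameValue)
    if (existing) return NextResponse.json({ error: '用户名已存在' }, { status: 400 })

    const hash = hashPassword(password)
    let result
    try {
      // Timestamps are wall-clock +8h, matching the comparison GET uses for is_online.
      result = db
        .prepare(
          "INSERT INTO users (username, password_hash, display_name, email, role, created_at, updated_at) VALUES (?, ?, ?, ?, ?, datetime('now', '+8 hours'), datetime('now', '+8 hours'))"
        )
        .run(usernameValue, hash, displayNameValue, emailValue, roleValue)
    } catch (e: unknown) {
      // The SELECT-then-INSERT above is racy: a concurrent request can take the
      // name in between. If the schema enforces UNIQUE(username) SQLite reports
      // that as a constraint error — map it to the same 400 rather than a 500.
      // NOTE(review): relies on the schema having that constraint; confirm in db-schema.
      if (e instanceof Error && /UNIQUE/i.test(e.message)) {
        return NextResponse.json({ error: '用户名已存在' }, { status: 400 })
      }
      throw e
    }

    const newUser = db
      .prepare('SELECT id, username, display_name, email, role, is_active, created_at FROM users WHERE id = ?')
      .get(result.lastInsertRowid)
    return NextResponse.json({ user: newUser }, { status: 201 })
  } catch (e: unknown) {
    // Same policy as GET: log details server-side, return a generic message.
    console.error('POST /users failed:', e)
    return NextResponse.json({ error: '创建失败' }, { status: 500 })
  }
}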