<?php

declare(strict_types=1);

namespace App\Filament\System\Pages\Auth;

use App\Models\PlatformUser;
use App\Models\Tenant;
use App\Services\Intune\AuditLogger;
use Filament\Auth\Http\Responses\Contracts\LoginResponse;
use Filament\Auth\Pages\Login as BaseLogin;
use Illuminate\Validation\ValidationException;

class Login extends BaseLogin
{
    public function authenticate(): ?LoginResponse
    {
        $data = $this->form->getState();
        $email = (string) ($data['email'] ?? '');

        try {
            $response = parent::authenticate();
        } catch (ValidationException $exception) {
            $this->audit(status: 'failure', email: $email, actor: null, reason: 'invalid_credentials');

            throw $exception;
        }

        if (! $response) {
            return null;
        }

        /** @var PlatformUser|null $user */
        $user = auth('platform')->user();

        if (! ($user instanceof PlatformUser)) {
            return $response;
        }

        if (! $user->is_active) {
            auth('platform')->logout();

            $this->audit(status: 'failure', email: $email, actor: null, reason: 'inactive');

            throw ValidationException::withMessages([
                'data.email' => __('filament-panels::auth/pages/login.messages.failed'),
            ]);
        }

        $user->forceFill(['last_login_at' => now()])->saveQuietly();

        $this->audit(status: 'success', email: $email, actor: $user);

        return $response;
    }

    private function audit(string $status, string $email, ?PlatformUser $actor, ?string $reason = null): void
    {
        $tenant = Tenant::query()->where('external_id', 'platform')->first();

        if (! $tenant) {
            return;
        }

        app(AuditLogger::class)->log(
            tenant: $tenant,
            action: 'platform.auth.login',
            context: [
                'attempted_email' => $email,
                'ip' => request()->ip(),
                'user_agent' => request()->userAgent(),
                'reason' => $reason,
            ],
            actorId: $actor?->getKey(),
            actorEmail: $actor?->email ?? ($email ?: null),
            actorName: $actor?->name,
            status: $status,
            resourceType: 'platform_user',
            resourceId: $actor ? (string) $actor->getKey() : null,
        );
    }
}