import { createServerClient } from "@supabase/ssr";
import { createClient as createSupabaseClient, SupabaseClient } from "@supabase/supabase-js";
import { cookies } from "next/headers";

/**
 * Cookie-based server client WITH user context.
 * Use this in Server Components, Server Actions, and Route Handlers
 * where you need to know who the logged-in user is.
 */
export async function createClient() {
  const cookieStore = await cookies();

  return createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        getAll() {
          return cookieStore.getAll();
        },
        setAll(cookiesToSet) {
          try {
            cookiesToSet.forEach(({ name, value, options }) =>
              cookieStore.set(name, value, options)
            );
          } catch {
            // Cookies can only be set in Server Actions or Route Handlers
          }
        },
      },
    }
  );
}

// Lazy-initialized admin client to avoid build-time errors (H11 fix)
let _supabaseAdmin: SupabaseClient | null = null;

/**
 * Admin client with service key — bypasses RLS.
 * Use ONLY for admin operations (email verification, etc.)
 * NEVER use this to read user data in server components.
 * 
 * Throws if SUPABASE_SERVICE_KEY is not configured.
 */
export function getSupabaseAdmin(): SupabaseClient {
  if (_supabaseAdmin) {
    return _supabaseAdmin;
  }

  const serviceKey = process.env.SUPABASE_SERVICE_KEY;
  const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;

  if (!serviceKey) {
    throw new Error(
      'SUPABASE_SERVICE_KEY is not configured. ' +
      'Please add it to your .env.local file. ' +
      'See SUPABASE-KEY-ROTATION-GUIDE.md for details.'
    );
  }

  if (!supabaseUrl) {
    throw new Error(
      'NEXT_PUBLIC_SUPABASE_URL is not configured. ' +
      'Please add it to your .env.local file.'
    );
  }

  _supabaseAdmin = createSupabaseClient(supabaseUrl, serviceKey, {
    auth: {
      autoRefreshToken: false,
      persistSession: false,
    },
  });

  return _supabaseAdmin;
}

/**
 * @deprecated Use getSupabaseAdmin() instead. This export will be removed.
 * Admin client with service key — bypasses RLS.
 */
export const supabaseAdmin = new Proxy({} as SupabaseClient, {
  get(target, prop) {
    const admin = getSupabaseAdmin();
    return admin[prop as keyof SupabaseClient];
  },
});

/**
 * Helper to verify email addresses (admin operation)
 */
export async function verifyEmail(userId: string) {
  const admin = getSupabaseAdmin();
  const { data, error } = await admin.auth.admin.updateUserById(
    userId,
    { email_confirm: true }
  );

  if (error) throw error;
  return data;
}

/**
 * Helper to check if user has verified their email (admin operation)
 */
export async function isEmailVerified(userId: string): Promise<boolean> {
  const admin = getSupabaseAdmin();
  const { data, error } = await admin.auth.admin.getUserById(userId);

  if (error) return false;
  return !!data.user?.email_confirmed_at;
}