/**
 * lib/users.ts
 * Reads user config from environment variables — no database needed.
 *
 * .env format:
 *   USER_0_NAME="Mustafa Ayris"
 *   USER_0_EMAIL="mustafa@ayristech.com"
 *   USER_0_PASSWORD="mustafa123"
 *   USER_0_ROLE="SUPER_ADMIN"       // or "DOMAIN_ADMIN"
 *   USER_0_DOMAINS="*"              // "*" for all, or "domain1.com,domain2.com"
 *
 *   USER_1_NAME="Emina Karabudak"
 *   USER_1_EMAIL="emina@ayristech.com"
 *   USER_1_PASSWORD="emina123"
 *   USER_1_ROLE="DOMAIN_ADMIN"
 *   USER_1_DOMAINS="aveminakarabudak.com"
 */

export interface AppUser {
  id: string;           // "user_0", "user_1", ...
  name: string;
  email: string;
  password: string;     // plain text — store hashed in prod or use secrets manager
  role: "SUPER_ADMIN" | "DOMAIN_ADMIN";
  domains: string[];    // ["*"] for super admin, ["domain.com"] for domain admins
  telegramId?: string;  // Optional Telegram ID for notifications
}

/** Load all users defined in environment variables */
export function getUsers(): AppUser[] {
  const users: AppUser[] = [];

  let i = 0;
  while (true) {
    const name = process.env[`USER_${i}_NAME`];
    const email = process.env[`USER_${i}_EMAIL`];
    const password = process.env[`USER_${i}_PASSWORD`];
    const role = process.env[`USER_${i}_ROLE`] as AppUser["role"];
    const domainsRaw = process.env[`USER_${i}_DOMAINS`] ?? "";
    const telegramId = process.env[`USER_${i}_TELEGRAM_ID`];

    if (!name || !email || !password) break;

    users.push({
      id: `user_${i}`,
      name,
      email,
      password,
      role: role ?? "DOMAIN_ADMIN",
      domains: domainsRaw === "*" ? ["*"] : domainsRaw.split(",").map((d) => d.trim()).filter(Boolean),
      telegramId,
    });

    i++;
  }

  return users;
}

/** Find user by email and validate password */
export function authenticateUser(email: string, password: string): AppUser | null {
  const users = getUsers();
  const user = users.find((u) => u.email.toLowerCase() === email.toLowerCase());
  if (!user) return null;
  if (user.password !== password) return null;
  return user;
}

/** Check if a user has access to a specific domain */
export function canAccessDomain(userDomains: string[], domain: string): boolean {
  return userDomains.includes("*") || userDomains.includes(domain);
}