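import { isValidPhoneNumber, normalizePhoneNumber, type UserRole } from '~~/shared/auth'
import { requireRole } from '../../../utils/auth'
import { getUserById, updateUserProfile } from '../../../utils/user-repository'

/** Roles this endpoint is allowed to assign; any other value is rejected with a 400. */
const ASSIGNABLE_ROLES: readonly UserRole[] = ['super_admin', 'staff']

/** Narrows an untrusted body value to one of the assignable roles. */
function isAssignableRole(value: unknown): value is UserRole {
  return typeof value === 'string' && ASSIGNABLE_ROLES.some((role) => role === value)
}

/**
 * Reads an optional string field from an untrusted request body.
 *
 * @returns the field's value when it is a string, `undefined` when it is absent or null
 * @throws a 400 error when the field is present but not a string, so malformed input is
 *   reported to the caller instead of surfacing as a TypeError (500) from `.trim()`
 *   or from the phone-number helpers
 */
function readOptionalString(body: Record<string, unknown>, field: string): string | undefined {
  const value = body[field]
  if (value === undefined || value === null) {
    return undefined
  }
  if (typeof value !== 'string') {
    throw createError({ statusCode: 400, statusMessage: `${field} must be a string` })
  }
  return value
}

/**
 * Lets a super admin update another user's display name, phone number and role.
 *
 * Authorization: the caller must hold the `super_admin` role (`requireRole`).
 * Validation order: body shape → field types → business rules → target existence →
 * self-demotion guard, so a super admin cannot change their own role through this endpoint.
 *
 * @throws 400 on a missing id, a malformed body, an invalid field, or an attempted self-demotion
 * @throws 404 when no user has the given id
 */
export default defineEventHandler(async (event) => {
  const auth = await requireRole(event, 'super_admin')
  const userId = getRouterParam(event, 'id')
  if (!userId) {
    throw createError({ statusCode: 400, statusMessage: 'User id is required' })
  }

  // readBody's type parameter is only a cast; treat the payload as unknown until it is checked,
  // otherwise an empty or non-object body makes the field accesses below throw a TypeError.
  const raw: unknown = await readBody(event)
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw createError({ statusCode: 400, statusMessage: 'Request body must be a JSON object' })
  }
  const body = raw as Record<string, unknown>

  // `||` rather than `??` is intentional: a whitespace-only name collapses to '' and fails the length check.
  const fullName = readOptionalString(body, 'fullName')?.trim() || ''
  const phoneNumber = normalizePhoneNumber(readOptionalString(body, 'phoneNumber') || '')
  const role = body.role

  if (fullName.length < 2) {
    throw createError({ statusCode: 400, statusMessage: 'Display name must be at least 2 characters' })
  }
  if (!isValidPhoneNumber(phoneNumber)) {
    throw createError({ statusCode: 400, statusMessage: 'Phone number must contain 8 to 15 digits' })
  }
  if (!isAssignableRole(role)) {
    throw createError({ statusCode: 400, statusMessage: 'Role is invalid' })
  }

  const user = await getUserById(userId)
  if (!user) {
    throw createError({ statusCode: 404, statusMessage: 'User not found' })
  }

  // A super admin may not strip their own super_admin role.
  if (auth.user.id === userId && role !== 'super_admin') {
    throw createError({ statusCode: 400, statusMessage: 'You cannot remove your own super admin access' })
  }

  const updatedUser = await updateUserProfile({ userId, fullName, phoneNumber, role })
  return { user: updatedUser }
})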