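defmodule DaProductAppWeb.Router do
  @moduledoc """
  HTTP and LiveView routing for `DaProductAppWeb`.

  What each pipeline actually guarantees to the controller behind it:

    * `:browser`  - session, live flash, root layout, CSRF (`protect_from_forgery`),
                    secure browser headers + CSP, and `fetch_current_user`
                    (the current user is *loaded*, not *required*).
    * `:non_csrf` - session + secure headers, **no** CSRF check. Intended for
                    server-to-server callbacks. Nothing in it authenticates the
                    caller, so actions behind it must verify the caller
                    themselves (signature / shared secret) and must not use
                    session state for authorization.
    * `:api`      - JSON content negotiation only. No authentication at all.
    * `:api_auth` - JSON + `DaProductAppWeb.Plugs.ApiKeyAuth`.

  Routes are matched in definition order; the first matching route wins, so a
  path defined under `:api_auth` before an identical path under `:api` is only
  ever served through `:api_auth`.
  """
  use DaProductAppWeb, :router

  import DaProductAppWeb.UserAuth

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {DaProductAppWeb.Layouts, :root}
    plug :protect_from_forgery

    # Content-Security-Policy, merged with Phoenix's default secure headers.
    # NOTE(review): `script-src 'unsafe-inline'` removes most of the XSS
    # protection CSP provides; if the root layout only loads scripts from
    # /assets and the ariticapp origin, drop it (or switch to a per-request
    # nonce). `img-src *` lets any origin be reached via image loads; narrow it
    # to the origins actually used. Verify against the layouts before tightening.
    plug :put_secure_browser_headers, %{
      "content-security-policy" =>
        "default-src 'self'; " <>
          "script-src 'self' 'unsafe-inline' https://testapp.ariticapp.com; " <>
          "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/ag-grid-community https://cdn.jsdelivr.net/npm/ag-charts-community; " <>
          "img-src * data:; " <>
          "font-src 'self' https://fonts.gstatic.com data:; " <>
          "connect-src 'self' wss://ariticapp.com;"
    }

    plug :fetch_current_user
  end

  pipeline :api do
    plug :accepts, ["json"]
  end

  pipeline :api_auth do
    plug :accepts, ["json"]
    plug DaProductAppWeb.Plugs.ApiKeyAuth
  end

  # Deliberately omits :protect_from_forgery so external systems can POST here.
  # The session is still fetched; controllers must not treat a session user as
  # authorization for these requests, because any origin can trigger them.
  pipeline :non_csrf do
    plug :accepts, ["html", "json"]
    plug :fetch_session
    plug :put_secure_browser_headers
  end

  # ---------------------------------------------------------------------------
  # Public browser routes
  # ---------------------------------------------------------------------------
  scope "/", DaProductAppWeb do
    pipe_through :browser

    get "/", PageController, :home

    # Payment confirmation page. `protect_from_forgery` only validates
    # state-changing methods, so this GET is not CSRF-checked, and the POST
    # variant below is routed through :non_csrf. Treat `order_confirmation`
    # as a CSRF-exempt action and keep it free of session-trusting side effects.
    get "/order/confirmation", PageController, :order_confirmation

    live "/form", FormLive, :index
    live "/live", PageLive, :index
    live "/live/modal/:size", PageLive, :modal

    # NOTE(review): same LiveView/action as the authenticated
    # "/sbomcomponent/:origin" route below, but reachable without
    # :require_authenticated_user or a live_session on_mount. Confirm that
    # SbomComponentLive.slide_over is meant to be public.
    live "/live/slide_over/:origin", SbomComponentLive, :slide_over
    live "/live/pagination/:page", PageLive, :pagination
  end

  # Payment callback routes (POST, no CSRF) for the external payment simulator.
  # The pipeline gives these actions no caller authentication; they must verify
  # a callback signature / shared secret before acting on the payload.
  scope "/", DaProductAppWeb do
    pipe_through :non_csrf

    post "/order/confirmation", PageController, :order_confirmation
    post "/payment/callback", PageController, :payment_callback
  end

  # ---------------------------------------------------------------------------
  # Authenticated user routes
  # ---------------------------------------------------------------------------
  scope "/", DaProductAppWeb do
    pipe_through [:browser, :require_authenticated_user]

    live_session :default, on_mount: [{DaProductAppWeb.UserAuth, :mount_current_user}] do
      live "/dashboard", DashboardLive, :index
      live "/sbomcomponent", SbomComponentLive, :index
      live "/sbomcomponent/:origin", SbomComponentLive, :slide_over
      live "/workflow", WorkflowLive
      live "/software", SoftwareLive
      live "/software/:id", SoftwareLive.Show
    end
  end

  # Payment Gateway routes - integrated at /pgpayments.
  # Only compiled in when the gateway router is available.
  if Code.ensure_loaded?(PaymentGatewayAppWeb.Router) do
    scope "/" do
      # Use full browser session/CSRF plumbing for forwarded LiveView routes.
      # Forwarding through :non_csrf can cause LiveView join to fall back to
      # hard reload loops (stale/unauthorized redirects).
      pipe_through :browser

      forward "/pgpayments", PaymentGatewayAppWeb.Router
    end
  end

  # Development-only routes (LiveDashboard, Swoosh mailbox preview).
  # Gated at compile time so they do not exist in production builds, and still
  # behind :require_authenticated_user when they do exist.
  if Application.compile_env(:da_product_app, :dev_routes) do
    import Phoenix.LiveDashboard.Router

    scope "/dev" do
      pipe_through [:browser, :require_authenticated_user]

      live_dashboard "/dashboard-system", metrics: DaProductAppWeb.Telemetry
      forward "/mailbox", Plug.Swoosh.MailboxPreview
    end
  end

  # ---------------------------------------------------------------------------
  # Authentication routes - redirect if already authenticated
  # ---------------------------------------------------------------------------
  scope "/", DaProductAppWeb do
    pipe_through [:browser, :redirect_if_user_is_authenticated]

    live_session :redirect_if_user_is_authenticated,
      on_mount: [{DaProductAppWeb.UserAuth, :redirect_if_user_is_authenticated}] do
      live "/users/register", UserRegistrationLive, :new
      live "/users/log_in", UserLoginLive, :new
      live "/users/reset_password", UserForgotPasswordLive, :new
      live "/users/reset_password/:token", UserResetPasswordLive, :edit

      # NOTE(review): placing a transaction detail page in this session means it
      # is served only to anonymous users and logged-in users are redirected
      # away. The router enforces no access control on :id here; if this is an
      # intentionally public receipt page the LiveView must authorize the id
      # itself (e.g. via an unguessable token), otherwise it likely belongs under
      # :require_authenticated_user.
      live "/transactions/:id", TransactionLive.Show, :show
    end

    post "/users/log_in", UserSessionController, :create
  end

  # Settings routes - require authentication
  scope "/", DaProductAppWeb do
    pipe_through [:browser, :require_authenticated_user]

    live_session :require_authenticated_user,
      on_mount: [{DaProductAppWeb.UserAuth, :ensure_authenticated}] do
      live "/users/settings", UserSettingsLive, :edit
      live "/users/settings/confirm_email/:token", UserSettingsLive, :confirm_email
    end
  end

  # Public user routes
  scope "/", DaProductAppWeb do
    pipe_through :browser

    delete "/users/log_out", UserSessionController, :delete

    live_session :current_user, on_mount: [{DaProductAppWeb.UserAuth, :mount_current_user}] do
      live "/users/confirm/:token", UserConfirmationLive, :edit
      live "/users/confirm", UserConfirmationInstructionsLive, :new
    end
  end

  # Non-CSRF routes (transaction webhooks). Same caveat as the payment
  # callbacks: no caller authentication happens in the pipeline.
  scope "/", DaProductAppWeb do
    pipe_through :non_csrf

    post "/transaction_post", TransactionPostController, :new
  end

  # ========================================
  # SECTION 1: PUBLIC API (NO AUTH REQUIRED)
  # ========================================
  scope "/api", DaProductAppWeb do
    pipe_through :api

    post "/device/initiate", DeviceInitiateController, :initiate
    post "/device", DeviceController, :initiate
    post "/Iotmsgtest/createQrMf", QRMoreFunController, :initiate
    post "/qrmorefun/status", QRMoreFunController, :status
    post "/device/status", DeviceInitiateController, :status
  end

  # ========================================
  # SECTION 2: PROTECTED API (AUTH REQUIRED)
  # ========================================
  scope "/api", DaProductAppWeb do
    pipe_through :api_auth

    # QR & Payment Processing
    post "/generate_qr", QRGenerationController, :generate
    post "/qr", QRController, :generate
    post "/alipay/dummy/notify", QRController, :notify

    # NOTE(review): if Alipay's servers call this directly they will not carry
    # this app's API key; gateway notifications are normally authenticated by
    # the gateway's own signature. Confirm ApiKeyAuth is the intended gate.
    post "/alipay/notify_payment", AlipayWebhookController, :notify_payment
    post "/qr/initiate", QRInitiateController, :initiate
    post "/qr/status", QRInitiateController, :status

    # Transaction Processing
    post "/processTransaction", QRMiddleLayerController, :processTransaction
    post "/processNewMiddleTransaction", QRNewMiddleLayerController, :processTransaction
    post "/cancelPayment", QRMiddleLayerController, :cancel_payment
    post "/refundPayment", QRMiddleLayerController, :refund_payment
    post "/reprint_last", ReprintController, :last

    # Merchant Transactions & Details.
    # This is the only definition of GET /api/merchantTransactions; keep it in
    # the authenticated scope (an earlier copy under :api was shadowed by this
    # one and has been removed so it cannot silently become public).
    get "/merchantTransactions", TransactionsController, :get_transactions
  end

  # ========================================
  # SECTION 3: TRANSACTION RULES SERVICE
  # ========================================
  scope "/v1/transaction-rules", DaProductAppWeb do
    pipe_through :api

    post "/evaluate", TransactionRulesController, :evaluate
  end

  # ========================================
  # SECTION 4: MERCHANT ASSETS
  # ========================================
  scope "/v1/merchant", DaProductAppWeb do
    pipe_through :api

    get "/logo/:user_id", MerchantLogoController, :show
  end

  # ========================================
  # SECTION 5: GENERAL MERCHANT API
  # ========================================
  # NOTE(review): this scope runs through :api, which only negotiates JSON and
  # performs no authentication. It includes mutating and admin endpoints
  # (create/update/delete store, device updates, /admin/*, payment
  # notify-success). Unless every controller action here enforces its own
  # caller authentication, these should move under :api_auth; confirm before
  # relying on the controllers.
  scope "/api", DaProductAppWeb do
    pipe_through :api

    # Merchant Transactions & Devices
    get "/merchantDevices", TransactionsController, :get_device_ids
    get "/merchantStores", TransactionsController, :get_store_details
    get "/merchantDeviceDetails", TransactionsController, :get_device_details

    # Store & Device Details
    get "/storeDetails", MerchantApiController, :get_store_detail
    get "/deviceDetails", MerchantApiController, :get_device_detail

    # Merchant API Endpoints
    get "/merchant/hierarchy", MerchantApiController, :get_merchant_hierarchy
    get "/merchant/brands", MerchantApiController, :get_merchant_brands
    get "/merchant/providers", MerchantApiController, :get_providers
    get "/merchant/storeDetails", MerchantApiController, :get_store_details

    # Transaction Queries
    post "/transactions", MerchantApiController, :get_total_transactions
    post "/cardTransactions", MerchantApiController, :get_total_card_transactions
    post "/staticqrtransactions", MerchantApiController, :get_static_qr_transactions
    get "/uniqueDeviceDetails", MerchantApiController, :get_unique_device_detail

    # Group & Chain Management
    post "/chain", MerchantApiController, :create_group
    put "/chain", MerchantApiController, :update_group

    # Store Management
    post "/store", MerchantApiController, :create_store
    put "/store", MerchantApiController, :update_store
    delete "/store", MerchantApiController, :delete_store

    # Merchant Store QR
    post "/merchant/store/qr", MerchantApiController, :get_merchant_store_qr

    # Device & Terminal Management
    post "/merchant/saveDevice", MerchantApiController, :get_save_device
    post "/merchant/updateDevice", MerchantApiController, :updateDevice
    post "/merchant/forceUpdateDevice", MerchantApiController, :forceUpdateDevice

    # Address & Details
    post "/merchant/saveStoreAndAddress", MerchantApiController, :save_store_and_address
    post "/merchant/createGroupAndBrand", MerchantApiController, :create_group_and_brand
    post "/merchant/checkDuplicateTidMid", MerchantApiController, :check_duplicate_tid_mid
    post "/merchant/checkDuplicateYspTidMid", MerchantApiController, :check_duplicate_ysp_tid_mid

    # Terminal Management (Shukria)
    post "/merchant/getTerminalsDetails", MerchantApiController, :get_terminals_details
    post "/merchant/getShukriaTerminalsDetails", MerchantApiController, :getShukriaTerminalsDetails
    post "/merchant/createShukriaTerminalsDetails", MerchantApiController, :createShukriaTerminalsDetails

    # Provider Management
    post "/merchant/getProvidersByAlias", MerchantApiController, :getProvidersByAlias
    post "/merchant/updateShukriaProviderMidTid", MerchantApiController, :updateShukriaProviderMidTid
    post "/merchant/updateShukriaYspMidTid", MerchantApiController, :updateShukriaYspMidTid
    post "/merchant/checkExistingAnniShukriaTerminal", MerchantApiController, :checkExistingAnniShukriaTerminal

    # Store Updates
    post "/merchant/updateStore", MerchantApiController, :updateStore

    # Payment Notifications. Unauthenticated at the router level; the action
    # must validate the notification (signature / idempotency) before marking
    # anything as paid.
    post "/payment/notify-success", PaymentNotificationController, :process_payment_success
    post "/merchant/saveMerchantBatchNumber", MerchantApiController, :save_merchant_batch_number

    # Transaction Details
    get "/getTransactionDetailFromEmail", TransactionsController, :get_transaction_by_email
    get "/getCustomLogFromTxnId", TransactionsController, :get_custom_log_from_txn_id
    get "/getDeviceDetailFromDeviceId", TransactionsController, :get_device_by_device_id
    get "/getStoreDetailFromStoreId", TransactionsController, :get_store_by_store_id

    # Card Transactions
    get "/getAllCardTransaction", PosTransactionController, :get_all_card_transaction
    get "/getCardTransactionById/:id", PosTransactionController, :get_card_transaction_by_id
    get "/getAllMerchantCardTransaction", PosTransactionController, :get_all_merchant_card_transaction
    get "/getDeviceDetailFromDeviceIdTerminalId", PosTransactionController, :get_device_detail_by_serial_terminal_id
    get "/getDeviceDetailFromDeviceIdProviderId", PosTransactionController, :get_device_by_device_id_provider_id

    # MCC Code Management
    post "/addMCCCode", MerchantApiController, :add_mcc_code

    # Refund Details
    post "/merchant/transactionRefundDetails", MerchantApiController, :get_transaction_refund_details

    # Admin
    get "/admin/transactions", MerchantApiController, :get_admin_transactions
    get "/admin/cardTransactions", MerchantApiController, :get_admin_card_transactions
  end
end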