import { Router } from 'express';
import bcrypt from 'bcryptjs';
import { signToken } from '../middleware/auth';

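const router = Router();

/**
 * Usernames accepted as admin logins in addition to the literal "admin" that
 * the login route also allows (the route's own comment calls these Telegram IDs).
 * Read from the comma-separated CRM_ADMIN_IDS variable; blank entries are
 * dropped so a stray or trailing comma cannot put an empty string on the
 * allow-list.
 */
const ADMIN_IDS = (process.env.CRM_ADMIN_IDS || '1051808861')
  .split(',')
  .map(s => s.trim())
  .filter(s => s.length > 0);

// bcrypt hash of the shared admin password. It is null until hashing finishes
// and stays null when no password is configured, in which case the login
// route answers 500 instead of authenticating anyone.
let adminPasswordHash: string | null = null;
(async () => {
  const pwd = process.env.CRM_ADMIN_PASSWORD;
  if (!pwd) {
    // Fail closed: a built-in fallback password would be readable by anyone
    // with access to the source, so an unconfigured deployment must not
    // accept logins at all.
    console.error('CRM_ADMIN_PASSWORD is not set; admin login is disabled until it is configured');
    return;
  }
  adminPasswordHash = await bcrypt.hash(pwd, 10);
})().catch((err: unknown) => {
  // Without this handler a hashing failure would surface as an unhandled
  // promise rejection; the hash stays null and login keeps failing closed.
  console.error('Failed to hash admin password:', err);
});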

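/**
 * POST /api/auth/login
 *
 * Expects `username` and `password` strings in the request body. All admins
 * share one password; the username only has to be "admin" or one of ADMIN_IDS.
 *
 * Responses:
 *   400: a field is missing, empty, or not a string
 *   401: unknown username or wrong password (same body for both)
 *   500: password hash not available, or an unexpected error
 *   200: `{ token, username }`, with the token produced by signToken(username)
 *
 * NOTE(review): nothing in this file throttles attempts; confirm that rate
 * limiting or lockout is applied where the router is mounted.
 */
router.post('/login', async (req, res) => {
  try {
    // req.body is undefined when no body parser ran; default to an empty
    // object so that case is a 400 rather than a thrown TypeError.
    const { username, password } = req.body ?? {};

    // Require non-empty strings. A JSON body can carry numbers, arrays or
    // objects here, which would otherwise reach bcrypt.compare and throw.
    if (
      typeof username !== 'string' ||
      typeof password !== 'string' ||
      !username ||
      !password
    ) {
      res.status(400).json({ error: 'Username and password required' });
      return;
    }

    if (!adminPasswordHash) {
      res.status(500).json({ error: 'Server not ready' });
      return;
    }

    // Check if username is a valid admin (telegram ID or "admin")
    const isAdmin = username === 'admin' || ADMIN_IDS.includes(username);

    // Always run the bcrypt comparison, even for an unknown username, so the
    // response time does not reveal which usernames are on the allow-list.
    const passwordOk = await bcrypt.compare(password, adminPasswordHash);
    if (!isAdmin || !passwordOk) {
      res.status(401).json({ error: 'Invalid credentials' });
      return;
    }

    const token = signToken(username);
    res.json({ token, username });
  } catch (err: unknown) {
    // Keep the detail in the server log only; internal error text is not
    // returned to an unauthenticated client.
    console.error('Auth error:', err);
    res.status(500).json({ error: 'Internal server error' });
  }
});

export default router;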
