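use actix_web::{HttpResponse, web};

use crate::api::response::{ApiEmptyResponse, ApiErrorResponse};
use crate::error::AppError;
use crate::service::AppService;
use crate::service::auth::totp::Disable2FAParams;
use crate::session::Session;

/// `POST /api/v1/auth/2fa/disable` — disable TOTP two-factor authentication
/// for the currently signed-in user.
///
/// This is a thin transport layer: it forwards the caller's [`Session`] and the
/// deserialized request body to `service.auth.auth_2fa_disable` and turns the
/// outcome into an HTTP response. All security-relevant work — decrypting the
/// RSA-wrapped password, checking the TOTP/backup code, consuming a used backup
/// code and persisting the change — happens inside the service, not here.
///
/// # Arguments
/// * `service` - the application service container; only `service.auth` is used.
/// * `session` - the caller's session as extracted by actix. Per the documented
///   401 response, an unauthenticated session is rejected downstream.
/// * `params` - JSON body holding the TOTP/backup code and the current password
///   encrypted with the session's RSA public key (see [`Disable2FAParams`]).
///
/// # Errors
/// Propagates the [`AppError`] returned by the service unchanged via `?`; the
/// 400/401/500 mapping described in the OpenAPI block is decided there, and
/// nothing is swallowed or re-mapped in this handler.
///
/// NOTE(review): the order in which the service verifies the password versus
/// the backup code is not visible from this file. If a backup code is consumed
/// before a failing password check, a caller holding only the session (e.g. a
/// stolen cookie) could burn backup codes without knowing the password —
/// confirm the password is verified first, or the code is consumed only after
/// both checks succeed.
/// NOTE(review): a 6-digit TOTP is brute-forceable if this route has no
/// rate limit or lockout; nothing in this handler enforces one, so confirm it
/// is applied by middleware or inside the service.
#[utoipa::path(
    post,
    path = "/api/v1/auth/2fa/disable",
    tag = "Auth / 2FA",
    operation_id = "authDisableTwoFactor",
    summary = "Disable two-factor authentication",
    description = "Disable TOTP two-factor authentication for the current signed-in user. This requires verifying both the current password and a valid TOTP code or backup code. password must be encrypted with the current session RSA public key; a successfully verified backup code is consumed.",
    request_body(
        content = Disable2FAParams,
        description = "TOTP/backup code and the current password encrypted with RSA.",
        content_type = "application/json"
    ),
    responses(
        (status = 200, description = "2FA has been disabled.", body = ApiEmptyResponse),
        (status = 400, description = "2FA is not enabled, the verification code is incorrect, the password is incorrect, or RSA decryption failed.", body = ApiErrorResponse),
        (status = 401, description = "The current session is not authenticated.", body = ApiErrorResponse),
        (status = 500, description = "Database write failed.", body = ApiErrorResponse)
    )
)]
pub async fn handle(
    service: web::Data<AppService>,
    session: Session,
    params: web::Json<Disable2FAParams>,
) -> Result<HttpResponse, AppError> {
    // `into_inner` hands ownership of the body to the service so the
    // decrypted password never has to be cloned out of the extractor.
    service
        .auth
        .auth_2fa_disable(&session, params.into_inner())
        .await?;

    Ok(HttpResponse::Ok().json(ApiEmptyResponse::ok("two-factor authentication disabled")))
}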