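use actix_web::{HttpResponse, web};

use crate::api::response::{ApiErrorResponse, ApiResponse};
use crate::error::AppError;
use crate::service::AppService;
use crate::service::auth::totp::Enable2FAResponse;
use crate::session::Session;

// NOTE(review): the extracted listing had lost its generic arguments
// (`web::Data`, `Result`, `body = ApiResponse`). They are restored below from
// the imports that were otherwise unused (`AppService`, `AppError`,
// `Enable2FAResponse`) — confirm against the repository copy.

/// Starts two-factor enrolment for the signed-in user.
///
/// Delegates to `service.auth.auth_2fa_enable(&session)` and returns its
/// result wrapped in [`ApiResponse`] as a `200 OK` JSON body. Per the OpenAPI
/// description below, that payload carries the new TOTP secret, the otpauth
/// QR-code URI and the plaintext backup codes, and 2FA stays disabled until
/// the client confirms a code through `/auth/2fa/verify`.
///
/// # Errors
///
/// Propagates any error returned by `auth_2fa_enable`. The documented 400 /
/// 401 / 500 responses depend on how `AppError` is mapped to HTTP statuses,
/// which is not visible in this file.
///
/// NOTE(review): the authentication check and the "already enabled" rejection
/// are presumably enforced by the `Session` extractor and/or the service —
/// confirm, since nothing in this handler checks either condition itself.
#[utoipa::path(
    post,
    path = "/api/v1/auth/2fa/enable",
    tag = "Auth / 2FA",
    operation_id = "authPrepareTwoFactorEnable",
    summary = "Initialize two-factor authentication setup",
    description = "Generate a new TOTP secret, otpauth QR-code URI, and 10 one-time backup codes for the current signed-in user, and save them in a not-yet-enabled state. Clients must guide the user to scan the QR code and call /auth/2fa/verify with a dynamic code before 2FA is actually enabled. Backup codes are returned in plaintext only once in this response; frontends must remind users to store them securely.",
    responses(
        (status = 200, description = "2FA setup initialized successfully. Returns the secret, QR-code URI, and backup codes.", body = ApiResponse<Enable2FAResponse>),
        (status = 400, description = "The current user has already enabled 2FA.", body = ApiErrorResponse),
        (status = 401, description = "The current session is not authenticated.", body = ApiErrorResponse),
        (status = 500, description = "Database write or backup code hashing failed.", body = ApiErrorResponse)
    )
)]
pub async fn handle(
    service: web::Data<AppService>,
    session: Session,
) -> Result<HttpResponse, AppError> {
    let data = service.auth.auth_2fa_enable(&session).await?;

    // The body holds long-lived authentication secrets (TOTP seed, backup
    // codes) that are shown exactly once. `no-store` tells browsers and
    // intermediaries not to keep a copy in any cache. Keep this payload out of
    // request/response logging as well.
    Ok(HttpResponse::Ok()
        .insert_header(("Cache-Control", "no-store"))
        .json(ApiResponse::new(data)))
}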