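use actix_web::{web, HttpResponse};

use crate::api::response::{ApiErrorResponse, ApiResponse};
use crate::error::AppError;
use crate::service::auth::rsa::RsaResponse;
use crate::service::AppService;
use crate::session::Session;

/// `GET /api/v1/auth/rsa` — return the current session's RSA public key
/// (PKCS#1 PEM) so the browser can RSA-OAEP-SHA256 encrypt sensitive form
/// fields before submitting them.
///
/// This handler is a thin adapter: generating a key pair, reusing an
/// unexpired one, and AEAD-wrapping the private key into the server-side
/// session are all done by `AppService::auth.auth_rsa`. No key material is
/// handled here, and only the public half is serialised into the response.
///
/// # Errors
///
/// Propagates any [`AppError`] returned by the service (per the OpenAPI
/// description: missing `APP_SESSION_SECRET`, RSA generation failure, or a
/// failed session write). The conversion of that error into an HTTP 500 /
/// [`ApiErrorResponse`] is done by `AppError`'s `ResponseError` impl, which
/// lives outside this file.
#[utoipa::path(
    get,
    path = "/api/v1/auth/rsa",
    tag = "Auth",
    operation_id = "authGetRsaPublicKey",
    summary = "Get login form RSA public key",
    description = "Generate or reuse a temporary RSA-2048 key pair for the current browser session and return the public key in PKCS#1 PEM format. Clients should use this public key to encrypt sensitive fields such as passwords with RSA-OAEP-SHA256 before submitting login, registration, password reset, or 2FA disable requests. The private key is encrypted with AEAD and stored only in the server-side session; it is never returned to clients.",
    responses(
        (status = 200, description = "Return the RSA public key available for the current session; if an unexpired key already exists in the session, reuse the existing public key.", body = ApiResponse<RsaResponse>),
        (status = 500, description = "APP_SESSION_SECRET is missing, RSA generation failed, or session write failed.", body = ApiErrorResponse)
    )
)]
pub async fn handle(
    service: web::Data<AppService>,
    session: Session,
) -> Result<HttpResponse, AppError> {
    // `?` hands the service error straight to AppError's HTTP mapping.
    // NOTE(review): that mapping is not visible here — confirm it does not
    // echo internal causes (e.g. the missing-secret message) to the client.
    let data = service.auth.auth_rsa(&session).await?;
    Ok(HttpResponse::Ok().json(ApiResponse::new(data)))
}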