use actix_web::{HttpResponse, web};

use crate::api::response::{ApiEmptyResponse, ApiErrorResponse};
use crate::error::AppError;
use crate::service::AppService;
use crate::service::auth::totp::Verify2FAParams;
use crate::session::Session;

/// `POST /api/v1/auth/2fa/verify` — confirm a pending TOTP enrollment.
///
/// The caller submits the code shown by the authenticator app after
/// `/auth/2fa/enable`. The code check and the switch of the user's 2FA
/// status to "enabled" happen in the auth service reached through
/// [`AppService`]; this handler only adapts HTTP to that call.
///
/// # Errors
///
/// Whatever `auth_2fa_verify_and_enable` returns as an error is propagated
/// with `?`. The documented 400/401/500 responses are presumably produced
/// by the conversion into [`AppError`] — confirm in the service and the
/// error type's `ResponseError` impl.
///
/// NOTE(review): the generic parameters of the signature were lost in the
/// rendering of this page and are restored from the file's imports
/// (`AppService`, `Verify2FAParams`, `AppError`); confirm against the
/// source file.
///
/// NOTE(review): no throttling or attempt counter is visible at this layer.
/// A 6-digit code accepted across three 30-second windows is guessable
/// without a limit on attempts; verify the service or a middleware bounds
/// failed verifications per session/user.
#[utoipa::path(
    post,
    path = "/api/v1/auth/2fa/verify",
    tag = "Auth / 2FA",
    operation_id = "authVerifyAndEnableTwoFactor",
    summary = "Verify and enable two-factor authentication",
    description = "After initializing with /auth/2fa/enable, submit the 6-digit TOTP code generated by the authenticator app. On success, the current user's 2FA status is set to enabled. A small clock drift of one 30-second window before or after is allowed.",
    request_body(
        content = Verify2FAParams,
        description = "The 6-digit TOTP code generated by the authenticator app.",
        content_type = "application/json"
    ),
    responses(
        (status = 200, description = "2FA has been enabled.", body = ApiEmptyResponse),
        (status = 400, description = "2FA has not been initialized, is already enabled, or the verification code is incorrect.", body = ApiErrorResponse),
        (status = 401, description = "The current session is not authenticated.", body = ApiErrorResponse),
        (status = 500, description = "Database write failed.", body = ApiErrorResponse)
    )
)]
pub async fn handle(
    service: web::Data<AppService>,
    session: Session,
    params: web::Json<Verify2FAParams>,
) -> Result<HttpResponse, AppError> {
    // Unwrap the JSON extractor once; the service owns the parameters from here.
    let verify_params = params.into_inner();

    // Any failure (bad code, wrong enrollment state, storage error) surfaces
    // here via `?`; nothing is decided in the handler itself.
    service
        .auth
        .auth_2fa_verify_and_enable(&session, verify_params)
        .await?;

    let body = ApiEmptyResponse::ok("two-factor authentication enabled");
    Ok(HttpResponse::Ok().json(body))
}