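use actix_web::{HttpResponse, web};

use crate::api::response::{ApiEmptyResponse, ApiErrorResponse};
use crate::error::AppError;
use crate::service::AppService;
use crate::service::auth::reset_pass::ResetPasswordVerifyParams;
use crate::session::Session;

/// Completes a password reset: `POST /api/v1/auth/reset-password/verify`.
///
/// The handler is a thin adapter. It unwraps the JSON body and passes it,
/// together with the caller's [`Session`], to
/// `service.auth.auth_reset_password_verify`. Token lookup and expiry, RSA
/// decryption of the new password, the strength check, Argon2id hashing and
/// token deletion are described in the OpenAPI text below but are implemented
/// in the service layer, not in this function.
///
/// # Errors
///
/// Any error returned by the service call is propagated with `?` and rendered
/// by `AppError`. The documented statuses are 400 and 500.
#[utoipa::path(
    post,
    path = "/api/v1/auth/reset-password/verify",
    tag = "Auth",
    operation_id = "authVerifyPasswordReset",
    summary = "Confirm password reset",
    description = "Set a new password using the token from the password reset email. password must be encrypted with the current session RSA public key; the new password is strength-checked and rehashed with Argon2id. The token is deleted immediately after successful use; expired or missing tokens fail.",
    request_body(
        content = ResetPasswordVerifyParams,
        description = "The reset token and new password encrypted with RSA.",
        content_type = "application/json"
    ),
    responses(
        (status = 200, description = "Password reset succeeded.", body = ApiEmptyResponse),
        (status = 400, description = "The token is invalid or expired, RSA decryption failed, or the password is too weak.", body = ApiErrorResponse),
        (status = 500, description = "Database update or password hashing failed.", body = ApiErrorResponse)
    )
)]
pub async fn handle(
    service: web::Data<AppService>,
    session: Session,
    params: web::Json<ResetPasswordVerifyParams>,
) -> Result<HttpResponse, AppError> {
    // NOTE(review): nothing in this handler throttles repeated attempts or
    // revokes the account's other active sessions once the password changes.
    // Confirm that middleware or `auth_reset_password_verify` covers both.
    // NOTE(review): `params` carries the reset token; confirm that request
    // logging does not record the body.
    let reset_request = params.into_inner();

    service
        .auth
        .auth_reset_password_verify(&session, reset_request)
        .await?;

    // The success body is a fixed message; it includes no account details.
    let body = ApiEmptyResponse::ok("password reset successful");
    Ok(HttpResponse::Ok().json(body))
}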