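use actix_web::{HttpResponse, web};
use serde::Deserialize;
use utoipa::IntoParams;

use crate::api::response::{ApiErrorResponse, ApiResponse};
use crate::error::AppError;
use crate::service::AppService;
use crate::service::user::security::UserPersonalAccessTokenInfo;
use crate::session::Session;

// Pagination parameters read from the query string of `list_tokens`.
//
// NOTE(review): this listing lost its generic arguments (`Option`, `web::Data`,
// `web::Query`, `Result`, `ApiResponse>`). They are restored below from the
// imports and from how each value is used. The integer type inside `Option` is
// not recoverable from the listing; `i64` is assumed -- confirm against the
// signature of `user_personal_access_tokens`.
#[derive(Debug, Deserialize, IntoParams)]
pub struct QueryParams {
    /// Maximum number of tokens to return (default: 50, max: 100)
    pub limit: Option<i64>,
    /// Number of tokens to skip for pagination (default: 0)
    pub offset: Option<i64>,
}

/// List personal access tokens
///
/// Returns a paginated list of all personal access tokens (PATs) for the authenticated user.
/// Tokens are sorted by creation date (newest first).
/// Includes token names, scopes, last used timestamps, and expiry status.
/// Note: Token values are never returned after creation for security reasons.
/// Requires authentication.
#[utoipa::path(
    get,
    path = "/api/v1/user/security/tokens",
    tag = "User",
    operation_id = "userListTokens",
    params(QueryParams),
    responses(
        (status = 200, description = "Personal access tokens listed successfully. Returns array of token metadata objects (token values are never exposed).", body = ApiResponse<Vec<UserPersonalAccessTokenInfo>>),
        (status = 401, description = "Authentication required or session expired", body = ApiErrorResponse),
        (status = 500, description = "Internal server error", body = ApiErrorResponse),
    ),
    security(
        ("session_cookie" = [])
    )
)]
pub async fn list_tokens(
    service: web::Data<AppService>,
    session: Session,
    query: web::Query<QueryParams>,
) -> Result<HttpResponse, AppError> {
    // Default and ceiling exactly as documented on `QueryParams`.
    const DEFAULT_LIMIT: i64 = 50;
    const MAX_LIMIT: i64 = 100;

    // Both numbers come straight from the query string, so the documented
    // ceiling is enforced here at the HTTP boundary instead of being left to
    // the caller: without the clamp a single request could ask for an
    // arbitrarily large page. Negative values are floored at zero so they never
    // reach the storage layer.
    let limit = query.limit.unwrap_or(DEFAULT_LIMIT).clamp(0, MAX_LIMIT);
    let offset = query.offset.unwrap_or(0).max(0);

    // The session is handed to the service, which is presumably what scopes the
    // listing to the calling user -- confirm in `user_personal_access_tokens`.
    let tokens = service
        .user
        .user_personal_access_tokens(&session, limit, offset)
        .await?;

    // NOTE(review): the "token values are never exposed" promise in the API
    // description holds only if `UserPersonalAccessTokenInfo` (defined
    // elsewhere) serializes neither the token secret nor its stored hash.
    Ok(HttpResponse::Ok().json(ApiResponse::new(tokens)))
}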