/**
 * Returns a presigned URL the browser can use to PUT a PDF directly to the
 * active storage backend. The URL is constrained by content-length-range up
 * to `system_settings.berth_pdf_max_upload_mb` (default 15 MB) per §11.1.
 *
 * For S3 backends this is a true signed URL; for filesystem backends it's a
 * CRM-internal proxy URL with an HMAC token (see `FilesystemBackend`).
 */

import { NextResponse } from 'next/server';
import { z } from 'zod';

import { type RouteHandler } from '@/lib/api/helpers';
import { parseBody } from '@/lib/api/route-helpers';
import { db } from '@/lib/db';
import { berths } from '@/lib/db/schema/berths';
import { and, eq } from 'drizzle-orm';
import { errorResponse, NotFoundError, ValidationError } from '@/lib/errors';
import { getMaxUploadMb } from '@/lib/services/berth-pdf.service';
import { getStorageBackend } from '@/lib/storage';

const postBodySchema = z.object({
  fileName: z.string().min(1).max(255),
  /** Size hint in bytes - used to early-reject oversized uploads before we
   *  burn a presigned URL. */
  sizeBytes: z.number().int().nonnegative().optional(),
});

export const postHandler: RouteHandler = async (req, ctx, params) => {
  try {
    const body = await parseBody(req, postBodySchema);
    const fileName = body.fileName.trim();
    if (!fileName) throw new ValidationError('fileName is required');

    // Tenant-scoped berth lookup. Without `eq(berths.portId, ctx.portId)` a
    // rep with berths:edit on port A could mint an upload URL targeting a
    // port-B berth (the storage key namespace would land under that berth's
    // id, leaking access).
    const berthRow = await db.query.berths.findFirst({
      where: and(eq(berths.id, params.id!), eq(berths.portId, ctx.portId)),
    });
    if (!berthRow) throw new NotFoundError('Berth');

    const maxMb = await getMaxUploadMb(berthRow.portId);
    const maxBytes = maxMb * 1024 * 1024;
    if (typeof body.sizeBytes === 'number' && body.sizeBytes > maxBytes) {
      throw new ValidationError(
        `File exceeds ${maxMb} MB upload cap (got ${(body.sizeBytes / 1024 / 1024).toFixed(1)} MB).`,
      );
    }

    // Provisional version number: the actual row insert happens in POST
    // /pdf-versions and re-computes via SELECT max+1 inside a transaction,
    // so a race between two reps just shifts which one wins the version
    // slot. The storage key is gen_random_uuid()-namespaced so collisions
    // in the storage layer are impossible.
    //
    // storage-pathing-auditor H1: prefix the port slug so the
    // filesystem-proxy port-binding token (`p` field) can be wired and
    // the namespace matches `buildStoragePath` (which always leads with
    // the port slug).
    const sanitized = fileName.replace(/[^a-zA-Z0-9._-]/g, '_').slice(0, 200) || 'berth.pdf';
    const storageKey = `${ctx.portSlug}/berths/${params.id!}/uploads/${crypto.randomUUID()}_${sanitized}`;

    const backend = await getStorageBackend();
    const presigned = await backend.presignUpload(storageKey, {
      contentType: 'application/pdf',
      expirySeconds: 900,
      portSlug: ctx.portSlug,
    });

    return NextResponse.json({
      data: {
        url: presigned.url,
        method: presigned.method,
        storageKey,
        maxBytes,
        backend: backend.name,
      },
    });
  } catch (error) {
    return errorResponse(error);
  }
};