// deno-lint-ignore-file
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2'

const corsHeaders = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
}

const json = (body: Record<string, unknown>, status: number) =>
  new Response(JSON.stringify(body), {
    status,
    headers: { ...corsHeaders, 'Content-Type': 'application/json' },
  })

Deno.serve(async (req) => {
  if (req.method === 'OPTIONS') return new Response('ok', { headers: corsHeaders })

  try {
    const authHeader = req.headers.get('Authorization') ?? ''
    if (!authHeader) return json({ error: 'No authorization header' }, 401)

    const callerClient = createClient(
      Deno.env.get('SUPABASE_URL') ?? '',
      Deno.env.get('SUPABASE_ANON_KEY') ?? '',
      { global: { headers: { Authorization: authHeader } } }
    )

    const { data: userData, error: userError } = await callerClient.auth.getUser()
    if (userError || !userData?.user) return json({ error: `Auth failed: ${userError?.message ?? 'no user'}` }, 401)

    const { data: profile, error: profileError } = await callerClient
      .from('profiles').select('role').eq('id', userData.user.id).single()
    if (profileError) return json({ error: `Profile error: ${profileError.message}` }, 500)
    if (profile?.role !== 'team') return json({ error: 'Forbidden: team only' }, 403)

    const body = await req.json()
    const { name, email, password, company_id, role: roleParam } = body
    if (!name || !email || !password) return json({ error: 'name, email and password are required' }, 400)

    const validRoles = ['team', 'client', 'external']
    const role = validRoles.includes(roleParam) ? roleParam : 'client'

    const admin = createClient(
      Deno.env.get('SUPABASE_URL') ?? '',
      Deno.env.get('SUPABASE_SERVICE_ROLE_KEY') ?? ''
    )

    const { data: created, error: createError } = await admin.auth.admin.createUser({
      email,
      password,
      email_confirm: true,
      user_metadata: { name, role },
    })

    if (createError) return json({ error: `Create user failed: ${createError.message}` }, 500)

    if (role === 'client' && company_id && created?.user) {
      const { error: profileUpsertError } = await admin
        .from('profiles')
        .upsert({
          id: created.user.id,
          name,
          email,
          role,
          company_id,
        }, { onConflict: 'id' })
      if (profileUpsertError) return json({ error: `User created but profile setup failed: ${profileUpsertError.message}` }, 500)

      const { error: assignError } = await admin
        .from('profiles').update({ company_id }).eq('id', created.user.id)
      if (assignError) return json({ error: `User created but company assign failed: ${assignError.message}` }, 500)

      const { error: membershipError } = await admin
        .from('company_members')
        .upsert({ company_id, profile_id: created.user.id }, { onConflict: 'company_id,profile_id' })
      if (membershipError) return json({ error: `User created but company membership failed: ${membershipError.message}` }, 500)
    } else if (role === 'external' && created?.user) {
      const { error: profileUpsertError } = await admin
        .from('profiles')
        .upsert({
          id: created.user.id,
          name,
          email,
          role,
          company_id: null,
        }, { onConflict: 'id' })
      if (profileUpsertError) return json({ error: `User created but profile setup failed: ${profileUpsertError.message}` }, 500)
    }

    return json({ success: true }, 200)

  } catch (err) {
    return json({ error: `Unexpected: ${String(err)}` }, 500)
  }
})