import {
  FORBIDDEN_UPLOAD_BODY_KEYS,
  UPLOAD_DATA_URI_ONLY_ERROR,
  assertValidUploadDataUri,
  isExternalImageUrl,
  isRemoteHttpUrl,
  isValidUploadDataUri,
} from "@/lib/media-manager/local-upload-policy"

export type ImageUploadRequestValidation =
  | { ok: true; dataUri: string; body: Record<string, unknown> }
  | { ok: false; error: string }

function asRecord(body: unknown): Record<string, unknown> | null {
  if (!body || typeof body !== "object" || Array.isArray(body)) return null
  return body as Record<string, unknown>
}

function scanUploadBodyForExternalImages(
  obj: Record<string, unknown>,
  path = ""
): string | null {
  for (const [key, val] of Object.entries(obj)) {
    const fieldPath = path ? `${path}.${key}` : key
    const lower = key.toLowerCase()

    if (lower === "datauri" || lower === "data_uri") continue

    if (typeof val === "string") {
      const trimmed = val.trim()
      if (!trimmed) continue

      if (FORBIDDEN_UPLOAD_BODY_KEYS.has(lower) && isRemoteHttpUrl(trimmed)) {
        return `External image links are not allowed (${fieldPath}). Upload from your device only.`
      }

      if (isExternalImageUrl(trimmed)) {
        return `External image links are not allowed (${fieldPath}). Upload from your device only.`
      }

      if (lower !== "datauri" && /^data:image\//i.test(trimmed)) {
        return `Embedded image data is only accepted in dataUri (${fieldPath}).`
      }
    }

    if (val && typeof val === "object") {
      if (Array.isArray(val)) {
        for (let i = 0; i < val.length; i++) {
          const item = val[i]
          if (item && typeof item === "object") {
            const nested = scanUploadBodyForExternalImages(
              item as Record<string, unknown>,
              `${fieldPath}[${i}]`
            )
            if (nested) return nested
          } else if (typeof item === "string" && isExternalImageUrl(item)) {
            return `External image links are not allowed (${fieldPath}[${i}]).`
          }
        }
      } else {
        const nested = scanUploadBodyForExternalImages(val as Record<string, unknown>, fieldPath)
        if (nested) return nested
      }
    }
  }
  return null
}

/** Validate POST body for upload-image API routes — dataUri only, no external URLs. */
export function validateImageUploadRequest(body: unknown): ImageUploadRequestValidation {
  const record = asRecord(body)
  if (!record) {
    return { ok: false, error: "Invalid request body" }
  }

  const externalError = scanUploadBodyForExternalImages(record)
  if (externalError) {
    return { ok: false, error: externalError }
  }

  const dataUri = record.dataUri ?? record.data_uri
  if (!isValidUploadDataUri(dataUri)) {
    return { ok: false, error: UPLOAD_DATA_URI_ONLY_ERROR }
  }

  try {
    const normalized = assertValidUploadDataUri(dataUri)
    return { ok: true, dataUri: normalized, body: record }
  } catch (e) {
    return {
      ok: false,
      error: e instanceof Error ? e.message : UPLOAD_DATA_URI_ONLY_ERROR,
    }
  }
}