#!/bin/bash
# JWT Debug and Verification Script
# This script helps debug JWT token issues between gateway and auth service

set -e

# Configuration
API_BASE="http://localhost:8000"
AUTH_BASE="http://localhost:8001"
EMAIL="test@bakery.com"
PASSWORD="TestPassword123!"

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

log_info() {
    echo -e "${BLUE}ℹ️  $1${NC}"
}

log_success() {
    echo -e "${GREEN}✅ $1${NC}"
}

log_warning() {
    echo -e "${YELLOW}⚠️  $1${NC}"
}

log_error() {
    echo -e "${RED}❌ $1${NC}"
}

log_step() {
    echo -e "${BLUE}🔄 $1${NC}"
}

echo "🔍 JWT Token Debug and Verification Script"
echo "==========================================="

# Step 1: Check JWT Configuration
log_step "Step 1: Checking JWT Configuration Consistency"

log_info "Checking Gateway JWT Settings..."
GATEWAY_JWT_SECRET=$(docker-compose exec -T gateway env 2>/dev/null | grep JWT_SECRET_KEY || echo "NOT_SET")
GATEWAY_JWT_ALGO=$(docker-compose exec -T gateway env 2>/dev/null | grep JWT_ALGORITHM || echo "NOT_SET")

log_info "Checking Auth Service JWT Settings..."
AUTH_JWT_SECRET=$(docker-compose exec -T auth-service env 2>/dev/null | grep JWT_SECRET_KEY || echo "NOT_SET")
AUTH_JWT_ALGO=$(docker-compose exec -T auth-service env 2>/dev/null | grep JWT_ALGORITHM || echo "NOT_SET")

echo "Gateway JWT Secret: $GATEWAY_JWT_SECRET"
echo "Auth Service JWT Secret: $AUTH_JWT_SECRET"
echo "Gateway JWT Algorithm: $GATEWAY_JWT_ALGO"
echo "Auth Service JWT Algorithm: $AUTH_JWT_ALGO"

if [ "$GATEWAY_JWT_SECRET" = "$AUTH_JWT_SECRET" ]; then
    log_success "JWT Secret Keys match!"
else
    log_error "JWT Secret Keys DO NOT match!"
    log_warning "This is likely the cause of the authentication issue"
fi

echo ""

# Step 2: Test Direct Auth Service
log_step "Step 2: Testing Direct Auth Service"

# Login directly to auth service
log_info "Logging in directly to auth service..."
AUTH_LOGIN_RESPONSE=$(curl -s -X POST "$AUTH_BASE/api/v1/auth/login" \
    -H "Content-Type: application/json" \
    -d "{
        \"email\": \"$EMAIL\",
        \"password\": \"$PASSWORD\"
    }")

echo "Direct Auth Login Response:"
echo "$AUTH_LOGIN_RESPONSE" | jq '.' 2>/dev/null || echo "$AUTH_LOGIN_RESPONSE"

# Extract token
DIRECT_TOKEN=$(echo "$AUTH_LOGIN_RESPONSE" | jq -r '.access_token' 2>/dev/null)

if [ "$DIRECT_TOKEN" != "null" ] && [ "$DIRECT_TOKEN" != "" ]; then
    log_success "Direct auth login successful!"
    echo "Token: ${DIRECT_TOKEN:0:50}..."
    
    # Test direct auth verification
    log_info "Testing direct auth token verification..."
    AUTH_VERIFY_RESPONSE=$(curl -s -X POST "$AUTH_BASE/api/v1/auth/verify" \
        -H "Authorization: Bearer $DIRECT_TOKEN")
    
    echo "Direct Auth Verify Response:"
    echo "$AUTH_VERIFY_RESPONSE" | jq '.' 2>/dev/null || echo "$AUTH_VERIFY_RESPONSE"
    
    # Test direct auth /users/me
    log_info "Testing direct auth /users/me endpoint..."
    AUTH_ME_RESPONSE=$(curl -s -X GET "$AUTH_BASE/api/v1/users/me" \
        -H "Authorization: Bearer $DIRECT_TOKEN")
    
    echo "Direct Auth /users/me Response:"
    echo "$AUTH_ME_RESPONSE" | jq '.' 2>/dev/null || echo "$AUTH_ME_RESPONSE"
    
else
    log_error "Direct auth login failed!"
    exit 1
fi

echo ""

# Step 3: Test Gateway Login
log_step "Step 3: Testing Gateway Login"

GATEWAY_LOGIN_RESPONSE=$(curl -s -X POST "$API_BASE/api/v1/auth/login" \
    -H "Content-Type: application/json" \
    -d "{
        \"email\": \"$EMAIL\",
        \"password\": \"$PASSWORD\"
    }")

echo "Gateway Login Response:"
echo "$GATEWAY_LOGIN_RESPONSE" | jq '.' 2>/dev/null || echo "$GATEWAY_LOGIN_RESPONSE"

GATEWAY_TOKEN=$(echo "$GATEWAY_LOGIN_RESPONSE" | jq -r '.access_token' 2>/dev/null)

if [ "$GATEWAY_TOKEN" != "null" ] && [ "$GATEWAY_TOKEN" != "" ]; then
    log_success "Gateway login successful!"
    echo "Token: ${GATEWAY_TOKEN:0:50}..."
else
    log_error "Gateway login failed!"
    exit 1
fi

echo ""

# Step 4: Compare Tokens
log_step "Step 4: Comparing Tokens"

if [ "$DIRECT_TOKEN" = "$GATEWAY_TOKEN" ]; then
    log_success "Tokens are identical (expected)"
else
    log_warning "Tokens are different (unexpected if same login)"
fi

# Decode tokens for comparison
log_info "Decoding direct auth token payload..."
DIRECT_PAYLOAD=$(echo "$DIRECT_TOKEN" | cut -d'.' -f2)
# Add padding if needed
while [ $((${#DIRECT_PAYLOAD} % 4)) -ne 0 ]; do
    DIRECT_PAYLOAD="${DIRECT_PAYLOAD}="
done
echo "$DIRECT_PAYLOAD" | base64 -d 2>/dev/null | jq '.' || echo "Failed to decode"

log_info "Decoding gateway token payload..."
GATEWAY_PAYLOAD=$(echo "$GATEWAY_TOKEN" | cut -d'.' -f2)
# Add padding if needed
while [ $((${#GATEWAY_PAYLOAD} % 4)) -ne 0 ]; do
    GATEWAY_PAYLOAD="${GATEWAY_PAYLOAD}="
done
echo "$GATEWAY_PAYLOAD" | base64 -d 2>/dev/null | jq '.' || echo "Failed to decode"

echo ""

# Step 5: Test Gateway Authentication
log_step "Step 5: Testing Gateway Authentication Middleware"

# Test gateway token verification
log_info "Testing gateway token verification..."
GATEWAY_VERIFY_RESPONSE=$(curl -s -X POST "$API_BASE/api/v1/auth/verify" \
    -H "Authorization: Bearer $GATEWAY_TOKEN")

echo "Gateway Verify Response:"
echo "$GATEWAY_VERIFY_RESPONSE" | jq '.' 2>/dev/null || echo "$GATEWAY_VERIFY_RESPONSE"

# Test gateway /users/me (this is where the issue occurs)
log_info "Testing gateway /users/me endpoint (THE FAILING ENDPOINT)..."
GATEWAY_ME_RESPONSE=$(curl -s -w "\nHTTP_CODE:%{http_code}\n" -X GET "$API_BASE/api/v1/users/me" \
    -H "Authorization: Bearer $GATEWAY_TOKEN")

echo "Gateway /users/me Response:"
echo "$GATEWAY_ME_RESPONSE"

# Check if successful
if echo "$GATEWAY_ME_RESPONSE" | grep -q "HTTP_CODE:200"; then
    log_success "Gateway /users/me endpoint working!"
elif echo "$GATEWAY_ME_RESPONSE" | grep -q "HTTP_CODE:401"; then
    log_error "Gateway /users/me endpoint returning 401 Unauthorized"
    log_warning "This confirms the JWT middleware issue"
else
    log_warning "Gateway /users/me endpoint returned unexpected response"
fi

echo ""

# Step 6: Test with verbose curl to see middleware behavior
log_step "Step 6: Verbose Gateway Request Analysis"

log_info "Making verbose request to gateway /users/me..."
curl -v -X GET "$API_BASE/api/v1/users/me" \
    -H "Authorization: Bearer $GATEWAY_TOKEN" 2>&1 | head -20

echo ""

# Step 7: Recommendations
log_step "Step 7: Recommendations"

if [ "$GATEWAY_JWT_SECRET" != "$AUTH_JWT_SECRET" ]; then
    log_error "CRITICAL: JWT secrets don't match between services"
    echo "Fix: Update your .env file and restart services:"
    echo "export JWT_SECRET_KEY='your-super-secret-jwt-key-change-in-production-min-32-characters-long'"
    echo "docker-compose down && docker-compose up -d"
elif echo "$GATEWAY_ME_RESPONSE" | grep -q "HTTP_CODE:401"; then
    log_warning "JWT secrets match but gateway middleware is still failing"
    echo "Possible causes:"
    echo "1. Gateway middleware token validation logic issue"
    echo "2. Token payload structure mismatch"
    echo "3. Gateway not using updated shared JWT handler"
    echo ""
    echo "Recommended fixes:"
    echo "1. Apply the fixed gateway auth middleware"
    echo "2. Apply the fixed shared JWT handler"
    echo "3. Restart gateway service: docker-compose restart gateway"
else
    log_success "All tests passed! JWT authentication is working correctly."
fi

echo ""
echo "🏁 Debug script completed!"