import { PrismaClient } from '@prisma/client';
import * as bcrypt from 'bcrypt';

// Built-in address for the bootstrap admin; used when INIT_ADMIN_EMAIL is unset or empty.
const DEFAULT_ADMIN_EMAIL = 'itadmin@ff.com';
// E-mail that identifies the bootstrap admin account, overridable through the environment.
const INIT_ADMIN_EMAIL = process.env.INIT_ADMIN_EMAIL || DEFAULT_ADMIN_EMAIL;
// Single Prisma client shared by the whole script; initITAdmin() disconnects it in `finally`.
const prisma = new PrismaClient();

/**
 * Pick the organization that itadmin's Administrator UserRole gets bound to.
 *
 * Historically that UserRole carried organizationId = NULL ("global administrator"
 * semantics). After PR #396 risk-1 removed the silent organization.findFirst() fallback
 * from internal-app-platform issueToken, an admin with no org binding that calls
 * /internal-apps/tokens fails hard with no_organization. The bootstrap therefore binds
 * itadmin to the first organization, ordered by createdAt.
 *
 * NOTE(review): "oldest organization" is a heuristic. In a multi-tenant database the
 * Administrator role lands on whichever org happens to have been created first; confirm
 * that this is the intended tenant before running against a populated environment.
 *
 * @returns the id of the earliest-created organization, or null (after logging a warning)
 *          when none exists yet; the binding can then be patched by hand in SQL or by
 *          rerunning this script once an organization has been created.
 */
async function pickDefaultOrgId(): Promise<string | null> {
  // `as any`: the organization delegate is reached untyped here, exactly as in the original.
  const earliestOrg = await (prisma as any).organization.findFirst({
    orderBy: { createdAt: 'asc' },
    select: { id: true, name: true },
  });

  if (earliestOrg) {
    console.log(`📝 默认 org: ${earliestOrg.name} (${earliestOrg.id})`);
    return earliestOrg.id;
  }

  // Nothing to bind to: warn and let the caller store organizationId = NULL.
  console.log('⚠️  No organization found — Administrator UserRole 将保留 organizationId=NULL');
  console.log('   注意：internal-app-platform 等 org-scoped 模块对该账号会失败，');
  console.log('   建仓后重跑 npm run init:itadmin 自动补绑。');
  return null;
}

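/**
 * Idempotently bootstrap the built-in `itadmin` account with the Administrator role.
 *
 * - If an account matching INIT_ADMIN_EMAIL or the username `itadmin` already exists, make
 *   sure it holds the Administrator role and backfill a NULL organizationId on that
 *   assignment. The existing password is never touched.
 * - Otherwise create the Administrator role when missing, create the user with a
 *   bcrypt-hashed initial password and assign the role.
 *
 * The initial password comes from INIT_ADMIN_PASSWORD when that variable is set (mirroring
 * INIT_ADMIN_EMAIL) and is then never echoed to the console. When it is unset the historical
 * built-in value is kept for backward compatibility; that value is a publicly known
 * credential, so the account must be treated as exposed until the password is changed.
 *
 * User creation and role assignment are separate writes, not a transaction; if the second
 * one fails, rerunning the script takes the "already exists" path and adds the role.
 *
 * Errors are logged and rethrown; the Prisma connection is always closed.
 *
 * @throws Error when the initial password is longer than bcrypt's 72-byte input limit,
 *         plus any error raised by Prisma or bcrypt.
 */
async function initITAdmin(): Promise<void> {
  console.log('🚀 Initializing IT Admin user...\n');

  try {
    // 1. Check whether the user already exists.
    // NOTE(review): the match is e-mail OR username, so any pre-existing account that owns
    // either identifier is treated as the bootstrap admin and is granted Administrator
    // below. Confirm that ordinary sign-up cannot claim the `itadmin` username or this
    // e-mail before running the script against a populated database.
    const existingUser = await prisma.user.findFirst({
      where: {
        OR: [
          { email: INIT_ADMIN_EMAIL },
          { username: 'itadmin' },
        ],
      },
      include: {
        roles: {
          include: {
            role: true,
          },
        },
      },
    });

    if (existingUser) {
      console.log('⚠️  IT Admin user already exists!');
      console.log('   Username:', existingUser.username);
      console.log('   Email:', existingUser.email);
      console.log('   Current roles:', existingUser.roles.map(ur => ur.role.code).join(', '));

      // Look for an existing Administrator assignment.
      const adminRoleAssignment = existingUser.roles.find(ur => ur.role.code === 'Administrator');

      if (!adminRoleAssignment) {
        console.log('\n📝 Adding Administrator role...');

        const adminRole = await prisma.role.findUnique({
          where: { code: 'Administrator' },
        });

        if (adminRole) {
          const defaultOrgId = await pickDefaultOrgId();
          await prisma.userRole.create({
            data: {
              userId: existingUser.id,
              roleId: adminRole.id,
              organizationId: defaultOrgId,
            },
          });
          console.log(`✅ Administrator role assigned (org=${defaultOrgId ?? 'NULL'})`);
        } else {
          console.log('❌ Administrator role not found! Please run: npm run init:permissions');
        }
      } else {
        console.log('✅ User already has Administrator role');

        // Backfill a historical NULL organizationId (after PR #396 risk-1,
        // internal-app-platform requires an org binding).
        if ((adminRoleAssignment as any).organizationId == null) {
          const defaultOrgId = await pickDefaultOrgId();
          if (defaultOrgId) {
            await prisma.userRole.update({
              where: { id: (adminRoleAssignment as any).id },
              data: { organizationId: defaultOrgId },
            });
            console.log(`🔧 修补 Administrator UserRole.organizationId NULL → ${defaultOrgId}`);
          }
        }
      }

      return;
    }

    // Resolve and validate the initial password before any write happens.
    // An unset or empty INIT_ADMIN_PASSWORD falls back to the historical built-in value.
    const suppliedPassword = process.env.INIT_ADMIN_PASSWORD;
    const usingBuiltInPassword = !suppliedPassword;
    const initialPassword = suppliedPassword || 'Admin@2024';
    // bcrypt only hashes the first 72 bytes of its input; refuse a longer password instead
    // of silently creating an admin whose password tail is ignored.
    if (Buffer.byteLength(initialPassword, 'utf8') > 72) {
      throw new Error('INIT_ADMIN_PASSWORD is longer than 72 bytes; bcrypt would ignore the excess');
    }

    // 2. Fetch or create the Administrator role.
    let adminRole = await prisma.role.findUnique({
      where: { code: 'Administrator' },
    });

    if (!adminRole) {
      console.log('📝 Creating Administrator role...');
      adminRole = await prisma.role.create({
        data: {
          code: 'Administrator',
          name: 'Administrator',
          description: 'System administrator with full access',
          isBuiltIn: true,
        },
      });
      console.log('✅ Administrator role created');

      // Permissions are not created here; the operator is pointed at the separate script.
      console.log('📝 Initializing permissions...');
      console.log('   Please run: npm run init:permissions');
    }

    // 3. Hash the initial password (it should be changed after the first login).
    const passwordHash = await bcrypt.hash(initialPassword, 10);

    // 4. Create the user (multi-organization schema: the User table no longer has
    //    departmentId/positionId/managerId).
    console.log('📝 Creating IT Admin user...');
    const itAdminUser = await prisma.user.create({
      data: {
        username: 'itadmin',
        email: INIT_ADMIN_EMAIL,
        passwordHash,
        displayName: 'IT Administrator',
        status: 'ACTIVE',
        source: 'LOCAL',
        phone: null,
        avatar: null,
      },
    });

    console.log('✅ IT Admin user created successfully!');
    console.log('   ID:', itAdminUser.id);
    console.log('   Username:', itAdminUser.username);
    console.log('   Email:', itAdminUser.email);
    console.log('   Display Name:', itAdminUser.displayName);

    // 5. Assign the Administrator role (bound to the first org by default; org-scoped
    //    modules need this after PR #396 risk-1).
    const defaultOrgId = await pickDefaultOrgId();
    await prisma.userRole.create({
      data: {
        userId: itAdminUser.id,
        roleId: adminRole.id,
        organizationId: defaultOrgId,
      },
    });

    console.log(`✅ Administrator role assigned (org=${defaultOrgId ?? 'NULL'})`);

    console.log('\n' + '='.repeat(60));
    console.log('🎉 IT Admin user initialization complete!');
    console.log('='.repeat(60));
    console.log('\n📋 Login credentials:');
    console.log('   Username: itadmin');
    console.log(`   Email: ${INIT_ADMIN_EMAIL}`);
    if (usingBuiltInPassword) {
      // The built-in value is already public in this file, so printing it leaks nothing new.
      console.log('   Password: Admin@2024');
      console.log('\n⚠️  Built-in default password in use. Set INIT_ADMIN_PASSWORD to avoid a well-known credential.');
    } else {
      // stdout of a bootstrap script tends to end up in deploy/CI logs: never echo a
      // secret supplied by the operator.
      console.log('   Password: (taken from INIT_ADMIN_PASSWORD, not printed)');
    }
    console.log('\n⚠️  IMPORTANT: Please change the password after first login!');
    console.log('\n🔗 Login URL: http://localhost:3000/login');
    console.log('');

  } catch (error) {
    console.error('❌ Error initializing IT Admin user:', error);
    throw error;
  } finally {
    await prisma.$disconnect();
  }
}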

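// Run the script. initITAdmin() has already logged the failure before rethrowing, so the
// handler only records a non-zero exit status instead of leaving the rejection unhandled
// (callers such as CI or deploy steps can then detect that the bootstrap did not complete).
initITAdmin().catch(() => {
  process.exitCode = 1;
});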

