import { adminProvisionUser, AuthConflictError, AuthValidationError } from "#server/service/auth";
import { toPublicAuthError } from "#server/service/auth/errors";
import { requireAdmin } from "#server/utils/admin-guard";
import { assertUnderRateLimit } from "#server/utils/simple-rate-limit";
import { getRequestIP } from "h3";

type Body = {
  username: string;
  password: string;
  email?: string | null;
};

export default defineWrappedResponseHandler(async (event) => {
  await requireAdmin(event);
  const ip = getRequestIP(event, { xForwardedFor: true }) ?? "unknown";
  assertUnderRateLimit(`admin-users-post:${ip}`, 30, 60_000);

  try {
    const body = await readBody<Body>(event);
    const user = await adminProvisionUser({
      username: body.username,
      password: body.password,
      email: body.email,
    });
    return R.success({ user });
  } catch (err) {
    if (err instanceof AuthValidationError) {
      throw createError({ statusCode: 400, statusMessage: err.message });
    }
    if (err instanceof AuthConflictError) {
      throw createError({ statusCode: 409, statusMessage: err.message });
    }
    throw toPublicAuthError(err);
  }
});