<?php

namespace App\Console\Commands\Mapledeploy;

use App\Models\User;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;

class UserRevoke extends Command
{
    protected $signature = 'mapledeploy:user:revoke {user_id : Coolify user id}';

    protected $description = 'Revoke a Coolify user login for MapleDeploy dashboard access management';

    public function handle(): int
    {
        $userId = (int) $this->argument('user_id');
        if ($userId === 0) {
            return $this->failWith('CANNOT_REVOKE_ROOT_USER');
        }

        $user = User::find($userId);
        if (! $user) {
            return $this->failWith('USER_NOT_FOUND');
        }

        $user->forceFill([
            'password' => Hash::make(Str::random(64)),
            // MapleDeploy branding: OAuth login matches by email, so keep a
            // persistent marker that the callback can reject after revocation.
            'remember_token' => 'mapledeploy-revoked:'.Str::random(40),
        ])->save();
        $user->tokens()->delete();
        // MapleDeploy branding: revocation must end any active browser sessions.
        DB::table('sessions')->where('user_id', $user->id)->delete();

        $this->line(json_encode([
            'revoked' => [
                'id' => $user->id,
                'email' => $user->email,
            ],
        ], JSON_THROW_ON_ERROR));

        return self::SUCCESS;
    }

    private function failWith(string $code): int
    {
        $this->line(json_encode(['error' => $code], JSON_THROW_ON_ERROR));

        return self::FAILURE;
    }
}