<?php

declare(strict_types=1);

namespace KTXM\AuthenticationProviderPassword\Stores;

use KTXC\Db\DataStore;

/**
 * Credential Store for Default Identity Provider
 * Manages local authentication credentials
 * 
 * Collection: provider_identity_default
 * Schema: {
 *   tid: string,        // Tenant identifier
 *   identifier: string, // User identity (email/username)
 *   secret: string,     // Encrypted password
 *   created_at: int,    // Creation timestamp
 *   updated_at: int     // Last update timestamp
 * }
 */
class CredentialStore
{
    protected const COLLECTION_NAME = 'provider_identity_default';

    public function __construct(private DataStore $store)
    { }
    
    /**
     * Fetch credential record by identifier (email/username)
     * 
     * @param string $tenant Tenant identifier
     * @param string $identifier User identity
     * @return array|null Credential record or null if not found
     */
    public function fetchByIdentifier(string $tenant, string $identifier): ?array
    {
        $entry = $this->store->selectCollection(self::COLLECTION_NAME)->findOne([
            'tid' => $tenant, 
            'identifier' => $identifier
        ]);
        
        if (!$entry) { 
            return null; 
        }
        
        return (array)$entry;
    }

    /**
     * Create a new credential record
     * 
     * @param string $tenant Tenant identifier
     * @param string $identifier User identity
     * @param string $encryptedSecret Encrypted password
     * @return bool Whether creation was successful
     */
    public function create(string $tenant, string $identifier, string $encryptedSecret): bool
    {
        $result = $this->store->selectCollection(self::COLLECTION_NAME)->insertOne([
            'tid' => $tenant,
            'identifier' => $identifier,
            'secret' => $encryptedSecret,
            'created_at' => time(),
            'updated_at' => time(),
        ]);
        
        return $result->isAcknowledged();
    }

    /**
     * Update credential secret
     * 
     * @param string $tenant Tenant identifier
     * @param string $identifier User identity
     * @param string $encryptedSecret New encrypted password
     * @return bool Whether update was successful
     */
    public function updateSecret(string $tenant, string $identifier, string $encryptedSecret): bool
    {
        $result = $this->store->selectCollection(self::COLLECTION_NAME)->updateOne(
            ['tid' => $tenant, 'identifier' => $identifier],
            ['$set' => [
                'secret' => $encryptedSecret,
                'updated_at' => time(),
            ]]
        );
        
        return $result->isAcknowledged();
    }

    /**
     * Delete credential record
     * 
     * @param string $tenant Tenant identifier
     * @param string $identifier User identity
     * @return bool Whether deletion was successful
     */
    public function delete(string $tenant, string $identifier): bool
    {
        $result = $this->store->selectCollection(self::COLLECTION_NAME)->deleteOne([
            'tid' => $tenant, 
            'identifier' => $identifier
        ]);
        
        return $result->isAcknowledged();
    }

    /**
     * Check if credential exists for identifier
     * 
     * @param string $tenant Tenant identifier
     * @param string $identifier User identity
     * @return bool Whether credential exists
     */
    public function exists(string $tenant, string $identifier): bool
    {
        return $this->fetchByIdentifier($tenant, $identifier) !== null;
    }
}