pub mod middleware;
pub mod oauth;
pub mod pds_proxy;
pub mod rbac;
pub mod routes;
pub mod session;
pub mod static_files;
pub mod store;

use axum::{Router, middleware as ax_middleware, routing::get, routing::post};

use crate::AppState;

/// Build the admin sub-router.
/// Public routes (login, OAuth callback, client-metadata) are not behind auth middleware.
/// All other admin routes require a valid session.
pub fn router(state: AppState) -> Router<AppState> {
    // Routes that do NOT require authentication
    let public_routes = Router::new()
        .route("/", get(routes::dashboard))
        .route("/login", get(oauth::get_login).post(oauth::post_login))
        .route("/oauth/callback", get(oauth::oauth_callback))
        .route("/client-metadata.json", get(oauth::client_metadata_json))
        .route("/static/{*path}", get(static_files::serve_static));

    // Routes that DO require authentication (via admin_auth middleware)
    let protected_routes = Router::new()
        .route("/dashboard", get(routes::dashboard))
        .route("/accounts", get(routes::accounts_list))
        .route("/accounts/{did}", get(routes::account_detail))
        .route("/accounts/{did}/takedown", post(routes::takedown_account))
        .route(
            "/accounts/{did}/untakedown",
            post(routes::untakedown_account),
        )
        .route("/accounts/{did}/delete", post(routes::delete_account))
        .route(
            "/accounts/{did}/reset-password",
            post(routes::reset_password),
        )
        .route(
            "/accounts/{did}/disable-invites",
            post(routes::disable_account_invites),
        )
        .route(
            "/accounts/{did}/enable-invites",
            post(routes::enable_account_invites),
        )
        .route("/invite-codes", get(routes::invite_codes_list))
        .route("/invite-codes/create", post(routes::create_invite_code))
        .route("/invite-codes/disable", post(routes::disable_invite_codes))
        .route(
            "/create-account",
            get(routes::get_create_account).post(routes::post_create_account),
        )
        .route(
            "/request-crawl",
            get(routes::get_request_crawl).post(routes::post_request_crawl),
        )
        .route("/logout", post(routes::logout))
        .fallback(get(routes::dashboard))
        .layer(ax_middleware::from_fn_with_state(
            state.clone(),
            middleware::admin_auth_middleware,
        ));

    Router::new().merge(public_routes).merge(protected_routes)
}