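package storage

import (
	"context"
	"fmt"

	"archivmail/internal/auth"
)

// LookupAPIKey resolves an API key by its SHA-256 token hash.
//
// It returns (nil, nil) when no usable key matches: either no row could be
// read for tokenHash, or the row exists but is marked inactive. A non-nil
// error is returned only when the Store has no database configured.
//
// The hash is passed to the query as a bound parameter ($1) and is never
// concatenated into the SQL text.
func (s *Store) LookupAPIKey(ctx context.Context, tokenHash string) (*auth.APIKeyRow, error) {
	if s.db == nil {
		return nil, fmt.Errorf("storage: no database configured")
	}

	var k auth.APIKeyRow
	err := s.db.QueryRow(ctx,
		`SELECT id, tenant_id, name, role, active, rate_limit FROM api_keys WHERE token_hash = $1`,
		tokenHash,
	).Scan(&k.ID, &k.TenantID, &k.Name, &k.Role, &k.Active, &k.RateLimit)
	if err != nil {
		// pgx returns no rows as an error; treat as "not found".
		//
		// NOTE(review): every Scan error takes this path, so a database
		// outage or a cancelled context is indistinguishable from an unknown
		// key and leaves no trace for operators. Presumably the caller
		// rejects a nil row, which keeps authentication closed on failure;
		// telling the cases apart needs the driver's no-rows sentinel, which
		// this file does not import.
		return nil, nil
	}

	if !k.Active {
		// The documented contract is that inactive keys are not returned.
		// Enforcing it here means a deactivated key is never handed to a
		// caller that does not re-check k.Active itself.
		return nil, nil
	}

	return &k, nil
}

// TouchAPIKeyLastUsed updates the last_used_at timestamp for the given key ID.
//
// A Store without a database is treated as a no-op and returns nil. Any error
// from the UPDATE is wrapped and returned. The result of Exec is discarded, so
// a keyID that matches no row is not reported as an error.
func (s *Store) TouchAPIKeyLastUsed(ctx context.Context, keyID int64) error {
	if s.db == nil {
		return nil
	}

	if _, err := s.db.Exec(ctx,
		`UPDATE api_keys SET last_used_at = NOW() WHERE id = $1`,
		keyID,
	); err != nil {
		return fmt.Errorf("storage: touch api key: %w", err)
	}
	return nil
}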