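'use server';

import { redirect } from 'next/navigation';
import { getSession, createSession } from '@/lib/session';
import { hashPassword } from '@/lib/auth';
import { updateBeoPassword } from '@/lib/phpdb';

/**
 * Server action that sets a new password for the user of the current session.
 *
 * The form fields `newPassword` and `confirmPassword` are validated, the new
 * password is hashed with `hashPassword`, the hash is handed to
 * `updateBeoPassword` for `session.beoId`, and the session is re-created with
 * `mustChangePassword: false` before redirecting to `/`.
 *
 * Security notes for reviewers:
 * - The only authorisation check visible here is that `getSession()` returns
 *   a session; the current password is not asked for again. Whether that
 *   session is guaranteed to be authenticated is decided in `@/lib/session`
 *   (not visible here) — confirm.
 * - Form values are attacker-controlled. `FormData.get` returns
 *   `string | File | null`, so both fields are narrowed with `typeof` instead
 *   of being cast; a non-string entry is treated as an empty value and is
 *   rejected by the length check.
 *
 * @param _prevState - Previous action state; unused. The
 *   `(prevState, formData)` shape matches what React form-state hooks pass.
 * @param formData - Submitted form; reads `newPassword` and `confirmPassword`.
 * @returns `{ error }` with a user-facing message when validation fails. On
 *   success the function does not return normally because `redirect` throws.
 */
export async function changePassword(
  _prevState: { error: string } | undefined,
  formData: FormData
): Promise<{ error: string }> {
  const session = await getSession();
  // redirect() never returns, so `session` is non-null below.
  if (!session) redirect('/login');

  // Narrow at runtime rather than asserting `as string`: a multipart request
  // can submit a File under either field name.
  const newPasswordEntry = formData.get('newPassword');
  const confirmPasswordEntry = formData.get('confirmPassword');
  const newPassword = typeof newPasswordEntry === 'string' ? newPasswordEntry : '';
  const confirmPassword =
    typeof confirmPasswordEntry === 'string' ? confirmPasswordEntry : '';

  // NOTE(review): a 6-character minimum is below the 8 characters that
  // NIST SP 800-63B asks for; raising it also means updating the message.
  if (newPassword.length < 6) {
    return { error: 'Das Passwort muss mindestens 6 Zeichen lang sein.' };
  }

  // NOTE(review): the fallback literal puts the default password into source
  // control. Prefer failing closed when DEFAULT_PASSWORD is unset.
  const defaultPassword = process.env.DEFAULT_PASSWORD ?? 'welzheim';
  if (newPassword === defaultPassword) {
    return {
      error: 'Das Standard-Passwort darf nicht als neues Passwort verwendet werden.',
    };
  }

  if (newPassword !== confirmPassword) {
    return { error: 'Die Passwörter stimmen nicht überein.' };
  }

  const hashed = await hashPassword(newPassword);
  await updateBeoPassword(session.beoId, hashed);

  // Re-issue the session so the forced-change flag is cleared.
  // NOTE(review): whether other existing sessions of this user are invalidated
  // after the password change cannot be seen from here — confirm.
  await createSession({
    kuerzel: session.kuerzel,
    beoId: session.beoId,
    beoName: session.beoName,
    mustChangePassword: false,
    isAuthenticated: true,
    role: session.role ?? null,
  });

  redirect('/');
}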