#!/usr/bin/env bash
set -euo pipefail

TOKEN="${1:-}"
ENC_COMMAND="${2:-}"
if [[ -z "${TOKEN}" ]]; then
  echo "Missing token."
  exit 1
fi

API_BASE="${PI_CONTROL_API_URL:-http://gui_nexus}"
API_BASE="${API_BASE%/}"
INFO_URL="${API_BASE}/module/pi_control/terminal_info?token=${TOKEN}"

AUTH_HEADER=()
if [[ -n "${STAGING_AUTH_USER:-}" && -n "${STAGING_AUTH_PASS:-}" ]]; then
  BASIC="$(printf "%s:%s" "${STAGING_AUTH_USER}" "${STAGING_AUTH_PASS}" | base64)"
  AUTH_HEADER=(-H "Authorization: Basic ${BASIC}")
fi
if [[ -n "${PI_CONTROL_SHARED_SECRET:-}" ]]; then
  AUTH_HEADER+=(-H "X-Terminal-Secret: ${PI_CONTROL_SHARED_SECRET}")
fi

JSON="$(curl -sS "${AUTH_HEADER[@]}" "${INFO_URL}")"
OK="$(echo "${JSON}" | jq -r '.ok')"
if [[ "${OK}" != "true" ]]; then
  echo "Invalid or expired token."
  exit 1
fi

HOST="$(echo "${JSON}" | jq -r '.host.host')"
PORT="$(echo "${JSON}" | jq -r '.host.port')"
USER="$(echo "${JSON}" | jq -r '.host.username')"
AUTH_TYPE="$(echo "${JSON}" | jq -r '.host.auth_type')"
KEY_PATH="$(echo "${JSON}" | jq -r '.host.key_path')"
PASSWORD="$(echo "${JSON}" | jq -r '.host.password')"

COMMAND="$(echo "${JSON}" | jq -r '.command // ""')"
if [[ -z "${COMMAND}" && -n "${ENC_COMMAND}" ]]; then
  COMMAND="$(printf '%s' "${ENC_COMMAND}" | base64 -d 2>/dev/null || true)"
fi

if [[ -z "${HOST}" || -z "${USER}" ]]; then
  echo "Host data incomplete."
  exit 1
fi

SSH_OPTS=()
if [[ "${PI_CONTROL_STRICT_HOSTKEY:-}" == "1" ]]; then
  SSH_OPTS=(-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/root/.ssh/known_hosts)
else
  SSH_OPTS=(-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null)
fi

SSH_TARGET="${USER}@${HOST}"
if [[ -n "${COMMAND}" ]]; then
  REMOTE_CMD="${COMMAND}; exec /bin/bash -il"
  REMOTE_CMD="${REMOTE_CMD//\\/\\\\}"
  REMOTE_CMD="${REMOTE_CMD//\"/\\\"}"
  if [[ "${AUTH_TYPE}" == "key" && -n "${KEY_PATH}" ]]; then
    exec ssh "${SSH_OPTS[@]}" -i "${KEY_PATH}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/bash -lc "${REMOTE_CMD}" || \
      exec ssh "${SSH_OPTS[@]}" -i "${KEY_PATH}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/sh -lc "${REMOTE_CMD}"
  elif [[ "${AUTH_TYPE}" == "pass" && -n "${PASSWORD}" ]]; then
    exec sshpass -p "${PASSWORD}" ssh "${SSH_OPTS[@]}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/bash -lc "${REMOTE_CMD}" || \
      exec sshpass -p "${PASSWORD}" ssh "${SSH_OPTS[@]}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/sh -lc "${REMOTE_CMD}"
  else
    exec ssh "${SSH_OPTS[@]}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/bash -lc "${REMOTE_CMD}" || \
      exec ssh "${SSH_OPTS[@]}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/sh -lc "${REMOTE_CMD}"
  fi
else
  if [[ "${AUTH_TYPE}" == "key" && -n "${KEY_PATH}" ]]; then
    exec ssh "${SSH_OPTS[@]}" -i "${KEY_PATH}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/bash -il || \
      exec ssh "${SSH_OPTS[@]}" -i "${KEY_PATH}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/sh -il
  elif [[ "${AUTH_TYPE}" == "pass" && -n "${PASSWORD}" ]]; then
    exec sshpass -p "${PASSWORD}" ssh "${SSH_OPTS[@]}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/bash -il || \
      exec sshpass -p "${PASSWORD}" ssh "${SSH_OPTS[@]}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/sh -il
  else
    exec ssh "${SSH_OPTS[@]}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/bash -il || \
      exec ssh "${SSH_OPTS[@]}" -p "${PORT:-22}" -tt "${SSH_TARGET}" -- /bin/sh -il
  fi
fi