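#!/usr/bin/env bash
#
# Terminal bridge: exchanges a terminal token for SSH connection details from
# the pi_control API, then opens an interactive SSH session to that host
# (inside tmux on the remote side when tmux is installed there).
#
# Usage: <script> TOKEN [BASE64_COMMAND]
#   TOKEN           token sent to /module/pi_control/terminal_info
#   BASE64_COMMAND  optional base64-encoded command, used only when the API
#                   response carries no "command" of its own
#
# Environment:
#   PI_CONTROL_API_URL         API base URL (default: http://gui_nexus)
#   STAGING_AUTH_USER / _PASS  optional HTTP Basic credentials for the API
#   PI_CONTROL_SHARED_SECRET   optional X-Terminal-Secret header value
#   PI_CONTROL_STRICT_HOSTKEY  "1" selects the known_hosts-backed SSH options
#   PI_CONTROL_TMUX_SESSION    fallback tmux session name (default: nexus)
#
# NOTE(review), left unchanged so existing deployments keep working:
#   * The default API URL is plain http, so the token, the Basic credentials,
#     the shared secret and the SSH password in the response are sent in
#     cleartext unless PI_CONTROL_API_URL is https or the network is trusted.
#   * Without the "strict" switch, host key verification is disabled
#     (StrictHostKeyChecking=no, known hosts discarded). The "strict" mode is
#     accept-new, i.e. trust on first use. With password auth this hands the
#     password to whatever answers on the target address; consider making
#     verification the default.
#   * The command (API field or $2) is executed on the remote host by design,
#     so whoever can invoke this script or shape the API response decides
#     what runs there.
#   * TOKEN arrives in this script's argv and is therefore visible in the
#     local process list; that cannot be fixed from inside the script.
set -euo pipefail

# Allowed tmux session names. The name is pasted into a double-quoted string
# of the remote shell command, so anything that could close the quote or
# start an expansion (", $, `, \) must never get through.
readonly SESSION_NAME_RE='^[A-Za-z0-9_. -]+$'

# Prints a message for the terminal user and aborts with status 1.
# Messages go to stdout, as in the original script.
fail() {
  printf '%s\n' "$1"
  exit 1
}

# Extracts one value from the API response held in the global $json.
# $1 is a constant jq filter.
json_get() {
  jq -r "$1" <<<"${json}"
}

# Runs the already single-quote-escaped remote command through /bin/bash on
# the target, falling back to /bin/sh only when bash could not be started
# (exit status 126/127). Retrying on every non-zero status would reconnect,
# and resend credentials, after connection failures (ssh exits 255) or after
# a session that merely ended with a failing command.
# Globals: ssh_cmd (read). Returns the status of the last ssh attempt.
run_remote() {
  local quoted_cmd=$1
  local status=0
  "${ssh_cmd[@]}" /bin/bash -lc "'${quoted_cmd}'" || status=$?
  if ((status == 126 || status == 127)); then
    status=0
    "${ssh_cmd[@]}" /bin/sh -lc "'${quoted_cmd}'" || status=$?
  fi
  return "${status}"
}

token="${1:-}"
enc_command="${2:-}"

[[ -n "${token}" ]] || fail "Missing token."

api_base="${PI_CONTROL_API_URL:-http://gui_nexus}"
api_base="${api_base%/}"
info_url="${api_base}/module/pi_control/terminal_info"

# Header lines are fed to curl on stdin (-H @-) rather than as -H arguments,
# which keeps the Basic credentials and the shared secret out of curl's argv.
header_lines=()
if [[ -n "${STAGING_AUTH_USER:-}" && -n "${STAGING_AUTH_PASS:-}" ]]; then
  # base64 may wrap long output; a newline inside the header would corrupt it.
  basic="$(printf '%s:%s' "${STAGING_AUTH_USER}" "${STAGING_AUTH_PASS}" |
    base64 | tr -d '\n')"
  header_lines+=("Authorization: Basic ${basic}")
fi
if [[ -n "${PI_CONTROL_SHARED_SECRET:-}" ]]; then
  header_lines+=("X-Terminal-Secret: ${PI_CONTROL_SHARED_SECRET}")
fi

# -G with --data-urlencode URL-encodes the token instead of splicing it into
# the URL, so characters such as '&' or '#' cannot alter the query string.
curl_args=(-sS -G --data-urlencode "token=${token}")
if ((${#header_lines[@]} > 0)); then
  json="$(printf '%s\n' "${header_lines[@]}" |
    curl "${curl_args[@]}" -H @- "${info_url}")"
else
  json="$(curl "${curl_args[@]}" "${info_url}")"
fi

ok="$(json_get '.ok')"
if [[ "${ok}" != "true" ]]; then
  fail "Invalid or expired token."
fi

# `// ""` turns a missing or null field into an empty string. Without it
# jq -r prints the literal text "null", which passes every -z / -n test below
# and would be used as host name, key path, password or port.
ssh_host="$(json_get '.host.host // ""')"
ssh_port="$(json_get '.host.port // ""')"
ssh_user="$(json_get '.host.username // ""')"
auth_type="$(json_get '.host.auth_type // ""')"
key_path="$(json_get '.host.key_path // ""')"
password="$(json_get '.host.password // ""')"
strict_hostkey="$(json_get '.strict_hostkey // false')"
tmux_session="$(json_get '.tmux_session // ""')"
command="$(json_get '.command // ""')"

if [[ -z "${command}" && -n "${enc_command}" ]]; then
  # Best effort: an undecodable argument is treated as "no command".
  command="$(printf '%s' "${enc_command}" | base64 -d 2>/dev/null || true)"
fi

if [[ -z "${ssh_host}" || -z "${ssh_user}" ]]; then
  fail "Host data incomplete."
fi

# A user or host beginning with '-' would be read by ssh as an option.
if [[ "${ssh_user}" == -* || "${ssh_host}" == -* ]]; then
  fail "Host data invalid."
fi

ssh_port="${ssh_port:-22}"
if [[ ! "${ssh_port}" =~ ^[0-9]{1,5}$ ]] ||
  ((10#${ssh_port} < 1 || 10#${ssh_port} > 65535)); then
  fail "Host data invalid."
fi

if [[ -z "${tmux_session}" ]]; then
  tmux_session="${PI_CONTROL_TMUX_SESSION:-nexus}"
fi
if [[ ! "${tmux_session}" =~ ${SESSION_NAME_RE} ]]; then
  fail "Invalid tmux session name."
fi

if [[ "${strict_hostkey}" == "true" || "${PI_CONTROL_STRICT_HOSTKEY:-}" == "1" ]]; then
  ssh_opts=(-o StrictHostKeyChecking=accept-new
    -o UserKnownHostsFile=/root/.ssh/known_hosts)
else
  # NOTE(review): no host key verification at all in this mode.
  ssh_opts=(-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null)
fi

ssh_target="${ssh_user}@${ssh_host}"

# Assemble the ssh invocation once; only the remote command differs later.
ssh_cmd=(ssh "${ssh_opts[@]}")
if [[ "${auth_type}" == "key" && -n "${key_path}" ]]; then
  ssh_cmd+=(-i "${key_path}")
elif [[ "${auth_type}" == "pass" && -n "${password}" ]]; then
  # sshpass -e reads the password from $SSHPASS; `sshpass -p` would expose
  # it in the process list for the lifetime of the session.
  export SSHPASS="${password}"
  ssh_cmd=(sshpass -e "${ssh_cmd[@]}")
fi
ssh_cmd+=(-p "${ssh_port}" -tt "${ssh_target}" --)

if [[ -n "${command}" ]]; then
  # The command travels base64-encoded so its own quoting survives both
  # shell layers; newlines are stripped because base64 may wrap its output.
  command_b64="$(printf '%s' "${command}" | base64 | tr -d '\n')"
  remote_cmd="CMD_B64='${command_b64}'; "
  remote_cmd+="CMD=\"\$(printf '%s' \"\$CMD_B64\" | base64 -d)\"; "
  remote_cmd+="if command -v tmux >/dev/null 2>&1; then "
  remote_cmd+="SESSION=\"${tmux_session}\"; "
  remote_cmd+="tmux has-session -t \"\$SESSION\" 2>/dev/null || tmux new-session -d -s \"\$SESSION\"; "
  remote_cmd+="tmux send-keys -t \"\$SESSION\" \"\$CMD\" C-m; "
  remote_cmd+="exec tmux attach -t \"\$SESSION\"; "
  remote_cmd+="else eval \"\$CMD\"; exec /bin/bash -il; fi"
else
  remote_cmd="if command -v tmux >/dev/null 2>&1; then "
  remote_cmd+="exec tmux new -A -s \"${tmux_session}\"; "
  remote_cmd+="else exec /bin/bash -il; fi"
fi

# Escape embedded single quotes so the whole command can be handed to the
# remote login shell as one single-quoted argument of `-lc`.
remote_cmd_q="$(printf '%s' "${remote_cmd}" | sed "s/'/'\\\\''/g")"

# The original used `exec ssh ... || exec ssh ...` when no command was given;
# exec replaces this shell, so that /bin/sh fallback could never run. ssh is
# now a child process in both cases and its exit status is passed on.
status=0
run_remote "${remote_cmd_q}" || status=$?
exit "${status}"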