dev1/backend/server.js

import express from 'express';
import axios from 'axios';
import cors from 'cors';
import helmet from 'helmet';
import dotenv from 'dotenv';
import { fileURLToPath } from 'url';
import fs from 'fs';

import path from 'path';
import bodyParser from 'body-parser';
import bcrypt from 'bcrypt';
import jwt from 'jsonwebtoken'; // For token-based authentication


import mysql from 'mysql2';

import sqlite3 from 'sqlite3'; 


const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);

const rootPath = path.resolve(__dirname, '..'); // Up one level
const env = process.env.NODE_ENV?.trim() || 'development';
const envPath = path.resolve(rootPath, `.env.${env}`);
dotenv.config({ path: envPath }); // Load .env file

// Grab secrets and config from ENV
const SECRET_KEY = process.env.SECRET_KEY || 'supersecurekey';
const DB_HOST = process.env.DB_HOST || '127.0.0.1';
const DB_PORT = process.env.DB_PORT ? parseInt(process.env.DB_PORT) : 3306;
const DB_USER = process.env.DB_USER || 'sqluser';
const DB_PASSWORD = process.env.DB_PASSWORD || '';
const DB_NAME = process.env.DB_NAME || 'user_profile_db';


// Create a MySQL pool for user_profile data
const pool = mysql.createPool({
  host: DB_HOST,
  port: DB_PORT,
  user: DB_USER,
  password: DB_PASSWORD,
  database: DB_NAME,
  connectionLimit: 10, // optional
});

// Test a quick query (optional)
pool.query('SELECT 1', (err) => {
  if (err) {
    console.error('Error connecting to MySQL user_profile_db:', err.message);
  } else {
    console.log('Connected to MySQL user_profile_db');
  }
});

const app = express();
const PORT = 5000;
const allowedOrigins = ['http://localhost:3000', 'http://34.16.120.118:3000', 'https://dev1.aptivaai.com'];

app.disable('x-powered-by');
app.use(bodyParser.json());
app.use(express.json());
app.use(
  helmet({
    contentSecurityPolicy: false,
    crossOriginEmbedderPolicy: false,
  })
);

// Enable CORS with dynamic origin checking
app.use(
  cors({
    origin: (origin, callback) => {
      if (!origin || allowedOrigins.includes(origin)) {
        callback(null, true);
      } else {
        console.error('Blocked by CORS:', origin);
        callback(new Error('Not allowed by CORS'));
      }
    },
    methods: ['GET', 'POST', 'OPTIONS'],
    allowedHeaders: ['Authorization', 'Content-Type', 'Accept', 'Origin', 'X-Requested-With'],
    credentials: true,
  })
);

// Handle preflight requests explicitly
app.options('*', (req, res) => {
  res.setHeader('Access-Control-Allow-Origin', '*');
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
  res.setHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type, Accept, Origin, X-Requested-With');
  res.status(200).end();
});

// Add HTTP headers for security and caching
app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  res.setHeader('Content-Security-Policy', "default-src 'self';");
  res.removeHeader('X-Powered-By');
  next();
});

// Force Content-Type to application/json on all responses
app.use((req, res, next) => {
  res.setHeader('Content-Type', 'application/json');
  next();
});

// =============== USER REGISTRATION (MySQL) ===============
// /api/register
app.post('/api/register', async (req, res) => {
  const {
    userId, // random ID from the front end
    username,
    password,
    firstname,
    lastname,
    email,
    zipcode,
    state,
    area,
    career_situation
  } = req.body;

  try {
    const hashedPassword = await bcrypt.hash(password, 10);

    // Insert row in user_profile, storing both user_id (random) and letting id auto-increment
    const profileQuery = `
      INSERT INTO user_profile
        (user_id, firstname, lastname, email, zipcode, state, area, career_situation)
      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
    `;
    pool.query(
      profileQuery,
      [userId, firstname, lastname, email, zipcode, state, area, career_situation],
      (errProfile, resultProfile) => {
        if (errProfile) {
          console.error('Error inserting user_profile:', errProfile.message);
          return res.status(500).json({ error: 'Failed to create user profile' });
        }

        const newProfileAutoId = resultProfile.insertId; // auto-increment PK

        // Insert into user_auth, referencing the auto-increment PK
        const authQuery = `
          INSERT INTO user_auth (user_id, username, hashed_password)
          VALUES (?, ?, ?)
        `;
        pool.query(authQuery, [newProfileAutoId, username, hashedPassword], (errAuth) => {
          if (errAuth) {
            console.error('Error inserting user_auth:', errAuth.message);
            if (errAuth.code === 'ER_DUP_ENTRY') {
              return res.status(400).json({ error: 'Username already exists' });
            }
            return res.status(500).json({ error: 'Failed to register user' });
          }
          return res.status(201).json({
            message: 'User registered successfully',
            dbId: newProfileAutoId,   // the auto-increment PK
            customId: userId, // the random ID
          });
        });
      }
    );
  } catch (err) {
    console.error('Error during registration:', err.message);
    return res.status(500).json({ error: 'Internal server error' });
  }
});


// =============== SIGN-IN (MySQL) ===============
app.post('/api/signin', async (req, res) => {
  const { username, password } = req.body;
  if (!username || !password) {
    return res.status(400).json({ error: 'Both username and password are required' });
  }

  const query = `
    SELECT 
      user_auth.user_id, 
      user_auth.hashed_password, 
      user_profile.id,
      user_profile.zipcode,
      user_profile.is_premium,
      user_profile.is_pro_premium,
      user_profile.career_situation,
      user_profile.email,
      user_profile.firstname,
      user_profile.lastname,
      user_profile.career_priorities,
      user_profile.career_list
    FROM user_auth
      LEFT JOIN user_profile ON user_auth.user_id = user_profile.id
    WHERE user_auth.username = ?
  `;
  pool.query(query, [username], async (err, results) => {
    if (err) {
      console.error('Error querying user_auth:', err.message);
      return res.status(500).json({ error: 'Failed to query user authentication data' });
    }

    if (!results || results.length === 0) {
      return res.status(401).json({ error: 'Invalid username or password' });
    }

    const row = results[0];
    const isMatch = await bcrypt.compare(password, row.hashed_password);
    if (!isMatch) {
      return res.status(401).json({ error: 'Invalid username or password' });
    }

    const token = jwt.sign({ userId: row.id }, SECRET_KEY, { expiresIn: '2h' });
    res.status(200).json({
      message: 'Login successful',
      token,
      userId: row.id,
      user: {
        user_id: row.user_id,
        firstname: row.firstname,
        lastname: row.lastname,
        email: row.email,
        zipcode: row.zipcode,
        is_premium: row.is_premium,
        is_pro_premium: row.is_pro_premium,
        career_situation: row.career_situation,
        career_priorities: row.career_priorities,
        career_list: row.career_list,
      },
    });
  });
});

// =============== CHECK USERNAME (MySQL) ===============
app.get('/api/check-username/:username', (req, res) => {
  const { username } = req.params;
  const query = `SELECT username FROM user_auth WHERE username = ?`;
  pool.query(query, [username], (err, results) => {
    if (err) {
      console.error('Error checking username:', err.message);
      return res.status(500).json({ error: 'Database error' });
    }
    if (results && results.length > 0) {
      res.status(200).json({ exists: true });
    } else {
      res.status(200).json({ exists: false });
    }
  });
});

// =============== UPSERT USER PROFILE (MySQL) ===============
app.post('/api/user-profile', (req, res) => {
  const token = req.headers.authorization?.split(' ')[1];
  if (!token) {
    return res.status(401).json({ error: 'Authorization token is required' });
  }

  let userId;
  try {
    const decoded = jwt.verify(token, SECRET_KEY);
    userId = decoded.userId;
  } catch (error) {
    console.error('JWT verification failed:', error);
    return res.status(401).json({ error: 'Invalid or expired token' });
  }

  const {
    firstName,
    lastName,
    email,
    zipCode,
    state,
    area,
    careerSituation,
    interest_inventory_answers,
    career_priorities,
    career_list,
  } = req.body;

  // Check existing profile
  pool.query(`SELECT * FROM user_profile WHERE user_id = ?`, [userId], (err, results) => {
    if (err) {
      console.error('Error checking profile:', err.message);
      return res.status(500).json({ error: 'Database error' });
    }
    const existingRow = results && results.length > 0 ? results[0] : null;

    if (!existingRow && (!firstName || !lastName || !email || !zipCode || !state || !area)) {
      return res.status(400).json({ error: 'All fields are required for initial profile creation.' });
    }

    const finalAnswers =
      interest_inventory_answers !== undefined
        ? interest_inventory_answers
        : existingRow?.interest_inventory_answers || null;

    const finalCareerPriorities =
      career_priorities !== undefined
        ? career_priorities
        : existingRow?.career_priorities || null;

    const finalCareerList =
      career_list !== undefined
        ? career_list
        : existingRow?.career_list || null;

    if (existingRow) {
      // Update
      const updateQuery = `
        UPDATE user_profile
        SET firstname = ?, lastname = ?, email = ?, zipcode = ?, state = ?, area = ?, career_situation = ?,
            interest_inventory_answers = ?, career_priorities = ?, career_list = ?
        WHERE user_id = ?
      `;
      const params = [
        firstName || existingRow.firstname,
        lastName || existingRow.lastname,
        email || existingRow.email,
        zipCode || existingRow.zipcode,
        state || existingRow.state,
        area || existingRow.area,
        careerSituation || existingRow.career_situation,
        finalAnswers,
        finalCareerPriorities,
        finalCareerList,
        userId
      ];
      pool.query(updateQuery, params, (err2, result2) => {
        if (err2) {
          console.error('Update error:', err2.message);
          return res.status(500).json({ error: 'Failed to update user profile' });
        }
        res.status(200).json({ message: 'User profile updated successfully' });
      });
    } else {
      // Insert new profile
      const insertQuery = `
        INSERT INTO user_profile
          (user_id, firstname, lastname, email, zipcode, state, area, career_situation,
           interest_inventory_answers, career_priorities, career_list)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
      `;
      const params = [
        userId,
        firstName,
        lastName,
        email,
        zipCode,
        state,
        area,
        careerSituation || null,
        finalAnswers,
        finalCareerPriorities,
        finalCareerList,
      ];
      pool.query(insertQuery, params, (err3, result3) => {
        if (err3) {
          console.error('Insert error:', err3.message);
          return res.status(500).json({ error: 'Failed to create user profile' });
        }
        res.status(201).json({ message: 'User profile created successfully', id: result3.insertId });
      });
    }
  });
});

// =============== FETCH USER PROFILE (MySQL) ===============
app.get('/api/user-profile', (req, res) => {
  const token = req.headers.authorization?.split(' ')[1];
  if (!token) {
    return res.status(401).json({ error: 'Authorization token is required' });
  }
  let userId;
  try {
    const decoded = jwt.verify(token, SECRET_KEY);
    userId = decoded.userId;
  } catch (error) {
    console.error('Error verifying token:', error.message);
    return res.status(401).json({ error: 'Invalid or expired token' });
  }

  const query = 'SELECT * FROM user_profile WHERE user_id = ?';
  pool.query(query, [userId], (err, results) => {
    if (err) {
      console.error('Error fetching user profile:', err.message);
      return res.status(500).json({ error: 'Internal server error' });
    }
    if (!results || results.length === 0) {
      return res.status(404).json({ error: 'User profile not found' });
    }
    res.status(200).json(results[0]);
  });
});

// =============== SALARY_INFO REMAINS IN SQLITE ===============
app.get('/api/areas', (req, res) => {
  const { state } = req.query;
  if (!state) {
    return res.status(400).json({ error: 'State parameter is required' });
  }

  const salaryDbPath = path.resolve('/home/jcoakley/aptiva-dev1-app/salary_info.db');
  const salaryDb = new sqlite3.Database(salaryDbPath, sqlite3.OPEN_READONLY, (err) => {
    if (err) {
      console.error('Error connecting to database:', err.message);
      return res.status(500).json({ error: 'Failed to connect to database' });
    }
  });

  const query = `SELECT DISTINCT AREA_TITLE FROM salary_data WHERE PRIM_STATE = ?`;
  salaryDb.all(query, [state], (err, rows) => {
    if (err) {
      console.error('Error executing query:', err.message);
      return res.status(500).json({ error: 'Failed to fetch areas' });
    }
    const areas = rows.map((row) => row.AREA_TITLE);
    res.json({ areas });
  });

  salaryDb.close((err) => {
    if (err) {
      console.error('Error closing the salary_info.db:', err.message);
    }
  });
});

/* ------------------------------------------------------------------
PREMIUM UPGRADE ENDPOINT
------------------------------------------------------------------ */
app.post('/api/activate-premium', (req, res) => {
  const token = req.headers.authorization?.split(' ')[1];
  if (!token) {
    return res.status(401).json({ error: 'Authorization token is required' });
  }

  let userId;  // Will hold the auto-increment "id" from user_profile
  try {
    const decoded = jwt.verify(token, SECRET_KEY);
    userId = decoded.userId; // => user_profile.id (auto-inc PK)
  } catch (error) {
    return res.status(401).json({ error: 'Invalid or expired token' });
  }

  // Use MySQL pool.query instead of db.run (which is for SQLite)
  const query = `
    UPDATE user_profile
    SET is_premium = 1,
        is_pro_premium = 1
    WHERE id = ?
  `;
  pool.query(query, [userId], (err, results) => {
    if (err) {
      console.error('Error updating premium status:', err.message);
      return res.status(500).json({ error: 'Failed to activate premium' });
    }
    return res.status(200).json({ message: 'Premium activated successfully' });
  });
});

// =============== START SERVER ===============
app.listen(PORT, () => {
  console.log(`Server running on http://localhost:${PORT}`);
});