#!/usr/bin/env bash
#
# user-list.sh — List Authentik users
#
# Usage: user-list.sh [-f format] [-s search] [-g group] [-a instance]
#
# Options:
#   -f format     Output format: table (default), json
#   -s search     Search term (matches username, name, email)
#   -g group      Filter by group name
#   -a instance   Authentik instance name (e.g. usc, mosaic)
#   -h            Show this help
#
# Environment variables (or credentials.json):
#   AUTHENTIK_URL — Authentik instance URL
set -euo pipefail

MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$MOSAIC_HOME/tools/_lib/credentials.sh"

FORMAT="table"
SEARCH=""
GROUP=""
AK_INSTANCE=""

while getopts "f:s:g:a:h" opt; do
  case $opt in
    f) FORMAT="$OPTARG" ;;
    s) SEARCH="$OPTARG" ;;
    g) GROUP="$OPTARG" ;;
    a) AK_INSTANCE="$OPTARG" ;;
    h) head -15 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
    *) echo "Usage: $0 [-f format] [-s search] [-g group] [-a instance]" >&2; exit 1 ;;
  esac
done

if [[ -n "$AK_INSTANCE" ]]; then
  load_credentials "authentik-${AK_INSTANCE}"
else
  load_credentials authentik
fi

TOKEN=$("$SCRIPT_DIR/auth-token.sh" -q ${AK_INSTANCE:+-a "$AK_INSTANCE"})

# Build query params
PARAMS="ordering=username"
[[ -n "$SEARCH" ]] && PARAMS="${PARAMS}&search=${SEARCH}"
[[ -n "$GROUP" ]] && PARAMS="${PARAMS}&groups_by_name=${GROUP}"

response=$(curl -sk -w "\n%{http_code}" \
  -H "Authorization: Bearer $TOKEN" \
  "${AUTHENTIK_URL}/api/v3/core/users/?${PARAMS}")

http_code=$(echo "$response" | tail -n1)
body=$(echo "$response" | sed '$d')

if [[ "$http_code" != "200" ]]; then
  echo "Error: Failed to list users (HTTP $http_code)" >&2
  exit 1
fi

if [[ "$FORMAT" == "json" ]]; then
  echo "$body" | jq '.results'
  exit 0
fi

# Table output
echo "USERNAME              NAME                          EMAIL                         ACTIVE  LAST LOGIN"
echo "--------------------  ----------------------------  ----------------------------  ------  ----------"
echo "$body" | jq -r '.results[] | [
  .username,
  .name,
  .email,
  (if .is_active then "yes" else "no" end),
  (.last_login // "never" | split("T")[0])
] | @tsv' | while IFS=$'\t' read -r username name email active last_login; do
  printf "%-20s  %-28s  %-28s  %-6s  %s\n" \
    "${username:0:20}" "${name:0:28}" "${email:0:28}" "$active" "$last_login"
done