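// Roles allowed to call /api/admin/action. Self-registration may not claim them.
const ADMIN_ROLES = new Set(["MainAdmin", "SubAdmin"]);

// Columns every /api/sync caller may see. `password` and `token` are deliberately
// absent: the token is the bearer credential checked by every other route, so
// returning it would let any reader of the sync response impersonate any user.
const PUBLIC_USER_COLUMNS = "id, username, role, status, avatar, last_seen";

/**
 * Cloudflare Pages Function entry point: a small JSON API over the D1 `users`
 * table bound as `env.DB`.
 *
 * Routes (every route reads a JSON object body):
 *   POST /api/sync          heartbeat for the caller + the user list
 *   POST /api/register      submit a registration request (status 'Pending')
 *   POST /api/login         verify the password and store the session token
 *   POST /api/admin/action  approve / changeRole / rename / kick
 *
 * @param {{ request: Request, env: { DB: D1Database } }} context Pages Function context.
 * @returns {Promise<Response>} JSON body with CORS headers; 404 for an unknown path,
 *   400 for a body that is not a JSON object, 500 for an unexpected error.
 */
export async function onRequest(context) {
  const { request, env } = context;
  // Wildcard origin is acceptable here only because authentication travels in the
  // JSON body (username/token), never in cookies.
  const corsHeaders = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET, HEAD, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
  };
  if (request.method === "OPTIONS") {
    return new Response(null, { headers: corsHeaders });
  }

  const url = new URL(request.url);
  const db = env.DB;
  // cf-connecting-ip is set by Cloudflare's edge; the fallback only matters locally.
  const clientIp = request.headers.get("cf-connecting-ip") || "127.0.0.1";
  const reply = (payload, status = 200) =>
    new Response(JSON.stringify(payload), {
      status,
      headers: { ...corsHeaders, "Content-Type": "application/json; charset=utf-8" },
    });

  const handler = ROUTES.get(url.pathname);
  if (!handler) {
    return new Response("API Route Not Found", { status: 404 });
  }

  try {
    const body = await readJsonObject(request);
    if (body === null) {
      return reply({ success: false, msg: "请求体必须是 JSON 对象!" }, 400);
    }
    return await handler({ db, body, clientIp, reply });
  } catch (err) {
    // Log the real error server-side; returning err.message exposed D1/SQL internals.
    console.error("API error", url.pathname, err);
    return reply({ success: false, msg: "服务器内部错误" }, 500);
  }
}

/**
 * Parse the request body as a JSON object.
 *
 * @param {Request} request
 * @returns {Promise<object|null>} the parsed object, or null when the body is not
 *   valid JSON or not a plain object — so destructuring in a handler never throws.
 */
async function readJsonObject(request) {
  let body;
  try {
    body = await request.json();
  } catch {
    return null;
  }
  return body !== null && typeof body === "object" && !Array.isArray(body) ? body : null;
}

/** @returns {boolean} true for a string with at least one character. */
function isNonEmptyString(value) {
  return typeof value === "string" && value.length > 0;
}

/**
 * POST /api/sync — records a heartbeat for the caller when it presents a valid
 * username/token pair, then returns the user list.
 *
 * The list never contains `password` or `token`. `ip_address` is returned only
 * to an authenticated admin caller; anonymous callers get the public columns.
 */
async function handleSync({ db, body, clientIp, reply }) {
  const { username, token } = body;
  let viewerIsAdmin = false;

  if (isNonEmptyString(username) && isNonEmptyString(token)) {
    const viewer = await db
      .prepare("SELECT role FROM users WHERE username = ? AND token = ?")
      .bind(username, token)
      .first();
    if (viewer) {
      viewerIsAdmin = ADMIN_ROLES.has(viewer.role);
      await db
        .prepare("UPDATE users SET last_seen = ?, ip_address = ? WHERE username = ? AND token = ?")
        .bind(Date.now(), clientIp, username, token)
        .run();
    }
  }
  // The former "auto-align" branch that copied a client-supplied token onto the
  // main-admin row was removed: it let any caller take over that account without
  // a password. Tokens are only ever written by /api/login after a password check.

  const columns = viewerIsAdmin ? `${PUBLIC_USER_COLUMNS}, ip_address` : PUBLIC_USER_COLUMNS;
  const { results } = await db.prepare(`SELECT ${columns} FROM users`).all();
  return reply({ success: true, users: results });
}

/**
 * POST /api/register — creates a 'Pending' row that an admin must approve.
 * Admin roles cannot be requested here; only the main admin may grant a role
 * through /api/admin/action.
 */
async function handleRegister({ db, body, clientIp, reply }) {
  const { username, password, role } = body;
  if (!isNonEmptyString(username) || !isNonEmptyString(password) || typeof role !== "string") {
    return reply({ success: false, msg: "用户名、密码和身份不能为空!" });
  }
  if (ADMIN_ROLES.has(role)) {
    return reply({ success: false, msg: "禁止篡权:管理员身份不可自行申请!" });
  }
  const exist = await db.prepare("SELECT id FROM users WHERE username = ?").bind(username).first();
  if (exist) {
    return reply({ success: false, msg: "该用户名在名册中已被占用!" });
  }
  // FIXME(security): the password is stored and later compared in plaintext. Move to
  // a salted hash (e.g. PBKDF2 via crypto.subtle) once existing rows can be migrated.
  await db
    .prepare("INSERT INTO users (username, password, role, status, avatar, token, last_seen, ip_address) VALUES (?, ?, ?, 'Pending', '', '', 0, ?)")
    .bind(username, password, role, clientIp)
    .run();
  return reply({ success: true });
}

/**
 * POST /api/login — verifies the password server-side and stores the caller's
 * session token on success. The password never leaves the server.
 */
async function handleLogin({ db, body, reply }) {
  const { username, password, token } = body;
  // A token is required so a successful login can never store '' — the value that
  // INSERT and approve write for accounts that have not logged in yet.
  if (!isNonEmptyString(username) || !isNonEmptyString(password) || !isNonEmptyString(token)) {
    return reply({ success: false, msg: "用户名、密码和会话令牌不能为空!" });
  }
  const matchedUser = await db
    .prepare("SELECT id, password, role, status FROM users WHERE username = ?")
    .bind(username)
    .first();
  // NOTE(review): the two distinct failure messages let a caller learn whether a
  // username exists; kept because the front end presumably displays them.
  if (!matchedUser) {
    return reply({ success: false, msg: "该用户名不存在!" });
  }
  // FIXME(security): plaintext comparison — see the note in handleRegister.
  if (matchedUser.password !== password) {
    return reply({ success: false, msg: "密码验证错误!" });
  }
  if (matchedUser.status === "Pending") {
    return reply({ success: false, msg: "⏳ 提示:你的申请正在远端审核队列中!" });
  }
  // NOTE(review): the session token is chosen by the client. Generating it here with
  // crypto.randomUUID() and returning it would be stronger, but the client presumably
  // keeps using the value it sent, so the protocol is left unchanged.
  await db.prepare("UPDATE users SET token = ? WHERE id = ?").bind(token, matchedUser.id).run();
  return reply({
    success: true,
    user: { id: matchedUser.id, username, role: matchedUser.role, status: matchedUser.status },
  });
}

/**
 * POST /api/admin/action — approve / changeRole / rename / kick, authenticated by
 * the admin's own username/token pair.
 *
 * Rules: an empty token never authenticates; the target must exist; a SubAdmin may
 * not act on a MainAdmin; only a MainAdmin may change roles and MainAdmin is never
 * granted; an unknown action is rejected instead of reported as success.
 */
async function handleAdminAction({ db, body, reply }) {
  const { adminUser, adminToken, action, targetId, role, username, status } = body;
  const denied = () => reply({ success: false, msg: "核心安全阻断:无权执行管理操作!" });

  // Both INSERT (register) and approve write token = '', so an empty adminToken would
  // match every admin account that has not logged in yet. Reject it before querying.
  if (!isNonEmptyString(adminUser) || !isNonEmptyString(adminToken)) {
    return denied();
  }
  const checker = await db
    .prepare("SELECT role FROM users WHERE username = ? AND token = ?")
    .bind(adminUser, adminToken)
    .first();
  if (!checker || !ADMIN_ROLES.has(checker.role)) {
    return denied();
  }

  if (targetId == null) {
    return reply({ success: false, msg: "缺少目标用户!" });
  }
  const target = await db.prepare("SELECT id, role FROM users WHERE id = ?").bind(targetId).first();
  if (!target) {
    return reply({ success: false, msg: "目标用户不存在!" });
  }
  if (checker.role !== "MainAdmin" && target.role === "MainAdmin") {
    return reply({ success: false, msg: "权限不足:副管理员不能操作主管理员账号!" });
  }

  switch (action) {
    case "approve": {
      if (status === "Active") {
        await db.prepare("UPDATE users SET status = 'Active', token = '' WHERE id = ?").bind(targetId).run();
      } else {
        // Anything other than an approval rejects the request by deleting the row.
        await db.prepare("DELETE FROM users WHERE id = ?").bind(targetId).run();
      }
      break;
    }
    case "changeRole": {
      if (checker.role !== "MainAdmin") {
        return reply({ success: false, msg: "权限不足:只有主管理员可以调整身份级配!" });
      }
      if (role === "MainAdmin") {
        return reply({ success: false, msg: "禁止篡权:主管理员身份不可直接授予!" });
      }
      if (!isNonEmptyString(role)) {
        return reply({ success: false, msg: "身份不能为空!" });
      }
      await db.prepare("UPDATE users SET role = ? WHERE id = ?").bind(role, targetId).run();
      break;
    }
    case "rename": {
      if (!isNonEmptyString(username)) {
        return reply({ success: false, msg: "新用户名不能为空!" });
      }
      // Same uniqueness rule as /api/register (renaming to one's own name is allowed).
      const taken = await db.prepare("SELECT id FROM users WHERE username = ?").bind(username).first();
      if (taken && String(taken.id) !== String(targetId)) {
        return reply({ success: false, msg: "该用户名在名册中已被占用!" });
      }
      await db.prepare("UPDATE users SET username = ? WHERE id = ?").bind(username, targetId).run();
      break;
    }
    case "kick": {
      await db.prepare("DELETE FROM users WHERE id = ?").bind(targetId).run();
      break;
    }
    default:
      return reply({ success: false, msg: "未知的管理操作!" });
  }
  return reply({ success: true });
}

// Path → handler. A Map avoids prototype-key lookups on attacker-chosen paths.
const ROUTES = new Map([
  ["/api/sync", handleSync],
  ["/api/register", handleRegister],
  ["/api/login", handleLogin],
  ["/api/admin/action", handleAdminAction],
]);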