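# JSON API endpoints for requesting a password reset and for changing the
# password of the user that owns the current devise-api token.
#
# Every action except +reset+ runs behind +authenticate_devise_api_token!+.
class Users::Api::PasswordsController < ApplicationController
  # CSRF verification is disabled for this controller.
  # NOTE(review): presumably safe because clients authenticate with a
  # devise-api token instead of a session cookie; confirm that no
  # cookie-authenticated route reaches these actions.
  skip_before_action :verify_authenticity_token, raise: false
  before_action :authenticate_devise_api_token!, except: :reset

  # Sends reset-password instructions to the account matching params[:email].
  #
  # This action is unauthenticated, so its response must not help a caller
  # work out which addresses are registered. When Devise.paranoid is enabled
  # the same 200 body is returned whether or not the address exists. With
  # paranoid off (the Devise default) the original 404 for unknown addresses
  # is kept for backward compatibility.
  #
  # NOTE(review): the 404 branch discloses account existence; consider
  # enabling Devise.paranoid. No request throttling is visible in this
  # controller either; confirm it is enforced elsewhere, since each call for
  # a known address sends an email.
  def reset
    # devise docs
    # @see: https://github.com/heartcombo/devise/blob/main/lib/devise/models/recoverable.rb
    @user = User.find_by_email(params[:email])
    @user&.send_reset_password_instructions

    if @user || Devise.paranoid
      message_key = Devise.paranoid ? 'devise.passwords.send_paranoid_instructions' : 'devise.passwords.send_instructions'
      # Report the configured token lifetime (6 hours by Devise default)
      # rather than a hard-coded value that can drift from the configuration.
      render json: { expires_at: Time.now + User.reset_password_within, message: I18n.t(message_key) }, status: :ok
    else
      render json: { error: "invalid_email", error_description: I18n.t('devise.failure.user.not_found_in_database') }, status: :not_found
    end
  end

  # Changes the password of the token's resource owner after re-checking the
  # current password. Responds 401 when no token is available.
  def update
    token = current_devise_api_token
    if token
      is_valid_password(token.resource_owner, params)
    else
      render json: { error: "invalid_token", error_description: I18n.t('devise.api.error_response.invalid_authentication') }, status: :unauthorized
    end
  end

  # Renders one order of the token's resource owner as JSON.
  #
  # The lookup goes through the owner's own +orders+ association, so an id
  # that belongs to another user is not returned.
  # NOTE(review): an order lookup is unexpected in a passwords controller;
  # confirm this action belongs here.
  def show
    owner = current_devise_api_token.resource_owner
    render json: owner.orders.find(params[:id]), status: :ok
  end

  private

  # Verifies params[:current_password] against the user's stored password and,
  # when it matches, sets params[:new_password] as the new password. Renders
  # the JSON response itself.
  #
  # NOTE(review): a rejected new password is answered with HTTP 200 plus an
  # error body, so clients must inspect the body; 422 would be the
  # conventional status, but changing it alters the API contract.
  # NOTE(review): nothing here revokes the user's other active API tokens
  # after a password change; confirm whether they should be invalidated.
  def is_valid_password(user, params)
    current_password = params[:current_password]
    new_password = params[:new_password]

    unless user.valid_password?(current_password)
      render json: { error: "invalid_password", error_description: "La contraseña actual es incorrecta." }, status: :unauthorized
      return
    end

    # Alternative kept from the original author:
    # if user.update(password: new_password, password_confirmation: new_password)
    if user.reset_password(new_password, new_password)
      render json: { message: "La contraseña ha sido actualizada." }, status: :ok
    else
      render json: { error: "invalid", error_description: user.errors.full_messages }, status: :ok
    end
  end

end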