pedestrian-simulator/server/kml.go

package main

import (
	"bytes"
	"database/sql"
	"encoding/json"
	"encoding/xml"
	"fmt"
	"io"
	"math"
	"net/http"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"time"

	"github.com/microcosm-cc/bluemonday"
)

// KML structure for parsing
type KML struct {
	XMLName  xml.Name    `xml:"kml"`
	Document KMLDocument `xml:"Document"`
}

type KMLDocument struct {
	Name        string         `xml:"name"`
	Description string         `xml:"description"`
	Placemarks  []KMLPlacemark `xml:"Placemark"`
}

type KMLPlacemark struct {
	Name        string        `xml:"name"`
	Description string        `xml:"description"`
	LineString  KMLLineString `xml:"LineString"`
}

type KMLLineString struct {
	Coordinates string `xml:"coordinates"`
}

// KML Metadata
type KMLMetadata struct {
	Filename    string    `json:"filename"`
	UserID      string    `json:"user_id"`
	DisplayName string    `json:"display_name"` // User's display name
	Distance    float64   `json:"distance"`     // in kilometers
	Description string    `json:"description"`  // Description from KML or user
	IsPublic    bool      `json:"is_public"`
	UploadedAt  time.Time `json:"uploaded_at"`
	Votes       int       `json:"votes"` // Net votes (calculated from voting system)
}

// SetVote sets a user's vote for a KML file in the database
func SetVote(kmlID int, userID string, vote int) error {
	if vote == 0 {
		_, err := db.Exec("DELETE FROM kml_votes WHERE kml_id = ? AND user_id = ?", kmlID, userID)
		return err
	}
	_, err := db.Exec(`
		INSERT INTO kml_votes (kml_id, user_id, vote_value)
		VALUES (?, ?, ?)
		ON DUPLICATE KEY UPDATE vote_value = ?
	`, kmlID, userID, vote, vote)
	return err
}

// CalculateNetVotes calculates net votes for a KML file from the database
func CalculateNetVotes(kmlID int) int {
	var total int
	err := db.QueryRow("SELECT COALESCE(SUM(vote_value), 0) FROM kml_votes WHERE kml_id = ?", kmlID).Scan(&total)
	if err != nil {
		return 0
	}
	return total
}

// Haversine formula to calculate distance between two lat/lng points
func haversineDistance(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0

	dLat := (lat2 - lat1) * math.Pi / 180.0
	dLon := (lon2 - lon1) * math.Pi / 180.0

	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(lat1*math.Pi/180.0)*math.Cos(lat2*math.Pi/180.0)*
			math.Sin(dLon/2)*math.Sin(dLon/2)

	c := 2 * math.Atan2(math.Sqrt(a), math.Sqrt(1-a))

	return earthRadiusKm * c
}

// ParseKML parses a KML file and calculates the total distance and extracts description
func ParseKML(kmlData []byte) (float64, string, error) {
	// 1. Extract Description (Best Effort via Struct)
	var kml KML
	// Ignore errors here as we prioritize distance, description is optional/nice-to-have
	_ = xml.Unmarshal(kmlData, &kml)

	description := kml.Document.Description

	// Sanitize description
	p := bluemonday.UGCPolicy()
	description = p.Sanitize(description)

	if len(description) > 2000 {
		description = description[:1997] + "..."
	}

	// 2. Calculate Distance (Robust Streaming)
	// We re-scan the byte slice using a streaming decoder to find ALL <coordinates> tags,
	// regardless of nesting (Document -> Folder -> Folder -> Placemark -> LineString).
	decoder := xml.NewDecoder(bytes.NewReader(kmlData))
	totalDistance := 0.0

	for {
		token, err := decoder.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			// If streaming fails, just return what we have so far?
			// Or return error if it's a fundamental XML error.
			return totalDistance, description, err
		}

		switch se := token.(type) {
		case xml.StartElement:
			if se.Name.Local == "coordinates" {
				var coords string
				if err := decoder.DecodeElement(&coords, &se); err != nil {
					continue
				}

				// Calculate distance for this segment
				currentSegmentDistance := 0.0
				items := strings.Fields(coords)
				var prevLat, prevLon float64
				first := true

				for _, item := range items {
					parts := strings.Split(strings.TrimSpace(item), ",")
					if len(parts) < 2 {
						continue
					}

					var lon, lat float64
					_, err1 := fmt.Sscanf(parts[0], "%f", &lon)
					_, err2 := fmt.Sscanf(parts[1], "%f", &lat)
					if err1 != nil || err2 != nil {
						continue
					}

					if !first {
						currentSegmentDistance += haversineDistance(prevLat, prevLon, lat, lon)
					}

					prevLat = lat
					prevLon = lon
					first = false
				}
				totalDistance += currentSegmentDistance
			}
		}
	}

	return totalDistance, description, nil
}

// HandleKMLUpload handles KML file uploads
func HandleKMLUpload(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	userID, ok := getUserID(r.Context())
	if !ok {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}

	// Parse multipart form
	if err := r.ParseMultipartForm(10 << 20); err != nil { // 10 MB limit
		http.Error(w, "Failed to parse form", http.StatusBadRequest)
		return
	}

	file, handler, err := r.FormFile("kml")
	if err != nil {
		http.Error(w, "No file uploaded", http.StatusBadRequest)
		return
	}
	defer file.Close()

	// Sanitize filename to prevent path traversal
	handler.Filename = filepath.Base(handler.Filename)

	// Read file data
	data, err := io.ReadAll(file)
	if err != nil {
		http.Error(w, "Failed to read file", http.StatusInternalServerError)
		return
	}

	// Validate MIME type / Content
	mimeType := http.DetectContentType(data)
	// KML is XML, so valid types are text/xml, application/xml, or text/plain (often detected for simple XML)
	if !strings.Contains(mimeType, "xml") && !strings.Contains(mimeType, "text") {
		http.Error(w, fmt.Sprintf("Invalid file type: %s. Expected KML/XML.", mimeType), http.StatusBadRequest)
		return
	}

	// Calculate distance and extract description
	distance, description, err := ParseKML(data)
	if err != nil {
		http.Error(w, fmt.Sprintf("Failed to parse KML: %v", err), http.StatusBadRequest)
		return
	}

	// Save KML file
	kmlDir := fmt.Sprintf("data/users/%s/kml", userID)
	if err := os.MkdirAll(kmlDir, 0755); err != nil {
		http.Error(w, "Failed to create directory", http.StatusInternalServerError)
		return
	}

	kmlPath := filepath.Join(kmlDir, handler.Filename)
	if err := os.WriteFile(kmlPath, data, 0644); err != nil {
		http.Error(w, "Failed to save file", http.StatusInternalServerError)
		return
	}

	// Save metadata to database
	_, err = db.Exec(`
		INSERT INTO kml_metadata (filename, user_id, distance, description, is_public, uploaded_at)
		VALUES (?, ?, ?, ?, ?, NOW())
		ON DUPLICATE KEY UPDATE distance = ?, description = ?, uploaded_at = NOW()
	`, handler.Filename, userID, distance, description, false, distance, description)
	if err != nil {
		http.Error(w, fmt.Sprintf("Failed to save metadata: %v", err), http.StatusInternalServerError)
		return
	}

	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{
		"success":  true,
		"filename": handler.Filename,
		"distance": distance,
	})
}

// HandleKMLList lists KML files with pagination and sorting
func HandleKMLList(w http.ResponseWriter, r *http.Request) {
	userID, ok := getUserID(r.Context())
	if !ok {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}

	// Parse parameters for My Files
	myLimit, _ := strconv.Atoi(r.URL.Query().Get("my_limit"))
	if myLimit <= 0 {
		myLimit = 10
	}
	myPage, _ := strconv.Atoi(r.URL.Query().Get("my_page"))
	if myPage <= 0 {
		myPage = 1
	}
	mySortBy := r.URL.Query().Get("my_sort_by")
	if mySortBy == "" {
		mySortBy = "date"
	}

	// Parse parameters for Public Files
	publicLimit, _ := strconv.Atoi(r.URL.Query().Get("public_limit"))
	if publicLimit <= 0 {
		publicLimit = 10
	}
	publicPage, _ := strconv.Atoi(r.URL.Query().Get("public_page"))
	if publicPage <= 0 {
		publicPage = 1
	}
	publicSortBy := r.URL.Query().Get("public_sort_by")
	if publicSortBy == "" {
		publicSortBy = "votes"
	}
	targetUserID := r.URL.Query().Get("target_user_id")

	// 1. Get My Files (if no specific target user is requested, or if target is me)
	// logic: If targetUserID is present and != userID, we don't show "My Files" (which implies private/editable).
	// But the UI might expect the "My Files" block to just be empty.
	// Actually, the prompt implies "My Files" is the logged-in user's files.
	// If we are viewing a profile, we just want that user's PUBLIC files.
	// The current frontend calls this endpoint to populate the standard browser "My Files" and "Public Files" tabs.
	// We should probably keep this behavior for the standard view.

	// If it's a profile request, we might just be using the public list with a filter.
	// Let's rely on the client to ask for what it wants.
	// Existing client: Calls /list without target_user_id. Expects: My Files (all mine), Public Files (all public).

	// New Client (Profile): Needs distinct endpoint or param?
	// If we add `target_user_id` to the public files query, we can reuse this.

	// 1. Get My Files (Logged in user's files)
	var myFiles []KMLMetadata
	var myTotal int
	var err error

	if targetUserID == "" {
		myFiles, myTotal, err = fetchKMLList(userID, true, myPage, myLimit, mySortBy)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
	}

	// 2. Get Public Files
	var publicFiles []KMLMetadata
	var publicTotal int

	publicFiles, publicTotal, err = fetchKMLListPublic(userID, targetUserID, publicPage, publicLimit, publicSortBy)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{
		"my_files":     myFiles,
		"my_total":     myTotal,
		"my_page":      myPage,
		"public_files": publicFiles,
		"public_total": publicTotal,
		"public_page":  publicPage,
		"limit":        10, // Default limit reference for UI
	})
}

func fetchKMLList(userID string, mineOnly bool, page, limit int, sortBy string) ([]KMLMetadata, int, error) {
	// Standard fetch for current user or general public list (wrapper)
	return fetchKMLQuery(userID, "", mineOnly, page, limit, sortBy)
}

func fetchKMLListPublic(requestingUserID, targetUserID string, page, limit int, sortBy string) ([]KMLMetadata, int, error) {
	return fetchKMLQuery(requestingUserID, targetUserID, false, page, limit, sortBy)
}

func fetchKMLQuery(userID, targetUserID string, mineOnly bool, page, limit int, sortBy string) ([]KMLMetadata, int, error) {
	offset := (page - 1) * limit

	var whereClause string
	var args []interface{}

	if mineOnly {
		whereClause = "WHERE m.user_id = ?"
		args = append(args, userID)
	} else {
		whereClause = "WHERE m.is_public = 1"
		if targetUserID != "" {
			whereClause += " AND m.user_id = ?"
			args = append(args, targetUserID)
		}
	}

	// Get total count first
	var total int
	err := db.QueryRow(fmt.Sprintf("SELECT COUNT(*) FROM kml_metadata m %s", whereClause), args...).Scan(&total)
	if err != nil {
		return nil, 0, err
	}

	sortClause := "votes"
	order := "DESC"
	switch sortBy {
	case "date":
		sortClause = "m.uploaded_at"
	case "distance":
		sortClause = "m.distance"
	case "votes":
		sortClause = "votes"
	case "filename":
		sortClause = "m.filename"
		order = "ASC"
	}

	query := fmt.Sprintf(`
		SELECT m.filename, m.user_id, u.display_name, m.distance, m.description, m.is_public, m.uploaded_at,
		       (SELECT COALESCE(SUM(v.vote_value), 0) FROM kml_votes v WHERE v.kml_id = m.id) as votes
		FROM kml_metadata m
		JOIN users u ON m.user_id = u.fitbit_user_id
		%s
		ORDER BY %s %s
		LIMIT ? OFFSET ?
	`, whereClause, sortClause, order)

	args = append(args, limit, offset)
	files, err := queryKMLMetadata(query, args...)
	return files, total, err
}

func queryKMLMetadata(query string, args ...interface{}) ([]KMLMetadata, error) {
	rows, err := db.Query(query, args...)
	if err != nil {
		return nil, err
	}
	defer rows.Close()

	var files []KMLMetadata
	for rows.Next() {
		var m KMLMetadata
		var desc sql.NullString // Handle null description
		err := rows.Scan(&m.Filename, &m.UserID, &m.DisplayName, &m.Distance, &desc, &m.IsPublic, &m.UploadedAt, &m.Votes)
		if err != nil {
			return nil, err
		}
		m.Description = desc.String
		files = append(files, m)
	}
	return files, nil
}

// HandleKMLEdit handles editing KML metadata (description)
func HandleKMLEdit(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	userID, ok := getUserID(r.Context())
	if !ok {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}

	var req struct {
		Filename    string `json:"filename"`
		Description string `json:"description"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "Invalid request", http.StatusBadRequest)
		return
	}

	// Sanitize description
	p := bluemonday.UGCPolicy()
	req.Description = p.Sanitize(req.Description)

	if len(req.Description) > 2000 {
		req.Description = req.Description[:1997] + "..."
	}

	// Update description in database
	res, err := db.Exec("UPDATE kml_metadata SET description = ? WHERE filename = ? AND user_id = ?", req.Description, req.Filename, userID)
	if err != nil {
		http.Error(w, "Failed to update metadata", http.StatusInternalServerError)
		return
	}

	rowsAffected, _ := res.RowsAffected()
	if rowsAffected == 0 {
		// Could mean file doesn't exist or description didn't change, check existence
		var exists bool
		err := db.QueryRow("SELECT EXISTS(SELECT 1 FROM kml_metadata WHERE filename = ? AND user_id = ?)", req.Filename, userID).Scan(&exists)
		if err == nil && !exists {
			http.Error(w, "File not found", http.StatusNotFound)
			return
		}
	}

	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{
		"success": true,
	})
}

// HandleKMLPrivacyToggle toggles the privacy setting of a KML file
func HandleKMLPrivacyToggle(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	userID, ok := getUserID(r.Context())
	if !ok {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}

	var req struct {
		Filename string `json:"filename"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "Invalid request", http.StatusBadRequest)
		return
	}

	// Toggle privacy in database
	if _, err := db.Exec("UPDATE kml_metadata SET is_public = NOT is_public WHERE filename = ? AND user_id = ?", req.Filename, userID); err != nil {
		http.Error(w, "Failed to update metadata", http.StatusInternalServerError)
		return
	}

	var isPublic bool
	if err := db.QueryRow("SELECT is_public FROM kml_metadata WHERE filename = ? AND user_id = ?", req.Filename, userID).Scan(&isPublic); err != nil {
		http.Error(w, "Failed to fetch updated metadata", http.StatusInternalServerError)
		return
	}

	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{
		"success":   true,
		"is_public": isPublic,
	})
}

// HandleKMLVote handles voting on KML files (toggle upvote/downvote/none)
func HandleKMLVote(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	userID, ok := getUserID(r.Context())
	if !ok {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}

	var req struct {
		OwnerID  string `json:"owner_id"`
		Filename string `json:"filename"`
		Vote     int    `json:"vote"` // +1, -1, or 0 to remove vote
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "Invalid request", http.StatusBadRequest)
		return
	}

	// Validate vote value
	if req.Vote != -1 && req.Vote != 0 && req.Vote != 1 {
		http.Error(w, "Invalid vote value (must be -1, 0, or 1)", http.StatusBadRequest)
		return
	}

	// Get KML ID
	var kmlID int
	err := db.QueryRow("SELECT id FROM kml_metadata WHERE user_id = ? AND filename = ?", req.OwnerID, req.Filename).Scan(&kmlID)
	if err != nil {
		http.Error(w, "KML not found", http.StatusNotFound)
		return
	}

	// Set the vote
	if err := SetVote(kmlID, userID, req.Vote); err != nil {
		http.Error(w, "Failed to save vote", http.StatusInternalServerError)
		return
	}

	// Calculate new net votes
	netVotes := CalculateNetVotes(kmlID)

	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{
		"success":   true,
		"net_votes": netVotes,
	})
}

// HandleKMLDelete deletes a KML file with ownership verification
func HandleKMLDelete(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodDelete && r.Method != http.MethodPost {
		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	userID, ok := getUserID(r.Context())
	if !ok {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}

	var req struct {
		Filename string `json:"filename"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "Invalid request", http.StatusBadRequest)
		return
	}

	// Verify ownership and delete metadata from database
	if _, err := db.Exec("DELETE FROM kml_metadata WHERE filename = ? AND user_id = ?", req.Filename, userID); err != nil {
		http.Error(w, "Failed to delete metadata or file not found", http.StatusInternalServerError)
		return
	}

	// Delete KML file
	kmlPath := fmt.Sprintf("data/users/%s/kml/%s", userID, req.Filename)
	os.Remove(kmlPath)

	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{
		"success": true,
	})
}

// HandleKMLDownload serves a KML file for downloading/viewing
func HandleKMLDownload(w http.ResponseWriter, r *http.Request) {
	userID, ok := getUserID(r.Context())
	if !ok {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}

	ownerID := r.URL.Query().Get("owner_id")
	filename := r.URL.Query().Get("filename")

	if ownerID == "" || filename == "" {
		http.Error(w, "Missing owner_id or filename", http.StatusBadRequest)
		return
	}

	// Verify permission: ownerID == userID OR file is public
	if ownerID != userID {
		var isPublic bool
		err := db.QueryRow("SELECT is_public FROM kml_metadata WHERE user_id = ? AND filename = ?", ownerID, filename).Scan(&isPublic)
		if err != nil {
			http.Error(w, "File not found", http.StatusNotFound)
			return
		}

		if !isPublic {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
	}

	kmlPath := fmt.Sprintf("data/users/%s/kml/%s", ownerID, filename)
	data, err := os.ReadFile(kmlPath)
	if err != nil {
		http.Error(w, "File not found", http.StatusNotFound)
		return
	}

	w.Header().Set("Content-Type", "application/vnd.google-earth.kml+xml")
	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s", filename))
	w.Write(data)
}

// HandleUserProfile serves public user profile data
func HandleUserProfile(w http.ResponseWriter, r *http.Request) {
	// Authentication optional? Yes, profiles should be public.
	// But let's check auth just to be safe if we want to restrict it to logged-in users later.
	// Current requirement: "implement profile pages... open the KML details overlay... so that you can do it too".
	// Implies logged in users mostly, but let's allow it generally if the files are public.

	// Get target user ID from URL
	targetID := r.URL.Query().Get("user_id")
	if targetID == "" {
		http.Error(w, "Missing user_id", http.StatusBadRequest)
		return
	}

	user, err := GetPublicUser(targetID)
	if err != nil {
		http.Error(w, "Database error", http.StatusInternalServerError)
		return
	}
	if user == nil {
		http.Error(w, "User not found", http.StatusNotFound)
		return
	}

	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(user)
}