import { Request, Response, NextFunction } from 'express'
import fs from 'node:fs'
import mime from 'mime-types'
import {
  Utils,
  VerifiableCertificate,
  Peer,
  AuthMessage,
  RequestedCertificateSet,
  Transport,
  SessionManager,
  AsyncSessionManager,
  WalletInterface,
  PubKeyHex
} from '@bsv/sdk'
import {
  LogLevel,
  isLogLevelEnabled,
  getLogMethod,
  writeUrlToWriter,
  writeRequestHeadersToWriter,
  writeHeaderPair,
  writeBodyToWriter,
  convertValueToArray,
  makeDebugLogger
} from './authMiddlewareHelpers.js'

export type { LogLevel } from './authMiddlewareHelpers.js'
export { isLogLevelEnabled, getLogMethod } from './authMiddlewareHelpers.js'
export { writeBodyToWriter } from './authMiddlewareHelpers.js'

export interface AuthRequest extends Request {
  auth?: {
    identityKey: PubKeyHex
  }
}

// Developers may optionally provide a handler for incoming certificates.
export interface AuthMiddlewareOptions {
  wallet: WalletInterface
  // Optional session store. Default is in-process synchronous `SessionManager`.
  // Pass an `AsyncSessionManager` (Redis/SQL-backed, etc.) to share state
  // across load-balanced instances; Peer awaits internally so both work.
  sessionManager?: SessionManager | AsyncSessionManager
  allowUnauthenticated?: boolean
  certificatesToRequest?: RequestedCertificateSet
  onCertificatesReceived?: (
    senderPublicKey: string,
    certs: VerifiableCertificate[],
    req: AuthRequest,
    res: Response,
    next: NextFunction
  ) => void

  /**
   * Optional logger (e.g., console). If not provided, logging is disabled.
   */
  logger?: typeof console

  /**
   * Optional logging level. Defaults to no logging if not provided.
   * 'debug' | 'info' | 'warn' | 'error'
   *
   * - debug: Logs *everything*, including low-level details of the auth process.
   * - info: Logs general informational messages about normal operation.
   * - warn: Logs potential issues but not necessarily errors.
   * - error: Logs only critical issues and errors.
   */
  logLevel?: LogLevel
}

/**
 * ResponseWriterWrapper buffers response data until signing is complete.
 * This pattern matches the Go implementation for cleaner response handling.
 */
class ResponseWriterWrapper {
  private statusCode: number = 200
  private headers: Record<string, string> = {}
  private body: number[] = []
  private readonly originalRes: Response
  private flushed: boolean = false

  constructor (res: Response) {
    this.originalRes = res
  }

  status (code: number): this {
    this.statusCode = code
    return this
  }

  set (key: string | Record<string, string>, value?: string): this {
    if (typeof key === 'object' && key !== null) {
      for (const [k, v] of Object.entries(key)) {
        this.headers[k.toLowerCase()] = String(v)
      }
    } else if (typeof key === 'string' && value !== undefined) {
      this.headers[key.toLowerCase()] = String(value)
    }
    return this
  }

  send (data: any): this {
    this.body = convertValueToArray(data, this.headers)
    return this
  }

  json (data: any): this {
    if (!this.headers['content-type']) {
      this.headers['content-type'] = 'application/json'
    }
    this.body = Utils.toArray(JSON.stringify(data), 'utf8')
    return this
  }

  text (data: string): this {
    if (!this.headers['content-type']) {
      this.headers['content-type'] = 'text/plain'
    }
    this.body = Utils.toArray(data, 'utf8')
    return this
  }

  end (): this {
    // No-op for buffering, actual end happens on flush
    return this
  }

  getStatusCode (): number {
    return this.statusCode
  }

  getHeaders (): Record<string, string> {
    return this.headers
  }

  getBody (): number[] {
    return this.body
  }

  getOriginalRes (): Response {
    return this.originalRes
  }

  // Called after peer signs the response
  flush (): void {
    if (this.flushed) return
    this.flushed = true

    this.originalRes.status(this.statusCode)
    for (const [key, value] of Object.entries(this.headers)) {
      this.originalRes.set(key, value)
    }
    if (this.body.length > 0) {
      this.originalRes.send(Buffer.from(new Uint8Array(this.body)))
    } else {
      this.originalRes.end()
    }
  }
}

/**
 * Transport implementation for Express.
 */
export class ExpressTransport implements Transport {
  peer?: Peer
  allowAuthenticated: boolean
  openNonGeneralHandles: Record<string, Array<{ res: Response, next: Function }>> = {}
  openGeneralHandles: Record<string, { next: Function, res: Response }> = {}
  openNextHandlers: Record<string, NextFunction> = {}
  openNextHandlerTimeouts: Record<string, ReturnType<typeof setTimeout>> = {}

  private messageCallback?: (message: AuthMessage) => Promise<void>
  private readonly logger: typeof console | undefined
  private readonly logLevel: LogLevel

  /**
   * Constructs a new ExpressTransport instance.
   *
   * @param {boolean} [allowUnauthenticated=false] - Whether to allow unauthenticated requests passed the auth middleware.
   *   If `true`, requests without authentication will be permitted, and `req.auth.identityKey`
   *   will be set to `"unknown"`. If `false`, unauthenticated requests will result in a `401 Unauthorized` response.
   * @param {typeof console} [logger] - Logger to use (e.g., console). If omitted, logging is disabled.
   * @param {'debug' | 'info' | 'warn' | 'error'} [logLevel] - Log level. If omitted, no logs are output.
   */
  constructor (
    allowUnauthenticated: boolean = false,
    logger?: typeof console,
    logLevel?: LogLevel
  ) {
    this.allowAuthenticated = allowUnauthenticated
    this.logger = logger
    this.logLevel = logLevel || 'error' // Default to 'error' if not provided
  }

  /**
   * Internal logging method, only logs if logger is defined and log level is appropriate.
   *
   * @param level - The log level for this message
   * @param message - The message to log
   * @param data - Optional additional data to log
   */
  private log (
    level: LogLevel,
    message: string,
    data?: any
  ): void {
    if (typeof this.logger !== 'object') return // Logging disabled
    if (isLogLevelEnabled(this.logLevel, level)) {
      const logMethod = getLogMethod(this.logger, level)
      if (data !== undefined) {
        logMethod(`[ExpressTransport] [${level.toUpperCase()}] ${message}`, data)
      } else {
        logMethod(`[ExpressTransport] [${level.toUpperCase()}] ${message}`)
      }
    }
  }

  setPeer (peer: Peer): void {
    this.peer = peer
    this.log('debug', 'Peer set in ExpressTransport', { peer })
  }

  /**
   * Sends an AuthMessage to the connected Peer.
   * This method uses an Express response object to deliver the message to the specified Peer.
   *
   * ### Parameters:
   * @param {AuthMessage} message - The authenticated message to send.
   *
   * ### Returns:
   * @returns {Promise<void>} A promise that resolves once the message has been sent successfully.
   */
  async send (message: AuthMessage): Promise<void> {
    this.log('debug', 'Attempting to send AuthMessage', { message })
    if (message.messageType === 'general') {
      await this.sendGeneralMessage(message)
    } else {
      await this.sendNonGeneralMessage(message)
    }
  }

  /**
   * Handles a general (authenticated application) AuthMessage response.
   */
  private async sendGeneralMessage (message: AuthMessage): Promise<void> {
    const reader = new Utils.Reader(message.payload)
    const requestId = Utils.toBase64(reader.read(32))

    if (typeof this.openGeneralHandles[requestId] !== 'object') {
      this.log('warn', 'No response handle for this requestId', { requestId })
      throw new Error('No response handle for this requestId!')
    }
    let { res, next } = this.openGeneralHandles[requestId]
    delete this.openGeneralHandles[requestId]

    const statusCode = reader.readVarIntNum()
    ;(res as any).__status(statusCode)

    const responseHeaders = this.readResponseHeaders(reader)
    responseHeaders['x-bsv-auth-version'] = message.version
    responseHeaders['x-bsv-auth-identity-key'] = message.identityKey
    responseHeaders['x-bsv-auth-nonce'] = message.nonce!
    responseHeaders['x-bsv-auth-your-nonce'] = message.yourNonce!
    responseHeaders['x-bsv-auth-signature'] = Utils.toHex(message.signature!)
    responseHeaders['x-bsv-auth-request-id'] = requestId

    if (message.requestedCertificates) {
      responseHeaders['x-bsv-auth-requested-certificates'] = JSON.stringify(message.requestedCertificates)
    }

    for (const [k, v] of Object.entries(responseHeaders)) {
      ;(res as any).__set(k, v)
    }

    let responseBody: number[] | undefined
    const responseBodyBytes = reader.readVarIntNum()
    if (responseBodyBytes > 0) {
      responseBody = reader.read(responseBodyBytes)
    }

    res = this.resetRes(res, next)
    this.log('info', 'Sending general AuthMessage response', {
      status: statusCode,
      responseHeaders,
      responseBodyLength: responseBody ? responseBody.length : 0,
      requestId
    })
    if (responseBody) {
      res.send(Buffer.from(new Uint8Array(responseBody)))
    } else {
      res.end()
    }
  }

  /**
   * Reads response headers from a binary reader.
   */
  private readResponseHeaders (reader: Utils.Reader): Record<string, string> {
    const responseHeaders: Record<string, string> = {}
    const nHeaders = reader.readVarIntNum()
    for (let i = 0; i < nHeaders; i++) {
      const nHeaderKeyBytes = reader.readVarIntNum()
      const headerKeyBytes = reader.read(nHeaderKeyBytes)
      const headerKey = Utils.toUTF8(headerKeyBytes)
      const nHeaderValueBytes = reader.readVarIntNum()
      const headerValueBytes = reader.read(nHeaderValueBytes)
      const headerValue = Utils.toUTF8(headerValueBytes)
      responseHeaders[headerKey] = headerValue
    }
    return responseHeaders
  }

  /**
   * Handles a non-general (handshake) AuthMessage response.
   */
  private async sendNonGeneralMessage (message: AuthMessage): Promise<void> {
    const handles = this.openNonGeneralHandles[message.yourNonce!]
    if (!Array.isArray(handles) || handles.length === 0) {
      this.log('warn', 'No open handles to peer for nonce', { yourNonce: message.yourNonce })
      throw new Error('No open handles to this peer!')
    }

    // Since this is an initial response, we can assume there's only one handle per identity
    const { res, next } = handles[0]
    const responseHeaders: Record<string, string> = {
      'x-bsv-auth-version': message.version,
      'x-bsv-auth-message-type': message.messageType,
      'x-bsv-auth-identity-key': message.identityKey,
      'x-bsv-auth-nonce': message.nonce!,
      'x-bsv-auth-your-nonce': message.yourNonce!,
      'x-bsv-auth-signature': Utils.toHex(message.signature!)
    }

    if (typeof message.requestedCertificates === 'object') {
      responseHeaders['x-bsv-auth-requested-certificates'] = JSON.stringify(message.requestedCertificates)
    }
    if ((res as any).__set !== undefined) {
      this.resetRes(res, next)
    }
    for (const [k, v] of Object.entries(responseHeaders)) {
      res.set(k, v)
    }

    this.log('info', 'Sending non-general AuthMessage response', {
      status: 200,
      responseHeaders,
      messagePayload: message
    })
    res.send(message)
    handles.shift()
  }

  /**
   * Stores the callback bound by a Peer
   * @param callback
   */
  async onData (callback: (message: AuthMessage) => Promise<void>): Promise<void> {
    this.log('debug', 'onData callback set')
    this.messageCallback = callback
  }

  /**
   * Handles an incoming request for the Express server.
   *
   * This method processes both general and non-general message types,
   * manages peer-to-peer certificate handling, and modifies the response object
   * to enable custom behaviors like certificate requests and tailored responses.
   *
   * ### Behavior:
   * - For `/.well-known/auth`:
   *   - Handles non-general messages and listens for certificates.
   *   - Calls the `onCertificatesReceived` callback (if provided) when certificates are received.
   * - For general messages:
   *   - Sets up a listener for peer-to-peer general messages.
   *   - Overrides response methods (`send`, `json`, etc.) for custom handling.
   * - Returns a 401 error if mutual authentication fails.
   *
   * ### Parameters:
   * @param {AuthRequest} req - The incoming HTTP request.
   * @param {Response} res - The HTTP response.
   * @param {NextFunction} next - The Express `next` middleware function.
   * @param {Function} [onCertificatesReceived] - Optional callback invoked when certificates are received.
   */
  public async handleIncomingRequest (
    req: AuthRequest,
    res: Response,
    next: NextFunction,
    onCertificatesReceived?: (
      senderPublicKey: string,
      certs: VerifiableCertificate[],
      req: AuthRequest,
      res: Response,
      next: NextFunction
    ) => void
  ): Promise<void> {
    this.log('debug', 'Handling incoming request', {
      path: req.path,
      headers: req.headers,
      method: req.method,
      body: req.body
    })
    try {
      if (!this.peer) {
        this.log('error', 'No Peer set in ExpressTransport! Cannot handle request.')
        throw new Error('You must set a Peer before you can handle incoming requests!')
      }
      if (req.path === '/.well-known/auth') {
        await this.handleWellKnownAuth(req, res, next, onCertificatesReceived)
      } else if (req.headers['x-bsv-auth-request-id']) {
        this.handleGeneralMessage(req, res, next)
      } else {
        this.handleUnauthenticated(req, res, next)
      }
    } catch (error) {
      this.log('error', 'Caught error in handleIncomingRequest', { error })
      next(error)
    }
  }

  /**
   * Handles a request to /.well-known/auth (non-general / handshake messages).
   */
  private async handleWellKnownAuth (
    req: AuthRequest,
    res: Response,
    next: NextFunction,
    onCertificatesReceived?: (
      senderPublicKey: string,
      certs: VerifiableCertificate[],
      req: AuthRequest,
      res: Response,
      next: NextFunction
    ) => void
  ): Promise<void> {
    const message = req.body as AuthMessage
    this.log('debug', 'Received non-general message at /.well-known/auth', { message })

    let requestId = req.headers['x-bsv-auth-request-id'] as string
    if (!requestId) {
      requestId = message.initialNonce!
    }

    if (Array.isArray(this.openNonGeneralHandles[requestId])) {
      this.openNonGeneralHandles[requestId].push({ res, next })
    } else {
      this.openNonGeneralHandles[requestId] = [{ res, next }]
    }

    if (!await this.peer!.sessionManager.hasSession(message.identityKey)) {
      this.registerCertificateListener(req, res, next, requestId, message, onCertificatesReceived)
    }

    if (this.messageCallback) {
      this.log('debug', 'Invoking stored messageCallback for non-general message')
      this.messageCallback(message).catch((err) => {
        this.log('error', 'Error in messageCallback', { error: err.message, err })
        return res.status(500).json({
          status: 'error',
          code: 'ERR_INTERNAL_SERVER_ERROR',
          description: err.message || 'An unknown error occurred.'
        })
      })
    }
  }

  /**
   * Registers a certificate-received listener for a non-general message.
   */
  private registerCertificateListener (
    req: AuthRequest,
    res: Response,
    next: NextFunction,
    requestId: string,
    message: AuthMessage,
    onCertificatesReceived?: (
      senderPublicKey: string,
      certs: VerifiableCertificate[],
      req: AuthRequest,
      res: Response,
      next: NextFunction
    ) => void
  ): void {
    const listenerId = this.peer!.listenForCertificatesReceived(
      (senderPublicKey: string, certs: VerifiableCertificate[]) => {
        try {
          this.log('debug', 'Certificates received event triggered', {
            senderPublicKey,
            certCount: certs?.length,
            requestId
          })
          if (senderPublicKey === req.body.identityKey) {
            this.handleCertificatesForPeer(senderPublicKey, certs, req, res, next, message, onCertificatesReceived)
          }
        } catch (error) {
          this.log('error', 'Error in certificate listener callback', { error })
        } finally {
          const handles = this.openNonGeneralHandles[requestId]
          if (handles && handles.length > 0) {
            handles.shift()
            if (handles.length === 0) {
              delete this.openNonGeneralHandles[requestId]
            }
          }
          this.peer?.stopListeningForCertificatesReceived(listenerId)
        }
      })
    this.log('debug', 'listenForCertificatesReceived registered', { listenerId, requestId })
  }

  /**
   * Processes certificates received from a peer during the handshake.
   */
  private handleCertificatesForPeer (
    senderPublicKey: string,
    certs: VerifiableCertificate[],
    req: AuthRequest,
    res: Response,
    next: NextFunction,
    message: AuthMessage,
    onCertificatesReceived?: (
      senderPublicKey: string,
      certs: VerifiableCertificate[],
      req: AuthRequest,
      res: Response,
      next: NextFunction
    ) => void
  ): void {
    if (!Array.isArray(certs) || certs.length === 0) {
      this.log('warn', 'No certificates provided by peer', { senderPublicKey })
      const handles = this.openNonGeneralHandles[req.headers['x-bsv-auth-request-id'] as string ?? message.initialNonce]
      if (handles && handles.length > 0) {
        handles[0].res.status(400).json({ status: 'No certificates provided' })
      }
      return
    }

    this.log('info', 'Certificates successfully received from peer', { senderPublicKey, certs })
    if (typeof onCertificatesReceived === 'function') {
      onCertificatesReceived(senderPublicKey, certs, req, res, next)
    }

    // Validate that identityKey is an own property of the handler map before
    // invoking, preventing CodeQL js/unvalidated-dynamic-method-call from
    // flagging prototype-chain dispatch on a user-supplied key.
    const identityKey = message.identityKey
    if (typeof identityKey === 'string' && Object.hasOwn(this.openNextHandlers, identityKey)) {
      const nextFn = this.openNextHandlers[identityKey]
      const timeoutHandle = this.openNextHandlerTimeouts[identityKey]
      if (timeoutHandle != null) {
        clearTimeout(timeoutHandle)
        delete this.openNextHandlerTimeouts[identityKey]
      }
      nextFn()
      delete this.openNextHandlers[identityKey]
    }
  }

  /**
   * Handles an authenticated general message (has x-bsv-auth-request-id header).
   */
  private handleGeneralMessage (
    req: AuthRequest,
    res: Response,
    next: NextFunction
  ): void {
    const message = buildAuthMessageFromRequest(req, this.logger, this.logLevel)
    this.log('debug', 'Received general message with x-bsv-auth-request-id', { message })

    // Setup general message listener
    const listenerId = this.peer!.listenForGeneralMessages((senderPublicKey: string, payload: number[]) => {
      try {
        if (senderPublicKey !== req.headers['x-bsv-auth-identity-key']) return
        const requestId = Utils.toBase64(new Utils.Reader(payload).read(32))
        if (requestId === req.headers['x-bsv-auth-request-id']) {
          this.peer?.stopListeningForGeneralMessages(listenerId)
          this.setupAuthenticatedResponse(req, res, next, senderPublicKey, requestId)
        }
      } catch (error) {
        this.log('error', 'Error in listenForGeneralMessages callback', { error })
        next(error)
      }
    })

    this.log('debug', 'listenForGeneralMessages registered', { listenerId })

    if (this.messageCallback) {
      this.log('debug', 'Invoking stored messageCallback for general message')
      this.messageCallback(message).catch((err) => {
        const msg = err instanceof Error ? err.message : String(err)
        const isAuthError = /nonce|signature|session|auth version/i.test(msg)
        this.log('error', 'Error in messageCallback (general message)', { error: msg, isAuthError })
        const statusCode = isAuthError ? 401 : 500
        const code = isAuthError ? 'ERR_AUTH_FAILED' : 'ERR_INTERNAL_SERVER_ERROR'
        const description = isAuthError
          ? (msg || 'Authentication failed.')
          : (msg || 'An unexpected error occurred.')
        return res.status(statusCode).json({ status: 'error', code, description })
      })
    }
  }

  /**
   * Sets up the intercepted response for an authenticated general message.
   */
  private setupAuthenticatedResponse (
    req: AuthRequest,
    res: Response,
    next: NextFunction,
    senderPublicKey: string,
    requestId: string
  ): void {
    this.log('debug', 'General message from the correct identity key', { requestId, senderPublicKey })
    req.auth = { identityKey: senderPublicKey }

    const wrapper = new ResponseWriterWrapper(res)
    let responseSent = false

    const buildAndSendResponse = async (): Promise<void> => {
      if (responseSent) return
      responseSent = true
      try {
        const responsePayload = buildResponsePayload(
          requestId,
          wrapper.getStatusCode(),
          wrapper.getHeaders(),
          wrapper.getBody(),
          req,
          this.logger,
          this.logLevel
        )
        this.openGeneralHandles[requestId] = { res, next }
        this.log('debug', 'Sending general message response', {
          requestId,
          responseStatus: wrapper.getStatusCode(),
          responseHeaders: wrapper.getHeaders(),
          responseBodyLength: wrapper.getBody().length
        })
        await this.peer?.toPeer(responsePayload, req.headers['x-bsv-auth-identity-key'] as string)
      } catch (err) {
        delete this.openGeneralHandles[requestId]
        this.log('error', 'Failed to build and send authenticated response', { error: err })
        try {
          const restored = this.resetRes(res, next)
          restored.status(500).json({
            status: 'error',
            code: 'ERR_RESPONSE_SIGNING_FAILED',
            description: err instanceof Error ? err.message : 'Failed to sign response'
          })
        } catch (_responseAlreadySent) {
          // Response may already be partially sent — nothing to do
        }
      }
    }

    this.hijackResponse(res, next, wrapper, buildAndSendResponse)
    void this.scheduleNextOrCertificateWait(next, senderPublicKey, wrapper, buildAndSendResponse).catch(next)
  }

  /**
   * Overrides the response methods to intercept and buffer the response for signing.
   */
  private hijackResponse (
    res: Response,
    next: NextFunction,
    wrapper: ResponseWriterWrapper,
    buildAndSendResponse: () => Promise<void>
  ): void {
    // Override methods to capture response data
    this.checkRes(res, 'needs to be clear', next)
    ;(res as any).__status = res.status
    res.status = (n) => {
      wrapper.status(n)
      return res
    }

    ;(res as any).__set = res.set
    ;(res as any).set = (keyOrHeaders: string | Record<string, string>, value?: string) => {
      wrapper.set(keyOrHeaders, value)
      return res
    }

    ;(res as any).__send = res.send
    ;(res as any).send = (val: any) => {
      if (typeof val === 'object' && val !== null && !wrapper.getHeaders()['content-type']) {
        wrapper.set('content-type', 'application/json')
      }
      wrapper.send(val)
      buildAndSendResponse()
      return res
    }

    ;(res as any).__json = res.json
    ;(res as any).json = (obj: any) => {
      wrapper.json(obj)
      buildAndSendResponse()
      return res
    }

    ;(res as any).__text = (res as any).text
    ;(res as any).text = (str: string) => {
      wrapper.text(str)
      buildAndSendResponse()
      return res
    }

    ;(res as any).__end = res.end
    ;(res as any).end = () => {
      buildAndSendResponse()
      return res
    }

    ;(res as any).__sendFile = res.sendFile
    ;(res as any).sendFile = (path: string, options?: any, callback?: Function) => {
      fs.readFile(path, (err, data) => {
        if (err) {
          this.log('error', 'Error reading file in sendFile', { error: err.message })
          if (callback) return callback(err)
          wrapper.status(500)
          buildAndSendResponse()
          return
        }

        const mimeType = mime.lookup(path) || 'application/octet-stream'
        wrapper.set('Content-Type', mimeType)
        wrapper.send(Array.from(data))
        buildAndSendResponse()
      })
    }
  }

  /**
   * Either calls next() immediately or stores it pending certificate arrival.
   */
  private async scheduleNextOrCertificateWait (
    next: NextFunction,
    senderPublicKey: string,
    wrapper: ResponseWriterWrapper,
    buildAndSendResponse: () => Promise<void>
  ): Promise<void> {
    const hasSession = await (this.peer?.sessionManager.hasSession(senderPublicKey) ?? false)
    const needsCertificates = this.peer?.certificatesToRequest?.certifiers?.length
    this.log('debug', 'Checking if we need to wait for certificates', {
      senderPublicKey,
      hasSession,
      needsCertificates,
      openNextHandlersKeys: Object.keys(this.openNextHandlers)
    })

    if (!needsCertificates || hasSession) {
      this.log('debug', 'Calling next() immediately - no certificate wait needed', { senderPublicKey, hasSession })
      next()
      return
    }

    this.log('debug', 'Storing next handler to wait for certificates', { senderPublicKey })
    const existingTimeout = this.openNextHandlerTimeouts[senderPublicKey]
    if (existingTimeout != null) {
      clearTimeout(existingTimeout)
      delete this.openNextHandlerTimeouts[senderPublicKey]
    }
    this.openNextHandlers[senderPublicKey] = next

    const CERTIFICATE_TIMEOUT_MS = 30000
    const timeoutHandle = setTimeout(() => {
      if (this.openNextHandlers[senderPublicKey]) {
        this.log('warn', 'Certificate request timed out', { senderPublicKey })
        delete this.openNextHandlers[senderPublicKey]
        delete this.openNextHandlerTimeouts[senderPublicKey]
        wrapper.status(408).json({
          status: 'error',
          code: 'CERTIFICATE_TIMEOUT',
          message: 'Certificate request timed out'
        })
        buildAndSendResponse()
      }
    }, CERTIFICATE_TIMEOUT_MS)
    this.openNextHandlerTimeouts[senderPublicKey] = timeoutHandle
  }

  /**
   * Handles a request with no auth headers.
   */
  private handleUnauthenticated (req: AuthRequest, res: Response, next: NextFunction): void {
    this.log(
      'warn',
      'No Auth headers found on request. Checking allowUnauthenticated setting.',
      { allowAuthenticated: this.allowAuthenticated }
    )
    if (this.allowAuthenticated) {
      req.auth = { identityKey: 'unknown' }
      next()
    } else {
      this.log('warn', 'Mutual-authentication failed. Returning 401.')
      res.status(401).json({
        status: 'error',
        code: 'UNAUTHORIZED',
        message: 'Mutual-authentication failed!'
      })
    }
  }

  private checkRes (res: any, test?: 'needs to be clear' | 'needs to be hijacked', next?: Function): void {
    if (test === 'needs to be clear') {
      if (
        typeof res.__status === 'function' ||
        typeof res.__set === 'function' ||
        typeof res.__json === 'function' ||
        typeof res.__text === 'function' ||
        typeof res.__send === 'function' ||
        typeof res.__end === 'function' ||
        typeof res.__sendFile === 'function'
      ) {
        const e = new Error('Unable to install Auth midddleware on the response object as it is not clear. Are two middleware instances installed?')
        if (typeof next === 'function') {
          next(e)
        }
        throw e
      }
    } else if (
      typeof res.__status !== 'function' ||
      typeof res.__set !== 'function' ||
      typeof res.__json !== 'function' ||
      typeof res.__send !== 'function' ||
      typeof res.__end !== 'function' ||
      typeof res.__sendFile !== 'function'
    ) {
      const e = new Error('Unable to restore response object. Did you tamper with hijacked properties (res.__status, __set, __json, __text, __send, __end, __sendFile) ?')
      if (typeof next === 'function') {
        next(e)
      }
      throw e
    }
  }

  private resetRes (res: Response, next?: Function): Response {
    this.checkRes(res, 'needs to be hijacked', next)
    res.status = (res as any).__status
    res.set = (res as any).__set
    res.json = (res as any).__json
    ;(res as any).text = (res as any).__text
    res.send = (res as any).__send
    res.end = (res as any).__end
    res.sendFile = (res as any).__sendFile
    return res
  }
}

/**
 * Helper: Build AuthMessage from Request
 */
function buildAuthMessageFromRequest (
  req: Request,
  logger?: typeof console,
  logLevel?: LogLevel
): AuthMessage {
  const debugLog = makeDebugLogger(logger, logLevel)
  debugLog('[buildAuthMessageFromRequest] Building message from request...', {
    path: req.path,
    headers: req.headers,
    method: req.method,
    body: req.body
  })

  const writer = new Utils.Writer()
  const requestNonce = req.headers['x-bsv-auth-request-id']
  const requestNonceBytes = requestNonce ? Utils.toArray(requestNonce, 'base64') : []
  writer.write(requestNonceBytes)
  writer.writeVarIntNum(req.method.length)
  writer.write(Utils.toArray(req.method))

  const protocol = req.protocol
  const host = req.get('host')
  const parsedUrl = new URL(`${protocol}://${host}${req.originalUrl}`)

  writeUrlToWriter(parsedUrl, writer)
  writeRequestHeadersToWriter(req, writer)
  writeBodyToWriter(req, writer, logger, logLevel)

  const authMessage = {
    messageType: 'general' as const,
    version: req.headers['x-bsv-auth-version'] as string,
    identityKey: req.headers['x-bsv-auth-identity-key'] as string,
    nonce: req.headers['x-bsv-auth-nonce'] as string,
    yourNonce: req.headers['x-bsv-auth-your-nonce'] as string,
    payload: writer.toArray(),
    signature: req.headers['x-bsv-auth-signature']
      ? Utils.toArray(req.headers['x-bsv-auth-signature'], 'hex')
      : []
  }

  debugLog('[buildAuthMessageFromRequest] AuthMessage built', { authMessage })

  return authMessage
}

/**
 * Helper: Build response payload for sending back to peer
 */
function buildResponsePayload (
  requestId: string,
  responseStatus: number,
  responseHeaders: Record<string, any>,
  responseBody: number[],
  req: Request,
  logger?: typeof console,
  logLevel?: LogLevel
): number[] {
  const debugLog = makeDebugLogger(logger, logLevel)
  debugLog('[buildResponsePayload] Building response payload', {
    requestId,
    responseStatus,
    responseHeaders,
    responseBodyLength: responseBody.length
  })

  const writer = new Utils.Writer()
  writer.write(Utils.toArray(requestId, 'base64'))
  writer.writeVarIntNum(responseStatus)

  // Filter out headers that should NOT be signed:
  // - Include custom headers prefixed with x-bsv (excluding those starting with x-bsv-auth)
  // - Include the authorization header
  const includedHeaders: Array<[string, string]> = []
  Object.entries(responseHeaders).forEach(([key, value]) => {
    const lowerKey = key.toLowerCase()
    if ((lowerKey.startsWith('x-bsv-') || lowerKey === 'authorization') && !lowerKey.startsWith('x-bsv-auth')) {
      includedHeaders.push([lowerKey, value])
    }
  })

  // Sort the headers by key to ensure a consistent order for signing and verification.
  includedHeaders.sort(([keyA], [keyB]) => keyA.localeCompare(keyB))

  writer.writeVarIntNum(includedHeaders.length)
  for (const [headerKey, headerValue] of includedHeaders) {
    writeHeaderPair(writer, headerKey, headerValue)
  }

  if (responseBody.length > 0) {
    writer.writeVarIntNum(responseBody.length)
    writer.write(responseBody)
  } else {
    writer.writeVarIntNum(-1)
  }

  return writer.toArray()
}

/**
 * Creates an Express middleware that handles authentication via BSV-SDK.
 *
 * @param {AuthMiddlewareOptions} options
 * @returns {(req: Request, res: Response, next: NextFunction) => void} Express middleware
 */
export function createAuthMiddleware (options: AuthMiddlewareOptions): (req: AuthRequest, res: Response, next: NextFunction) => void {
  const {
    wallet,
    sessionManager,
    allowUnauthenticated,
    certificatesToRequest,
    onCertificatesReceived,
    logger,
    logLevel
  } = options

  if (!wallet) {
    if (logger && logLevel && isLogLevelEnabled(logLevel, 'error')) {
      getLogMethod(logger, 'error')(
        '[createAuthMiddleware] No wallet provided in AuthMiddlewareOptions.'
      )
    }
    throw new Error('You must configure the auth middleware with a wallet.')
  }

  const transport = new ExpressTransport(allowUnauthenticated ?? false, logger, logLevel)

  const sessionMgr = sessionManager || new SessionManager()

  if (logger && logLevel && isLogLevelEnabled(logLevel, 'info')) {
    getLogMethod(logger, 'info')(
      `[createAuthMiddleware] Creating Peer with provided wallet & transport. Session Manager: ${sessionManager ? 'Custom' : 'Default'
      }`
    )
  }

  const peer = new Peer(wallet, transport, certificatesToRequest, sessionMgr)
  transport.setPeer(peer)

  return (req: AuthRequest, res: Response, next: NextFunction) => {
    if (logger && logLevel && isLogLevelEnabled(logLevel, 'debug')) {
      getLogMethod(logger, 'debug')('[createAuthMiddleware] Incoming request to auth middleware', {
        path: req.path,
        headers: req.headers,
        method: req.method
      })
    }
    void transport.handleIncomingRequest(req, res, next, onCertificatesReceived).catch(next)
  }
}