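// Package middleware holds the gin middleware used by file-svc to
// authenticate requests (Auth) and to gate admin-only routes (AdminOnly).
package middleware

import (
	"net/http"
	"strings"

	"github.com/flatrender/file-svc/internal/models"
	"github.com/gin-gonic/gin"
	"github.com/golang-jwt/jwt/v5"
	"github.com/google/uuid"
)

// Context keys under which Auth stores the caller's identity so that
// downstream handlers can read it with c.Get / c.MustGet.
const (
	KeyUserID   = "user_id"   // uuid.UUID parsed from the token's "sub" claim
	KeyTenantID = "tenant_id" // uuid.UUID parsed from the token's "tenant_id" claim
	KeyIsAdmin  = "is_admin"  // bool taken from the token's "is_admin" claim (false when absent)
)

// abortUnauthorized stops the handler chain with 401 and the given message
// in the service's standard error envelope.
func abortUnauthorized(c *gin.Context, msg string) {
	c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
		Error: models.APIError{Code: "unauthorized", Message: msg},
	})
}

// stringClaim returns claims[key] and true when the claim is present and is
// a string. A missing or non-string claim yields ("", false) instead of the
// panic an unchecked type assertion would raise.
func stringClaim(claims jwt.MapClaims, key string) (string, bool) {
	v, ok := claims[key].(string)
	return v, ok
}

// uuidClaim parses claims[key] as a UUID. It reports false when the claim is
// missing, not a string, or not a well-formed UUID.
func uuidClaim(claims jwt.MapClaims, key string) (uuid.UUID, bool) {
	raw, ok := stringClaim(claims, key)
	if !ok {
		return uuid.Nil, false
	}
	id, err := uuid.Parse(raw)
	if err != nil {
		return uuid.Nil, false
	}
	return id, true
}

// Auth returns a middleware that requires a valid HMAC-signed bearer token in
// the Authorization header. On success it stores the caller's user ID,
// tenant ID and admin flag in the gin context under KeyUserID, KeyTenantID
// and KeyIsAdmin; otherwise it aborts the request with 401.
//
// jwtSecret is the shared HMAC key used to verify the token signature.
func Auth(jwtSecret string) gin.HandlerFunc {
	return func(c *gin.Context) {
		header := c.GetHeader("Authorization")
		if !strings.HasPrefix(header, "Bearer ") {
			abortUnauthorized(c, "missing bearer token")
			return
		}
		tokenStr := strings.TrimPrefix(header, "Bearer ")

		token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (any, error) {
			// Pin the algorithm family before handing out the key: the key
			// function is the only place the verifier lets us refuse a token
			// whose "alg" does not match how this service signs tokens.
			if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
				return nil, jwt.ErrSignatureInvalid
			}
			return []byte(jwtSecret), nil
		})
		// NOTE(review): jwt/v5 validates exp/nbf only when they are present;
		// a token without "exp" never expires. Consider
		// jwt.WithExpirationRequired() once all issued tokens carry exp.
		if err != nil || !token.Valid {
			abortUnauthorized(c, "invalid token")
			return
		}

		claims, ok := token.Claims.(jwt.MapClaims)
		if !ok {
			abortUnauthorized(c, "invalid claims")
			return
		}

		// "sub" must be a UUID; a missing or non-string claim is rejected
		// with 401 rather than panicking in the type assertion.
		userID, ok := uuidClaim(claims, "sub")
		if !ok {
			abortUnauthorized(c, "invalid sub claim")
			return
		}

		// "tenant_id" is the tenant-isolation boundary for every downstream
		// query, so it is required and must parse; silently falling back to
		// uuid.Nil would let a token without a tenant act as tenant
		// 00000000-0000-0000-0000-000000000000.
		tenantID, ok := uuidClaim(claims, "tenant_id")
		if !ok {
			abortUnauthorized(c, "invalid tenant_id claim")
			return
		}

		// "is_admin" is optional; anything other than a JSON boolean true
		// means not an admin.
		isAdmin, _ := claims["is_admin"].(bool)

		c.Set(KeyUserID, userID)
		c.Set(KeyTenantID, tenantID)
		c.Set(KeyIsAdmin, isAdmin)
		c.Next()
	}
}

// AdminOnly returns a middleware that aborts with 403 unless a preceding
// Auth middleware stored KeyIsAdmin == true in the context. When Auth did not
// run (the key is absent) the request is refused as well.
func AdminOnly() gin.HandlerFunc {
	return func(c *gin.Context) {
		v, _ := c.Get(KeyIsAdmin)
		if isAdmin, ok := v.(bool); !ok || !isAdmin {
			c.AbortWithStatusJSON(http.StatusForbidden, models.ErrorResponse{
				Error: models.APIError{Code: "forbidden", Message: "admin only"},
			})
			return
		}
		c.Next()
	}
}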